LinuxQuestions.org > Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
How to recover the hacked Linux system? (https://www.linuxquestions.org/questions/linux-security-4/how-to-recover-the-hacked-linux-system-4175457397/)

andi.ramesh 04-08-2013 02:06 PM

How to recover the hacked Linux system?
 
Hi, one of our systems (RHEL 5u8) seems to have been hacked. We get the error "unknown HZ value assuma 100" when we run the top command, ps -edf, etc.

I ran chkrootkit and found that top, ifconfig and some others are affected. The solution I have seen on the internet is to delete the ps and top files and reinstall them.

Could anyone guide me on how to uninstall top, ps, etc. and reinstall them?
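Before acting on the delete-and-reinstall advice, a practitioner would want an independent check of what chkrootkit reported, run with tools that are not themselves suspect. The script below is an added example for this thread, not code from the original post or from chkrootkit: it verifies the binaries chkrootkit flagged against the RPM database and, more strongly, against a digest manifest recorded on a known-good box of the same release. The list of suspect files, the rescue-media mount point /mnt/sysimage, the manifest path and its format are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: confirm (or refute) a chkrootkit hit on
# ps/top/ifconfig without running any binary from the suspect disk.
# Boot rescue media, mount the suspect root read-only (assumed at /mnt/sysimage)
# and run this with the rescue media's own sh, rpm and sha256sum.

# Binaries a userland kit commonly swaps out; the list is an assumption.
SUSPECT_FILES="/bin/ps /bin/ls /bin/netstat /bin/login /usr/bin/top /sbin/ifconfig /usr/bin/md5sum"

# digest_mismatches: filter `rpm -V` output on stdin down to files whose
# content digest changed (third flag column is '5') or which are missing.
# Example input line:   S.5....T.    /bin/ps
digest_mismatches() {
    while IFS= read -r line; do
        case "$line" in
            missing*) printf '%s\n' "${line##* }" ;;   # file deleted outright
            ??5*)     printf '%s\n' "${line##* }" ;;   # digest differs from the package
        esac
    done
}

# check_rpmdb ROOT: verify SUSPECT_FILES against the RPM database under ROOT.
# rpm chroots into ROOT, so the paths are the ones inside the suspect system.
# Caveat: the database itself lives on the suspect disk, so this only catches
# an attacker who did not also rewrite /var/lib/rpm.
check_rpmdb() {
    # word-splitting SUSPECT_FILES into separate arguments is intended
    rpm --root "$1" -Vf $SUSPECT_FILES 2>/dev/null | digest_mismatches
}

# compare_digest FILE SHA256: true if FILE hashes to the expected value.
compare_digest() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# check_manifest MANIFEST [ROOT]: MANIFEST holds "sha256  /path" lines
# (sha256sum format) recorded on a known-good system of the same release and
# patch level. Prints "modified PATH" or "missing PATH" for every entry under
# ROOT that differs. Unlike check_rpmdb this trusts nothing on the suspect disk.
check_manifest() {
    manifest="$1"; root="${2:-}"
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            printf 'missing %s\n' "$path"
        elif ! compare_digest "$root$path" "$want"; then
            printf 'modified %s\n' "$path"
        fi
    done < "$manifest"
}

# Typical use from the rescue environment (paths are assumptions):
#   check_rpmdb /mnt/sysimage
#   check_manifest /media/usb/rhel5u8-known-good.sha256 /mnt/sysimage
```

Two caveats when reading the output. On RHEL 5, prelink rewrites binaries after installation, so rpm -V can report digest changes on legitimate files unless rpm is able to undo the prelinking; a mismatch is a lead to follow up, not proof on its own, and the manifest comparison against a box with the same prelink state is the cleaner check. The "unknown HZ value" message itself is procps's fallback warning when the binary cannot read the kernel's clock tick the normal way, which a ps built from much older procps source prints on a newer kernel; that is why the message points at a replaced binary rather than at a kernel problem.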

ozar 04-08-2013 02:16 PM

Hello

If you know for sure that your system has been compromised, you need to reinstall from scratch or restore a known-good backup, then implement security steps to prevent the same thing from happening again.

salasi 04-08-2013 02:21 PM

Have you been through the CERT checklist? That would be a good first step. I haven't run chkrootkit, but a similar application (rkhunter) gives output that takes a bit of interpretation (that is, it frequently gives some false positives which need a little intelligence to decode).

Can you post the command executed and the output so that we can look through that (...and when I say 'we', I really mean that portion of 'we' who have some more specific experience than I do...)?

Then there is the question of how they got in. It doesn't sound as if the apps you mention (top, ps...) are exactly the most likely way to gain entry, so the chances are that something else was the way they got in. In that case, if you don't do something about how they got in, they can likely do it again, and unless you really track down the exact mechanism used to get in, you are only guessing about what to do to cure it.

colucix 04-08-2013 03:48 PM

Moved: This thread is more suitable in Linux - Security and has been moved accordingly to help your thread/question get the exposure it deserves.

unSpawn 04-09-2013 02:02 AM

Quote:

Originally Posted by andi.ramesh (Post 4927736)
We get error "unknown HZ value assuma 100" when we run the top command, ps-edf, etc.,.

Looks like evidence of a SHv4/5 rootkit.


Quote:

Originally Posted by andi.ramesh (Post 4927736)
The solution I have seen in the internet as delete the ps, top files and reinstall it.

That is utter nonsense. Anyone writing that has no clue at all.


First of all this machine must not be used anymore by anyone:
- alert users the machine may be compromised,
- have them change all passwords related to this machine and
- investigate adjacent machines too.

If an investigation is required then preserving "evidence" is the next step:
- isolate the machine by bringing down its network interfaces or
- pulling out the network cable(s) and then
- follow the CERT link salasi posted.

If the machine needs to be used again then
- please do not restore a backup unless you are one hundred percent sure the backup isn't tainted.

Please follow up on replies Real Soon Now and please stay with this thread until completion.
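The evidence-preservation steps above (isolate the machine, then follow the CERT checklist) are where most cleanups go wrong, because the first thing people do is run ps and ls on the compromised box and then power it off, destroying what those commands would have shown. The script below is an added example for this thread, not code from unSpawn's post or from CERT: once the network is isolated, it captures the volatile state with trusted copies of the tools, then takes a verified disk image so that every later step works on the image. The tool directory /mnt/tools, the evidence volume /mnt/evidence, the device name /dev/sda and the log format are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: preserve evidence before the box is
# rebuilt. Assumptions, all illustrative: statically linked trusted copies of
# ps, netstat, who, ls, sha256sum and dd sit on read-only media at /mnt/tools;
# a clean external volume is mounted at /mnt/evidence; the suspect disk is
# /dev/sda. Nothing here should execute a binary from the compromised root,
# because ps/netstat/ls/md5sum there are exactly what a userland kit replaces.

TOOLS="${TOOLS:-/mnt/tools}"
LOG="${LOG:-/mnt/evidence/custody.log}"
PATH="$TOOLS:$PATH"; export PATH      # prefer the trusted copies for dd/sha256sum

# record MSG...: append a timestamped chain-of-custody line to the log.
record() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

# hash_file FILE: log the SHA-256 of an artefact and print the digest.
hash_file() {
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    record "sha256 $sum $1"
    printf '%s\n' "$sum"
}

# collect_volatile OUTDIR: capture what is gone once the power is cut
# (processes, sockets, logins, the usual drop directories), running only the
# trusted copies in $TOOLS and hashing each capture as it is written.
collect_volatile() {
    out="$1"
    mkdir -p "$out"
    for cmd in "ps -eo pid,ppid,user,lstart,args" "netstat -anp" "who -a" \
               "ls -la /tmp /var/tmp /dev/shm"; do
        set -- $cmd                        # split "binary args..." on whitespace
        bin="$1"; shift
        "$TOOLS/$bin" "$@" > "$out/$bin.txt" 2>&1
        hash_file "$out/$bin.txt" > /dev/null
    done
}

# image_device SRC DST [BS]: bit-for-bit dd image of SRC, then hash both and
# return non-zero if the image does not match. conv=noerror,sync keeps offsets
# stable past unreadable sectors but pads a short final read up to BS, so BS
# must divide the device size: 512 always does, 4M usually does not.
image_device() {
    src="$1"; dst="$2"; bs="${3:-512}"
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>>"$LOG" || return 1
    src_sum=$(hash_file "$src")
    dst_sum=$(hash_file "$dst")
    if [ "$src_sum" = "$dst_sum" ]; then ok=yes; else ok=no; fi
    record "image $src -> $dst verified=$ok"
    [ "$ok" = yes ]
}

# Order of operations on the box, as root, after the network is isolated:
#   collect_volatile /mnt/evidence/volatile
#   image_device /dev/sda /mnt/evidence/sda.img
# then power off, and do all further analysis on the image, never on the disk.
```

The custody log is the part that makes the image usable later: every artefact gets its digest recorded at the moment it is produced, and the image is only accepted when its hash equals the hash of the source device, so a padded or truncated copy is rejected rather than silently kept. A trusted static ps and netstat are enough against a userland kit of the kind the HZ warning suggests, since the kit hides things by replacing those binaries rather than by altering /proc; that is also why the captures must come from $TOOLS and not from PATH on the suspect root.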

andi.ramesh 04-21-2013 03:14 AM

Hello all,

Finally we re-installed the server from scratch as it is a commercial system. Thanks to all for your suggestions.

salasi 04-21-2013 06:20 AM

So, if you have done the same thing that you did for the first installation, you have reproduced the same vulnerabilities, no? Is that really what you wanted to do?

sundialsvcs 04-21-2013 09:42 AM

Presumably this system will be immediately re-compromised in the same way as before, if this has not happened already. These sorts of things are usually automated.

