LinuxQuestions.org


Noerr 05-24-2002 05:07 PM

I think I'm being hacked. How to proceed?

I've noticed that some files have permissions with root as UID and bin as GID, so someone has entered the computer through the wrong door.

Does anyone know what daemons start as bin? I have rh62 with apache 1.3.12, sendmail 8.11.6, wu-ftpd, qpopper4.0, ssh 2.4, bind 9.2.0 servers running. And my screen disappears every time. Does screen open any ports when active, or is it exploitable?

Thanks for any help!

unSpawn 05-24-2002 07:00 PM

I don't know what servers have bin group rights, but you can easily locate 'em by doing "find / -group bin -print". Btw, "noticing" isn't enough. Having a file integrity checker like Aide, Tripwire or the like installed (and their database on read-only media) to check for changes in files (size, permissions, inode, atime, ctime, etc.) gives you a better chance to notice stuff the objective way.

If you think that box really has been compromised, read the following: CERT Intruder Detection Checklist, CERT Steps for Recovering from a UNIX or NT System Compromise and the CERT UNIX Security Checklist v2.0.
Wouldn't hurt anyone to read it if you haven't got a compromised box.

Btw, what do you mean by "screen"?
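
A minimal baseline-and-compare checker in the spirit of the Aide/Tripwire approach described above, plus a `find / -group bin`-style lookup over the same snapshot. This is an added example, not code from the thread; the tamper scenario in `demo()` (a rewritten `bin/ls`, a mode change to `rwx------`, a new hidden `.ttyaa`) is constructed in a temp directory.

```python
import hashlib
import os
import stat
import tempfile

# Attributes an integrity checker records per file; size alone misses a
# same-length replacement, which is why the content hash is included.
FIELDS = ("mode", "uid", "gid", "size", "inode", "mtime", "ctime", "sha256")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Walk root and record FIELDS for every regular file (relative path -> record)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            db[os.path.relpath(p, root)] = {
                "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
                "size": st.st_size, "inode": st.st_ino,
                "mtime": int(st.st_mtime), "ctime": int(st.st_ctime),
                "sha256": sha256_of(p)}
    return db

def compare(baseline, current):
    """Return {path: [changed field names]}, or ['added'] / ['removed'] for new and missing files."""
    report = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report[path] = ["added"]
        elif path not in current:
            report[path] = ["removed"]
        else:
            changed = [f for f in FIELDS if baseline[path][f] != current[path][f]]
            if changed:
                report[path] = changed
    return report

def owned_by_group(db, gid):
    """Same idea as `find ROOT -group GID -print`, answered from the snapshot."""
    return sorted(p for p, rec in db.items() if rec["gid"] == gid)

def demo():
    """Constructed scenario: baseline a temp tree, tamper with it, report the diff."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    ls, ps = os.path.join(root, "bin", "ls"), os.path.join(root, "bin", "ps")
    with open(ls, "w") as f: f.write("original ls\n")
    with open(ps, "w") as f: f.write("ps\n")
    before = snapshot(root)
    with open(ls, "w") as f: f.write("trojaned ls\n")   # same size, new content
    os.chmod(ls, 0o700)                                  # rwx------ on a replaced tool
    with open(os.path.join(root, ".ttyaa"), "w") as f: f.write("x")  # new hidden file
    after = snapshot(root)
    return compare(before, after), owned_by_group(after, os.stat(ls).st_gid)
```

Store the baseline off-box (or on read-only media, as the post says); a checker whose database lives on the compromised disk can be edited along with everything else.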

Noerr 05-25-2002 01:41 AM

I'm looking through tripwire, but it's too late now.
By screen I meant the screen command (to use multiple terminals over ssh).
Thanks for the links, I'll read them.

Noerr 05-25-2002 02:18 AM

I found a strange utility .ttyaa which I think masks processes and files, but the problem is that there's nothing in the logfiles, nothing in processes, nothing in network connections.

MartBrooks 05-26-2002 08:45 AM

If you think a system has been compromised, you only ever have one option if you want to ensure the integrity of the hard disk contents: format the disk and re-install.

I noticed you said you had wu-ftpd on there. This ftp daemon has an atrocious security history. I'd almost bet money that that's how "they" got in.

Regards

Noerr 05-26-2002 01:43 PM

That's what I'm going to do anyway. I'm setting up a new server with new hardware, so I'll just replace the whole thing, but I'm really keen on finding the leak, so I don't put the new server up and get hacked again the next day.

You said wu-ftpd. I need to check, I run it on all of my servers. What do you suggest for a good, configurable ftp server?

thanks

MartBrooks 05-26-2002 01:45 PM

proftpd is probably one of the better ones, I've used it for some time.

When you say "all your servers" do you mean you have a lot?

If so, have you ever considered having an external security audit done?

Regards

Noerr 05-26-2002 02:01 PM

I have 5 of them, but two are serious, the rest are mostly for testing. I have some friends that are very good at security, but I'd rather try to solve problems myself, and if I can't do it then ask them for help, but thanks. I saw your site, we have/sell similar services.

I remember installing proftpd once and was unable to set it up as I wanted, but I'll give it another try.

Thanks for your clue!

Noerr 05-27-2002 11:24 AM

It's the t0rn v8 rootkit.

MartBrooks 05-27-2002 12:03 PM

If you're so confident about your system, why not let me audit your boxes at, say, 10ukp per security hole? :)

After all, if your boxes are secure, I won't find anything, and it won't cost you a penny :))

Regards

Noerr 05-27-2002 01:58 PM

I didn't say I'm confident of my system. Far from being confident. I just like to tackle problems on my own if I can. If I see I won't be able to solve it, then I call for help.

But thanks for your proposal. I'm looking forward to cooperating with you.

unSpawn 05-28-2002 12:35 PM

Just out of curiosity, did you save the disk's image, or at least any weird files like the ".ttyaa" you mentioned? Ran "strings" on it?

Btw, the locally exploitable version of screen in 2001(!) was updated with screen-3.9.10. For more info, look for SuSE Security Announcement (SuSE-SA:2001:030).

doris 05-28-2002 03:45 PM

I got this too?

Some programs in /bin have been modified. I could not run ls, ps, top, find, and many other programs. The permissions of these files were set to "rwx------" for user root.

I believe my system was hacked because I cannot "rm" or "chmod" these files as superuser. "rm" and "chmod" must have been modified.

My question is how this happened. My computer is behind a linksys router and the router functions as a firewall using NAT (Network Address Translation).

Doris

MartBrooks 05-28-2002 03:47 PM

It depends on what your firewall does. "firewall" is a much overused and much misunderstood term.

Regards

Noerr 05-29-2002 01:03 AM

I used chkrootkit and it suggested that I have some version of t0rn/etC, and I found most of the files which belong to t0rn v8.
I'm investigating how I got it, so I won't get my new system hacked again.
My new system is ready with a clean install, and almost no old files.
