Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I've noticed that some files have permissions with root as UID and bin as GID, so someone has entered the computer through the wrong door.
Does anyone know what daemons start as bin? I have rh62 with apache 1.3.12, sendmail 8.11.6, wu-ftpd, qpopper 4.0, ssh 2.4 and bind 9.2.0 servers running. And my screen disappears every time. Does screen open any ports when active, or is it exploitable?
I don't know what servers have bin group rights, but you can easily locate 'em by doing "find / -group bin -print". Btw, "noticing" isn't enough. Having a file integrity checker like Aide, Tripwire or the like installed (and their database on read-only media) to check for changes in files (size, permissions, inode, atime, ctime, etc.) gives you a better chance to notice stuff the objective way.
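A minimal baseline-and-compare checker in the spirit of the Aide/Tripwire suggestion above, added here as an example and not code from this thread. It records the attributes the post lists (atime excepted, because hashing a file reads it) plus a SHA-256 digest, then runs over a constructed scratch tree that mimics the kind of changes described later in the thread: a replaced "ls", "ps" set to rwx------, a deleted binary and a dropped hidden file.

```python
# Added example (not from the thread): minimal AIDE/Tripwire-style baseline and compare.
import hashlib, os, stat, tempfile
from pathlib import Path

# atime is omitted on purpose: hashing reads the file and would update it.
ATTRS = ("size", "mode", "uid", "gid", "inode", "mtime", "ctime", "sha256")

def snapshot(root):
    """Record the listed attributes of every regular file below root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed here
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            db[os.path.relpath(p, root)] = {
                "size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                "gid": st.st_gid, "inode": st.st_ino, "mtime": st.st_mtime_ns,
                "ctime": st.st_ctime_ns, "sha256": digest}
    return db

def compare(baseline, current):
    """Map each path to "added", "removed" or the list of attributes that changed."""
    report = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report[path] = "added"
        elif path not in current:
            report[path] = "removed"
        else:
            changed = [a for a in ATTRS if baseline[path][a] != current[path][a]]
            if changed:
                report[path] = changed
    return report

def demo():
    """Constructed scenario: ls replaced, ps set to rwx------, top removed, .ttyaa dropped."""
    root = Path(tempfile.mkdtemp())
    for name in ("ls", "ps", "top"):
        (root / name).write_bytes(b"original " + name.encode() + b"\n")
    baseline = snapshot(root)  # in real use, store this on read-only media
    (root / "ls").write_bytes(b"trojaned ls\n")  # same size, different content
    (root / "ps").chmod(0o700)
    (root / "top").unlink()
    (root / ".ttyaa").write_bytes(b"")
    return compare(baseline, snapshot(root))
```

The replaced "ls" keeps its size, so only the digest (and ctime/mtime) gives it away; that is why a hash belongs in the baseline alongside the stat fields.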
I'm looking through tripwire, but it's too late now.
By screen I meant the screen command (to use multiple terminals over ssh).
Thanks for the links, I'll read them.
I found a strange utility .ttyaa which I think masks processes and files, but the problem is that there is nothing in the logfiles, nothing in the processes, nothing in the network connections.
If you think a system has been compromised, you only ever have one option if you want to ensure the integrity of the hard disk contents: format the disk and re-install.
I noticed you said you had wu-ftpd on there. This ftp daemon has an atrocious security history. I'd almost bet money that that's how "they" got in.
That's what I'm going to do anyway. I'm setting up a new server with new hardware, so I'll just replace the whole thing, but I'm really keen on finding the leak, so I don't put the new server up and get hacked again the next day.
You said wu-ftpd. I need to check; I run it on all of my servers. What do you suggest for a good, configurable ftp server?
I have 5 of them, but two are serious; the rest are mostly for testing. I have some friends that are very good at security, but I'd rather try to solve problems myself, and if I can't do it then ask them for help, but thanks. I saw your site; we have/sell similar services.
I remember installing proftpd once and being unable to set it up as I wanted, but I'll give it another try.
I didn't say I'm confident of my system. Far from being confident. I just like to tackle problems on my own if I can. If I see I won't be able to solve it, then I call for help.
But thanks for your proposal. I'm looking forward to cooperating with you.
Just out of curiosity, did you save the disk's image, or at least any weird files like the ".ttyaa" you mentioned? Ran "strings" on it?
Btw, a locally exploitable version of screen in 2001(!) was updated with screen-3.9.10. For more info, look for SuSE Security Announcement (SuSE-SA:2001:030).
Some programs in /bin have been modified. I could not run ls, ps, top, find, and many other programs. The permissions of these files were set to "rwx------" for user root.
I believe my system was hacked because I cannot "rm" or "chmod" these files as superuser. "rm" and "chmod" must have been modified.
My question is how this happened. My computer is behind a linksys router and the router functions as a firewall using NAT (Network Address Translation).
I used chkrootkit, and it suggested that I have some version of t0rn/etC, and I found most of the files which belong to t0rn v8.
I'm investigating how I got it, so I won't get my new system hacked again.
My new system is ready with a clean install and almost no old files.