LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-13-2005, 05:42 PM   #1
tvn
Member
 
Registered: Mar 2004
Posts: 96

Rep: Reputation: 15
Machine compromised, now have ports opened


Hi all, several of my home machines (all run Fedora Core 3) have been hacked and I want to know what to do to get rid of all the malicious things left behind. I believe it is because one of the users has a weak password and the hacker entered that account, then ran a bunch of ssh port scans and probably many other things. I have disabled that user account, killed all his processes, changed the root password and run chkrootkit on the machine, and it reports some problems still around. The machine is now offline.

Basically I need your guidance in recovering from this without a complete reinstall. Thanks in advance.


... snippet of the report from chkrootkit:

Checking `bindshell'... INFECTED (PORTS: 4000)
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3460 tty4 /sbin/mingetty tty4
! root 3462 tty5 /sbin/mingetty tty5
! root 3464 tty6 /sbin/mingetty tty6
chkutmp: nothing deleted
 
Old 09-13-2005, 09:47 PM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 420
Quote:
Basically I need your guidance in recovering from this without a complete reinstall. Thanks in advance.
The truth is that you need to do a complete re-install. Unless you've been running something like Tripwire or AIDE, you can't tell what has been changed and what hasn't. So if you don't wipe the drive and re-install from trusted sources, you run a significant risk of continuing to run a cracked machine. The best you can do at this point is to copy DATA files only (nothing executable) off the machine and then wipe the drive. None of the executables on that box are trustworthy and it isn't worth the time to try and save them.
 
Old 09-17-2005, 03:19 PM   #3
teckk
Senior Member
 
Registered: Oct 2004
Distribution: FreeBSD Arch
Posts: 2,425

Rep: Reputation: 574
My 2 cents. I would do a
Code:
dd if=/dev/zero of=/dev/hda bs=1M
To zero the whole drive and then re-install. You will have wiped the MBR, everything.
 
Old 09-20-2005, 01:51 PM   #4
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
If a reinstall is not an option, I would reinstall most system packages, so that any trojanized binaries are overwritten. Then with a clean netstat and ps and so on, I would rebuild the kernel from scratch in case the kernel image was patched. Finally I would check with netstat -ap to see which ports are open and which processes opened those ports.

But I would wipe the system and do a clean install as soon as I had the time, preferably with a more recent copy of FC like FC4 if you like FC.
 
Old 09-21-2005, 04:04 AM   #5
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
Run "rpm -Va", which checks everything against its database of hashes.
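As an added example (not code from the thread), here is a small sh helper that triages the output of the "rpm -Va" check suggested above, pulling out the non-config files whose digest no longer matches the package database, which is the kind of trojanized binary Krugger's post refers to. The sample lines it runs against are constructed for the demonstration, not real output from the compromised box.

```shell
#!/bin/sh
# Triage "rpm -Va" output: list non-config files whose digest differs from
# the rpm database. Column layout of each rpm -Va line: an attribute string
# (S=size, M=mode, 5=digest, D=device, L=readlink, U=user, G=group, T=mtime),
# an optional type flag (c=config, d=doc, ...), then the path.
# Lines starting with "missing" report absent files and are skipped here.

# Reads rpm -Va output on stdin, prints one flagged path per line.
flag_modified_binaries() {
    awk '
        $1 == "missing" { next }            # absent files are a separate concern
        index($1, "5") > 0 && $2 != "c" {   # digest mismatch on a non-config file
            print $NF
        }
    '
}

# Constructed sample of rpm -Va output for demonstration only (not real data).
SAMPLE='S.5....T.   /bin/ls
.......T.   /usr/bin/who
S.5....T. c /etc/ssh/sshd_config
missing     /usr/share/doc/foo/README
SM5....T.   /sbin/ifconfig
.M.....T.   /usr/bin/top'

# Number of flagged files in the constructed sample (expected: 2).
count_modified_binaries() {
    printf '%s\n' "$SAMPLE" | flag_modified_binaries | wc -l | tr -d ' '
}

# On a real system: rpm -Va 2>/dev/null | flag_modified_binaries
```

The check only reports what the rpm binary and its database on that box say, so if either was replaced by the intruder it proves nothing, which is the point Hangdog42 makes about reinstalling from trusted sources.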