LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-24-2004, 02:21 AM   #1
sax8er
LQ Newbie
 
Registered: Dec 2004
Posts: 1

Rep: Reputation: 0
My server got broken into and all admin access has been changed (passwd, etc.). HELP needed!


Today I realised that someone unauthorized got on my server and, by means of "F****ing" with my job/head, changed the root passwd and disabled/changed all of my user account settings. I really need help, because this is a server of a primary school institution, and I don't want anything to go bad more than it already has!
I have Fedora 2 on the machine, and I suspect that the attacker came through SSH.
I should close down sshd in my fw, but I really would like to know who the attacker is, and where the attack has been made from, so I can get "physical" on him. Need some advice on how to be a successful detective in this case??

thanx
sax
 
Old 12-24-2004, 07:53 AM   #2
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 78
First of all...unplug this box from the network. It has been rooted, and therefore you can no longer trust *any* program on it. The logs/dmesg output et al may be doctored. You can no longer trust the files on this box. Your best bet if you want legal recourse down the road is to make an exact copy of the HDD onto another one...and leave it untouched. Do not go messing around wantonly. Next, either boot up the box with a forensics livecd, or put the HDD in a trusted computer and mount it.

Check out the forensics section in Unspawn's excellent security references:
http://www.linuxquestions.org/questi...threadid=45261
for specifics on the forensic investigation.

You will have to perform a fresh install with different passwds, both root and user. Any passwds/sensitive data etc. on the box at the time of the attack should be considered compromised.

Quote:
but I really would like to know who the attacker is, and where the attack has been made from, so I can get "physical" on him
Although it is a natural instinct to want to kick this guy's ass...remember that you are a professional (I hope) and that is not the way to deal with this.
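As an added example (not code from the thread), here is a small POSIX sh script for the two steps bulliver describes: copy the disk sector by sector onto a second drive, record the hashes of source and image in a custody log, and mount the image read-only on the trusted machine. Function names and paths are my own; it assumes GNU dd and sha256sum, and an ext3/ext4 filesystem for the noload mount option.

```shell
#!/bin/sh
# Added example: image a rooted box's disk and mount the copy safely.
# Assumes GNU coreutils (dd status=none, sha256sum); run as root for
# real block devices. Function names are hypothetical, not a standard tool.
set -eu

# image_disk SRC DEST LOG
#   SRC  : block device pulled from the compromised machine (e.g. /dev/sdb),
#          or a file when testing
#   DEST : path for the raw image on the trusted machine
#   LOG  : chain-of-custody log; hashes of source and image are appended
# Returns 0 only when the image hashes identically to the source.
image_disk() {
    src=$1; dest=$2; log=$3
    # bs=512 (the sector size) so conv=sync only pads sectors that really
    # failed to read; noerror keeps going past bad sectors so offsets in
    # the image still line up with the original disk. On a healthy disk
    # the hashes match; a mismatch on a dying disk is expected and both
    # hashes stay in the log.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync status=none
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    printf '%s imaged %s -> %s\n  source sha256 %s\n  image  sha256 %s\n' \
        "$(date -u +%Y-%m-%dT%H:%MZ)" "$src" "$dest" "$src_hash" "$img_hash" \
        >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# mount_image IMG MNT
#   Mount the image on a loop device. ro plus noload (ext3/ext4) prevent
#   journal replay from altering the evidence; noexec/nodev/nosuid stop
#   anything the attacker left on that filesystem from running or being
#   honoured on the analysis host.
mount_image() {
    img=$1; mnt=$2
    mkdir -p "$mnt"
    mount -o ro,loop,noexec,nodev,nosuid,noload "$img" "$mnt"
}
```

Analyse only the mounted image; the original drive stays untouched as bulliver says.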
 
Old 12-26-2004, 10:48 PM   #3
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
I would also look at configuring your firewall to block ssh and telnet (port 23); these are usually the ports most often used in an attack, unless there is a specific reason you need to allow those ports to be open. And even if there is, can you get by with local connections only and disable remote connections?

Tracing the cracker will be almost impossible; the IP address you find will most likely be from another compromised computer.
 