LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-11-2007, 02:59 AM   #1
fenrire
LQ Newbie
 
Registered: Apr 2007
Posts: 3

Rep: Reputation: 0
my system has been hacked, please advise ?


hi,
my system have been hacked , i already try few command like :
last -> didn't find any ip address others than me

/var/log/messages -> didn't find any ip address that successfull log in others than me

i've tried rkhunter, but didn't found any rootkit in my system

i've tried history -> didn't find any suspicious command

i've tried to cat /etc/passwd -> didn't find any suspicious user


my only trace that my system hv been hacked is in binary sql log, that generated from mysqlbinlog :
# at 22572431
65 #070411 12:02:22 server id 1 log_pos 22572431 Query thread_id=3239 exec_time=0 error_code=0
66 SET TIMESTAMP=1176292942;
insert into user (userid,username,userpassword,usertype) values ('admin','admin','admin','pusat1');
68 # at 22572574
69 #070411 12:02:22 server id 1 log_pos 22572574 Query thread_id=3239 exec_time=0 error_code=0
70 SET TIMESTAMP=1176292942;
71 delete from embassy;


he inserted admin user, and deleted my table
currently i'm using slackware 10.1 and mysql 4.1

please advise ?

thanks
 
Old 04-11-2007, 03:24 AM   #2
rednuht
Member
 
Registered: Aug 2005
Posts: 239
Blog Entries: 1

Rep: Reputation: 31
you have two routes to take.
1: you have been hacked and ANYTHING that was accessable from that machine is now to be considered compromised.
Disconnect from the network and only use live CDs to access the machine as the kernel may have been replaced so that ANY command would see eveything as normal, hiding any activity extra users etc.
Your only option in this case is to format and restore from know good back up.
2: your mySQL service has been hacked and the cracker has only managed to attack your database and has not been able to escape into the machine at large.
Why are you running a mySQL server available to the internet?
can you lock it down?
is there a web interface that gave the attacker access to the mySQL server via the internet ?
if so can it be upgraded?
If you are a home user and you do not make regular backups then number two might be the only way to go.
There is also a number 3, install tripwire intrusion detection and see if the cracker comes back.
 
Old 04-11-2007, 03:45 AM   #3
fenrire
LQ Newbie
 
Registered: Apr 2007
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by rednuht
you have two routes to take.
1: you have been hacked and ANYTHING that was accessable from that machine is now to be considered compromised.
Disconnect from the network and only use live CDs to access the machine as the kernel may have been replaced so that ANY command would see eveything as normal, hiding any activity extra users etc.
Your only option in this case is to format and restore from know good back up.
2: your mySQL service has been hacked and the cracker has only managed to attack your database and has not been able to escape into the machine at large.
Why are you running a mySQL server available to the internet?
can you lock it down?
is there a web interface that gave the attacker access to the mySQL server via the internet ?
if so can it be upgraded?
If you are a home user and you do not make regular backups then number two might be the only way to go.
There is also a number 3, install tripwire intrusion detection and see if the cracker comes back.

well, i can't disconnect it to network because it's serves 24 hours to my client. and beside that it would be useless if i installing from beginning without knowing what the root cause my system hv been compromised? i'm affraid it's happening again...

no my mysql it's running on skip_networking mode, so the only possibility he was accessing locally thru shell, i didn't hv phpmyadmin or something like that installed.

but if he accessing thru shell, why i can't see he's logged to my system on that time, thru the log that i checked before.

what my question are :
1. how can he got into my mysql shell ? thru shell or is there something i didn't know ?
2. is there log that i missed, so i can check what's ip or how my system can be compromised ?
3. is there any handy tool, that can help me protect / logging my security ?

thanks for the reply.
 
Old 04-11-2007, 04:27 AM   #4
rednuht
Member
 
Registered: Aug 2005
Posts: 239
Blog Entries: 1

Rep: Reputation: 31
Quote:
what my question are :
1. how can he got into my mysql shell ? thru shell or is there something i didn't know ?
2. is there log that i missed, so i can check what's ip or how my system can be compromised ?
3. is there any handy tool, that can help me protect / logging my security ?
1. I do not know enough about mySQL to answer this my experience is compromised windows machines.
2. If the attacker gained root access then any log file could have been sanitized of their presents, there is a real danger that core components of your OS have been replaced i.e. the kernel, this means any attempt to detect the attackers presents could be masked, he/she could by attached right now and who/top rootkit hunter etc would never know.
3. Tripwire will allow you to monitor what is going on but unless you start from scratch number two my thwort your attempts.

If you have the time, create a backup of the hard drive with
Code:
dd if=/dev/hda of=/mnt/usb/hda.compromised
and then load it into a virtual machine and play about a bit more.
 
Old 04-14-2007, 12:38 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I'd vote for taking stock of everything that even remotely looks like system, login and daemon logs (also don't forget logs from adjacent fw/router if any) before going nuclear. Since you set skip_networking mode this means whatever is serving up data is on the same box and I'm sure its logs should show anomalies. Best would be to copy the logs off the box and work on a separate, secured, "known good" workstation. See if you get for instance remote probing, vulnerability "testing" or logins. If you rotate logs try to go back as far as you can, it's not said the table drop came right after the initial probing and compromise. Before you do better first read Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html if you need some guidelines on what logs and such to look at and maybe check this forum for past incidents and how we handled them to get the feel.

Post as much info as you can (if its too much data just post a temporary URI to a tarball of logs we can grab). One thing you should execute alongside your logsearch is verifying everything on the box. If you deployed something like Aide or Samhain this is the time to use it, else if you only got a package manager that can do package content verification then use that.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Cent OS 3.x Random System Failure, very odd please advise teryglenn1 Linux - General 6 12-01-2006 10:03 AM
sound not working,here is some info regarding system,please advise c0ldshadow *BSD 0 11-16-2004 06:01 PM
RH 8.0 system hacked sandalblady Linux - Security 4 07-03-2004 02:59 PM
Advise on Mail System rgerhards Linux - Newbie 1 01-02-2004 08:21 AM
Linux System being hacked saravanan1979 Linux - Networking 5 06-13-2002 06:59 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:38 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration