LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-09-2008, 02:37 PM   #1
rcrosoer
Member
 
Registered: Oct 2005
Distribution: SuSe
Posts: 41

Rep: Reputation: 15
My web server has been hacked. SU password has been disabled


I am running Suse 8 and Xampp (latest version). The security features all have new passwords, the firewall is up. When I went to log into my webserver I discovered a user account "Dodu". I could not delete it as it said Dodu was still connected. I rebooted and deleted the account, but then I discovered that when I used the SU command no password was requested and I was allowed straight into SU mode.

So far I can't find any evidence of damage but...

This machine is on the office network so he could have found his way to the wider network.

Are there any logs to tell me what might have been done?
Has anybody encountered Dodu?
What should I do next?

ANY advice gratefully received!

Latest: just found file Dora.tar in the root directory. I guess it's not friendly but what does it do?

Last edited by rcrosoer; 06-10-2008 at 01:55 AM. Reason: more info
 
Old 06-09-2008, 03:03 PM   #2
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 256
Well first action is always, unplug this machine from any network.

Second action, get yourself chkrootkit to verify the system.

Thirdly, can you really trust this machine again? Probably not. If you need data from it, copy it off, but be wary of what you copy; verify it's not been affected either. Usually cases like this resort to wiping and reinstalling, once you've found how they got in, to protect yourself in the future.

And in the future, don't allow remote root logins, make sure users have strong passwords and regularly make them change them every 30-90 days, disable accounts not needed, install tripwire or other similar functionality to help prevent future attacks, etc. And use sudo instead of just su'ing as root.
 
Old 06-09-2008, 03:10 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by rcrosoer
I am running Suse 8...
Also, I'm not familiar with Novell's release/support cycles, but be sure you're running a supported (regular security updates) OS.
 
Old 06-09-2008, 06:44 PM   #4
Renan_S2
Member
 
Registered: Jul 2007
Location: Santa Maria, Brazil
Distribution: Arch Linux
Posts: 66

Rep: Reputation: 16
I once had a box hacked and decided that it would be better to backup whatever I needed and just reinstall it.

And next time, use a more updated distro instead of SUSE 8.0...
 
Old 06-11-2008, 06:13 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
Quote:
Originally Posted by rcrosoer View Post
I am running Suse 8 and Xampp (latest version). the security features all have new passwords, the firewall is up. When I went to log into my webserver I discovered a user account "Dodu" I could not delete it as it said Dodu was still connected. I rebooted and deleted the account but then I discovered that when I used the SU command no password was requested and I was allowed straight into SU mode.
Apart from the remarks about the validity of running an old version of your distribution, and realising that you may not have been that proficient at securing the machine (wrt your XAMPP thread of last year, if relevant), the first thing would actually be to do nothing. Reflexes can save critical things, but rebooting also destroys vital information like process and network details if they are not logged elsewhere (machine, syslog server, router), and deleting items should only be done when a backup is made. Reading up on what's important and steps to take now may save you trouble later on. The fact that this compromised machine was part of an office network makes things more critical, and your actions depend on where the machine is in the topology (DMZ or not?): sealing off subnets other machines are on should be the first option, else if everything is in the same subnet then severing the network connection is your only option, yes. The first thing to read would be the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html because it shows you where you can find what information, and you best run those checks booting a Live CD like HELIX or KNOPPIX. The second step would be to alert anyone using machines in those subnets and investigate each for possible breaches. Do not restore a backup of the machine unless you have independent and authoritative means of verifying the backup is "clean" in every way and uncompromised, and when you do you must keep the machine off the network until you have fixed the vulnerability that let the intruder in. This requires investigation, which *is* necessary since the intruder rootkitted the machine. Before continuing it would be best if you post the steps you took after posting your OP.
 
Old 06-11-2008, 07:46 AM   #6
rcrosoer
Member
 
Registered: Oct 2005
Distribution: SuSe
Posts: 41

Original Poster
Rep: Reputation: 15
I have taken the machine off-line and replaced it with a clean machine running SuSE 10.2 and Apache 2 (all the XAMPP has been dumped). Only HTTP is enabled in the firewall and the machine is in the external zone (I don't understand enough about DMZ yet). The machine is behind a router using port forwarding and NAT.

I have run virus and spyware checkers on all the office machines (XP) and checked my bank accounts!

chkrootkit revealed no infection on the file server but I could not get it to run on the hacked machine.

I found another alien file, psy.tar. There was also a suspicious user with root privileges called grigo. The infected machine has been switched off and, apart from deleting the Dodu user account, is unaltered. If you want some info from it please let me know.

The reason I was running SuSE 8 was that the infected machine was an old P150 box that uses less power than a P4; it didn't have enough RAM to run V10.2 with a GUI (being green is not always the best policy).
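Two of the findings in this post, an extra account with root privileges and su letting you in without a password, can be checked offline against copies of /etc/passwd and /etc/shadow taken from the suspect disk while booted from a Live CD. The script below is an added example, not from the thread or any of its posters; the file contents are constructed for the demonstration (the name "grigo" is the one reported above, the hashes are placeholders).

```python
"""Offline audit of copied /etc/passwd and /etc/shadow files for two signs of
tampering: accounts other than root with UID 0, and accounts that can be
entered without a password. Added example; sample data is constructed."""

# Constructed /etc/passwd copy. 'grigo' has UID 0, i.e. full root privileges.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
rcrosoer:x:1000:100:Site admin:/home/rcrosoer:/bin/bash
grigo:x:0:0::/home/grigo:/bin/bash
"""

# Constructed /etc/shadow copy. An empty second field means no password is asked for.
SAMPLE_SHADOW = """\
root:$1$placeholderhash:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
wwwrun:*:14000:0:99999:7:::
rcrosoer:$1$placeholderhash2:14000:0:99999:7:::
grigo::14000:0:99999:7:::
"""


def parse_colon_file(text):
    """Split a passwd/shadow style file into field lists, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rows.append(line.split(":"))
    return rows


def find_uid0_accounts(passwd_text):
    """Every account whose UID is 0; only 'root' is expected."""
    return [r[0] for r in parse_colon_file(passwd_text) if len(r) >= 3 and r[2] == "0"]


def find_passwordless_accounts(passwd_text, shadow_text):
    """Accounts with an interactive shell and an empty password field in passwd
    or shadow ('x' in passwd means 'look in shadow')."""
    shadow = {r[0]: r[1] for r in parse_colon_file(shadow_text) if len(r) >= 2}
    hits = []
    for r in parse_colon_file(passwd_text):
        if len(r) < 7:
            continue
        name, pw, shell = r[0], r[1], r[6]
        if shell.endswith(("false", "nologin")):
            continue
        if pw == "" or (pw == "x" and shadow.get(name, "*") == ""):
            hits.append(name)
    return hits


def audit(passwd_text, shadow_text):
    """Human-readable findings, in the order they were detected."""
    findings = []
    for name in find_uid0_accounts(passwd_text):
        if name != "root":
            findings.append(f"extra UID 0 account: {name}")
    for name in find_passwordless_accounts(passwd_text, shadow_text):
        findings.append(f"no password required: {name}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

An empty password field is only one explanation for su accepting no password; the su binary and /etc/pam.d/su on the suspect disk should also be compared against the package they came from, which is what the rpm verification suggested later in this thread does.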
 
Old 06-11-2008, 08:58 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
Good work. Names are just names, but by name anything "psy" should point to PsyBNC, so that partially shows the perps' MO (their reliance on IRC). I would like to have a content listing of the Dora.tar; maybe you could post the output of running 'tar -tf Dora.tar 2>&1'? If you still have all logs and auth databases, and files hopefully not tainted by you, then running (from a Live CD!) 'rpm -qVa 2>&1 > logfile' and grepping for MD5 warnings should show at approximately what time the binaries were changed. Another way would be to look through the system and daemon logs for anything "odd". With a fix on the approximate time of entry you can guesstimate what time they had to "change things" (well, OK, *if* they did), or in other words what chances you have looking for clues.

Last edited by unSpawn; 06-11-2008 at 06:09 PM. Reason: I R engrish bad user, bad.
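The two checks asked for in this post, listing the unknown tarball without unpacking it and picking the digest mismatches out of the rpm verification output, as an added example that is not part of the thread or its posters' own work. The archive and the 'rpm -Va' lines below are constructed stand-ins (not Dora.tar or psy.tar); on a real case the tarball bytes and the rpm output would come from the suspect disk, read from a Live CD.

```python
"""Triage helpers: inspect a tarball without extracting it, and find package
files whose digest no longer matches. Added example; all inputs are constructed."""
import io
import stat
import tarfile


def build_sample_tar():
    """Constructed stand-in for a dropped archive (not the thread's Dora.tar or psy.tar)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, mode, payload in [
            ("psybnc/psybnc.conf", 0o644, b"placeholder config\n"),
            ("psybnc/psybnc", 0o4755, b"\x7fELF placeholder"),       # setuid bit set
            ("/etc/ld.so.preload", 0o644, b"/lib/placeholder.so\n"),  # absolute path
            ("../.bash_history", 0o644, b""),                          # escapes the unpack dir
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def audit_tar(data):
    """List members (like 'tar -tf') without extracting anything, flagging absolute
    paths, '..' traversal, setuid/setgid bits and executables. Returns [(name, reasons)]."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf.getmembers():
            reasons = []
            if m.name.startswith("/"):
                reasons.append("absolute path")
            if ".." in m.name.split("/"):
                reasons.append("path traversal")
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                reasons.append("setuid/setgid")
            elif m.isfile() and m.mode & stat.S_IXUSR:
                reasons.append("executable")
            if reasons:
                findings.append((m.name, reasons))
    return findings


# Constructed 'rpm -Va' output. Flag positions: S size, M mode, 5 digest (MD5 in
# rpm of that era), D device, L link, U user, G group, T mtime; '.' means the test
# passed. An optional one-letter type marker ('c' = config file) precedes the path.
SAMPLE_RPM_VERIFY = """\
S.5....T    /bin/ps
S.5....T    /bin/netstat
.......T  c /etc/pam.d/su
S.5....T    /usr/bin/top
missing     /usr/sbin/sshd
.M......    /var/tmp
"""


def parse_rpm_verify(text):
    """Return [(path, flags)] per verify line; missing files carry the flags 'missing'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            rows.append((parts[-1], parts[0]))
    return rows


def digest_mismatches(text):
    """Paths whose digest no longer matches the package ('5' in the third flag
    position), plus files the package says should exist but are gone."""
    return [p for p, f in parse_rpm_verify(text)
            if f == "missing" or (len(f) >= 3 and f[2] == "5")]


# Constructed mtimes (epoch seconds); in real use: os.stat(path).st_mtime on the mounted disk.
SAMPLE_MTIMES = {"/bin/ps": 1212000000, "/bin/netstat": 1212000060, "/usr/bin/top": 1212000120}


def change_window(paths, mtimes):
    """Earliest and latest mtime among the flagged paths, a hint for when the
    binaries were replaced. mtime is easy to forge, so corroborate it with the logs."""
    ts = sorted(mtimes[p] for p in paths if p in mtimes)
    return (ts[0], ts[-1]) if ts else None


if __name__ == "__main__":
    for name, why in audit_tar(build_sample_tar()):
        print(name, ", ".join(why))
    bad = digest_mismatches(SAMPLE_RPM_VERIFY)
    print(bad, change_window(bad, SAMPLE_MTIMES))
```

Listing through tarfile's member table never writes anything to disk, which is the point: an archive with absolute or '..' members would otherwise overwrite files on the analysis system when unpacked. The rpm verify parser accepts both the eight-column flag string of older rpm and the nine-column one of newer releases, since only the third column matters here.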
 
Old 06-11-2008, 03:48 PM   #8
rcrosoer
Member
 
Registered: Oct 2005
Distribution: SuSe
Posts: 41

Original Poster
Rep: Reputation: 15
Another bit of information. My ISP reported unusual activity on port 20 a few weeks ago. When I looked at the machine the network activity light was going full tilt. I rebooted and nothing more was heard. The general consensus from the ISP support people was that they had given up and gone on to more interesting targets.

I'll try to find time to look at those logs etc. tomorrow, but I really have to do some real work or I shan't need a server and a network!

Thanks for your help; it's good to know I'm not on my own.
 
Old 06-11-2008, 08:33 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
NP, just post when you want to share results.
 
Old 06-12-2008, 04:57 AM   #10
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
"Only HTTP is enabled in the firewall and the machine is in the external zone."

"Port 20"

Looks like they played with ftp data source port 20. Firewall/Router/NAT misconfiguration?
 
Old 06-27-2008, 02:24 AM   #11
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Quote:
Originally Posted by nx5000 View Post
"Only HTTP is enabled in the firewall and the machine is in the external zone."

"Port 20"

Looks like they played with ftp data source port 20. Firewall/Router/NAT misconfiguration?
or someone was FTPing data off the box at an alarming rate using Active-mode FTP...
 
Old 06-27-2008, 02:18 PM   #12
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Rep: Reputation: 30
Good job, it sounds like you have things under control.

Quote:
Originally Posted by rcrosoer View Post
The reason I was running SuSE 8 was that the infected machine was an old P150 box that uses less power than a P4; it didn't have enough RAM to run V10.2 with a GUI (being green is not always the best policy).
Just so you know, most experienced Linux admins don't install GUIs on servers, especially ones that have limited resources. At a minimum, make sure you disable the GUI from starting at boot, to save precious RAM.

Another reason not to install a GUI is updates. Every time you run the update, it will not only update your server, but the GUI stuff as well, which is a waste of update time, not to mention disk space.
 