pacpac has hacked my server. Help!
I have a RH 7.1 webserver and I am unable to log in as root.
I checked the /etc/passwd file and found a mysterious user, pacpac. I have disconnected the server from the network. How can I get root back? Or what should I do? Thanks
Easy Work.
Hi there, if he compromised your security, do not delete any of the system and do not re-install everything before you have found the precise hole he used, and report it where you can (especially to the owner(s) of the software). You should also retrace the malicious user, because he knows well what comes, goes, and comes back. IF he deleted all the logs, no worries: put the system back up as it is, compromised, but stay on it 100% of the day and night tailing all the logs and running tcpdump (or sniffit -i).
Now, to get your password back: I've installed a late version of Red Hat (errata, I think) and it came with GRUB (I had the choice); hopefully you'll have LILO running. Unplug your box, or reboot it using the Magic SysRq keys (kernel hacking must be enabled) and shut down your system. At boot-up you get LILO; press Tab / Caps or whatever to get the lilo: prompt and type "linux init=/bin/sh rw" (I think; otherwise you must look it up on Google). When you succeed, simply run passwd and change the root password. You should also install AIDE, Bastille, and all other defence and intrusion-detection software.
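A check for what the OP found, as an added example rather than anything posted in the thread: it compares the live /etc/passwd against a known-good copy and reports extra UID-0 accounts, names that were not there before, and accounts that have a login shell but should not (the "no shell account for mail-only users" point made further down the thread). The two passwd files below are constructed for the demo; a real run would use a pre-incident backup of /etc/passwd as the baseline.

```shell
#!/bin/sh
# Added example, not from the thread: audit a passwd file for the kind of
# surprise the original poster found. audit_passwd prints one line per finding:
#   UID0  <user>          second UID-0 account besides root (classic backdoor)
#   NEW   <user>          account absent from a known-good copy of the file
#   SHELL <user> <shell>  account with a usable login shell that is not on the
#                         list of people who should ever log in
# Usage: audit_passwd CURRENT_PASSWD BASELINE_PASSWD [comma,separated,humans]

audit_passwd() {
    current=$1
    baseline=$2
    humans=${3:-root}

    # UID is field 3, name is field 1.
    awk -F: '$3 == 0 && $1 != "root" { print "UID0 " $1 }' "$current"

    # Names present now but missing from the baseline. The baseline is read
    # first (NR == FNR), so it must be non-empty for this trick to work.
    awk -F: 'NR == FNR { base[$1] = 1; next }
             !($1 in base) { print "NEW " $1 }' "$baseline" "$current"

    # Field 7 is the shell. An empty field means /bin/sh to login(1), so it
    # counts as a login shell too; only nologin/false are treated as locked.
    awk -F: -v humans="$humans" '
        BEGIN { n = split(humans, h, ","); for (i = 1; i <= n; i++) ok[h[i]] = 1 }
        $7 !~ /(nologin|false)$/ && !($1 in ok) { print "SHELL " $1 " " $7 }' "$current"
}

# Constructed sample files standing in for a pre-incident copy and the live one.
write_sample_passwd() {
    cat > "$1/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/bin/false
joe:x:500:500:Joe Admin:/home/joe:/bin/bash
EOF
    cat > "$1/passwd.current" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/bin/false
joe:x:500:500:Joe Admin:/home/joe:/bin/bash
pacpac:x:0:0::/tmp/.x:/bin/bash
mailonly:x:501:501:Mail user:/home/mailonly:/bin/bash
EOF
}

# Demo run against the constructed files. Expected findings:
#   UID0 pacpac, NEW pacpac, NEW mailonly, SHELL pacpac /bin/bash, SHELL mailonly /bin/bash
tmp=$(mktemp -d)
write_sample_passwd "$tmp"
audit_passwd "$tmp/passwd.current" "$tmp/passwd.baseline" root,joe
rm -rf "$tmp"
```

Run it with the real files as `audit_passwd /etc/passwd /path/to/backup/passwd root,joe`. Treat a clean report as necessary, not sufficient: an intruder who has root can also edit the baseline if it lives on the same box, so keep the known-good copy elsewhere.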
Re: Easy Work.
I am going to re-install with RH 7.2 and start using iptables and Tripwire.
I'm also going to try and send some of the log files to my other box. Thanks for all the help.
If you are remote logging, you may want to look into hacking syslog to read the syslog.conf file from somewhere else, then place the normal conf file there. That way the hacker doesn't know that you are remote logging and may not look for them.
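The sending side of the remote logging the OP plans above, as an added example that is not from the thread: a small function that adds a catch-all `*.*  @loghost` entry to a sysklogd-style syslog.conf, refuses malformed host names, and does nothing if an equivalent entry already exists, so it can be re-run safely. "loghost" is a placeholder for the other box, which on Red Hat needs `SYSLOGD_OPTIONS="-r"` in /etc/sysconfig/syslog so syslogd accepts remote messages on UDP/514. The sample syslog.conf is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: turn on remote logging in a sysklogd-style
# syslog.conf without duplicating the entry if it is already there. Sending side
# only; the receiving box ("loghost", a placeholder) must run syslogd with -r
# (SYSLOGD_OPTIONS="-r" in /etc/sysconfig/syslog on Red Hat) and accept UDP/514
# from this server. Returns 0 when a line was added, 2 when an equivalent line
# already existed, 1 on bad input.

enable_remote_syslog() {
    conf=$1
    loghost=$2
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # Host names and dotted quads only; anything else is a typo or an injection.
    echo "$loghost" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]*$' || {
        echo "bad loghost: $loghost" >&2; return 1; }
    # An uncommented rule whose action is @loghost means it is already set up.
    # (Dots in the host name match any character here; that only over-matches.)
    if grep -Eq "^[^#].*[[:space:]]@$loghost([[:space:]]|\$)" "$conf"; then
        return 2
    fi
    printf '\n# Copy everything to the log host as well; an intruder who cleans\n# the local files does not get this copy.\n*.*\t@%s\n' "$loghost" >> "$conf"
}

# Demo on a constructed syslog.conf (two typical Red Hat rules).
tmp=$(mktemp -d)
printf '*.info;mail.none;authpriv.none\t/var/log/messages\nauthpriv.*\t/var/log/secure\n' > "$tmp/syslog.conf"
enable_remote_syslog "$tmp/syslog.conf" loghost && echo "added remote target"
enable_remote_syslog "$tmp/syslog.conf" loghost || echo "second call: nothing to do (rc=$?)"
cat "$tmp/syslog.conf"
rm -rf "$tmp"
```

After editing the real file, restart syslogd (`service syslog restart` on Red Hat) and confirm a test message arrives on the other box with `logger -t test "remote logging check"`.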
When you use remote login, I'd configure it to allow access only from certain IPs. If possible, do this.
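The "only from certain IPs" advice above, worked through as an added example (not code from anyone in the thread): three independent layers that each confine SSH to one fixed admin address on a RH 7.2 box, printed for review rather than applied, plus a check for the sshd_config settings that would undo them. 192.0.2.10, the user name "admin" and the sample config file are placeholders; the weak and good configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: restrict SSH to one fixed admin address.
# Three independent layers are shown, each as text to review rather than a
# live change, so the block is safe to run anywhere:
#   1. iptables (RH 7.2 ships iptables): accept TCP/22 only from the admin IP
#   2. sshd_config: AllowUsers with a user@host pattern, and no direct root login
#   3. TCP wrappers (Red Hat's sshd is built with libwrap): hosts.allow / hosts.deny
# check_sshd_config flags the settings a default install may still carry.
# The IP, the admin user name and the sample configs are placeholders.

valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

ssh_iptables_rules() {
    ip=$1
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    # Order matters: the specific ACCEPT must come before the catch-all DROP.
    cat <<EOF
iptables -A INPUT -p tcp -s $ip --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
EOF
}

ssh_sshd_config_lines() {
    ip=$1
    user=${2:-admin}
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    cat <<EOF
Protocol 2
PermitRootLogin no
AllowUsers $user@$ip
EOF
}

ssh_tcpwrappers_lines() {
    ip=$1
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    cat <<EOF
# /etc/hosts.allow
sshd: $ip
# /etc/hosts.deny
sshd: ALL
EOF
}

# Report settings in an existing sshd_config that defeat the above.
# Prints WEAK lines; returns 1 if any were found, 0 if clean.
check_sshd_config() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "permitrootlogin" && tolower($2) == "yes" { print "WEAK " $0; n++ }
        tolower($1) == "protocol" && $2 ~ /1/                    { print "WEAK " $0; n++ }
        tolower($1) == "allowusers"                              { seen_allow = 1 }
        END {
            if (!seen_allow) { print "WEAK no AllowUsers line: any account may try to log in"; n++ }
            exit (n > 0)
        }' "$1"
}

# Demo: print the three layers for a placeholder admin address, then audit a
# constructed weak config.
ADMIN_IP=192.0.2.10
ssh_iptables_rules "$ADMIN_IP"
ssh_sshd_config_lines "$ADMIN_IP" admin
ssh_tcpwrappers_lines "$ADMIN_IP"
tmp=$(mktemp -d)
printf 'Protocol 2,1\nPermitRootLogin yes\n#AllowUsers nobody\n' > "$tmp/sshd_config.weak"
check_sshd_config "$tmp/sshd_config.weak" || echo "sshd_config needs work"
rm -rf "$tmp"
```

Apply the layers one at a time from a second, already-open session so a typo cannot lock you out, and test each with a fresh connection from a non-admin address before moving on.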
Choose a good password.
Make your password hard to crack:
ia@#xkd@!9S is a decent example, but it's hard as hell to remember! Red Hat 7.2 tells you if you entered a bad password or not.
Hi,
use this password for root. It is impossible to crack: %$@@54psf*&gneo0 :p Regards, Russell.
In my experience of being hacked twice this year on a full production server (serving approx. 30 websites + email), you should be wary of just 'rebooting' the server without first finding out what damage has been done and what trojans, if any, have been installed.
In some cases, rebooting will basically bork your machine out totally! In any case, you should consider running:
1.) Chkrootkit
2.) Logwatch
3.) Tripwire
Also, restrict access in total Paranoid mode:
- disable anonymous FTP and consider using sftp
- only allow ssh sessions from one fixed IP address
- remove any unnecessary running services
- keep the number of users on your system at a bare minimum; if you have users getting email from your system but they don't need to ever log into the system, make sure they don't have a shell account!
After a fresh install and setup, back up your critical server configuration files, basically just back up the whole of /etc.
And of course, check security advisories on a daily basis.
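The last two habits in the post above (Tripwire-style integrity checking and backing up /etc after a clean install), as an added example in plain shell that is not from the thread or from the Tripwire project: a baseline of SHA-256 hashes is taken once, later runs report files that were added, modified or removed, and a tarball of the tree is written with a checksum file beside it. The directory tree in the demo is constructed; on a real box the argument would be /etc, and both the baseline and the tarball should live on the other machine the OP mentioned.

```shell
#!/bin/sh
# Added example, not from the thread: the two post-reinstall habits the post
# above recommends, as plain shell so the idea behind Tripwire/AIDE is visible.
#   make_baseline DIR            print "sha256  ./path" for every file under DIR
#   check_baseline DIR BASELINE  compare the tree with a saved baseline and print
#                                ADDED / MODIFIED / REMOVED lines; returns 1 if
#                                anything changed, 0 if the tree is untouched
#   backup_tree SRC DEST         tarball SRC into DEST with a checksum file beside it
# Keep the baseline and the backup somewhere an intruder on this box cannot
# rewrite them (another machine, or read-only media); a baseline stored on the
# compromised host proves nothing. Paths containing whitespace are not handled
# because sha256sum output is split on it.

make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

check_baseline() {
    dir=$1
    baseline=$2
    # Tag every record with its origin, then let awk join the two sets on path.
    { sed 's/^/OLD /' "$baseline"; make_baseline "$dir" | sed 's/^/NEW /'; } |
    awk '
        $1 == "OLD" { old[$3] = $2; next }
        {
            seen[$3] = 1
            if (!($3 in old))        { print "ADDED    " $3; n++ }
            else if (old[$3] != $2)  { print "MODIFIED " $3; n++ }
        }
        END {
            for (f in old) if (!(f in seen)) { print "REMOVED  " f; n++ }
            exit (n > 0)
        }'
}

backup_tree() {
    src=$1
    dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    name=$(basename "$src")
    # -C to the parent so the archive unpacks as "etc/..." rather than an absolute path.
    tar czf "$dest/$name-$stamp.tar.gz" -C "$(dirname "$src")" "$name" &&
    ( cd "$dest" && sha256sum "$name-$stamp.tar.gz" > "$name-$stamp.tar.gz.sha256" ) &&
    echo "$dest/$name-$stamp.tar.gz"
}

# Demo on a constructed tree standing in for /etc: baseline, back up, tamper, check.
work=$(mktemp -d)
mkdir -p "$work/etc/ssh"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$work/etc/passwd"
printf 'PermitRootLogin no\n' > "$work/etc/ssh/sshd_config"
make_baseline "$work/etc" > "$work/etc.baseline"
backup_tree "$work/etc" "$work" > /dev/null
printf 'pacpac:x:0:0::/tmp/.x:/bin/bash\n' >> "$work/etc/passwd"   # simulated tampering
echo 'sshd: ALL' > "$work/etc/hosts.deny"                            # simulated new file
check_baseline "$work/etc" "$work/etc.baseline" || echo "tree has changed since baseline"
rm -rf "$work"
```

Run `make_baseline /etc > etc.baseline` right after the clean install and copy the file off the box; a nightly `check_baseline /etc etc.baseline` from cron, with the output mailed elsewhere, gives the same early warning the post is after. Verify a restored backup with `sha256sum -c etc-DATE.tar.gz.sha256` before trusting it.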
the coroner's toolkit comes to mind.