Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
OK. Regardless of services being free or not, what would services be worth anyway if offered by a host who has more important things to do than make sure integrity is maintained or restored? Would you feel secure using them?
Hell no, especially since he is saying he is not going to notify his customers at this point.
I take the security of the server very seriously, let me assure you. But there is no point in re-installing the entire OS, putting back the same services and getting compromised again.
Quote:
Hell no, especially since he is saying he is not going to notify his customers at this point.
Why wouldn't I notify my users if I didn't think it was one of them? I can't scare away the attacker for now, that would be stupid. If I didn't suspect any of them, then it would be completely fine for me to notify them as a whole. Right now, a certain few users that I trust already know about the situation.
Please stop trying to tell me 'what' I should do, but rather, how I can find out how the attacker got in. If I really took 'that stance' on security, most people wouldn't even ask for help on a forum. Am I not being reasonable here? It is solely up to me to find out my method of mitigation; there is no one way to solve a compromise, everyone's circumstances are different. I was just asking here for some information on a strange binary file. If you haven't seen it before, that's fine, you can reserve your judgement.
"Offline because of bugs."
That's just because of some PHP issues in that web application.
Sorry, I thought the user in question was freeshell, do you have a dedicated server with several usernames on it? Or are all your IRC people under the freeshell account?
Quote:
Sorry, I thought the user in question was freeshell, do you have a dedicated server with several usernames on it? Or are all your IRC people under the freeshell account?
I wasn't talking to you specifically, but it's a VPS with several usernames on it.
People, try to understand where I'm coming from. I can't re-install the OS without knowing how the intruder got in. Nor would it be smart to go to a backup.
Quote:
I wasn't talking to you specifically, but it's a VPS with several usernames on it.
People, try to understand where I'm coming from. I can't re-install the OS without knowing how the intruder got in. Nor would it be smart to go to a backup.
Well, if he got root access there's probably a problem at the OS level, or in one of the OS-level packages you have installed, like something is out of date.
Or he has your root password.
Not doing anything is pretty stupid, like leaving the system compromised.
Sounds like you need to clean house with who you are hosting, especially if it's a free service.
Quote:
People, try to understand where I'm coming from. I can't re-install the OS without knowing how the intruder got in. Nor would it be smart to go to a backup.
I think you in turn do not understand. I think I made it pretty clear in post #10 what and how we would like to see things reported back to be able to start to help you. Basically all we got back was some loose information plus "I have to run off now, so thanks for your help", which you would have to agree provides no starting point at all. As they say, the ball is in your court...
I had to go to uni. I had no intention of being rude or seeming that way. I presented the information that you requested, OS and version along with the running services. Anyway, I've reinstalled the server with Fedora 10 (EOL in 2 or so months, but unfortunately, my provider doesn't have an OS template for Fedora 11), and hopefully I can track down the intruder this way. Obviously, I couldn't show all the server logs as some of the data is private and confidential. Feel free to mark this thread as closed.
Quote:
I had to go to uni. I had no intention of being rude or seeming that way. I presented the information that you requested, OS and version along with the running services.
OK, noted. No, you did not present all the needed information, but discussion is futile now. If you want to see what it should look like and how we'd like to help, check this forum for compromise threads I replied in.
Quote:
Originally Posted by ShellPwn
Anyway, I've reinstalled the server with Fedora 10 (EOL in 2 or so months, but unfortunately, my provider doesn't have an OS template for Fedora 11),
Please make certain to install all updates, enable logging, properly harden the machine and restrict access where necessary.
* If you'd like help with hardening or a second opinion on what to do I suggest you create a new thread, list the application versions installed, post the results of running a remote nmap scan and a local GNU Tiger scan and post the measures you will take.
Quote:
Originally Posted by ShellPwn
and hopefully I can track down the intruder this way.
Unless you have the knowledge to play such games I'd advise against it. Better invest time in keeping the machine secure.
Quote:
Originally Posted by ShellPwn
Obviously, I couldn't show all the server logs as some of the data is private and confidential.
And that's why I sometimes invite people to contact me by email. That way discussing non-disclosure issues and facilitating bulk transfers could be one of the possibilities.
Quote:
Originally Posted by ShellPwn
Feel free to mark this thread as closed.
On LQ we don't. As thread creator you are allowed to mark the thread as solved, which I just did for you.
Quote:
4. After you've answered those questions (do not install or delete anything) we'll move on to preparing backups for reference (not reuse) and investigate further using system authentication data (logrotated wtmp), IDS logs, filesystem integrity checkers, package manager (if good enough), all system, daemon and firewall logs, temp files, unusual (setuid root) files, user shell histories. When you report back include any information, hints, hunches or gut feelings you think would help. Please attach logs if possible, else please use BB code tags to preserve formatting and efficient reading. And please ask before doing things if you have any doubts.
Can you elaborate on this part? I know the guy didn't write back with the info, but if he had, what would the next steps be?
Quote:
Originally Posted by unSpawn
2. As root account user list open files (\lsof -P -w -n), process (\ps ax -o ppid,pid,uid,cmd --sort=uid) and network data (\netstat -anpe) listings to a location where you do not overwrite data or pipe data through ssh.
And can you give the command to pipe data through ssh?
lsof | ssh ???
Quote:
Can you elaborate on this part? I know the guy didn't write back with the info, but if he had, what would the next steps be?
Prepare backups for reference. Investigate. With system authentication data I mean utmp, wtmp and changes in any auth databases. Filesystem integrity checkers and package managers (when used with known good off-line backups of databases) are for separating changed from inert files and dividing files with known good checksums from "bad" ones. System, daemon and firewall logs often contain recon info and per-IP history you can trace back with, say, Logwatch. Temp files and unusual (setuid root) files and user shell history files also help build timelines. What's missing from this picture? Volatile data that doesn't survive reboots (people often think just rebooting is a good thing), data that gets deleted deliberately in an attempt to thwart detection, data that only gets injected on the fly, data that is otherwise hidden. Strangely enough we're spotting rootkit infections again, albeit sporadically. To answer your question in short: checkpoint your data (so you know what changed after you saved it), gather data and process it.
Quote:
Originally Posted by abefroman
And can you give the command to pipe data through ssh?
Both will require root account access to run commands but Netcat probably would be easier. On the receiving host do 'nc -l -n 10000 2>&1 | tee /dev/shm/netcat.tee', then on the "victim", as root, run '( \lsof -P -w -n; \ps ax -o ppid,pid,uid,cmd --sort=uid; \netstat -anpe ) | nc receiving_host_ip 10000'. Note full path prepending / usage of backslashes depends on actual path usage and available aliases you would need to avoid.
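As an added example (my own script, not unSpawn's or abefroman's code), here is a small POSIX shell toolkit covering both replies above: the "checkpoint your data" step (a checksum baseline of a file tree and a later diff listing added, removed and changed files) and the lsof/ps/netstat collection streamed off-box through nc or ssh so nothing is written to the suspect disk. It assumes coreutils (sha256sum, sort), awk, nc and ssh are in PATH and that a receiver is already listening as described. Like the thread's own commands it trusts the host's binaries; a rootkit that replaces ps, lsof or netstat defeats it, which is why the baseline belongs on known-good off-line media.

```shell
#!/bin/sh
# Added example for this thread (not the project's or poster's own script):
# (1) checkpoint a file tree with checksums and later list what changed,
# (2) gather the volatile listings named in the thread and stream them to a
#     collection host with nc or ssh.
# Assumes POSIX sh, sha256sum, sort, awk; nc/ssh only for ship().

# --- checkpointing ---------------------------------------------------------

# snapshot DIR OUT: record "<sha256>  <path>" for every regular file under DIR.
# Keep OUT off the suspect host (the "known good off-line" copy).
snapshot() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# compare BASE CUR: print "A path" (added), "D path" (removed), "M path"
# (content changed). Paths containing whitespace are not handled by this
# field-based awk; use a line-oriented format if you need them.
compare() {
    awk -v base="$1" '
        FILENAME == base { old[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in old))        print "A", $2
          else if (old[$2] != $1)  print "M", $2 }
        END { for (p in old) if (!(p in seen)) print "D", p }
    ' "$1" "$2" | sort -k2
}

# --- volatile data ---------------------------------------------------------

# run_section NAME CMD ARGS...: framed output, exit status recorded, missing
# tool recorded instead of aborting. 'command' bypasses shell functions and
# an expanded "$@" is never alias-expanded, which is what the backslash
# prefixes in the thread (\lsof, \ps, \netstat) are for.
run_section() {
    name=$1; shift
    printf '=== %s: %s ===\n' "$name" "$*"
    if command -v "$1" >/dev/null 2>&1; then
        command "$@" 2>&1 || printf '(exit status %s)\n' "$?"
    else
        printf '(%s not found)\n' "$1"
    fi
    printf '=== end %s ===\n' "$name"
}

# collect: the three listings from the thread plus a timestamp and logins
collect() {
    run_section date    date -u
    run_section lsof    lsof -P -w -n
    run_section ps      ps ax -o ppid,pid,uid,cmd --sort=uid
    run_section netstat netstat -anpe
    run_section who     who -a
}

# ship HOST [PORT]: with PORT, stream to an 'nc -l' listener on HOST; without
# PORT, stream over ssh into a timestamped file on HOST (given as user@host).
# This is the "pipe data through ssh" form asked about above.
ship() {
    if [ -n "$2" ]; then
        collect | nc "$1" "$2"
    else
        collect | ssh "$1" 'cat > volatile-$(date +%s).txt'
    fi
}
```

Usage: take `snapshot /etc /media/usb/etc.base` on the known-good install and `compare /media/usb/etc.base /media/usb/etc.now` after a later snapshot. `ship 192.0.2.10 10000` (placeholder address) pairs with the `nc -l -n 10000 2>&1 | tee /dev/shm/netcat.tee` receiver from the post above; `ship analyst@collector` does the same over ssh, with the file created on the far side. BusyBox `nc` takes different flags than the OpenBSD/GNU variants, so check the listener syntax on the receiving host first.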
There are numerous hosting sites that get attacked on a regular basis. 2 days before Defcon this year someone hacked the hosting service that Dan Kaminsky and Kevin Mitnick were using to get to their info. The exploit used was over 6 months old.
There is certainly a need for good secure hosting!
Excellent point.
What causes people to choose bad hosting?
I think many people choose hosting based on pricing. They usually want cheap hosting. The saying, "you get what you pay for" applies, though. Those who choose bad hosting usually lack the experience in judging/researching for good hosting, too.
Quote:
Originally Posted by unSpawn
How could they recognize good hosting solutions?
By researching the hosting company for negative trends. Personal and/or professional references help also.
Quote:
I think many people choose hosting based on pricing. They usually want cheap hosting. The saying, "you get what you pay for" applies, though. Those who choose bad hosting usually lack the experience in judging/researching for good hosting, too.
What do you mean, how could you go wrong with unlimited disk space, unlimited bandwidth, etc. for only $3.95/mo, with a 50% off coupon and 6 months free? LOL
Honestly I think the majority of hosting companies out there are:
1. Resellers or dedicated server leasers who really have no idea how, or no time, to keep up with security
2. Trying to be ultra competitive by offering gimmicks like unlimited disk space (last time I checked no hard drive manufacturer was making an unlimited-space hard drive) and they usually have something in the TOS that says you can only use it for HTML and pictures, and no more than x% can be for photos and multimedia.