Linux - Security This forum is for all security related questions.
07-12-2006, 06:04 PM
#1
Member
Registered: Jan 2006
Posts: 70
Possible ssh breach
OK, I had an unknown person SSH'ed onto my server; anyway, he was logged on as root, most likely from a PC somewhere in the office I didn't log off, since I'm the only one with the root passwd. I did a pkill root and it kicked me out also, and I can't SSH back in. What can I do at this point? This is serious, btw, so no laughing. Thanks a million.
07-12-2006, 06:19 PM
#2
Moderator
Registered: May 2001
Posts: 29,415
If you have access power off the thing now or ask someone to power it off. We'll handle the rest later.
07-12-2006, 06:23 PM
#3
Member
Registered: Jan 2006
Posts: 70
Original Poster
Quote:
Originally Posted by unSpawn
If you have access power off the thing now or ask someone to power it off. We'll handle the rest later.
OK, so after the reset the processes will come back and I can SSH?
07-12-2006, 06:37 PM
#4
Moderator
Registered: May 2001
Posts: 29,415
No, I'd rather you POWER OFF the box and don't disturb it until you can boot a Live or rescue CD.
BTW, is the box local or remote? If it appears a box on the LAN is compromised, you'll have to take care of that first by alerting someone to take care of it, or by denying inbound access on the router to that segment and killing that box.
07-12-2006, 06:43 PM
#5
Member
Registered: Jan 2006
Posts: 70
Original Poster
Quote:
Originally Posted by unSpawn
No, I'd rather you POWER OFF the box and don't disturb it until you can boot a Live or rescue CD.
BTW, is the box local or remote? If it appears a box on the LAN is compromised, you'll have to take care of that first by alerting someone to take care of it, or by denying inbound access on the router to that segment and killing that box.
OK, I found out it was a PC I thought was off, and it had the same file open; in other words, there is no security breach. The box is at a NAP, so I'll have to pass by tonight to reset it. I'm just scared about whether, once I have physically rebooted the machine, it will let me back in and bring all the processes up again.
07-12-2006, 06:48 PM
#6
Senior Member
Registered: Dec 2004
Location: Lee, NH
Distribution: OpenSUSE, CentOS, RHEL
Posts: 1,794
First off, don't entitle a topic "Heeeeeeeeeeeelp!!!" - Instead, describe the problem with an intelligent phrase.
Can you log in locally? If not, then bashrc, bash_profile, .login, or another startup script is probably misconfigured. Boot to single user mode or from a live CD and check the files. Also, check /etc/passwd to make sure that the login shell for root is configured as bash or something else reasonable, and that the MD5 signature of that instance of bash matches what you actually installed.
Actually, the ideal solution? If you are not absolutely, positively 100% certain you can find the exploit, back up your data, key configuration files (e.g., /etc/httpd, /etc/X11, etc/), and anything else that is important, then wipe the system and either restore from a backup or reinstall and copy your data (and config files) back to the new installation. You may actually save yourself a LOT of time that way.
If you don't want to R&R, then do the following:
Now, for the first step, can you log in locally? If so, the first thing you should do is install and run clamav, chkrootkit (http://www.chkrootkit.org/), and rkhunter (http://www.rootkit.nl/) on the entire filesystem to help ID compromised executables, and also known-bad executables. Check the usual suspects (/etc/ssh/, /etc/passwd, etc.) for back doors. Check your /etc/init.d/ (runlevel) configuration to make sure that nothing unusual is being launched. I'd say to check timestamps on the init files to see if anything has been touched, but a good cracker would have touched the files to backdate mtime, ctime, and atime to evade suspicion, so your only recourse will be to either:
- diff the files against a KNOWN-clean system
or
- Examine each and every startup script to ID any potential back doors s/he added to the system
Eh, you know what? It's SO much work that you're best off restoring your most recent backup. I've cleaned systems before but unless you have a good basis for comparing the current config to the past (MD5 signatures or other method) or unless you've run rkhunter and/or chkrootkit from the very beginning and kept a history of changes, don't trust the system, unless it's just a toy in which case what's the big deal?
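An added example, not code from this thread: the "root's login shell is reasonable" check and the "compare signatures against a known-clean baseline" check from the post above, written as shell functions and run on constructed stand-ins for /etc/passwd, /etc/shells, the bash binary and a startup script so it works offline. It assumes GNU coreutils (sha256sum, mktemp) and awk, and records SHA-256 rather than the MD5 the post mentions.

```shell
#!/bin/sh
# Added example (not from the thread): two checks from post #6 as shell
# functions, with constructed sample data so the script runs offline.
# Assumes GNU coreutils (sha256sum, mktemp) and awk are available.

# root_shell_ok PASSWD_FILE SHELLS_FILE
# Succeeds only if root's login shell (field 7 of passwd) is one of the
# shells listed in SHELLS_FILE, i.e. something you actually installed.
root_shell_ok() {
    shell=$(awk -F: '$1 == "root" { print $7 }' "$1")
    [ -n "$shell" ] && grep -qx -- "$shell" "$2"
}

# verify_manifest MANIFEST
# MANIFEST holds "sha256  /abs/path" lines recorded on a known-clean
# system. Re-hashes every path and prints how many no longer match
# (0 means every listed file is unchanged). This is the post's "compare
# signatures" step, done with SHA-256 instead of MD5.
verify_manifest() {
    # --quiet prints one "path: FAILED" line per mismatch or missing file.
    sha256sum -c --quiet -- "$1" 2>/dev/null | wc -l | tr -d ' '
}

# demo: constructed stand-ins for /etc/passwd, /etc/shells, the bash
# binary and a startup script. A baseline is recorded, then rc.local is
# altered after the fact, and both checks are run against the result.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/passwd"
    printf '/bin/sh\n/bin/bash\n' > "$d/shells"
    printf '#!/bin/sh\nexec /bin/sh "$@"\n' > "$d/bash"
    printf 'exit 0\n' > "$d/rc.local"
    sha256sum -- "$d/bash" "$d/rc.local" > "$d/manifest"  # known-clean baseline
    printf 'exit 0\n# line appended later\n' > "$d/rc.local"  # change after baseline
    if root_shell_ok "$d/passwd" "$d/shells"; then
        echo "root shell: ok"
    else
        echo "root shell: NOT a listed shell, inspect /etc/passwd"
    fi
    echo "files changed since baseline: $(verify_manifest "$d/manifest")"
    rm -rf -- "$d"
}

demo
```

On a real host the manifest is the output of `sha256sum` taken over /bin, /sbin and the init scripts while the system was still trusted, stored off-box; without such a baseline the comparison has nothing to compare against, which is the post's point.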
07-12-2006, 06:49 PM
#7
Moderator
Registered: May 2001
Posts: 29,415
Good to hear it's no breach of security.
One down, two to go.
(Still, what's someone doing logged in as root? Is that really necessary? But OK...)
07-12-2006, 06:51 PM
#8
Moderator
Registered: May 2001
Posts: 29,415
//Not that it's not appreciated, but using "preview post" before posting may save typing. Apparently a lot of people don't use the feature.
07-12-2006, 07:06 PM
#9
Member
Registered: Jan 2006
Posts: 70
Original Poster
I'm 100% sure there is no security breach whatsoever. I'll be going physically to reset the machine. We do have an APC that can be remotely managed, but no one has the passwd, so I'll have to physically reset the pass on that one while I'm in there.
07-12-2006, 07:28 PM
#10
Senior Member
Registered: Dec 2004
Location: Lee, NH
Distribution: OpenSUSE, CentOS, RHEL
Posts: 1,794
Quote:
Originally Posted by unSpawn
//Not that it's not appreciated, but using "preview post" before posting may save typing. Apparently a lot of people don't use the feature.
Not that it's not appreciated, but if I'd clicked "preview post" and saw that the original poster had posted an update in the meantime, it'd not have saved me a single keystroke. Thanks, though!
07-13-2006, 04:14 PM
#11
Member
Registered: Jan 2006
Posts: 70
Original Poster
The aftermath
Today I walked to the actual server at the POP and it was completely frozen. I turned it off and on again, and it booted up just fine; all the processes run just fine. And I didn't get fired for bringing it down. So what's to learn from all of this? Perhaps... don't input a command before thoroughly doing your research, and second, this forum pwns!!
07-13-2006, 05:32 PM
#12
Moderator
Registered: May 2001
Posts: 29,415
Quote:
Originally Posted by xtremeclones
I didn't get fired for bringing it down.
Cool
Quote:
Originally Posted by xtremeclones
So what's to learn from all of this? Perhaps... don't input a command before thoroughly doing your research.
And maybe use more than one means of access for critical servers, like adding an (out of band) console server, monitoring and making sure services stay up and run Xinetd's backupssh on a different port ACL'ed to your management IP (range)?
BTW I'll change the thread title to "Possible ssh breach".
"Heeeeeeeeeeeelp!!!" just isn't descriptive enough...
Last edited by unSpawn; 07-13-2006 at 05:37 PM.
07-13-2006, 05:44 PM
#13
Member
Registered: Dec 2005
Location: Portugal
Distribution: Slackware64 13.0, Slackware64 13.1
Posts: 538
@ xtremeclones:
Just by chance I'm reading a book all about this kind of stuff. It's called "Hardening Linux" and has everything to help make your server (nearly) bullet-proof.
I can't scan it for you :P, but I will leave you with the details so you can get it. It only costs $40 (sounds like a lot for a book, but well worth it to keep hackers out):
title: Hardening Linux
publisher: McGraw-Hill / Osborne
ISBN: 0-07-225497-1
You won't regret it, I promise.