LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-03-2004, 04:36 AM   #1
sandalblady
LQ Newbie
 
Registered: Jul 2004
Location: Poland
Distribution: RH
Posts: 3
RH 8.0 system hacked


Hello.

My RH box has been recently hacked and rootkits installed. Before I reinstall the system I would like to know which services are not safe, i.e. which are vulnerable to known exploits. I am running these standard RH daemons:
sshd version OpenSSH_3.5p1
BIND 9.2.1
and
vsftpd-1.1.3
Any suggestions where the security hole could be?
 
Old 07-03-2004, 06:59 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55
> My RH box has been recently hacked and rootkits installed.
Always sad to hear. Out of curiosity, how did you find out? What did Chkrootkit (chkrootkit.org) and Rootkit Hunter (rootkit.nl) say?


> Before I reinstall the system I would like to know which services are not safe, i.e. which are vulnerable to known exploits.
First you'll have to decide *if* you need to provide services, and to *whom*. If you don't need to run public services, so much the better. If you do have to provide public services you should skip installing R* services and telnet, watch your steps when allowing public access to DNS, SMTP, Samba, FTP, HTTP/PHP, and then harden them. Search for alternatives. DJBDNS is (for some) an alternative to ISC's BIND, SFTP/SCP (through SSH) is a good one for FTP, and there are a lot of SMTP daemons that are worthy replacements for Sendmail.
If you post what services you *need* to run (and if you know what IP ranges you can restrict them to, even better) we're willing to help you configure and harden them.


> I am running these standard RH daemons:
Listing daemon versions isn't the same as listing what services you run. I'm sure you run more... BIND and vsftpd look current (though you should list sub-versions or search for more recent ones). Your OpenSSH is *way* old. With all due respect, if you don't have the discipline to manually compile RPMs and upgrade from source, then *please* switch to a distro/release that's actively maintained and supported. As you're well aware (or should be), RHL >= 9.x have been phased out a while ago.


Also *please* check out the LQ FAQ: Security references.
 
Old 07-03-2004, 02:30 PM   #3
gensis
LQ Newbie
 
Registered: Jun 2004
Distribution: Slackware, Suse, Red Hat, Fedora
Posts: 28
chkrootkit and Rootkit Hunter are great software; try this too ^^ ClamAV
http://sourceforge.net/projects/clamav/
Sticking one of those live rescue disks in should help
http://www.inside-security.de/insert_en.html

=================== my opinion (below)============================
Might wanna try to use Slackware. IMHO Fedora makes crappy servers ><, I am not trying to start a flame war, again /me hides behind a huge rock. I think IIS or any product is good if it is properly secured (^_^)V. I am really not certain what service was actually exploited; you really don't want to upgrade to Fedora >< it's becoming bloatware.
=================== my opinion (above)============================

You might wanna rebuild your box again and try some of the other non-bloated distros; however, if you're gonna go back to Red Hat 8, use apt-get or yum to update your software.

White Box http://www.whiteboxlinux.org/
Libranet http://www.libranet.com/
Debian
Slackware
 
Old 07-03-2004, 02:52 PM   #4
sandalblady
LQ Newbie
 
Registered: Jul 2004
Location: Poland
Distribution: RH
Posts: 3

Original Poster
Hello, thanks for the replies.

I found out that my system was compromised when I ran netstat -a and saw some suspicious open ports, one of them opened by a renamed SSH server (I wrote a simple program which listens on that port now and logs the IPs trying to connect). Then I used chkrootkit and the output is:
Searching for Suckit rootkit ... Warning: /sbin/init INFECTED
[root@kasia chkrootkit-0.43]# ls -li /sbin/*init*
6527 -rwxr-xr-x 1 root root 27036 maj 22 01:38 /sbin/init
978 -rwxr-xr-x 1 root root 32732 mar 13 2003 /sbin/initlog
588 -r-xr-xr-x 1 root root 12588 lut 20 2003 /sbin/lvmcreate_initrd
913 -rwxr-xr-x 1 root root 14737 lut 18 2003 /sbin/mkinitrd
1001 -r-xr-xr-x 1 root root 4831 sty 25 2003 /sbin/pcinitrd
2413 -rwxr-xr-x 1 root root 16416 lut 25 2003 /sbin/stinit
6527 -rwxr-xr-x 1 root root 27036 maj 22 01:38 /sbin/telinit
[root@kasia chkrootkit-0.43]# ./chkproc -v
PID 17: not in readdir output
PID 17: not in ps output
PID 2959: not in ps output
PID 3089: not in ps output
You have 1 process hidden for readdir command
You have 3 process hidden for ps command
[root@kasia 17]# cat /proc/17/cmdline
initauto
[root@kasia 17]# cat /proc/17/environ
HOME=/TERM=linuxBOOT_IMAGE=linuxBOOT_FILE=/boot/vmlinuz-2.4.20-8

I dug with Google and found http://www.lugod.org/mailinglists/ar.../msg00102.html and there
[...]
> Oops, looks like someone *already* "0wn3d" the box....
>
> $ cat /proc/14/cmdline
> initauto
>
> $ ls -al /sbin/init /sbin/telinit
> - -rwxr-xr-x 1 root root 26920 Apr 19 2002 /sbin/init
> - -rwxr-xr-x 1 root root 26920 Apr 19 2002 /sbin/telinit
>
> This is a sign that the SucKit rootkit was installed
But no word about how to remove this sh*t.
Does anybody know how to do it? /sbin/init u doesn't work
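The two detections in the post above (chkproc's hidden-PID check and the init/telinit listing) replayed as a small script. This is an added example, not chkrootkit's code; the sample text embedded in it is the output quoted in the post, and `live_hidden_pids` is a hypothetical helper that runs the same probe against the real /proc.

```python
import os
import re
from collections import defaultdict
from typing import Callable, Dict, List, Set

# Constructed sample: the chkproc and ls -li output quoted in the post above.
CHKPROC_OUT = """PID 17: not in readdir output
PID 17: not in ps output
PID 2959: not in ps output
PID 3089: not in ps output
"""
LS_OUT = """6527 -rwxr-xr-x 1 root root 27036 maj 22 01:38 /sbin/init
978 -rwxr-xr-x 1 root root 32732 mar 13 2003 /sbin/initlog
6527 -rwxr-xr-x 1 root root 27036 maj 22 01:38 /sbin/telinit
"""

def hidden_from_readdir(listed: Set[int], exists: Callable[[int], bool],
                        max_pid: int) -> Set[int]:
    """chkproc's core trick: ask the kernel for every PID by name instead of
    trusting the directory listing. A PID that exists(pid) confirms but that
    is absent from the listing has been hidden from readdir/getdents."""
    return {pid for pid in range(1, max_pid + 1)
            if pid not in listed and exists(pid)}

def live_hidden_pids(max_pid: int = 32768) -> Set[int]:
    """Run the probe against the real /proc (Linux only). Empty on a clean
    host, apart from a process that was spawned between listing and probing."""
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    return hidden_from_readdir(listed, lambda p: os.path.isdir(f"/proc/{p}"), max_pid)

def hidden_by_view(chkproc_out: str) -> Dict[str, Set[int]]:
    """Group chkproc's 'PID n: not in X output' lines by the view n is missing from."""
    hidden: Dict[str, Set[int]] = defaultdict(set)
    for m in re.finditer(r"^PID (\d+): not in (\w+) output", chkproc_out, re.M):
        hidden[m.group(2)].add(int(m.group(1)))
    return dict(hidden)

def shared_inodes(ls_out: str) -> Dict[int, List[str]]:
    """Paths in `ls -li` output that share an inode, i.e. are hard links.
    The post's init/telinit pair (same inode, same fresh mtime) is the
    pattern the quoted lugod message associates with SucKIT."""
    by_inode: Dict[int, List[str]] = defaultdict(list)
    for line in ls_out.splitlines():
        parts = line.split()
        if len(parts) >= 9 and parts[0].isdigit():
            by_inode[int(parts[0])].append(parts[-1])
    return {ino: paths for ino, paths in by_inode.items() if len(paths) > 1}

if __name__ == "__main__":
    print("hidden per view:", hidden_by_view(CHKPROC_OUT))
    print("hard-linked paths:", shared_inodes(LS_OUT))
    if os.path.isdir("/proc"):
        print("live hidden PIDs:", live_hidden_pids())
```

A non-empty result from the live probe is worth checking from a clean boot medium before trusting it, since the same rootkit that hides PIDs can also alter the tools used to look at them.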
 
Old 07-03-2004, 02:59 PM   #5
sandalblady
LQ Newbie
 
Registered: Jul 2004
Location: Poland
Distribution: RH
Posts: 3

Original Poster
Hello again.

The services that I need worldwide are FTP and SSH; the others I can limit to my local (safe) network. I'd like to continue using RH; I know it quite well and don't have time to start again with another (maybe better) distro. I am sure that for my needs a well-configured RH will be OK.