Old 08-23-2008, 02:07 PM   #1
Registered: May 2006
Location: USA
Distribution: FreeBSD Ubuntu Debian
Posts: 137

Rep: Reputation: 15
script cracked my server

So I'm sitting there in the other room and my server just starts playing music out of the blue. Turns out whatever broke in was typing commands exceedingly fast into the currently active tty which consequently had left mocp running on. I quickly pulled the plug on the switch and the server.

Now I can track down where the attack came from myself with the snort logs I think. What I would love to figure out is what service the attack made it in through. My first thought would be Apache since I haven't bothered to update it in about 3 months and it was running whatever was in Debian Unstable at the time.

So what kind of vulnerability would give the attacker control of the currently active interface? I would rule out ssh since that would give the attacker their own shell not one I had locally logged in. Do I just start digging through apache logs? Where should I start?

Obviously I'll never boot off that drive again. For now I'll yank the HD and put the backup in and do any forensics on that disc off a bootable CD. This should be fun, I've never had the opportunity to track down a breach before.
Old 08-23-2008, 05:28 PM   #2
Senior Member
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
Bit lost, did you perhaps get root-kitted at some point? My first guess, if it was a root kit, would be it was FTP related (FTP is highly insecure, thus why SFTP and SCP exist). My guess is that something like they placed in some kinda cron job and it was just passing out the information in any relevant open places, like your active shell or what not, could be wrong...

however if you were root-kitted, I'd probably think about reinstalling the machine from scratch, root-kits are horrific after all...
Old 08-23-2008, 06:18 PM   #3
Registered: May 2001
Posts: 29,359
Blog Entries: 55

Rep: Reputation: 3546
Originally Posted by kav
Where should I start?
In short: start with the Intruder Detection Checklist (CERT):

What you're looking for is building an understanding of the situation, which is different from the "guessing" message the first reply carries. Even without talking about evidence acquired for judicial purposes and court situations, anyone with a structured approach to diagnosing things, any investigator, will tell you that guessing is as bad as assuming, and you know what assuming makes... The checklist should guide you through most of the basic needs for gathering information like purpose of the box, date and duration of incident, distro+release+kernel data, audit data (system, daemon and firewall logs), auth data (login db, et cetera), IDS data, installed SW versions, integrity and updates, running services, finding "evidence" like setuid root files or LAMP piggybacking or user shell histories. There are lots of basic forensics docs on the 'net if you're interested in that, and you could also search for and read some incident response threads in this particular forum. We've handled a few.

Also often the first thing to do would be doing nothing except for thinking over the sequence of ops and the consequences of performing those on a system. It's not for nothing Wise Hannibal says he loves it when a plan comes together: Think. Plan. Act.
Old 08-26-2008, 12:08 PM   #4
Registered: Oct 2006
Location: Kenya
Distribution: Ubuntu, RHEL, OpenBSD
Posts: 287

Rep: Reputation: 32
For future's sake try and also have an integrity checker in place. Tripwire does a very good job on this though other people may have different utilities for this. Then, whether the results of your forensics point to apache or not, try and keep your box up to date. It's always best practice to do so.
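The integrity-checker idea from the last reply, together with the "integrity and updates" and "setuid root files" items on the checklist in #3, as an added example that is not from the thread and is not Tripwire's code: a minimal baseline-and-verify routine that hashes every regular file and records its permission bits, so a replaced binary, a dropped-in file, a deleted file, or a file that newly turned setuid is reported on the next run. The directory tree, the baseline and the tampering are all constructed in a temp dir for the demo; a real baseline is taken right after install and kept off the host (read-only media), since a baseline stored on the compromised disk can be edited along with everything else.

```python
import hashlib
import os
import tempfile

def _fingerprint(path):
    """SHA-256 of contents plus permission bits, so a file that turns setuid shows up."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "mode": os.lstat(path).st_mode & 0o7777}

def build_baseline(root):
    """Fingerprint every regular file under root (symlinks skipped)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for full in (os.path.join(dirpath, n) for n in names):
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = _fingerprint(full)
    return baseline

def verify(root, baseline):
    """Diff the live tree against a stored baseline; flag files that gained setuid."""
    current = build_baseline(root)
    report = {"added": sorted(set(current) - set(baseline)), "changed": [],
              "removed": sorted(set(baseline) - set(current)), "setuid_gained": []}
    for rel in sorted(set(current) & set(baseline)):
        old, new = baseline[rel], current[rel]
        if old != new:
            report["changed"].append(rel)
        if new["mode"] & 0o4000 and not old["mode"] & 0o4000:  # 0o4000 is the setuid bit
            report["setuid_gained"].append(rel)
    return report

def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a tiny fake root, tamper with it, then verify."""
    root = tempfile.mkdtemp()
    for rel, data in (("bin/ls", b"ls binary"), ("bin/cat", b"cat binary"), ("etc/hosts", b"hosts")):
        _write(root, rel, data)
    baseline = build_baseline(root)
    # Simulated compromise: trojaned ls, a dropped file, cat made setuid, hosts deleted.
    _write(root, "bin/ls", b"trojaned ls")
    _write(root, "tmp/.x", b"payload")
    os.chmod(os.path.join(root, "bin/cat"), 0o4755)
    os.remove(os.path.join(root, "etc/hosts"))
    return verify(root, baseline)
```

Run against a dead disk mounted read-only from a boot CD, as the original poster plans, the same `verify()` call works with `root` pointed at the mount point and the baseline loaded from wherever it was kept.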