Server hacked
Hi guys,
Recently my server was hacked. I have lots of questions for you Linux experts.

1. I was wondering if there is any turnkey solution to check out the vulnerabilities of the server, e.g. software that can simulate a hacker, try to hack into my server and then notify me of the vulnerability. The information on Linux security is just too overwhelming, so I was thinking there might be an easier solution for this. If not, then someone should try to compile one, as I believe it would benefit Linux newbies like me.

2. As for my server, someone hacked into it by uploading a phpmyshell program. But how can he gain access to other accounts from there?

3. He was dumb enough to leave traces in my /var/log/wtmp. I got his IP address and the time he logged in. I went to the FTP section and downloaded the raw FTP log. I nabbed that fella!

212.174.89.155 - - [25/Jun/2004:06:51:20 -0400] "GET / HTTP/1.1" 200 660 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; 118K501TUR)"

Went to http://www.ip2location.com/free.asp to check out the IP 212.174.89.155: "212.174.89.155 TR TURKEY". Got him! Then I used iptables to block the whole class C. OK, I am mean. lol

iptables -I INPUT -s 212.174.89.0/24 -j DROP

Now what should I do with it?

4. If he wasn't smart enough to cover his traces, I assume there must be a way for me to find out which files he modified, right? OK, how?

Thanks in advance for your help! I will update you guys regarding the situation.
Now that you have done your research, it is always recommended to format and reinstall the OS.
Don't forget to report him to his ISP.
The sad part is I am running a web hosting service, so reinstalling would mean my clients have to upload their sites again.
I will try to avoid this if possible; that is why I asked question number 4: "If he wasn't smart enough to cover his traces, I assume there must be a way for me to find out which files he modified, right? OK, how?" I wanted to just reverse the damage done to the system.
Take a look at the /var/log/security log and the messages log. They might give you some clues. If you were not running Tripwire before the break-in, then there is no telling what files the hacker changed or created.
I would be really surprised if the IP you got in your research turns out to be the culprit. More than likely, that is just the IP of a system the hacker compromised and used to run the exploit. And that IP is in Turkey..... good luck... he is long gone. The previous suggestion of format/reinstall is right. After the reinstall, but before putting the box back on the network, install and run Tripwire. It will create checksums for all your executables, so if anything changes, you will know. Later...
He is from Turkey. When he defaced the site it was showing some 'Turkish Pride' message with Turkish flags.
If you are really keen, take a dump of the disk for forensics. Repeat: format and reinstall the OS.
BTW, are your clients aware of this break-in?
They are aware of it. So it is impossible to reverse all the damage?
I really don't want to reinstall, as I have done many mods and configurations to the server.
Maybe it is possible to reverse all the damage.... but can you be sure there isn't just one more backdoor that has gone undetected?
You can always take a backup of your config files.
Anyway, ever since I used iptables to block the whole of Turkey from accessing my site, I have never had any more break-ins from them.
They used to break in like every day.
Just a thought... perhaps you can set up a honeypot just to monitor the TR user's intentions, etc.
You mean honeypot as in a real honeypot or some kind of Linux software?
Sorry, I'm new to Linux but I'm learning real fast.
If you do not want to reinstall, change your root password and user passwords. Make sure the passwords are safe (plenty of numbers and no dictionary words). Also consider setting up a firewall.
Which firewall do you recommend?