Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Recently my server was hacked. I have lots of questions for you Linux experts.
1. I was wondering if there is any turnkey solution to check the vulnerabilities of the server, e.g. software that simulates a hacker, tries to hack into my server and then notifies me of the vulnerabilities.
The information on Linux security is just too overwhelming, so I was thinking there might be an easier solution for this. If not, someone should try to compile one, as I believe it would benefit Linux newbies like me.
2. As for my server, someone hacked into it by uploading a phpmyshell program.
But how can he gain access to other accounts from there?
3. He was dumb enough to leave traces in my /var/log/wtmp.
I got his IP address and the time he logged in.
I went to the FTP section and downloaded the raw FTP log.
I nabbed that fella!
The sad part is I am running a web hosting service, so reinstalling would mean my clients have to upload their sites again.
I will try to avoid this if possible; that is why I asked question number 4.
4. If he wasn't smart enough to cover his traces, I assume there must be a way for me to find out which files he modified, right? OK, how?
I wanted to just reverse the damage done to the system.
Take a look at the /var/log/security log and the messages log. They might give you some clues. If you were not running Tripwire before the break-in, then there is no telling what files the hacker changed or created.
I would be really surprised if that IP you got in your research turns out to be the culprit. More than likely, that is just the IP of a system the hacker compromised and used to run the exploit. And that IP is in Turkey... good luck, he is long gone.
The previous suggestion of a format/reinstall is right. After reinstalling, but before putting the box back on the network, install and run Tripwire. It will create checksums for all your executables, so if anything changes, you will know.
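To make the Tripwire idea concrete: the point of a file-integrity baseline is that it only answers "which files changed?" if the checksums were recorded before the intruder arrived, which is exactly the OP's problem. The script below is an added example, not Tripwire and not code from anyone in this thread. It hashes every regular file under a directory, stores the baseline, and diffs a later scan against it; the directory contents and the "intruder" changes in demo() are constructed for illustration.

```python
"""
Added example (not Tripwire, not from the thread): a minimal file-integrity
baseline in the Tripwire spirit.  Hash every regular file under a directory,
store the result, and later diff a fresh scan against the stored baseline.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries stay out of RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map relative path -> {sha256, mode, size} for every regular file under root.

    Mode is recorded too: a setuid bit appearing on a binary is as much a
    warning sign as a changed hash.
    """
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # real tools also record symlinks and devices; kept out here
            st = p.stat()
            result[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return result


def save_baseline(snap: dict, dest: Path) -> None:
    """Write the baseline; in practice copy it to read-only or off-box storage."""
    dest.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or changed hash/mode/size."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake bin directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        root.mkdir()
        (root / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        (root / "ps").write_bytes(b"#!/bin/sh\nexec /bin/ps \"$@\"\n")
        (root / "netstat").write_bytes(b"#!/bin/sh\nexec /bin/netstat \"$@\"\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated intruder: a trojaned ps, a dropped backdoor, a deleted tool
        (root / "ps").write_bytes(b"#!/bin/sh\nexec /bin/ps \"$@\" | grep -v bd\n")
        (root / ".bd").write_bytes(b"backdoor payload")
        (root / "netstat").unlink()

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats a practitioner would add: the baseline file and the hashing tool itself must live somewhere the intruder cannot rewrite (read-only media or another host), otherwise a root-level attacker simply re-baselines after installing the backdoor; and the scan must run from a trusted kernel and userland, since a kernel rootkit can show the original file contents to the checker while executing something else.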
Quote:
Originally posted by XavierP
Don't forget to report him to his ISP.
If he has got a router in his home and a proxy server in Iran, it will not do much good to report him to his ISP, as they would probably tell you to speak to their chairman or the police, and most crackers above the age of knowledge don't like to get arrested.
Quote:
I wanted to just reverse the damage done to the system.
There may be other trojans/backdoors lurking there which you might detect pretty late. And until you weed out all the compromised programs, you will be giving them time to carry on their activities.
If you are really keen, take a dump of the disk for forensics. I repeat: format and reinstall the OS.
Quote:
The sad part is I am running web hosting service so reinstalling would mean my clients have to upload their site again
Although there may be some downtime, you can rest assured that your new OS is free of all trojans that may be compromising your clients' data.
They are aware of it. So is it impossible to reverse all the damage?
I really don't want to reinstall, as I have done many mods and configurations to the server.
Anyway, ever since I used iptables to block the whole of Turkey from accessing my site, I have never had any more break-ins from them.
They used to break in like every day.
Quote:
Originally posted by cpanelskindepot
Anyway, ever since I used iptables to block the whole of Turkey from accessing my site, I have never had any more break-ins from them.
They used to break in like every day.
How did you block the whole of Turkey from accessing your web servers / proxy servers?
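The thread never says how the country block was built. The usual way is to take a per-country list of allocated CIDR blocks from a regional registry and turn it into firewall rules: either one iptables DROP per range, or, far cheaper for long lists, one ipset hash:net set referenced by a single iptables rule. The script below is an added example, not the OP's configuration. The ranges in SAMPLE_RANGES are RFC 5737 documentation prefixes standing in for a real registry export, and the set name blocked_country and chain INPUT are assumptions. It only generates the commands; running them needs root and the ipset/iptables binaries.

```python
"""
Added example (not from the thread): turn a list of CIDR blocks into
ipset/iptables commands that drop all traffic from those ranges.  The ranges
below are RFC 5737 documentation prefixes standing in for a real per-country
allocation list; the set and chain names are assumptions.
"""
import ipaddress
from typing import List

# Constructed stand-in for a registry export.  A real country list is much
# longer and must be refreshed as allocations change.
SAMPLE_RANGES = """
# comments and blank lines are allowed
192.0.2.0/25
192.0.2.128/25    # adjacent to the line above: merged into 192.0.2.0/24
198.51.100.0/24
203.0.113.7       # a bare host becomes a /32
not-an-address    # junk lines are dropped rather than fed to iptables
"""


def parse_ranges(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one CIDR per line, skip junk, and merge adjacent/overlapping nets."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            continue
    return list(ipaddress.collapse_addresses(nets))


def ipset_rules(nets, setname="blocked_country", chain="INPUT") -> List[str]:
    """One hash:net set plus a single iptables rule: cheap even for thousands of nets."""
    cmds = [
        f"ipset create {setname} hash:net -exist",
        f"ipset flush {setname}",
    ]
    cmds += [f"ipset add {setname} {n.with_prefixlen} -exist" for n in nets]
    # -C checks for the rule first so re-running the script does not duplicate it
    cmds.append(
        f"iptables -C {chain} -m set --match-set {setname} src -j DROP 2>/dev/null || "
        f"iptables -I {chain} 1 -m set --match-set {setname} src -j DROP"
    )
    return cmds


def plain_iptables_rules(nets, chain="INPUT") -> List[str]:
    """Fallback without ipset: one DROP rule per range, evaluated linearly."""
    return [f"iptables -A {chain} -s {n.with_prefixlen} -j DROP" for n in nets]


if __name__ == "__main__":
    for cmd in ipset_rules(parse_ranges(SAMPLE_RANGES)):
        print(cmd)
```

As the earlier reply about a proxy in Iran already points out, geographic blocking only stops the noisy source, not the attacker, who can come back through a host in another country. The hole that let a phpmyshell be uploaded through the web application is still open, so this belongs alongside the reinstall and the application fix, not instead of them.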
If you do not want to reinstall, change your root password and user passwords. Make sure the passwords are safe (plenty of numbers and no dictionary words). Also consider setting up a firewall.