Hi guys,

Recently my server was hacked. I have lots of questions for you Linux experts.

1.And I was wondering if there is any turnkey solution to check out the vulnerabilities of the server. E.g. the software should be able to simulate a hacker and try to hack into my server then notify me of the vulnerability.

The information on Linux security is just too overwhelming so I was thinking if there is any easier solution for this. If not then someone should try compile one as I believe it would benefit Linux newbies like me.

2.As for my server, someone hacked into it by uploading phpmyshell program.
But how can he gain access to other accounts from there??

3. He was dumb enough to leave traces in my /var/log/wtmp
I got his IP address and the time he logs in.
I went to FTP section and downloaded the raw FTP log.
I nabbed that fella!

212.174.89.155 - - [25/Jun/2004:06:51:20 -0400] "GET / HTTP/1.1" 200 660 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; 118K501TUR)"

Went to http://www.ip2location.com/free.asp to check out the IP:212.174.89.155

"212.174.89.155 TR TURKEY"
Got him!

Then I used IP tables to block the whole class C IP.OK I am mean. lol
iptables -I INPUT -s 212.174.89.0/24 -j DROP

Now what should I do with it?

4. If he wasn't smart enough to cover his traces I assume there must be a way for me to find out which files he modified, right? OK how????

Thanks in advance for your help! I will update you guys regarding the situation.

now that you have done your research, it is always recommended to format and reinstall the OS.

Don't forget to report him to his ISP.

The sad part is I am running web hosting service so reinstalling would mean my clients have to upload their site again.

I will try to avoid this if possible that is why I asked question number 4.
4. If he wasn't smart enough to cover his traces I assume there must be a way for me to find out which files he modified, right? OK how????
I wanted to just reverse the damage done to the system.

Take a look at the /var/log/security log and messages log. Might give you some clues. If you were not running Tripwire previous to the breakin, then there is no telling what files the hacker changed or created.

I would be real surprised if that IP you got in your research turns out to be the culprit. More than likely, that is just a IP of a system the hacker compromised and used to run the exploit. And that IP is in Turkey.....good luck...he is long gone.

The previous suggestion of format/reinstall is right. After reinstall, but before putting the box back on the network, install and run Tripwire. It will create checksums for all your executables so if anything changes, you will know.

Later...

If he has got a router in his home and a proxy server in Iran, it will not do much good too report him to his ISP, as they would probably tell you to speak to their chairman or police and most crackers above the age of knowledge dont like to get arrested.

He is from Turkey. When he defaced the site it was showing some 'Turkish Pride' message with turkish flags.

There may be other trojans/backdoors lurking there which you might detect pretty late. And till the time you weed out all the compromised programs, you will be giving them time to carry on their activities.

If you are really keen, take a dump of the disk for forensics. Repeat, format and reinstall the OS.

Although there may be some downtime, you can be rest assured that your new OS is free of all trojans that may be compromising your clients' data.

BTW are your clients aware of this break-in?

They are aware of it. So it is impossible to reverse all damage?
I really don't want to reinstall as I have done many mods and configurations to the server.

May be it is possible to reverse all the damage.... but can you be sure there isn't just one more backdoor that has gone undetected?

You can always take a backup of your config files.

Anyway ever since I used IP tables to block the whole of Turkey from accessing my site I never had anymore break in from them.
They used to break in like everyday

jut a thought ... perhaps you can setup a honey pot just to monitor the TR user's intentions, etc.

Youmean honey pot as in real honeypot or somekinda linux software?
sorry Im new to linux but Im learning real fast.

How did you block the entire of Turkey from accessing your Web Servers / Proxy Servers?

If you do not want to reinstall. Change your Root password and User passwords. Make sure passwords are safe (plenty of numbers and no dictionary words). Also consider setting up a firewall.

Which firewall do you recommend?