LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-25-2007, 12:42 AM   #1
koodoo
Member
 
Registered: Aug 2004
Location: a small village faraway in the mountains
Distribution: Fedora Core 1, Slackware 10.0 | 2.4.26 | custom 2.6.14.2, Slackware 10.2 | 11.0, Slackware64-13
Posts: 345

Rep: Reputation: 33
someone's hacked our college server


Hi all,

I'm a student at a University. Lately we've been experiencing certain problems. Sometimes someone changes the i.p. address of our proxy server, or sometimes the port on which it runs is changed.
The server machine runs Solaris 10.

The common ports open on the server machine are...

1) ftp
2) ssh
3) finger
4) rcpbind
4) http-proxy

and a few others...

I'm not a network administrator... so I do not have access to the server machine. We've contacted our server administrator and are now trying to nab the culprit.

One thing we know is that, he's someone from our internal network. If I do a finger on the server machine I get an internal i.p. from which a root user had logged into the server.

Now, I'm very new to these kind of things and our Network administrator is also not that advanced. Could anyone give any pointers as to how we can nab the culprit.

One more question: Our network administrator is not available frequently, so mostly the scenario is that, I'm on an internal i.p. trying to access the net through the proxy server... and the hacker (who is also on an internal i.p.) chnages the proxy port/i.p. so that he can have all the bandwidth to himself.

Can I find who's doing this without actually logging in to the server machine. I've tried using tcpdump...but I don't know much about using it. Once the hacker has changed the proxy's port/i.p. only his web browser will have active tcp connections with the server. Can i somehow find his machine by analyzing the network traffic.
Thanks for any help.
 
Old 03-25-2007, 04:12 AM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 97
Hi.

(N.B. I'm assuming here that your proxy host is actually under attack, and that it's not just a weird config issue at play here, but I'm not sold either way.)

If you know the IP from where your attacker has logged in, then it shouldn't be a major problem to find out where the host is. Do a traceroute to the offending IP and find out which router she's connected to.

Some point of interest, though.

1) Your attacker has root on an outward facing server. This is a pretty serious issue, and implies that either the system is vulnerable to a remote exploit which can result in root access, or more likely, that someone has the root password for the system.

2) Why is this system running services like finger?

If you eventually get access to the system (you don't appear to be the admin, so I don't know how likely this is), run 'last' to find out where logins came from (if your attacker has root, though, then there's nothing stopping them from modifying the 'last' database). You might get some joy from running a snoop, to see where network traffic is going, but read the man page first to decide on a decent syntax to filter out legitimate traffic. netstat should show all the live connections to and from the box.

To be honest, though, if there's any doubt about the integrity of the system (especially as root access is involved), then get it off the network, and reinstall-and-patch after doing your forensics.

Dave

Last edited by ilikejam; 03-25-2007 at 04:25 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Server has been hacked, help please Seventh Linux - Security 11 09-26-2006 11:57 AM
Someone's trying to SSH into my Server msound Linux - Security 9 09-14-2005 08:21 AM
How to print at home from Linux server at college ekern Linux - Newbie 3 11-17-2004 08:12 PM
Is my server hacked? kazjol Linux - Security 3 10-10-2004 12:09 PM
server hacked!?!?! vittibaby Linux - Security 1 03-27-2004 12:31 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:16 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration