LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-18-2006, 12:54 PM   #16
msound
Member
 
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Rep: Reputation: 30

Quote:
Right, I can run remote commands but not sure if I am root. Are there any commands you suggest I run? I'll post what they give here.
I still think the best suggestion is to back up your data, have aplus.net reload the OS, and then start from scratch. Once your server has been compromised you can never be certain as to what the intruder did while they were in. Once the OS is reloaded, set up Tripwire and read some docs on how to secure SSH. For example, use strong passwords, use the AllowUsers parameter and set root login to no.
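The two sshd_config settings named above (PermitRootLogin no and an AllowUsers list) are easy to get wrong because sshd takes the first occurrence of a keyword and ignores later ones. The checker below is an added example written for this page, not code from the thread or from OpenSSH; the three sample configs, and the user names amantis and webadmin in them, are constructed for the example.

```python
"""Check an sshd_config for the two settings recommended above:
PermitRootLogin no and an explicit AllowUsers list.

Added example, not code from the thread. Parsing follows how sshd reads
its global options: keywords are case-insensitive, lines starting with
'#' are comments, and for single-valued keywords such as PermitRootLogin
the FIRST occurrence is the one that takes effect, so a hardened line
added below a permissive one changes nothing. List keywords such as
AllowUsers accumulate across lines in sshd; this check only needs to know
whether at least one non-empty list is present. Match blocks are skipped
(parsing stops at the first Match line), a simplification of this example.
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section, first value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional blocks are out of scope for this check
        settings.setdefault(key, value)  # keep the first occurrence only
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, message) findings; an empty list passes."""
    s = parse_sshd_config(text)
    findings = []
    root = s.get("permitrootlogin")
    if root is None:
        findings.append(("PermitRootLogin",
                         "not set; relies on the build default. Set it to 'no' explicitly"))
    elif root.lower() != "no":
        findings.append(("PermitRootLogin",
                         "effective value is '%s'. Set it to 'no'" % root))
    users = s.get("allowusers", "").split()
    if not users:
        findings.append(("AllowUsers",
                         "not set; every account with a shell may log in over SSH. List the expected users"))
    return findings


# Constructed sample configs; the user names are made up for the example.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
AllowUsers amantis webadmin
PasswordAuthentication yes
"""

# A hardening line appended below the old one: sshd keeps the first value.
ORDER_TRAP_CONFIG = """\
PermitRootLogin yes
AllowUsers amantis
# appended later, but ignored because PermitRootLogin was already set above
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("order trap", ORDER_TRAP_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against a copy of the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the "order trap" case is the one worth remembering, since appending a `PermitRootLogin no` line to a file that already says `yes` higher up leaves root login enabled.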
 
Old 10-18-2006, 12:58 PM   #17
RoaCh Of DisCor
Member
 
Registered: Apr 2004
Location: Washington State
Distribution: SuSE 9.3 / Slackware-Current
Posts: 701

Rep: Reputation: 30
Quote:
Originally Posted by Hangdog42
If I'm reading the OP correctly, the log he posted is from a different server. Those are ssh login attempts originating from his server, not trying to get into his server.
Ok, now I get it. That is very odd.

However, what if the SSH attempts were coming from webmin? Would that show that they were executed from OUR server?
 
Old 10-18-2006, 01:41 PM   #18
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by RoaCh Of DisCor
Ok, now I get it. That is very odd.

However, what if the SSH attempts were coming from webmin? Would that show that they were executed from OUR server?
My guess is that they would show as executed by the server Webmin is running on. However, I've never used Webmin for SSH access so I may be wrong about that. The one thing to keep in mind is that the log file in the original post very much resembles the kind of automated SSH attack that everyone sees. Given that log, I would not suspect someone using Webmin but rather a script.

Quote:
Originally Posted by x42bn6
Are there any commands to block that IP address? Or perhaps any other suggested commands?
May I point out that at this point you have no idea how your server was compromised, or even if it was compromised. I would suspect that the ssh script doesn't take root access to run, so it is possible that one of your approved users ran it, or your forum was compromised and the script run as the Apache user. Certainly the wipe and reinstall that msound has suggested is the only way to be certain your box is clean. However, you would need to make sure everything is upgraded and patched since doing that wipes out any chance of figuring out how the compromise took place. May I suggest that someone with root access start looking here for some ideas on where to go next.
 
Old 10-18-2006, 02:08 PM   #19
x42bn6
LQ Newbie
 
Registered: Oct 2006
Distribution: Ubuntu 9.10
Posts: 24

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Hangdog42
My guess is that they would show as executed by the server Webmin is running on. However, I've never used Webmin for SSH access so I may be wrong about that. The one thing to keep in mind is that the log file in the original post very much resembles the kind of automated SSH attack that everyone sees. Given that log, I would not suspect someone using Webmin but rather a script.

May I point out that at this point you have no idea how your server was compromised, or even if it was compromised. I would suspect that the ssh script doesn't take root access to run, so it is possible that one of your approved users ran it, or your forum was compromised and the script run as the Apache user. Certainly the wipe and reinstall that msound has suggested is the only way to be certain your box is clean. However, you would need to make sure everything is upgraded and patched since doing that wipes out any chance of figuring out how the compromise took place. May I suggest that someone with root access start looking here for some ideas on where to go next.
I have a good idea that the account "Amantis" was compromised. I just spoke with her and confirmed she didn't log into Webmin recently, so it must have been a hacker.

We aren't going to reinstall until our webhost replies again later, and definitely not if not required. I do have a good feeling about this, though. If we get any more issues, then I will post here again.
 
Old 10-18-2006, 02:50 PM   #20
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
I would caution against a premature declaration of victory here. If you suspect the Amantis account was compromised, it is possible you'll see evidence in the .bash_history file of what was done. It certainly can't hurt to look and see. Also, assuming you're right about the compromised account, there is the question of how it was compromised. A little shoulder surfing? Insecure password? Cracked software?

I'm also a touch confused about how Webmin plays into this. In most of the threads, it sounds like you are using SSH to access the server. However, if you are running Webmin on that server and accessing through that, you may have more trouble. Webmin is often run with root privileges so if that was the way they got in, they may have had root access.
 
Old 10-18-2006, 03:04 PM   #21
msound
Member
 
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Rep: Reputation: 30
I thought aplus.net used a web administration package called Plesk on their dedicated servers...
 
Old 10-18-2006, 03:45 PM   #22
x42bn6
LQ Newbie
 
Registered: Oct 2006
Distribution: Ubuntu 9.10
Posts: 24

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Hangdog42
I would caution against a premature declaration of victory here. If you suspect the Amantis account was compromised, it is possible you'll see evidence in the .bash_history file of what was done. It certainly can't hurt to look and see. Also, assuming your right about the compromised account, there is the question of how it was compromised. A little shoulder surfing? Insecure password? Cracked software?

I'm also a touch confused about how Webmin plays into this. In most of the threads, it sounds like you are using SSH to access the server. However, if you are running Webmin on that server and accessing through that, you may have more trouble. Webmin is often run with root privileges so if that was the way they got in, they may have had root access.
I know what you mean - I logged into Webmin as root and got the command shell as root too...

Here is .bash_history: can't see anything bad, though. But my guess was insecure password.
> more .bash_history
::::::::::::::
.bash_history
::::::::::::::
ifconfig
top
chkconfig
chkconfig--list
chkconfig --list
chkconfig
chkconfig --level 1
chkconfig --level 2
chkconfig --level 3
chkconfig --level
chkconfig --list | more
chkconfig
chkconfig --level 0123456 xinetd off
chkconfig --list | more
chkconfig --level 0123456 xfs off
chkconfig --level 0123456 netfs off
chkconfig --level 0123456 pcmcia off
chkconfig --level 0123456 rpcgssd off
chkconfig --list | more
chkconfig --level 0123456 rpcidmapd off
chkconfig --level 0123456 rpcsvcgssd off
chkconfig --list | more
chkconfig --level 0123456 mdmonitor off
chkconfig --level 0123456 portmap off
chkconfig --level 0123456 isdn off
chkconfig --list | more
chkconfig --list | more
chkconfig --level 0123456 nfslock off
chkconfig --list | more
chkconfig --list | more
chkconfig --level 0123456 cups off
chkconfig --level 0123456 readahead off
chkconfig --level 0123456 readahead_early off
chkconfig --level 0123456 gpm off
chkconfig --level 0123456 haldaemon off
chkconfig --list | more
sync
reboot
vi /etc/hosts
vi /etc/sysconfig/network
vi /etc/sysconfig/network-scripts/ifcfg-eth0
sync
reboot
top
ls
pwd
chkconfig --list | more
ifconfig
ping cox.net
ping cox.net
exit
top
netstat -ant
netstat -ant
top
netstat -ant
exit
ping cox.net
top
netstat -ant
netstat -ant
netstat -ant
netstat -ant
netstat -ant
netstat -ant
netstat -ant
vi /etc/sysconfig/rhn/sources
up2date -uf
rpm --import /usr/share/rhn/RPM-GPG-KEY
rpm --import /usr/share/rhn/RPM-GPG-KEY-fedora
up2date -uf
up2date -uf
netstat -ant
netstat -an
service iptables stop
up2date -uf
vi /etc/sysconfig/network-scripts/ifcfg-eth0
service network restart
netstat -ant
service iptables start
netstat -ant
up2date -uf
up2date -uf
sync
reboot
sync
halt
chkconfig --list | more
chkconfig --level 0123456 apmd off
chkconfig --level 0123456 rhnsd off
chkconfig --list | more
chkconfig --level 0123456 mDNSResponder off
chkconfig --list | more
chkconfig --level 0123456 nifd off
chkconfig --list | more
chkconfig --list | more
ping cox.net
vi /etc/sysconfig/iptables
vi /etc/hosts
sync
reboot
sync
halt
vi /etc/cron.monthly/up2date.cron
chmod 755 /etc/cron.monthly/up2date.cron
sync
halt
ping yahoo.com
vi /etc/selinux/config
rm -f /etc/ssh/ssh_host_*
vi /etc/sysconfig/network
vi /etc/sysconfig/network-scripts/ifcfg-eth0
ls
ftp 216.55.169.170
halt
passwd
vi /etc/hosts
vi /etc/sysconfig/network
vi /etc/sysconfig/network-scripts/ifcfg-eth0
vi /etc/hosts
rm -f /etc/ssh/ssh_host_*
reboot
ping yahoo.com
setup
service network restart
ping yahoo.com
halt
ftp 216.55.169.170
ls
rpm ?
rpm webmin-1.220-1.noarch.rpm
rpm zxbf webmin-1.220-1.noarch.rpm
exit
yum install webmin
yum search webmin
wget http://internap.dl.sourceforge.net/s...0-1.noarch.rpm
ls
rpm -ihv webmin-1.230-1.noarch.rpm
vi /etc/sysconfig/iptables
/etc/init.d/iptables restart
ls
rm webmin-1.2*
ls
yum upgrade
ls
cd /
cd /etc
vi proftpd.conf
cd ssh
vi sshd_conf
ls
vi sshd_coningf
vi sshd_confing
vi sshd_config
ls /var
iptables --list
php
locate php
updatedb
locate php
yum install php5
rpmfind
locate find
php
locate php
apachectl -t
apachectl
locate apachectl
cd /usr/sbin
apachectl
./apachectl
./apachectl -t
nano
nano /etc/httpd/conf/httpd.include
nano /etc/httpd/conf/httpd.conf
./apachectl -t
nano /etc/httpd/conf/httpd.conf
./apachectl -t
locate php.so
locate php4
exit
cd /etc
vi php.ini
service httpd restart
cd httpd
cd conf
ls
vi httpd.conf
service httpd restart
vi httpd.conf
service httpd restart
cd /var/www
ls
cd battlenetwork/
ls
cd ook
ls
more index.php
cdd includes
cd includes
ls
vi config.php
cd /var/log/httpd
ls
tail -f access_log
ls
tail -f error_log
php -i
cd /var/www
ls
ls -alh
cd battlenetwork/
ls
cd ook
ls
ls -alh
more Warn.php
more .htaccess
cdc /etc
cd /etc/httpd/conf
ls
vi httpd.conf
vi httpd.conf
ls
ls
ls
php --help
rpm -ql php
rpm -ql php |more
httpd
httpd -L
httpd -L | grep php
yum search php
yum search php |more
yum search php
yum search php | grep php
yum install mod_php
rpm -ql php
cd /usr/share/doc/php-4.3.11/
ls
more INSTALL
cdc /etc
cd /etc/httpd/conf
vi httpd.conf
service httpd restart
rpm -ql php
rpm -ql php |more
cd /etc/httpd/conf
vi httpd.conf
service httpd restart
service httpd restart
vi httpd.conf
ls
vi httpd.conf
exit
yum update
ls
exit
exit
cd /home/
ls
uname -a
updatedb
locate httpd.conf
vi /etc/httpd/conf/httpd.conf
cd /var/www/battlenetwork
ls
cd ook/
ls
vi index.php
vi /etc/php.ini
service httpd restart
vi /etc/httpd/conf/httpd.conf
vi /etc/httpd/conf/httpd.conf
locate httpd
service httpd restart
ls -al
cd install/
ls
cd ../
ls
vi includes/config.php
cd /var/lib/mysql/
ls
cd 1BfMaiN1
ls -al
cd ../
du -h 1BfMaiN1
cd 1BfMaiN1
du -h *
vi /var/www/battlenetwork/ook/includes/config.php
vi /etc/php.ini
service httpd restart
locate httpd
cd /var/log/httpd
ls
tail error_log
vi /etc/httpd/conf/httpd.conf
service httpd restart
cd /var/lib/mysql/
ls
du -h 1BfMaiN1
ls -al
cd /var/www/battlenetwork/
ls
vi test.php
ls -al
ls -al
cd ook/
ls
ls -al
cd ../
ls
ls -al
chown -Rh cr00k3d:cr00k3d ook/
tail /var/log/httpd/error_log
tail /var/log/messages
ls
cd ../
ls
cd cr00k3d/
ls
ls -al
cd ../
ls
cd battlenetwork/
ls -al
cd ook/
ls
vi index.php
ls
cd errorlog/
ls
cd ../
ls
cd archive/
ls
vi index.php
cd ../
mv index.php index.php.bak
cp archive/index.php index.php
vi index.php
cd ../
ls
cd ../
ls
cd BfMaiN/
ls
cd ../
ls
cd battlenetwork/
ls
cd ook/
ls
cd includes/
ls
cd ../
ls
cd in
cd install/
ls
mv install.php.renamed install.php
cd /var/lib/mysql/
ls
tar cvf 1BfMaiN1.bak.tar 1BfMaiN1/
ls
cd /var/www/
ls
cd battlenetwork/
ls
yum install ncftp
ncftp -u technik
ncftp -u technik 216.55.162.23
ftp 216.55.162.23
ncftp -u taylor void.gloom.org
ls
mv ook/ ook.bak/
mkdir mv vbulletin_3-0-3_15946fc1.zip ook.
ls
mkdir ook
cd mv/
ls
cd ..
rm -Rf mv
ls
mv vbulletin_3-0-3_15946fc1.zip ook/
cd ook/
ls
unzip vbulletin_3-0-3_15946fc1.zip
ls
cd upload/
ls
cd includes/
ls
mv config.php.new config.php.new
mv config.php.new config.php
vi config.php
ls -al
cd ../
cd install/
ls
cd /etc/yum.
cd /etc/yum.repos.d/
ls
yum upgrade
yum update
yum remove php
yum install php*
service httpd restart
yum remove php4_module
yum remove mod_php
yum remove mod_php4
yum install mod_php
rpm -qa | grep mod_
rpm -qa | grep php
locate httpd
locate httpd.conf
vi /etc/httpd/conf/httpd.conf
cd /var/www/
ls
cd battlenetwork/
ls
mv ook/ vbulliten_unzipped/
ls
mv ook.bak/ ook/
cd ook/
ls
vi index.php
mv index.php index.php.bak.2
mv index.php.bak index.php
ls
vi index.php
cd includes/
ls
ls -al
cd ../
ls
ls
cd /var/www/battlenetwork/
ls
cd ook
ls
cd ../
cd ook.bak/
ls
cd includes/
ls
vi config.php
cat config.php
q
w
ls
w
history
last
ls /var/www/
service psa stopall
w
history
/etc/init.d/webmin
/etc/init.d/webmin stop\
/etc/init.d/webmin stop
/etc/init.d/webmin start
/etc/init.d/webmin start
/etc/init.d/webmin restart
,ls
ls
locate webmin
exit
shutdown -h now
 
Old 10-19-2006, 07:01 AM   #23
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Here is .bash_history: can't see anything bad, though.
You would be a better judge of what is normal on your machine than I would, but this strikes me as odd:
Quote:
chown -Rh cr00k3d:cr00k3d ook/
Is cr00k3d a user and group that is supposed to be on this box? Also, was this the .bash_history from root or from the Amantis account? If it is from the Amantis account, then I might actually worry more because of the lack of signs of the cracking.
Quote:
But my guess was insecure password.
You guys are doing a lot of guessing here, and that could land you right back into hot water. From what you've posted, here is what we know as facts:

1) Your box was fingered as the culprit in an SSH dictionary attack.
2) The Amantis account has logins that cannot be accounted for by the legitimate owner.

That's pretty much all we know as facts, unless you're not telling us everything. And that is not enough to diagnose how the intruder got access. If this is as far as you're willing to go, then you really need to reinstall the OS because you don't know what happened. You need to make sure everything is fully patched and you need to make sure that all passwords and SSH keys (if you use them) are changed. Otherwise you do need to do more digging to find out what actually happened.

Your call.
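One way to turn the questions in the post above (is cr00k3d an account that belongs on this box, and which history lines deserve a second look) into a repeatable check over a .bash_history. This is an added example, not code from the thread; the account list and the history lines are constructed, modelled on the ones posted, and the 192.0.2.10 address and the wwwdata account are made up for the example. Two caveats a practitioner would want: .bash_history is written when a shell exits and can be trimmed or disabled by whoever used the account, so a clean history proves nothing; and a hit here means "verify this", not "this was the intruder".

```python
"""Triage a .bash_history against a list of accounts that belong on the box.

Added example, not code from the thread. It encodes the questions asked in
the post above: was ownership handed to an account that should not exist
(the chown cr00k3d line), and which other lines deserve a second look.
"""
import re

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TRANSFER_CMDS = {"ftp", "ncftp", "sftp", "scp", "wget", "curl"}
SECURITY_SERVICES = {"iptables", "webmin", "sshd", "auditd"}


def command_name(argv):
    """Basename of the first token, so /etc/init.d/webmin and webmin match."""
    return argv[0].rsplit("/", 1)[-1]


def triage_history(lines, known_accounts):
    """Return [(line_no, category, line)] for lines worth a second look."""
    findings = []
    for n, line in enumerate(lines, 1):
        argv = line.split()
        if not argv:
            continue
        cmd = command_name(argv)

        # 1. chown/chgrp to an owner or group not in the local account list
        if cmd in ("chown", "chgrp"):
            target = next((a for a in argv[1:] if not a.startswith("-")), "")
            names = [x for x in target.split(":") if x and not x.isdigit()]
            if any(x not in known_accounts for x in names):
                findings.append((n, "unknown-account", line))

        # 2. SSH host keys deleted: sshd regenerates them on the next start,
        #    and every client then sees a changed-host-key warning
        if cmd == "rm" and any("/etc/ssh/ssh_host_" in a for a in argv[1:]):
            findings.append((n, "ssh-hostkey-removed", line))

        # 3. file transfer addressed to a bare IP rather than a hostname
        if cmd in TRANSFER_CMDS and IP_RE.search(line):
            findings.append((n, "transfer-to-bare-ip", line))

        # 4. a security-relevant service stopped ("service X stop" or init script)
        stopped = False
        if cmd == "service" and len(argv) >= 3:
            stopped = argv[1] in SECURITY_SERVICES and argv[2] in ("stop", "stopall")
        elif argv[0].startswith("/etc/init.d/") and len(argv) >= 2:
            stopped = cmd in SECURITY_SERVICES and argv[1] == "stop"
        if stopped:
            findings.append((n, "security-service-stopped", line))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed inputs for the example: the account list and the history lines
# are modelled on the thread but are not the real box's data.
KNOWN_ACCOUNTS = {"root", "amantis", "cr00k3d", "apache"}
SAMPLE_HISTORY = [
    "ifconfig",
    "chkconfig --level 0123456 portmap off",
    "service iptables stop",
    "rm -f /etc/ssh/ssh_host_*",
    "ftp 192.0.2.10",
    "chown -Rh cr00k3d:cr00k3d ook/",
    "chown -R wwwdata:wwwdata /var/www",
    "/etc/init.d/webmin stop",
    "wget http://example.invalid/webmin-1.230-1.noarch.rpm",
]

if __name__ == "__main__":
    for n, category, line in triage_history(SAMPLE_HISTORY, KNOWN_ACCOUNTS):
        print("%3d %-26s %s" % (n, category, line))
    print(summarize(triage_history(SAMPLE_HISTORY, KNOWN_ACCOUNTS)))
```

On a real box the known-account set would come from /etc/passwd and /etc/group (`{l.split(":")[0] for l in open("/etc/passwd")}`), and the history from each account's home directory, one run per account so that you also learn which account the history belongs to.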
 
Old 10-19-2006, 07:09 AM   #24
x42bn6
LQ Newbie
 
Registered: Oct 2006
Distribution: Ubuntu 9.10
Posts: 24

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Hangdog42
You would be a better judge of what is normal on your machine than I would, but this strikes me as odd:


Is cr00k3d a user and group that is supposed to be on this box? Also, was this the .bash_history from root or from the Amantis account? If it is from the Amantis account, then I might actually worry more because of the lack of signs of the cracking.


You guys are doing a lot of guessing here, and that could land you right back into hot water. From what you've posted, here is what we know as facts:

1) Your box was fingered as the culprit in an SSH dictionary attack.
2) The Amantis account has logins that cannot be accounted for by the legitimate owner.

That's pretty much all we know as facts, unless you're not telling us everything. And that is not enough to diagnose how the intruder got access. If this is as far as you're willing to go, then you really need to reinstall the OS because you don't know what happened. You need to make sure everything is fully patched and you need to make sure that all passwords and SSH keys (if you use them) are changed. Otherwise you do need to do more digging to find out what actually happened.

Your call.
The giant post above you is .bash_history.

The problem is, reinstalling something like this is not going to be easy. Employing someone to fix this is beyond our financial means (most of us are still students).

We have banned a few IPs, disabled SSH, changed the root passwords, deleted Webmin accounts and changed ports... We can't find anything suspicious, .bash_history looks clean (cr00k3d is a known user)... We will keep digging, but if something happens, I (or we) will be back here.
 
Old 10-19-2006, 07:10 AM   #25
shawnbishop
Member
 
Registered: Dec 2005
Location: South Africa
Distribution: CentOS,Ubuntu,Fedora
Posts: 249

Rep: Reputation: 30
Good Day

To check if your box has been compromised, install Rootkit Hunter, which can be found at www.rkhunter.nl. Also, to prevent this again, use "DenyHost", which can be found at http://www.howtoforge.com/preventing...with_denyhosts . It works wonders for me and I can check who has tried a brute force SSH attack.
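What a DenyHosts-style tool does with the sshd log, as an added example written for this page (not DenyHosts' own code and not from the thread): count "Failed password" lines per source address and emit the hosts.deny entries once a threshold is reached. The sample log lines are constructed for the example using documentation-range addresses. Two caveats: the hosts.deny route only works for an sshd built with TCP wrappers support (libwrap), which OpenSSH dropped in 6.7, so newer systems block with a firewall rule or fail2ban instead; and this only ever shows who tried to get in, not how a box was taken over.

```python
"""Count failed SSH logins per source address from sshd log lines and emit
the hosts.deny entries a tool such as DenyHosts would write.

Added example, not DenyHosts' own code and not from the thread. It reads the
"Failed password for ..." lines sshd writes to the auth log; the sample log
below is constructed for this example.
"""
import re
from collections import defaultdict

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>(?:\d{1,3}\.){3}\d{1,3}) port \d+"
)

# Constructed sample log lines in the sshd syslog format of the period.
SAMPLE_AUTH_LOG = """\
Oct 18 11:02:01 web1 sshd[2201]: Failed password for invalid user admin from 192.0.2.5 port 4123 ssh2
Oct 18 11:02:03 web1 sshd[2203]: Failed password for invalid user test from 192.0.2.5 port 4125 ssh2
Oct 18 11:02:05 web1 sshd[2205]: Failed password for root from 192.0.2.5 port 4127 ssh2
Oct 18 11:02:07 web1 sshd[2207]: Failed password for invalid user oracle from 192.0.2.5 port 4129 ssh2
Oct 18 11:02:09 web1 sshd[2209]: Failed password for invalid user guest from 192.0.2.5 port 4131 ssh2
Oct 18 11:05:44 web1 sshd[2290]: Failed password for amantis from 198.51.100.7 port 51022 ssh2
Oct 18 11:05:51 web1 sshd[2292]: Accepted password for amantis from 198.51.100.7 port 51022 ssh2
"""


def count_failures(log_text):
    """Return {ip: (failed_attempts, set_of_usernames_tried)}."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m.group("ip")] += 1
            users[m.group("ip")].add(m.group("user"))
    return {ip: (attempts[ip], users[ip]) for ip in attempts}


def offenders(log_text, threshold=5):
    """Addresses with at least `threshold` failures, sorted."""
    return sorted(ip for ip, (n, _) in count_failures(log_text).items()
                  if n >= threshold)


def hosts_deny_lines(log_text, threshold=5):
    """hosts.deny entries in the 'sshd: address' form used by TCP wrappers."""
    return ["sshd: %s" % ip for ip in offenders(log_text, threshold)]


def looks_like_dictionary_attack(log_text, ip, min_users=3):
    """True if one address cycled through several different user names,
    which separates a scripted attack from a user mistyping a password."""
    stats = count_failures(log_text).get(ip)
    return bool(stats) and len(stats[1]) >= min_users


if __name__ == "__main__":
    for ip, (n, names) in sorted(count_failures(SAMPLE_AUTH_LOG).items()):
        print("%-15s %2d failures, %d user names, dictionary=%s"
              % (ip, n, len(names), looks_like_dictionary_attack(SAMPLE_AUTH_LOG, ip)))
    print("\n".join(hosts_deny_lines(SAMPLE_AUTH_LOG)))
```

The threshold and the "several different user names" test are the two knobs that matter: the single failure from 198.51.100.7 is a legitimate user mistyping once, and blocking on that would lock out your own people.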
 
Old 10-19-2006, 07:24 AM   #26
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Before anyone starts suggesting things to "fix" this (which you shouldn't (yet)) I think you should start investigating in a more methodical way. Please read Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html and post anything anomalous here. If it's too much to post, tarball up the results, logs, whatever and provide a D/L location.


// I also would like to applaud those who ask questions, shun guessing, doubt the completeness of the "evidence" and the validity of it all. Only the inquisitive approach can yield the "right" results. Keep up the good work.
 
Old 10-19-2006, 07:28 AM   #27
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by x42bn6
The giant post above you is .bash_history.
I know that. The question was which account it belonged to.

Quote:
Originally Posted by x42bn6
The problem is, reinstalling something like this is not going to be easy. Employing someone to fix this is beyond our financial means (most of us are still students).
That is certainly a concern, but you are going to have to weigh that against the possibility that you haven't closed the door on the cracker and your computer is going to get pulled off the net again because it's a platform for crackers.

Quote:
Originally Posted by x42bn6
We have banned a few IPs, disabled SSH, changed the root passwords, deleted Webmin accounts and changed ports...
All of which could be completely useless depending upon how the box was compromised. Which you don't know.

Quote:
Originally Posted by shawnbishop
To check if your box has been compromised, install Rootkit Hunter, which can be found at www.rkhunter.nl,
Good suggestion. That and chkrootkit would be a good thing to do.

Quote:
Originally Posted by shawnbishop
Also, to prevent this again, use "DenyHost", which can be found at http://www.howtoforge.com/preventing...with_denyhosts . It works wonders for me and I can check who has tried a brute force SSH attack.
Once again, these guys were not the victim of a brute force SSH attack, they were the source of it. They don't know how they were compromised.
 
Old 10-19-2006, 10:14 AM   #28
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by shawnbishop
root kit hunter, can be found at www.rkhunter.nl
No, we're at rkhunter.sourceforge.net.

Last edited by unSpawn; 10-19-2006 at 10:26 AM.
 
Old 10-19-2006, 10:15 AM   #29
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847

Rep: Reputation: 128
Quote:
Originally Posted by unSpawn
root kit hunter, can be found at www.rkhunter.nl
No, we're at rkhunter.sourceforg.net.
rkhunter.sourceforge.net?
 
  


Tags: beginner, dedicated, server, ssh