suspected hacking on RHEL 6.2
Hi there,
I have reason to believe my system has been hacked and would like some advice about what to do next. I should preface this post by pointing out that I am rather inexperienced with Linux systems; I have been using RedHat for some years with a very limited set of applications, but up until now have had full IT support. My current institution does not support Linux so I'm trying to resolve these issues alone, and am not really equipped to do so. I'm running RHEL 6.2 on a single workstation connected to a university network. In recent days I began noticing some strange errors and warning messages when performing ordinary operations, including the following:

1) ls returns the warning:
Summary output from rkhunter log file:
I'm also not sure whether these issues have the potential to infect external media attached to my computer. Is this a reasonable fear? Is there a way of checking this? Finally, and possibly most importantly, what security steps - other than regularly changing passwords - should I take to prevent this happening again? I have read a number of posts on this topic but wasn't able to decipher most of them. I'd really appreciate any assistance you can offer in this matter. Please let me know if you would like me to provide any further information. Thanks!
We'll address your questions wrt reinstalling and hardening later on. But first things first.
0. First of all please don't reboot the machine (but please indicate if you already did).
1. Please do not use this machine (or let it be used) anymore: use another one. If it's on the same subnet please ensure it's clean before using it.
2. If you have a router then (if possible: log and) block traffic to and from the machine. If you haven't or can't then if the machine has a wired connection then disconnect the cable. If it's wireless then bring the interface down.
3. Please attach the full rkhunter log file to your reply (do obfuscate your host name and IP address). If you do not feel like doing that then attach it to an email to me RSN. (As you can read from the Rootkit Hunter documentation) I'm at unspawn at hushmail dot com ;-p
OK, I've disconnected the network cable and attached the rkhunter log file. Thanks for any help you can offer!
Code:
[14:34:40] Warning: File '/sbin/ifconfig' has the immutable-bit set.
Code:
[14:35:17] Warning: cb Rootkit [ Warning ]
Code:
[14:36:15] Warning: Checking for possible rootkit strings [ Warning ]
As an encore you seem to have company:
Code:
[14:36:25] Info: Found password file: /etc/passwd
If you want to find out how / how long this has been going on you should save output and copy files to another machine or external storage for processing:
- /var/log/wtmp*, /var/log/btmp* and /var/log/lastlog,
- all system and daemon logs,
- a list of all files with ownership and MAC time stamps (as in 'find / -xdev -printf "\"%p\":%U:%G:%m:%T@:%A@:%C@:%Z\n" 2>&1 | tee /mnt/mountpoint/find.txt'),
- all users shell history files,
- router logs (if any).
Elif you want to move on then just say so.
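The collection step described in that reply, as an added example that is not part of the thread: a small POSIX sh function that copies the login records and logs, every account's shell history and a find listing with MAC time stamps to external storage. It takes the root path as a parameter so it works against a mounted copy of the suspect disk as well as the live system; the triage_collect name and the output layout are this example's own.

```shell
#!/bin/sh
# Triage collection for a host you suspect is compromised (constructed example, not from
# the thread). ROOT is normally "/" or a mounted copy of the suspect disk; OUTDIR must be on
# external storage, never on the suspect disk, so nothing there is overwritten or planted.
triage_collect() {
    root=${1%/}; root=${root:-/}
    out=$2
    mkdir -p "$out/logs" "$out/history" || return 1

    # 1. login records (wtmp*, btmp*, lastlog) plus every system and daemon log;
    #    -p keeps ownership and time stamps, which are evidence in themselves
    if [ -d "$root/var/log" ]; then
        cp -Rp "$root/var/log/." "$out/logs/"
    fi

    # 2. each account's shell history, named so the owner stays identifiable
    for h in "$root"/root "$root"/home/*; do
        [ -d "$h" ] || continue
        for f in "$h"/.*history; do
            [ -f "$f" ] && cp -p "$f" "$out/history/$(basename "$h")_$(basename "$f")"
        done
    done

    # 3. every file on the root filesystem with owner, group, mode and MAC times as
    #    epoch seconds: "path":uid:gid:mode:mtime:atime:ctime. The post's command also
    #    prints %Z (SELinux context); that needs findutils built with SELinux support.
    find "$root" -xdev -printf '"%p":%U:%G:%m:%T@:%A@:%C@\n' > "$out/find.txt" 2> "$out/find.err"

    # 4. hash everything collected so later tampering with the copy is detectable
    (cd "$out" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + > SHA256SUMS)
}
```

Run it as root with the external drive mounted, e.g. triage_collect / /mnt/mountpoint/triage, and keep the SHA256SUMS file somewhere separate from the copy it describes.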
What's my next move? Thanks for all your help so far!
OK, moving on. In short: Inform, backup, install, harden.
I. Inform
Rootkit installations are quite exceptional these days. Compromised systems can be used as springboard. Without further analysis there is no time line or point of origin. If this machine is owned by the institution or is part of an institutional network then the IT dept should be informed of the breach so they can decide if an investigation is needed or not. If your machine was used by other people (local account or as authenticated user of a service) then inform them of the breach as well.

II. Backup
If you kept regular backups fine, else backup
0) only human readable configuration files from /etc (and other common locations like /usr/local/etc)
1) your /home/ directory contents and
2) the whole of /var
to external storage. The /etc configuration files (no passwd, group or shadow!) serve as reference, meaning you copy relevant lines but not complete files and not without inspection. Your /home/ directory should contain configuration files and documents but not any binaries. Backing up /var is for reference too (wrt log analysis). If you have a router then change the admin password and ensure any port forwarding is disabled for now.

III. Installation
Before you install an (any) OS you should be aware of the basics. CentOS documentation resides at http://www.centos.org/docs/ and TUV (aka RHEL) documentation resides at https://access.redhat.com/knowledge/.../?locale=en-US. Review at least the Installation and Deployment guides. If your IT department has installation then follow those. Use the CentOS 6.3 DVD (or netboot ISO) and let the installer reformat the partitions. Select workstation mode, meaning an OS without network accessible services. When creating accounts ensure you change the password for root and for your personal account. Do not install software you do not need right now.

IV. Hardening
If your IT department has hardening guidelines follow those. Check the firewall. For a quick can run 'yum install -y system-config-firewall-tui && system-config-firewall-tui' and ensure no unwanted ports are open[1]. Check SELinux is activated (system-config-securitylevel). Check unwanted and unnecessary services are deactivated (chkconfig or system-config-services). Check basic authentication (the "options" section of system-config-authentication). Check user accounts (passwd and chage or system-config-users) for password aging, shell usage[2].

Install or check availability of: iptables, audit service, Sudo, AIDE (or tripwire), GNU Tiger (www.nongnu.org/tiger/), Logwatch (set detail to "High" and configure a non-root email address), fail2ban (the latter requires the EPEL repo). Run Tiger and review its report. Review how you're going to be alerted of crucial software updates. Check and test your backup process. Confirm the warnings and alerts you're sending go to an email address where somebody actually regularly reads email. Otherwise alerting makes no sense.

Review the RHEL 6 Security Guide, the NSA Hardening Tips For Default Installation of RHEL 5 and the NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5. Finish off by doing another Tiger run and comparing the reports, address any leftover issues and if you want to check against the Cisecurity RHEL 5 benchmark.

V. The Rest ;-p
Now you have a basic workstation you can add network services to. Before you do that this would be a good moment to make a baseline backup. That's about it. Any questions just ask.

[1] A minimalistic workstation firewall (/etc/sysconfig/iptables) could look like:
Code:
*filter
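Only the first line of that footnote's ruleset survived in the thread. As an added example (not unSpawn's own file), here is one way to write out a workstation-only /etc/sysconfig/iptables in the iptables-save format that RHEL 6's iptables service loads at boot, assuming a host that exposes no services at all; the write_workstation_firewall and count_input_accepts names are this example's own.

```shell
#!/bin/sh
# Writes a minimal "no inbound services" ruleset in iptables-save format, the layout
# /etc/sysconfig/iptables uses on RHEL 6. Constructed example; OUTFILE is a parameter
# so the result can be reviewed (or diffed against the live file) before it is installed.
write_workstation_firewall() {
    outfile=$1
    cat > "$outfile" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is needed by local services (X, cups, dbus) and is safe to allow
-A INPUT -i lo -j ACCEPT
# drop packets that belong to no known connection before doing anything else
-A INPUT -m state --state INVALID -j DROP
# replies to connections this workstation opened itself (dns, yum, outbound ssh, web)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# answer ping, rate limited, so the network team can still reach the host
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# log what the policy is about to drop, throttled so the logs stay readable
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT drop: " --log-level 4
# explicit final drop (the chain policy already drops; this keeps the intent visible)
-A INPUT -j DROP
COMMIT
EOF
}

# Count the ACCEPT rules in INPUT: this workstation profile has exactly three
# (lo, established/related, rate-limited ping). Any more means a service was opened.
count_input_accepts() {
    grep -c '^-A INPUT .*-j ACCEPT$' "$1"
}

# Typical use on the rebuilt host, as root:
#   write_workstation_firewall /etc/sysconfig/iptables
#   service iptables restart && iptables -L -n -v
# Re-run count_input_accepts after every change: a new -A INPUT ... -j ACCEPT line
# should only ever appear because you deliberately added a service.
```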
Hi, thanks for all that. I've reinstalled RedHat and am working my way through the hardening measures, but I'm having trouble running tiger. I keep getting the error
Thanks.
Code:
%init006e