LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-06-2001, 05:21 PM   #1
nabil
Just noticed that all my redhat 7.0 Linux root file system is set to user "toor" as owner and "root" as group owner????
What the heck is that???? Where did this come from???
Can anybody shed some light for me here...Did I get hacked or something?????


Thanks,..
 
Old 02-06-2001, 05:50 PM   #2
devnull
Sounds very much like you've been hacked ;-)
 
Old 02-06-2001, 05:51 PM   #3
devnull
Sounds very much like you've been hacked ;-)
Check your /etc/passwd and /etc/group for that user.
And also have a look at the timestamps of these files.
You should also consider a look into your message files!
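One way to do the passwd/group check devnull describes, as an added example that is not from the thread: parse the two files and flag a second UID-0 account, login accounts the admin never created, and non-root members of the GID-0 group. The sample files and the KNOWN_USERS set are constructed assumptions.

```python
# Audit /etc/passwd- and /etc/group-style text for the signs devnull asks
# about: a second UID-0 account ("toor"), login accounts the admin never
# created ("c4du"), and strangers in the GID-0 group.  Sample files are
# constructed to mirror the thread; KNOWN_USERS is an assumption.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nabil:x:1000:1000:Nabil:/home/nabil:/bin/bash
c4du:x:1004:1004::/home/c4du:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:root,toor
wheel:x:10:root,nabil
c4du:x:1004:
"""
KNOWN_USERS = {"root", "daemon", "nabil"}  # accounts the admin actually created

def parse_passwd(text):
    """Yield (name, uid, gid, home, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        yield name, int(uid), int(gid), home, shell

def audit_passwd(text, known_users=KNOWN_USERS):
    """Sorted findings: extra UID-0 accounts and unknown accounts in the user range."""
    findings = []
    for name, uid, _gid, home, shell in parse_passwd(text):
        if uid == 0 and name != "root":
            findings.append(f"extra UID-0 account: {name} (home {home}, shell {shell})")
        elif uid >= 1000 and name not in known_users:
            findings.append(f"unknown login account: {name} (uid {uid}, home {home})")
    return sorted(findings)

def audit_group(text):
    """Findings for any non-root member listed in a GID-0 group."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        if int(gid) == 0:
            findings += [f"non-root member of GID-0 group {name}: {m}"
                         for m in members.split(",") if m and m != "root"]
    return findings
```

Feed it copies of the files read from a clean boot medium rather than through the suspect box's own tools, since those binaries may themselves have been replaced.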
 
Old 02-06-2001, 05:55 PM   #4
devnull
I forgot: did you install and run tripwire after setting up your LINUX-Box? If so (and I hope so) do a "tripwire --check".
Do you have a firewall?
 
Old 02-06-2001, 06:21 PM   #5
nabil
I did not install tripwire after...I did configure something with tripwire after installation though, but that was a few days back!...But most importantly is this new user I discovered called C4DU, which was logged in from some European domain that ends with .br instead of .com, and he must have broken in using port 10000, which I use for webadmin remote administration, and had specified a user to create new user accounts that start with 1000 PID... he was 1004...
Now my login screen shows "Virtual server (C4DU)" on my server console screen and every time I telnet and try to login...I found some program called "BNC" in /home/c4du...I think it's some kind of IRC program or something...
What I did is changed the root password and did a chown on all root and system file systems except /home, then deleted the users "toor" and "c4du"....

Damn it, I destroyed my system file permissions, I bet....
Luckily it's a fairly new install and most of the services, including my mail and web site, are still functional...

I will have to install of course to be sure...

It does sound like someone hacked my box....Damn it Redhat...I had SuSE running for 2 years with no problems, and now I went and spent $180.00 to get Redhat 7.0 so a week later I get hacked...


What is with the tripwire thing anyway????

 
Old 02-06-2001, 06:45 PM   #6
nabil
Here is what I got when I did #tripwire --check

[root@viper /root]# tripwire --check
### Error: File could not be opened.
### Filename: /var/lib/tripwire/viper.twd
### No such file or directory
### Exiting...
[root@viper /root]#


To be honest with you, I don't even know what tripwire is!!!!
 
Old 02-06-2001, 08:30 PM   #7
mjakob
Ah, Tripwire... Tripwire is a program that tells you what has been hacked, after it has been hacked. First of all, you must actually go and download it. RedHat cannot distribute it due to the national encryption laws. In short, they cannot export US encryption technology out of the USA.

Anyway, after you download it and install it, you tell tripwire which files you want it to watch via a policy file included with the program. You can usually start with it as is and customize it to fit your system later. After you initialize the policy file, Tripwire uses the policies to build a database that represents the system file system.

Now, had you installed Tripwire and built the database, you could run it with the --check file as recommended by devnull. This would give you a list of any file system changes made since the database was made. Thus, this would insure you about the integrity of the system and you could say with confidence that the things you've found are the only things that have been changed by the hacker.

Typically, I run Tripwire mostly on Firewalls that have a filesystem that rarely changes. Then, I set up a cron job that does a scan every night and emails the results to me. Actually, it is already set up in the program when you install it.

It doesn't do anything to prevent getting hacked, but it will tell you that you've been hacked, and it also gives you a guide as to what's been hacked. In your current case, it looks like the intruder wanted to borrow a box to run an IRC bot and that's it. Maybe, maybe not. Tripwire will tell you for sure and you may have been able to avoid a re-install.

You can download tripwire and get some instructions at http://www.tripwire.org. I believe Tripwire HowTo can also be found at redhat.com.

As far as RedHat 7.0 goes, it's the newest thing out. If you have an application that is more than just fun, I would recommend using a slightly older version, say 6.2, with all known patches applied. Others have gone through with 6.2 what you're going through now with 7.0. Might as well benefit from their knowledge.
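A minimal version of the init/check cycle mjakob describes, added here as an illustration and not Tripwire's own code: record hash, mode and owner of every file as a baseline, then diff the live tree against it so that replaced binaries, new files, deleted files and ownership or permission changes (such as a chown to "toor") all show up. The demo() tree, its file names and contents are constructed.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of the file's contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_baseline(root):
    """Like `tripwire --init`: record hash, mode and owner of every regular file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets and device nodes
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = (
                file_digest(full), st.st_mode, st.st_uid, st.st_gid)
    return baseline

def check_baseline(root, baseline):
    """Like `tripwire --check`: list files added, removed or changed (content,
    permissions or ownership, so a chown to "toor" counts) since the baseline."""
    current = build_baseline(root)
    both = set(current) & set(baseline)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if current[p] != baseline[p])}

def _put(root, rel, body):
    """Fixture helper: write body to root/rel, creating parent directories."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(body)

def demo():
    """Constructed scenario: baseline a small tree, then alter it the way the
    thread describes (trojaned ls, new bouncer, a deleted file, a mode change)."""
    with tempfile.TemporaryDirectory() as root:
        _put(root, "bin/ls", b"original ls")
        _put(root, "etc/motd", b"Red Hat Linux release 7.0\n")
        _put(root, "etc/hosts", b"127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        _put(root, "bin/ls", b"trojaned ls")             # binary replaced
        _put(root, "home/c4du/bnc", b"irc bouncer")       # file added
        os.remove(os.path.join(root, "etc/motd"))         # file removed
        os.chmod(os.path.join(root, "etc/hosts"), 0o700)  # same content, new mode
        return check_baseline(root, baseline)
```

As with the real tool, the report is only as trustworthy as the baseline: build it on a freshly installed, fully configured system and keep it somewhere the box itself cannot rewrite.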
 
Old 02-07-2001, 03:54 AM   #8
nabil
I did have it installed already, but unfortunately I thought I had it configured right, but it was not, because it was not working all along..Just checked root email and found messages about tripwire:
**** Error: Tripwire database for viper not found. ****
**** Run /etc/tripwire/twinstall.sh and/or tripwire --init. ****
It looks like the worst was that I had some users' email disappearing, as in read before they did...Also displaying "Virtual server (C4DU)" every time I try to login to my box...I was able to delete his account and kill the toor account, and also removed all file ownership from toor back to root..
I don't feel comfortable though...I will reinstall this weekend...At least I am able to backup all sendmail and apache configuration files...
BTW: I believe he broke in thru Webmin, "the popular remote web based system configuration and administration program", running under port 10000.
 
Old 02-07-2001, 06:15 AM   #9
devnull
Looks to me like you have installed the tripwire rpm but you did not run the twinstall script in /etc/tripwire. To gain the full effect of tripwire you have to install your UNIX/LINUX-Box, install all the extra stuff you want, adjust your config files and THEN run the tripwire --init command! But read also the documentation on tripwire!

You should think about building up a security policy for your site.
What about a firewall? At least a small one with ipchains?
Also have a look at intrusion-detection software like portsentry (along with logcheck). I think portsentry would have blocked the hacker's attack!

If you want to do a reinstall (recommendable), make a complete backup of all important filesystems (/root, /etc, /usr/lib, /boot, etc.) after that and keep them in a safe place.

Check for all suid files, remove telnet, rsh, rcp etc..
What services are running on your box? Do you need them all?
There are a lot of things you can do to drive a script-kiddie mad :-)

Don't blame RedHat for what has happened. Every Linux distro is not very secure if it is installed out-of-the-box. Also SuSE (I don't like it).
You as the admin of your site are responsible for how good your system is. That means also that you have to check for security updates, bug fixes etc.
Also keep in mind that all that GUI stuff like webmin makes a hacker's life more convenient.

BTW: it was not a European domain (I should know that) the attack was launched from. "br" = Brazil
But maybe the hacker was just fooling you with that ;-)
 
Old 02-07-2001, 07:52 AM   #10
mjakob
Ya, last time I had a box get hacked, the guy dropped a cute little root kit in my box. It replaced EVERYTHING! Even the ls command was replaced. Without a good tripwire report, it's tough to know what to trust and what not to trust. When you can't trust your ls command, it's time to nuke the system.

-Mark
 
Old 02-07-2001, 04:51 PM   #11
nabil
The thing is, when you run a web server and email server and must have telnet and ftp ports open, then it is hard to maintain a firewall to control that. My mistake was running webmin, which is how he got in in the first place. Really the only thing which I seriously need to start thinking about is a good backup and restore plan...That's more important than a firewall..cause there always would be someone smart enough to break thru any firewall..either that or might as well close all ports and have a useless server. Anyway, I am glad I caught it in time before he was able to destroy all my system and users' files...
It looks ok now except it shows "Virtual Server (C4DU)" when trying to telnet instead of REDHAT 7.0....see for yourself, telnet: 64.188.241.141..Does anybody know where to change that for now..I will reinstall everything on Saturday anyway....My environment is pretty small so it would be very easy to reinstall and reconfigure everything...
 
Old 02-07-2001, 05:04 PM   #12
mjakob
In the real world, you wouldn't run your webserver/ftpserver on the same machine as your firewall. You would run the smallest machine possible as a firewall and place the real servers behind it on a masqueraded network. Then, you would use ipportfw to forward port 80 to your webserver, 21 to your FTP server, so on and so on. Most hacking that gets done would get done on your firewall, which should be easy to restore since the filesystem should rarely change at all. I have built firewalls with 2 identical drives with identical filesystems and only hooked up one and left the other in the case unattached to anything. When bad things happen, I can swap drives in less than five minutes and still have the damaged drive intact to see just what the hacker did and how he did it. It's cheap insurance.

--Mark
 
Old 02-07-2001, 05:07 PM   #13
mjakob
/etc/redhat-release should read "Red Hat Linux release 7.0 (Guinness)"

Check to see what yours says.

--Mark
 
Old 02-07-2001, 05:38 PM   #14
nabil
Thanks mjakob! for the advice...but I am really not that pro in linux, tho I do ok in setting up stuff...I would really like to setup a firewall... I do have an extra 486 that I can use..Would you help out in how I would do that or direct me to a good site that has some step by step on how to design that.. I would really appreciate it....I would host your own domain for you with email support for free if you could help me out...My server is dedicated 24X7 on the net with about 3 Web sites and email and about 5 to 10 users...Dual P-III 500 with 10,000 rpm scsi hard drives..

Let me know if you feel like helping out..I can provide you with a shell account if you wanna do it remotely....
 
Old 02-07-2001, 05:51 PM   #15
mjakob
I don't mind helping someone out at all. Helping someone is another form of learning. If you want to set up a firewall, set up a machine with 2 network cards and load Linux up on it. Give me a shell account and I'll work with you on it. If you have multiple IP addresses that you can use, you could hook them up side by side so your server is still functional until the firewall is ready, and then move the server behind the firewall. They say a 486 will work fine as a firewall, but I have had bad luck getting NICs and things to work fine. If you've got it, go ahead and try to set it up. Otherwise, try and get ahold of an old pentium something or other. Email me if you need help.

--Mark
 
All times are GMT -5.