LinuxQuestions.org
Old 02-21-2006, 02:13 AM   #16
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57

1 month (at least) with a compromised webserver, you should really take it offline and reinstall.
No need to try to remove or kick these sessions, your machine is compromised, you d.o.n.t know what is really running. Using kill -9 would kill the process. lsof might help.

Next time consider using tripwire/samhain/... so that at least you know which files have been modified by the cracker.

More generally, read the LQ Security Reference post at the beginning of this forum so that next time, you have something to analyse. Now it's hopeless.
 
Old 02-21-2006, 02:52 AM   #17
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 54
Please - you really should not leave this machine online any longer.
You might not even be able to "kick" anyone off that machine anymore. It could also well be that the system tells you you "kicked" someone off - but really you did not...there is nothing you can trust anymore on that machine!
If there are root-logins which you don't know anything about, they are able to do virtually anything - and probably already have done something to ensure that they are able to keep their access to this machine - and likely use it to send spam out to the world or whatever. If you leave the machine online you are acting really irresponsible because this compromised machine is very probably doing harm to others by now in the form of using your machine to send faked email or using it to crack other machines using your ip and name and/or the names of all the users on your machine BTW.
You have like 30 e-mail-boxes on there. It's not hard to back them up and reuse the data on a new install.
You will find advice on that even here if you ask. But you can do that while being offline.
The worst case: if they notice you trying to kick them off "their" machine they could just say to themselves: Well - let's see who the boss is - if we are not going to use that machine - nobody is - especially not the person who really is (rather: was) root...
rm -rf /var/mail && rm -rf /home/* && rm -rf /
And there you are - without your precious mailboxes and they even cleaned out the machine for you...

Last edited by jomen; 02-21-2006 at 02:53 AM.
 
Old 02-21-2006, 03:00 AM   #18
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
I think in these cases, we should help the user to reinstall his system.
This is in general easy to do with Linux. Administrators are scared of losing anything while reinstalling, that's why they wait, they wait. And their machine becomes a zombie, effectively harming others.

Just for fun, to the OP, can you compare the output of this command
Code:
for i in /proc/*/cmdline; do tr '\0' ' ' < "$i"; echo; done
with the output of this command:
Code:
ps aux
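As an added example (my own script, not nx5000's code), a small POSIX sh script that makes the comparison above mechanical: it lists the PIDs the kernel exposes under /proc and the PIDs ps reports, and prints any PID that appears in /proc only. A trojaned ps, or a library-level rootkit that filters directory listings, hides processes from ps, but a plain shell glob over /proc still sees the PID directories. All function names are my own.

```shell
#!/bin/sh
# Added example, not part of the thread: cross-check the process list the
# kernel exposes under /proc against what ps reports. A user-space rootkit that
# replaces ps (or hooks the libc calls it uses) can hide entries from ps, but a
# plain glob over /proc still sees the PID directories. Function names are mine.

# PIDs present as /proc/<pid> directories, one per line.
list_proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue        # glob did not match: no /proc here
        echo "${d#/proc/}"
    done
}

# PIDs as reported by ps, one per line ("pid=" suppresses the header).
list_ps_pids() {
    ps -eo pid= | tr -d ' '
}

# pids_missing_from CANDIDATES REFERENCE: print every PID in the first
# newline-separated list that is absent from the second. Pure text work, so it
# can be checked on constructed lists without touching /proc.
pids_missing_from() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    printf '%s\n' "$1" | sort -u > "$a"
    printf '%s\n' "$2" | sort -u > "$b"
    comm -23 "$a" "$b"                 # lines only in the candidate list
    rm -f "$a" "$b"
}

# Live scan: PIDs visible in /proc that ps does not report. Processes that
# exit between the two snapshots show up as false positives, so run it twice
# and only chase PIDs that are flagged both times.
find_hidden_pids() {
    pids_missing_from "$(list_proc_pids)" "$(list_ps_pids)"
}

if [ -d /proc ] && command -v ps >/dev/null 2>&1; then
    hidden=$(find_hidden_pids)
    if [ -n "$hidden" ]; then
        echo "PIDs in /proc but not in ps; inspect /proc/<pid>/exe and /proc/<pid>/cmdline:"
        echo "$hidden"
    else
        echo "no discrepancy between /proc and ps"
    fi
fi
```

On a rooted box the ps binary itself may lie, so copy a known-good ps and coreutils from clean media before trusting even this check.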
 
Old 02-22-2006, 12:56 AM   #19
istvank
Member
 
Registered: Dec 2005
Distribution: CentOS 5.8
Posts: 34

Original Poster
Rep: Reputation: 15
You know what is unbelievable! I saw that my server was under attack, but I was unable to do anything. And now I'm certain: if you're under attack, you're f%^&#d. I was hacked by bruteforce, which took, I don't know... 2 months?? At least what I can do is use passwords that I can't remember, so I have to save them on a flash drive or write them in my agenda. The flash drive is not safe, I might lose data. If I do backups I increase the risk of exposing my passwords DB. If I write them in my agenda, that's something primitive, anybody can look in my agenda and see my passwords... Slowly but surely I'm becoming paranoid. Now among you there are a few who know things. Please take a look at my questions:
- How can I restrict root from logging in (ssh/telnet)? I mean no root login, just normal login and then su
- How can I limit the number of attempts of unsuccessful logins (ssh/telnet/ftp)?
- If I restore all my qmail accounts, is there a possibility that my hacker knows all the email passwords??
- When I reinstall, I will use another root password. What else do I have to change? I have Qmail, SAMBA (only for the LAN) and vsftpd.
- How the hell was I picked by hackers out of millions of servers???
 
Old 02-22-2006, 12:56 AM   #20
istvank
Member
 
Registered: Dec 2005
Distribution: CentOS 5.8
Posts: 34

Original Poster
Rep: Reputation: 15
Don't worry! Today I'm going to reinstall my server!
 
Old 02-22-2006, 03:23 AM   #21
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 54
One is really f%^&#d as you put it, from the moment he sees a root-login and knows it is not legitimate.
From that moment on you can't be sure that anything you do is actually done or has the effect it is supposed to have.
Quote:
How can I restrict root from logging in (ssh/telnet)? I mean no root login, just normal login and then su
right on the first page of this thread: http://www.linuxquestions.org/questi...d.php?t=340366 (it is a sticky thread from the security forum BTW) you will find useful info on this - especially what jayjwa said
Quote:
How can I limit the number of attempts of unsuccessful logins (ssh/telnet/ftp)?
NO telnet! ssh does all these things too and better!
On the third page of the thread I mentioned AAnarchYY mentioned "authfail" and it looks like the thing you want - this is a quite comprehensive thread and you should take some time for it and related matters.
Quote:
If I restore all my qmail accounts, is there a possibility that my hacker knows all the email passwords??
Not only the possibility - I'd take this as given fact and change all passwords and instruct the users to NOT change it back to the old ones again (and implement a policy to ensure strong passwords while you are at it).

For sure you need to have a firewall running!
Quote:
How the hell was I picked by hackers out of millions of servers???
Because it seemed worth it - or it was easy - or both...or just plain bad luck? - no, there is no such thing...
You might have had services running which gave info about your machine to anyone and made it look a good target - this includes the qmail and samba but starts at the prompt someone is given when trying to connect.

You should also try to do an analysis of what happened - because it can help you with the next setup when you know how they got in - but I doubt that you will find anything after that long a time.
Keep the system up to date / watch for and install security updates...

On http://www.grc.com/ (ShieldsUp) for example there is a - probably limited - opportunity to get your machine checked over the net.

Take care!

Last edited by jomen; 02-22-2006 at 03:28 AM.
 
Old 02-23-2006, 12:36 AM   #22
istvank
Member
 
Registered: Dec 2005
Distribution: CentOS 5.8
Posts: 34

Original Poster
Rep: Reputation: 15
Server is reinstalled. It doesn't work of course, but I'll figure it out somehow with the help of a few enthusiastic friends.
But I have a complaint and this is a general phenomenon on linux forums. When a newbie asks a question it is so hard to answer straight, like: look for x.y file, it should be here or there, edit it, look for this parameter, if it doesn't exist, create it, and give this value to it.
Why do I have to read 1000 topics then and end up with Google looking for a straight answer?
I'm frustrated...
 
Old 02-23-2006, 01:01 AM   #23
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,288

Rep: Reputation: 378
Unfortunately, life is seldom that simple (even on Windows). This is particularly true when it comes to security. Maintaining a secure system isn't just about plugging in some magic values in some configuration files. There are things you can configure to make your system more secure (read the stickied thread at the top of this forum for some good advice), but you as the administrator have to take an active role. By the time your machine is the victim of a root compromise, as was the case this time, it's already too late.

By and large, I think you've gotten some good advice in this thread. We're not trying to be abstruse or frustrate you, but merely to tell you what the commonly accepted best way of handling things is. Let me reiterate--security and incident response are complicated topics that don't lend themselves to quick fixes in case of problems. If your media player was broken or your X server stopped working, someone could probably give you the recipe you desire. In your case, the only trustworthy recipe available is reinstall and follow the advice here to make sure this never happens again.

Also, FWIW I've been in your shoes dealing with a rooted system. It's not fun, I know. Fortunately I had a friend to help me out, since I was still a real n00b at that point (several years ago, and sometimes I think I'm still a real noob). What I'm trying to say is that we're trying to help you as best we can, and your frustration is not abnormal.
 
Old 02-23-2006, 02:53 AM   #24
istvank
Member
 
Registered: Dec 2005
Distribution: CentOS 5.8
Posts: 34

Original Poster
Rep: Reputation: 15
Now I'm really starting to get pissed off.
The last -i command after clean install, with a huge root password:
root pts/3 80.86.108.34 Thu Feb 23 08:17 still logged in
root pts/2 80.86.108.34 Thu Feb 23 08:03 still logged in
root pts/0 81.12.248.100 Thu Feb 23 07:58 still logged in
reboot system boot 147.117.12.0 Thu Feb 23 07:43 (01:02)
root pts/2 81.12.248.100 Wed Feb 22 19:04 - 21:53 (02:48)
root pts/0 81.12.248.100 Wed Feb 22 18:52 - 20:05 (01:12)
reboot system boot 41.89.4.0 Wed Feb 22 18:50 (13:55)
root pts/3 81.12.248.100 Wed Feb 22 18:34 - down (00:14)
root pts/2 80.86.108.34 Wed Feb 22 17:24 - down (01:24)
root pts/0 81.12.248.100 Wed Feb 22 17:17 - down (01:30)
reboot system boot 106.211.11.0 Wed Feb 22 17:16 (01:32)
root pts/3 81.12.248.100 Wed Feb 22 16:58 - 17:10 (00:12)
root pts/1 81.12.248.100 Wed Feb 22 16:55 - down (00:18)
reboot system boot 253.22.14.0 Wed Feb 22 16:52 (00:21)
root pts/5 81.12.248.100 Wed Feb 22 15:39 - down (01:11)
root pts/2 81.12.248.100 Wed Feb 22 15:32 - down (01:19)
root pts/2 212.10.13.0 Wed Feb 22 14:52 - 14:59 (00:06)(not friendly)
root pts/4 80.86.108.34 Wed Feb 22 14:50 - down (02:00)
root pts/3 118.229.4.0 Wed Feb 22 14:44 - 14:56 (00:12)(not friendly)
root pts/3 213.166.7.0 Wed Feb 22 14:29 - 14:35 (00:05)(not friendly)
root pts/2 211.103.10.0 Wed Feb 22 14:28 - 14:52 (00:24)(not friendly)
root pts/1 59.41.13.0 Wed Feb 22 14:27 - down (02:23)(not friendly)
root :0 0.0.0.0 Wed Feb 22 14:27 - down (02:23)(what is this)
reboot system boot 47.105.7.0 Wed Feb 22 14:27 (02:23)
root pts/2 246.158.7.0 Wed Feb 22 14:17 - 14:25 (00:07)(not friendly)
root pts/1 40.77.12.0 Wed Feb 22 14:13 - 14:25 (00:11)(not friendly)
root :0 0.0.0.0 Wed Feb 22 14:13 - 14:25 (00:11)(what is this again)
istvan pts/1 248.48.15.0 Wed Feb 22 14:12 - 14:13 (00:01)(not friendly)
istvan :0 0.0.0.0 Wed Feb 22 14:12 - 14:13 (00:01)(again?)
root pts/1 115.140.3.0 Wed Feb 22 14:05 - 14:12 (00:06)(not friendly)
root :0 0.0.0.0 Wed Feb 22 14:05 - 14:12 (00:07)(what?)
reboot system boot 76.39.5.0 Wed Feb 22 13:58 (00:27)

This is a very similar last -i to before formatting and reinstalling.
Somebody please explain this last -i result...
 
Old 02-23-2006, 03:04 AM   #25
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Quote:
Originally Posted by istvank
Server is reinstalled.
Good, it didn't take you so long to reinstall it in fact!
The only problem I see (from a constructive/perfectionist point of view) is that you don't really know how they got in, or do you?
Did you have a simple root password? Or could someone have found this password (a friend gave it by email to another friend, this email got hacked,..)?
If you want to have a secure password policy, you can:
Password MUST contain:
->lowercase letters
->uppercase letters
->numbers or punctuation
Don't use a word
Don't only do things like "s3cr3t", it is known by bruteforcers.

To generate a pseudo random password:
Code:
dd if=/dev/urandom bs=16 count=1 | uuencode -
then write it on your agenda, put it under your pillow. NOT on your PDA!

Don't reuse a password
Don't use the same password as for your email or any other machines
Change your password every 1 month (boring I know)


As soon as you have reinstalled (that means NOW), install an integrity checker, do it !!
Run nessus on your box.
Take great care if you use php in apache.

Good luck.
 
Old 02-23-2006, 03:52 AM   #26
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Quote:
root pts/1 115.140.3.0 Wed Feb 22 14:05 - 14:12 (00:06)(not friendly)
This address is a "whole network" address so it should not be possible to set an interface to this address. There is something I don't understand, maybe some program corrupted your file.
what gives
Code:
last -o
?

Quote:
root :0 0.0.0.0 Wed Feb 22 14:05 - 14:12 (00:07)(what?)
This is you doing an su

Do you have a firewall? Does it show connections from these addresses?
 
Old 02-23-2006, 04:20 AM   #27
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 54
The answer you were getting - I can only speak for me - was indeed not a recipe for a couple of reasons.
1.) I don't own a server (nice ambiguity - but it is neither one) - but I do know some things on how to set one up - that is why I pointed you to the information instead of copying+pasting a config-file - which also would need explanation BTW (as to why this setting here and not another for example...)
This was not to offend you but to help - it is my opinion that the best help to others is in teaching them how to help themselves...everything else is far less effective.
2.) this is then the next reason: you should know something about your setup - or know where to find information in case you don't.
Giving a recipe which does not work out for you (...there are a hundred reasons for this) and which would largely consist of information already out there would make you none the wiser and - in a sense - the person who gave the recipe would be to blame if it does not work out (...for the above mentioned hundred reasons...).
3.) the most important question (ssh) is indeed directly answered where I directed you

...on to the more constructive part...

root pts/1 115.140.3.0 Wed Feb 22 14:05 - 14:12 (00:06)(not friendly)
whois does not return anything on this - could be on your local network?

root pts/1 40.77.12.0 Wed Feb 22 14:13 - 14:25 (00:11)(not friendly)
login from an American provider - ten minutes after you booted a freshly installed system?

In this case there has to be a serious bug in some of the programs - or someone knows the password...
Or sshd is running and set up to give access without one? I don't know - look!
You should only go online with a system which is finished setting up - I mean no services running until you are all updated and configured

root :0 0.0.0.0 Wed Feb 22 14:05 - 14:12 (00:07)(what?)
that is you logged in locally


root pts/1 59.41.13.0 Wed Feb 22 14:27 - down (02:23)(not friendly)
this comes from a Chinese provider

whois 212.10.13.0
Cable-provider in Denmark

whois 118.229.4.0
Provider in the UK

whois 211.103.10.0
provider in China

whois 59.41.13.0
another Chinese provider

Last edited by jomen; 02-23-2006 at 04:22 AM.
 
Old 02-23-2006, 05:03 AM   #28
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
wow you have friends all over the world!
I really hope you installed a few things from the sticky POST, like integ checker, rkhunter,..
 
Old 02-23-2006, 08:00 AM   #29
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by jomen
In this case there has to be a serious bug in some of the programs
There used to be a bug in older versions of Redhat/Fedora/Mandrake that would display false IPs in the output of the last command, but that only would appear for local X logins via gdm. So I don't believe that's what we're seeing here, could be some unknown bug though...

root :0 0.0.0.0
As stated, it's a local X session login for root. The :0 represents the X display number.

It would be really informative to install on a system without a network connection and see if any IPs appear. Also, did you fully update once you've installed?
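As an added example (my own script, not from any poster), a triage pass over `last -i` records that applies what nx5000 and Capt_Caveman say above: the `:0` / `0.0.0.0` rows are local X sessions, interactive root logins from the network are listed for review, and peer addresses with a zero host octet, which nx5000 suspects are corrupted records, are set aside as suspect rather than trusted. The allowlist argument and all function names are my own; the sample records are copied from istvank's post.

```shell
#!/bin/sh
# Added example, not from the thread: triage `last -i` output. It separates
# local X logins (tty ":0", peer 0.0.0.0) from interactive root logins over the
# network, and flags peer addresses with a zero host octet as suspect records
# that need a whois or a firewall log to confirm. Names are my own.

# triage_last [ALLOWLIST]: read `last -i` records on stdin and print one
# classification line per record worth a look. ALLOWLIST (hypothetical) is a
# space-separated set of admin addresses not reported as remote root logins.
triage_last() {
    awk -v allow="${1:-}" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF < 3 || $1 == "reboot" || $1 == "wtmp" { next }   # boot markers, log header, blanks
    $2 ~ /^:[0-9]+$/ && $3 == "0.0.0.0" {                # local X display, no network peer
        printf "LOCAL_X      %s on display %s\n", $1, $2; next
    }
    $3 ~ /\.0$/ {                                        # host octet 0: suspect record
        printf "SUSPECT_ADDR %s from %s via %s\n", $1, $3, $2; next
    }
    $1 == "root" && $2 ~ /^pts\// && !($3 in ok) {      # interactive root from the network
        printf "REMOTE_ROOT  root from %s via %s\n", $3, $2
    }'
}

# Records copied from istvank's post above; his "(not friendly)" notes are dropped.
sample_last_output() {
    cat <<'EOF'
root pts/3 80.86.108.34 Thu Feb 23 08:17 still logged in
reboot system boot 147.117.12.0 Thu Feb 23 07:43 (01:02)
root pts/2 212.10.13.0 Wed Feb 22 14:52 - 14:59 (00:06)
root :0 0.0.0.0 Wed Feb 22 14:27 - down (02:23)
istvan pts/1 248.48.15.0 Wed Feb 22 14:12 - 14:13 (00:01)
root pts/0 81.12.248.100 Wed Feb 22 17:17 - down (01:30)
EOF
}

sample_last_output | triage_last
# Live use: last -i | triage_last "203.0.113.10"   (your own admin address)
```

Every REMOTE_ROOT line should match an "Accepted" entry in /var/log/secure and a connection in the firewall log; a root session with no such trace is exactly the discrepancy the posters above are asking about.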
 
Old 02-24-2006, 01:19 AM   #30
istvank
Member
 
Registered: Dec 2005
Distribution: CentOS 5.8
Posts: 34

Original Poster
Rep: Reputation: 15
The thing which is bothering me is that, if I look at the bright side, maybe I should not reinstall my server. But at least I don't see hostile IPs still logged on.
There is no way on earth that somebody hacked in to my system because of a weak root password and you cannot guess a password which is more than 15 characters long (and is not my name). Plus after I set up my internet connection the 1st thing was yum -y update. That is true, that all of the hostile IPs in the log are before the system update, which makes me think that there are exploits for CentOS 4.2 x86_64. This is pretty weird because CentOS is an OS based on RHEL source.
I couldn't find any "Accepted password for root" in the /var/log/secure from hostile IPs, which makes me believe that the system is safe and I'm sure that there won't be any hostile IPs connected to my server, even if I drop the firewall, only because of the strong passwords and the system kept up-to-date.
 
  

