LinuxQuestions.org
Linux - Security
Old 03-20-2006, 03:37 AM   #1
zaraasran
LQ Newbie
 
Why does IRC show up when I exec netstat


Hi people,

I am a newbie to Unix. I installed an NIS server and a mail server using qmail, and currently it seems that perhaps I got attacked, but I am not really sure. My computer is directly connected to the internet and when I ran netstat -ptav, it showed an active Internet connection to an IRC server (I think), which is oslo1.no.eu.undern:ircd . Could anybody advise me what I should do?
Thank you for your attention

Sin
 
Old 03-20-2006, 06:54 AM   #2
unSpawn
Moderator
 
Hello there and welcome to LQ.

Quote:
when I called netstat -ptav, it showed an active Internet connection to IRC server (I think), which is oslo1.no.eu.undern:ircd .
oslo1.no.eu.undernet.org[0] is an IRC server, that is correct.


Quote:
it seems that perhaps I got attacked, but I am not really sure.
Well, let's make sure then. What you need to do is the following:
1. make sure the box is (back) under your control,
2. check for signs of abuse,
3. verify the integrity of the box,
4. Take appropriate steps to make sure this doesn't happen again.

1. make sure the box is (back) under your control
Be able to control your box before you continue. Here's a script to help you:
Code:
#!/bin/sh
# Use a fixed, known-good PATH so a trojaned binary placed earlier in the
# user's PATH is not picked up instead of the real tool.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
# The leading backslash bypasses any shell alias (matters if you paste these
# lines into an interactive shell where "ps" or "netstat" may be aliased).
# Everything is appended to ./log so it survives the drop to runlevel 1.
echo Network info |tee -a ./log; \netstat -aelnp 2>&1 |tee -a ./log
echo Process info |tee -a ./log; \ps auxwwwe 2>&1 |tee -a ./log
echo Opened files |tee -a ./log; \lsof -n 2>&1 |tee -a ./log
echo User info |tee -a ./log; \who -a 2>&1 |tee -a ./log
echo User info |tee -a ./log; \w -l 2>&1 |tee -a ./log
# Drop to single-user mode: network services stop and remote users are cut off.
telinit 1 2>&1 |tee -a ./log
If all is well you're in runlevel 1. If not, power down.
If you are, back up the logfile to log.1 and run it again, then power down.
If you run a router in front, make sure it logs traffic.

2. check for signs of abuse
Boot a LiveCD (or into runlevel 1 if you have none), remount the disks read-only and check out these files/logs:
- the previously saved ./log,
- /etc/passwd /etc/shadow /etc/gshadow and look for accounts that were added,
- issue "last -50", "lastb", "faillog -a" and check for failed logins,
- look for setuid binaries in unusual places or with unusual names: find / \( -perm -04000 -o -perm -02000 \) -ls
- system logs (check out /etc/syslog.conf for locations and also include any ksymoops dir if you have one) and application logs for any anomalous activity.

3. verify the integrity of the box.
- If you previously installed, configured and ran a filesystem integrity checker like Aide, Samhain or even tripwire now would be a good time to check. If you didn't you don't need to install one now: too late.
- Any distribution that uses the rpm package manager can easily verify package contents (rpm -V). If you don't use rpm, find out what your distro's package manager can do for you wrt verification. The scope for package managers is narrow: they can only check what's installed.
- Check your system with Chkrootkit and Rootkit Hunter. If you didn't install those and you have no other box to download and compile it on use the LiveCD (not recommended): or set up your firewall to deny inbound traffic before you go to runlevel 3.

Post back any info. If you want to include logs (scrub your IP first!) and they're large, compress them and offer a (temporary) D/L location. If you can't manage that you are allowed to attach it and send it to me by email; if the size is over two megs I'd appreciate an early warning before DoSsing my mailbox :-]


* It would be helpful if you fill in your OS/distribution/release info in your profile or give that information up front.
* Also, using the "-n" flag with netstat will make it *not* resolve IP addresses, which makes netstat faster and gives you output that can come in handy when you've got a slow resolver or a huge list of connections to work with.
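The "check for signs of abuse" step above (added accounts in /etc/passwd, setuid files in odd places) as a set of shell functions. This is an added example, not code from unSpawn's post: the functions take their input files and directories as arguments so they can be pointed at a read-only mount of the suspect disk from a LiveCD (e.g. /mnt/etc/passwd, /mnt) rather than at the live, possibly subverted system. The sample passwd file and the UID 1000 cut-off for system accounts are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Functions for the step-2
# checks, written over explicit input paths so they can be run against a
# read-only mount of the compromised disk instead of the running system.

# Constructed sample /etc/passwd for demonstration (not from a real system):
# 'toor' is a second UID-0 account, 'dbsvc' is a service account that has
# been given an interactive shell.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/:/bin/sh
sin:x:1000:1000:Sin:/home/sin:/bin/bash
dbsvc:x:105:108::/var/lib/db:/bin/bash
EOF

# Every account with UID 0 other than root. Attackers commonly add a second
# root-equivalent login rather than change root's password.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# System accounts (UID below 1000; an assumed cut-off, check UID_MIN in
# /etc/login.defs for your distro) whose shell is neither nologin nor false,
# i.e. service accounts someone made interactive.
system_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# Setuid/setgid regular files under $1 that are NOT inside the directories
# where they normally live ($2.. , relative to $1, e.g. usr/bin bin sbin).
# The parentheses around the two -perm tests matter: without them -ls/-print
# binds only to the setgid test and plain setuid files are never reported.
suid_outside_expected() {
    root=$1; shift
    prune=""
    for d in "$@"; do
        prune="$prune -path $root/$d -prune -o"
    done
    # $prune is deliberately left unquoted so it word-splits into find arguments.
    find "$root" $prune \( -perm -04000 -o -perm -02000 \) -type f -print | sort
}

# Usage against a mounted suspect disk:
#   extra_uid0 /mnt/etc/passwd
#   system_accounts_with_shell /mnt/etc/passwd
#   suid_outside_expected /mnt bin sbin usr/bin usr/sbin usr/lib usr/libexec
```

Anything reported by the third function still has to be judged by hand (some distros keep setuid helpers under /usr/lib or /opt), but a setuid shell under /tmp or a home directory is a clear sign.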
 
Old 03-20-2006, 09:17 AM   #3
zaraasran
LQ Newbie
 
Hi again,

Thank you for your reply. Yes, I think the box is under my control, and I don't think there are any strange behaviours in the log files and account files, such as /etc/passwd, /etc/shadow and /etc/gshadow.
I also executed "last -50", "lastb", "faillog -a" but it all seemed natural.
One thing that captured my mind is the firewall setting. I am using ipchains, and I already set up some chains for the forward option, but I haven't set up the chains for the output option. I thought that setting it up using the forward option would be enough, but perhaps I was wrong. I am trying to set it up using the output option now. Any comments?

Sin
 
Old 03-21-2006, 02:46 AM   #4
nx5000
Senior Member
 
Quote:
3. verify the integrity of the box,
4. Take appropriate steps to make sure this doesnt happen again.

Still 2 points!

Nice post unSpawn
 
Old 03-22-2006, 09:17 PM   #5
zaraasran
LQ Newbie
 
I just found it yesterday, but I am afraid that I would have to wait. I used lsof, ps and netstat, and I found that there was actually one process that was connected to an IRC server using my friend's login name, at least that's what I think. I saved the logs, and I am planning to ask my friend if he did execute some programs which are connected to IRC, but unfortunately, he is out of town and out of reach too, so I guess I would have to wait.
Anyway about step 4, what should I do? I think you explained only three steps before.
Thank you in advance.

Sin
 
Old 03-23-2006, 02:28 AM   #6
nx5000
Senior Member
 
What I do is (if your box has a rootkit installed you would only see what the cracker wants you to see):
* plug in a sniffer and filter for IRC traffic: with ethereal or tcpdump you will see all traffic.
* strace -p <pid_of_process> -o logfile : you will see all system calls.
These two steps wouldn't show you how the possible cracker (maybe only your friend, as you say) got in:


About step 4, to be sure this doesn't happen again you have to find out how it happened first (which is the most complicated step: look in the log files, if they have not been modified.. integrity), then correct your error, and maybe make a test yourself. That's basic quality management, which is synonymous with logic..



You see the common problem here: integrity. If you're not sure you found the cause, you can't be sure you're still not compromised; then reinstall and install an integrity checker on a clean box, otherwise analysis can lead to partial/wrong results.
 
Old 03-23-2006, 07:23 AM   #7
unSpawn
Moderator
 
Quote:
* plug a sniffer and filter for irc traffic: ethereal, tcpdump you will see all traffic.
If you're going down that road and you haven't run any recent version of Chkrootkit it would be good to *first* check if any network devices are in promiscuous mode already (/sbin/ip link show).


Quote:
* strace -p <pid_of_process> -o logfile : you would see all system calls
Like you said, if syscalls are subverted in the kernel you won't see a thing. There are some tools to check (depending on the rootkit and method used) for rootkit existence. Some of them are in Chkrootkit and Rootkit Hunter (upcoming versions of Chkrootkit and Rootkit Hunter should show improvements wrt detection), some of them are external tools like unhide, skdet, skdetect, checkIDT, checksysmap. Note that compiling tools should always be done on another, verified clean, box. If unsure, just boot a LiveCD. This will not give you current process, network or user info but a clean view of the system.


@zaraasran: (this isn't directed at you alone,) I can't understand what keeps people from reading a post from start to end and answering all stuff in full and systematically; maybe you could enlighten me. Of course it's your own decision, but if you had followed my reply and executed the tasks I asked you to, it would have been much more efficient.
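Before attaching tcpdump or strace to the suspicious process (nx5000's suggestion above), it helps to tie that process's sockets to the kernel's TCP table so you know exactly which peer and port to filter on, and to run the promiscuous-mode check unSpawn mentions. The following is an added example, not code from either post: it reads /proc/PID/fd and /proc/net/tcp the same way netstat -p and lsof do, and parses "ip link show" output for the PROMISC flag. The sample TCP table and ip link output are constructed for the example, using documentation addresses. Everything here comes through the running kernel, so, as unSpawn says, a kernel rootkit can hide or falsify it; treat the result as a first view to act on, not as proof of a clean system.

```shell
#!/bin/sh
# Added example, not from the original posts: map a process's socket inodes
# to remote endpoints via /proc/net/tcp, and detect interfaces in PROMISC mode.
# All data is read through the (possibly subverted) running kernel.

# Constructed sample of /proc/net/tcp (documentation addresses, not a real
# capture). Row 0: a listener on 0.0.0.0:22. Row 1: an established connection
# from 10.0.0.5 to 192.0.2.10 port 6667 (the common IRC port), UID 1000,
# socket inode 67890.
SAMPLE_TCP=$(mktemp)
cat > "$SAMPLE_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0500000A:C4A2 0A0200C0:1A0B 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
EOF

# Constructed sample of "ip link show" output: eth0 is in promiscuous mode.
SAMPLE_IPLINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP'

# /proc/net/tcp stores the IPv4 address as 8 hex digits in host byte order,
# so on x86 the octets come out reversed; the port is 4 hex digits in network
# order. Converts "0A0200C0:1A0B" to "192.0.2.10:6667".
decode_tcp_addr() {
    h=${1%%:*}; p=${1##*:}
    o1=$((0x$(printf '%s' "$h" | cut -c7-8)))
    o2=$((0x$(printf '%s' "$h" | cut -c5-6)))
    o3=$((0x$(printf '%s' "$h" | cut -c3-4)))
    o4=$((0x$(printf '%s' "$h" | cut -c1-2)))
    printf '%s.%s.%s.%s:%s\n' "$o1" "$o2" "$o3" "$o4" "$((0x$p))"
}

# Hex state column to the names netstat prints (the two that matter here).
tcp_state() {
    case $1 in
        01) echo ESTABLISHED ;;
        0A) echo LISTEN ;;
        *)  echo "STATE_$1" ;;
    esac
}

# Socket inodes held open by a PID: each /proc/PID/fd/N that is a socket
# resolves to "socket:[inode]".
socket_inodes() {
    for fd in /proc/"$1"/fd/*; do readlink "$fd"; done 2>/dev/null |
        sed -n 's/^socket:\[\([0-9]*\)\]$/\1/p'
}

# For each inode given, print "inode remote_addr:port STATE" from the TCP
# table file $1 (normally /proc/net/tcp). Inodes not in the table are UDP,
# unix or IPv6 sockets and are skipped.
tcp_peers_for_inodes() {
    table=$1; shift
    for ino in "$@"; do
        awk -v ino="$ino" 'NR > 1 && $10 == ino { print $3, $4 }' "$table" |
        while read -r rem st; do
            printf '%s %s %s\n' "$ino" "$(decode_tcp_addr "$rem")" "$(tcp_state "$st")"
        done
    done
}

# Interface names whose flag list contains PROMISC, from "ip link show" on stdin.
# A sniffer you did not start is a strong hint the box is already owned.
promisc_ifaces() {
    sed -n 's/^[0-9]*: \([^:]*\): <[^>]*PROMISC[^>]*>.*/\1/p'
}

# Usage on a live system, with the PID from ps/netstat -p/lsof as in the thread:
#   tcp_peers_for_inodes /proc/net/tcp $(socket_inodes "$PID")
#   ip link show | promisc_ifaces
```

Once the peer is known, the tcpdump filter is specific (for the sample, "host 192.0.2.10 and port 6667") and a write-to-file capture with -w keeps the evidence intact instead of relying on what the process lets you see.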
 
Old 03-24-2006, 03:21 AM   #8
zaraasran
LQ Newbie
 
I think this is for unSpawn:
Well, I am very grateful for your advice and opinion, and I would like to do the things that you've said systematically. But to be honest, I don't know about everyone else, but in my case, since I am a newbie, I don't really understand most of the terms that you've said in your post and I was a little bit ashamed if I had to ask such "trivial" matters. Therefore, I checked out some articles on the Internet, and I tried some new functions that I just figured out. I didn't even know that there is a function called traceroute. Well, I think that's about it. I am sorry for that, but please be patient and guide me. I do really want to become a Linux expert, but I think that will take time.

Sin
 
Old 03-24-2006, 05:17 AM   #9
unSpawn
Moderator
 
Thanks for clearing things up a bit.

Quote:
since I am a newbie, I don't really understand most of the terms that you've said in your post
Next time please ask for clarification. I mean, that's what we're here for: to help you help yourself, innit?


Quote:
and I was a little bit ashamed if I had to ask such "trivial" matters.
IMHO there are no stupid questions. *Not* asking, that's stupid.


Quote:
I am sorry for that, but please be patient and guide me.
No need to apologise. Apparently it's me being too technical. There are however good reasons why I posted the steps (and in that order) in my first reply. So if you think you can't proceed, please try to post questions before wandering off. Anyway. Seems you show the right attitude by looking for info yourself and trying out stuff. Heh. That's more than some people do. Don't let things or people scare you off. Just take your time and try to finish those last steps nx5000 and I posted about.
 
  

