Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-28-2004, 05:08 PM   #1
parv
help! machine was hacked and cannot reboot or shutdown.


I am unable to reboot/shutdown my machine after I found that it was hacked by someone from Romania. I am running FC2, kernel 2.6.7-1. Currently, I have changed the firewall rule. I turned off requests by all means, no ssh, www, etc. And do not trust eth0 either. So I cannot login to this machine from outside, but I still feel uncomfortable working right now. I guess there must be some program running monitoring me, since I just cannot reboot or shutdown the machine except by turning off the power.

What shall I do now? I don't have much experience fighting with damn BS hackers!

Thanks so much for your advice.
 
Old 08-28-2004, 05:26 PM   #2
Capt_Caveman
First try switching to run level 1 using:
init 1
If it works, run the checks I describe below. If you have a file integrity scanner like Tripwire, then run a check now. If you have chkrootkit/rootkit hunter installed, then run a check as well. Also take a look at the currently running processes for anything suspicious with ps aux. Try looking for any suspicious daemons with netstat -pantu or lsof -i.

Second, pull the plug. Download a 'live' cdrom distro like knoppix, knoppix-std, or FIRE on a different computer and burn it to a cdrom. Then set the BIOS on the compromised machine to boot off the cdrom. Then boot the cdrom (DO NOT BOOT THE COMPROMISED SYSTEM'S KERNEL). Once the cdrom distro is up and running, mount the hard drive on the compromised system as read-only. You can then feel free to analyze the system without worrying about a rootkit. Check out /etc/passwd and the system logs on the compromised drive. Also look for any suspicious files or directories and run a check for SUID root files.

Also, you have not said exactly why you think you were hacked aside from not being able to shutdown the system; are there any other reasons?
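One way to carry out the offline checks described in this reply (mount the disk read-only, inspect /etc/passwd, look for setuid files), as an added shell example that is not from the thread; the device, mount point and the sample tree it checks are constructed placeholders, and on the real disk the setuid list should be compared with one taken from a clean install of the same release.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks run from a live CD
# against the compromised disk mounted read-only. Device and mount point
# are placeholders; the sample tree below is constructed for demonstration.

# Mount the suspect root filesystem read-only so nothing on it runs or changes.
# Usage: mount_evidence /dev/sdXN /mnt/evidence   (both are placeholders)
mount_evidence() {
    mkdir -p "$2" && mount -o ro,noexec,nosuid,nodev "$1" "$2"
}

# Report accounts in the mounted /etc/passwd that have UID 0 but are not "root",
# or that have an empty password field (login without any password).
find_suspicious_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 " uid0" }
             $2 == ""                 { print $1 " nopass" }' "$1/etc/passwd"
}

# List regular files with the setuid bit set, staying on one filesystem (-xdev).
# On a real disk, diff this output against the list from a clean install.
find_suid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Constructed sample tree so the checks can be exercised without a real disk.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/usr/bin" "$d/tmp/.hidden"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'parv:x:500:500::/home/parv:/bin/bash' \
                  'toor:x:0:0::/:/bin/sh' \
                  'guest::501:501::/home/guest:/bin/sh' > "$d/etc/passwd"
    : > "$d/usr/bin/passwd";  chmod 4755 "$d/usr/bin/passwd"   # setuid is normal here
    : > "$d/tmp/.hidden/sh";  chmod 4755 "$d/tmp/.hidden/sh"   # setuid shell in /tmp is not
    : > "$d/usr/bin/ls";      chmod 0755 "$d/usr/bin/ls"
    printf '%s' "$d"
}

# Stand-alone demonstration against the constructed tree.
demo() {
    root=$(build_sample_tree)
    echo "== suspicious accounts =="; find_suspicious_accounts "$root"
    echo "== setuid files ==";        find_suid_files "$root"
    rm -rf "$root"
}

demo
```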
 
Old 08-28-2004, 05:29 PM   #3
TruckStuff
drat... beat me.
 
Old 08-28-2004, 05:50 PM   #4
parv
When I tried to reboot/shutdown the machine, I got this:
[===== SucKIT version 1.3a, Jul 1 2003 <http://sd.g-art.nl/sk> =====]
[====== (c)oded by sd <sd@cdi.cz> & devik <devik@cdi.cz>, 2002 ======]
RK_Init: idt=0xffffb000, FUCK: IDT table read failed (offset 0xffffb000)

I also checked the system log, and found the guy was from Romania.
I will try the method you mentioned later, as I am away from my machine now.

By the way, after turning off all trusted devices and trusted services, is it safe to use the machine for a short while?
I mean, before I feel comfortable formally working in that system again.

Thanks very much for your message!

Quote:
Originally posted by Capt_Caveman
First try switching to run level 1 using:
init 1
If it works, run the checks I describe below. If you have a file integrity scanner like Tripwire, then run a check now. If you have chkrootkit/rootkit hunter installed, then run a check as well. Also take a look at the currently running processes for anything suspicious with ps aux. Try looking for any suspicious daemons with netstat -pantu or lsof -i.

Second, pull the plug. Download a 'live' cdrom distro like knoppix, knoppix-std, or FIRE on a different computer and burn it to a cdrom. Then set the BIOS on the compromised machine to boot off the cdrom. Then boot the cdrom (DO NOT BOOT THE COMPROMISED SYSTEM'S KERNEL). Once the cdrom distro is up and running, mount the hard drive on the compromised system as read-only. You can then feel free to analyze the system without worrying about a rootkit. Check out /etc/passwd and the system logs on the compromised drive. Also look for any suspicious files or directories and run a check for SUID root files.

Also, you have not said exactly why you think you were hacked aside from not being able to shutdown the system; are there any other reasons?
 
Old 08-28-2004, 06:47 PM   #5
Capt_Caveman
No. It would appear that the cracker installed sucKIT (a common rootkit) on your system. It's possible to un-install sucKIT, but a full re-install from trusted media is really the only option once your system's security has been compromised like this (as TruckStuff pointed out). If you need files off the system, I'd highly recommend booting with the cdrom distro, mounting the compromised hard drive and backing up only files that you can visually inspect (no binaries).

Once you re-install, I'd highly recommend immediately updating the security patches on the system, or you'll very likely find sucKIT on there again.

Last edited by Capt_Caveman; 08-28-2004 at 06:50 PM.
 
Old 08-29-2004, 09:13 AM   #6
parv
Thanks. I think I'd better reinstall the system.
What kind of security patches do I need to install?
Are there rpm packages?


Quote:
Originally posted by Capt_Caveman
No. It would appear that the cracker installed sucKIT (a common rootkit) on your system. It's possible to un-install sucKIT, but a full re-install from trusted media is really the only option once your system's security has been compromised like this (as TruckStuff pointed out). If you need files off the system, I'd highly recommend booting with the cdrom distro, mounting the compromised hard drive and backing up only files that you can visually inspect (no binaries).

Once you re-install, I'd highly recommend immediately updating the security patches on the system, or you'll very likely find sucKIT on there again.
 
Old 08-29-2004, 12:35 PM   #7
Capt_Caveman
There are RPMs available for upgrading vulnerable packages here. Though you can configure your system to automatically download and install updates nightly using YUM. It's standard on Fedora Core and you can turn it on using: chkconfig yum on. You can manually perform upgrades using: yum upgrade.
 
Old 08-30-2004, 08:48 AM   #8
parv
I have reinstalled the system. In order to avoid any further attack, I want to
turn off all requested services and devices; will this be safe enough?
I only need to work on that machine locally.

thanks.
 
Old 08-30-2004, 08:59 AM   #9
Capt_Caveman
Turn off all services, turn on the firewall, make sure passwords are reasonably complex and that you've changed all passwords on that system, make sure all security updates have been installed, and don't use sensitive passwords on un-encrypted communications (use encryption whenever possible...like ssh instead of telnet, https instead of http, etc). That should significantly help, but if you want to tighten security even further, check out the section on hardening in unSpawn's security references thread (towards the top of the forum).
 
Old 08-30-2004, 03:25 PM   #10
parv
Many thanks! After I turn off all services and devices, does it mean the system
can only be accessed locally? I wish only keying the passwd via my kbd could do it ;-)
Is it possible?
 
Old 08-30-2004, 08:47 PM   #11
Capt_Caveman
Shutting off all remote access services (telnet, ssh, etc) should prevent direct access to the machine. Though your system will never be truly inaccessible until you remove any network connections, as even looking at websites can be a threat if there's malicious html/javascript on the page. But that should significantly reduce the risk.
 
Old 08-31-2004, 01:53 PM   #12
parv
Reinstallation over.
Will be more careful in the future.

Thanks for all your help.
 
Old 04-02-2005, 10:51 PM   #13
pembo13
I have just fallen prey to this very thing
 
Old 04-03-2005, 01:05 AM   #14
Capt_Caveman
If that's the case, then a format and full re-installation is necessary. What services were you running before the compromise? Was your system fully updated?
 
Old 04-03-2005, 07:14 AM   #15
pembo13
I left the poor box facing the internet, forever on, with only a firewall to protect it. I was significantly behind in my updates. It's largely my fault, I guess.
 
  

