LinuxQuestions.org


LXer 09-14-2010 02:40 PM

LXer: What To Do If You Think Your Linux Server Was Hacked
 
Published at LXer:

There are a number of things you can do if you think your Linux box was hacked. A common myth is to simply and quickly reinstall the OS; however, that is the exact opposite of what you want to do, at least initially. What you want to do ASAP is take the box offline. Before you do that, you have an option: you can get some data on what's running and what IPs are currently connected.

Hangdog42 09-15-2010 07:29 AM

This article should be mandatory reading for anyone connecting to the Internet.

H_TeXMeX_H 09-15-2010 08:19 AM

Quote:

Originally Posted by Hangdog42 (Post 4098169)
This article should be mandatory reading for anyone connecting to the Internet.


I don't really agree with everything that is said, unless it is a server that is being attacked (yes, the article is for a Linux server). If it is my computer I'd take it offline ASAP; running the commands it says is only for if you want to report the event (which is often a good idea, but also often completely useless). I've never had anyone respond to me by saying "thank you for your report, we will analyze it and take measures against the offender"; in fact they don't even e-mail back, and I bet they don't even care unless it is an important server at an important company.

Now, you'll probably end up running those commands before you even realize that you've been hacked, just save the output then take it offline and continue with the rest.

Overall, I guess it's a decent summary.

Hangdog42 09-15-2010 11:51 AM

Quote:

running the commands it says are only if you want to report the event

Uh, no. Those commands are to help you investigate what happened so that you can prevent it from happening again. If you just nuke and re-install, you have no clue what went wrong and stand a good chance of putting the same vulnerability back in place. Commands like netstat, ps and lsof can help you look for stuff that shouldn't be there.


Quote:

I've never had anyone respond to me by saying "thank you for your report, we will analyze it and take measures against the offender", in fact they don't even e-mail back, and I bet they don't even care unless it is an important server at an important company.

While I agree with you 99% of the time, I just had a very odd occurrence a couple of weeks ago. My SSH server was getting nailed by some clown who had slowed down the attack to avoid my firewall restrictions (it blocks after 4 attempts in 2 minutes). Just for yucks, I looked up the ISP (Codero) and reported it. About an hour later I got an email back from their abuse people and they had hunted down the clown and taken care of the problem. We need more people like that.
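The volatile-data collection that the LXer excerpt and Hangdog42's reply both describe (capture what is running and what IPs are connected with ps, netstat and lsof before pulling the box offline), as an added shell example that is not part of the thread or of the LXer article. The output directory layout, the file names and the exact set of commands are assumptions; the point is to write each capture to its own file, record failures instead of aborting, and hash the evidence immediately.

```shell
#!/bin/sh
# Volatile-state snapshot for a Linux host you suspect is compromised.
# Constructed example for this thread, not the LXer article's own script.
# Run it as root, ideally from a trusted static toolkit on read-only media
# (binaries on a rooted box may lie), BEFORE pulling the network cable,
# then copy the output directory off the host. File names are assumptions.

# Capture one command's output into its own file so a hung or missing
# tool does not cost the rest of the snapshot; record the exit status.
run_capture() {
    name="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$outdir/$name.txt" 2>&1 \
            || echo "[exit status $? from: $*]" >> "$outdir/$name.txt"
    else
        echo "[not available: $1]" > "$outdir/$name.txt"
    fi
}

# collect_volatile [outdir]  -> prints the output directory on stdout
collect_volatile() {
    outdir="${1:-/tmp/ir-$(hostname 2>/dev/null || echo host)-$(date +%Y%m%d%H%M%S)}"
    mkdir -p "$outdir" || return 1

    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$outdir/collected_at.txt"
    run_capture uptime   uptime
    run_capture who      who -a
    run_capture last     last -a
    # Process tree: a shell forked by a daemon that never spawns shells
    # stands out far better here than in a flat listing.
    run_capture ps       ps auxwwf
    # Sockets plus the owning process (the "what IPs are currently
    # connected" part). -p needs root to show other users' processes;
    # ss replaces netstat on newer distributions, so try both.
    run_capture ss       ss -tunap
    run_capture netstat  netstat -tunap
    run_capture lsof_net lsof -nP -i
    run_capture ip_addr  ip addr
    run_capture ip_route ip route
    run_capture neigh    ip neigh
    run_capture mounts   mount
    run_capture lsmod    lsmod
    run_capture crontab  crontab -l
    cp /etc/passwd "$outdir/passwd.txt" 2>/dev/null || true

    # Hash every capture right away so later tampering with the evidence
    # (or an accidental edit) is detectable when you come back to it.
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$outdir" && sha256sum ./*.txt) > "$outdir/SHA256SUMS"
    elif command -v shasum >/dev/null 2>&1; then
        (cd "$outdir" && shasum -a 256 ./*.txt) > "$outdir/SHA256SUMS"
    else
        echo "[no sha256 tool available]" > "$outdir/SHA256SUMS"
    fi
    echo "$outdir"
}

# Direct use: sh ir-snapshot.sh /mnt/usb/ir-evidence
if [ "$#" -gt 0 ]; then
    collect_volatile "$1"
fi
```

Point the output directory at removable media or a mounted share rather than the suspect disk, so that the snapshot survives whatever you decide to do with the box afterwards. The script deliberately keeps going when a tool is absent or fails (unprivileged ss/netstat, a missing lsof), because a partial snapshot taken before the cable is pulled is worth more than a complete one taken after the attacker's connections are gone.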

H_TeXMeX_H 09-15-2010 12:02 PM

Quote:

Originally Posted by Hangdog42 (Post 4098432)
Uh, no. Those commands are to help you investigate what happened so that you can prevent it from happening again. If you just nuke and re-install, you have no clue what went wrong and stand a good chance of putting the same vulnerability back in place. Commands like netstat, ps and lsof can help you look for stuff that shouldn't be there.

I see; well, to report it you also need the offender's IP at least. I know they won't need lsof or ps; they don't care about that.

Quote:

Originally Posted by Hangdog42 (Post 4098432)
While I agree with you 99% of the time, I just had a very odd occurrence a couple of weeks ago. My SSH server was getting nailed by some clown who had slowed down the attack to avoid my firewall restrictions (it blocks after 4 attempts in 2 minutes). Just for yucks, I looked up the ISP (Codero) and reported it. About an hour later I got an email back from their abuse people and they had hunted down the clown and taken care of the problem. We need more people like that.

That's rare; I never got anything like that.
