hack attempt on my server...What do you do about this?

Andy Green fedora at warmcat.com
Sat Jul 17 22:03:15 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 17 July 2004 20:40, Jonathan T. Steadman wrote:

> Sorry this is yet another lame question, but I am new to hosting a web
> server etc., just kinda experimenting actually, and in my logs I came
> across some garbage (it's at the bottom of this email). What do you do

Interesting... I had a guy from interbusiness.it doing the same on a server of 
mine.

I had already added this to /etc/crontab

10 * * * * root hostname ; date; txf ; top -b -n1 ; tail /var/log/messages

I also changed the MAILTO line to this in the same file

MAILTO=andy at warmcat.com

and set up postfix to be able to send mail (but not receive it in this case).

I saved this as /usr/bin/txf and made it executable

#!/bin/bash
# txf: report bytes through eth0 since the last check, since boot, and as a
# running total kept across reboots in /var/cache.  Run hourly from cron.

# Pull rx_bytes and tx_bytes from the eth0 line of /proc/net/dev.  awk is
# used instead of cut because the counters are right-aligned, so the number
# of spaces after "eth0:" changes as the numbers grow.  After the colon the
# rx counters are fields 1-8 and tx_bytes is field 9.
set -- `awk '/^ *eth0:/ { sub(/^ *eth0:/, ""); print $1, $9 }' /proc/net/dev`
RX=$1
TX=$2

# readcount FILE: contents of FILE, or 0 if it does not exist yet
readcount() {
    if [ -e "$1" ] ; then cat "$1" ; else echo 0 ; fi
}

RXOLD=`readcount /var/cache/txf-rx-last`
TXOLD=`readcount /var/cache/txf-tx-last`
RXNV=`readcount /var/cache/txf-rx-nonvolatile`
TXNV=`readcount /var/cache/txf-tx-nonvolatile`

# Bytes since the last check.  The kernel counters start again from zero
# after a reboot, so if a counter is now lower than last time count the
# whole since-boot value rather than a negative delta.
if [ "$RX" -ge "$RXOLD" ] ; then RXD=$(($RX-$RXOLD)) ; else RXD=$RX ; fi
if [ "$TX" -ge "$TXOLD" ] ; then TXD=$(($TX-$TXOLD)) ; else TXD=$TX ; fi

# Running totals.  Nothing resets these automatically; delete the
# nonvolatile files at the start of the month to restart the "Month" column.
RXNV=$(($RXNV+$RXD))
TXNV=$(($TXNV+$TXD))
echo $RXNV >/var/cache/txf-rx-nonvolatile
echo $TXNV >/var/cache/txf-tx-nonvolatile

# MB here is decimal (10^6 bytes)
printf "since       Month      Reboot  Last Check\n"
printf "   RX: %8dMB  %8dMB  %8dMB\n" $(($RXNV/1000000)) \
    $(($RX/1000000)) $(($RXD/1000000))
printf "   TX: %8dMB  %8dMB  %8dMB\n" $(($TXNV/1000000)) \
    $(($TX/1000000)) $(($TXD/1000000))
printf "TOTAL: %8dMB  %8dMB  %8dMB\n" $((($RXNV+$TXNV)/1000000)) \
    $((($RX+$TX)/1000000)) $((($RXD+$TXD)/1000000))

echo $RX >/var/cache/txf-rx-last
echo $TX >/var/cache/txf-tx-last


I'm not saying the program list is optimal, but with it I get hourly 
notification

1) That my remote server is up - this already allowed me to contact my host a 
few minutes after it missed a mail and to complain about lost connectivity 
quickly.

2) To see what the bandwidth is like.  On my host there is a generous monthly 
allocation and then it starts costing bodyparts.  This allows me to track 
hour by hour what's happening.  I can catch a DDoS inside an hour if I'm 
awake or within a few hours if I'm asleep, either way before it can do any 
real damage to the bandwidth allowance.  (You can expect 2-4MBytes/hr 
bandwidth even if you are doing nothing, from ARP and router traffic on the 
same subnet.)

3) To catch runaway processes.  I made a mistake in a batch file that runs as 
a cron job; the instances never completed and started piling up.  top will 
show up such things, as well as memory leaks, the swap situation and so on.

4) tail /var/log/messages caught the failed ssh login attempts on the next 
hourly checkin.  I moved sshd to another, unusual port and since then I 
haven't seen anything.  Another powerful technique is to use iptables to filter 
on source address; unfortunately for ssh this is not very safe in case you 
are unable to make contact from that source IP for some reason.  But if you 
expect email from only one upstream server, for example, filtering on source 
IP is ultrapowerful, since spammers get dropped but your real mail keeps on 
trucking.


Logwatch should also send you stuff daily.  With this level of email contact 
from the server, and the nightly yum service set up, you can have some 
confidence that the server is still up and happy, and in a bad case get a 
fast idea that there is a problem.  (Of course if you are hacked by a smart 
guy, there is nothing you can do, and he will probably leave everything else 
running anyway to avoid detection).  The hassle of getting the emails is low 
since 99% of the time you glance and delete since all is well.


For your particular case, there is a very low chance you were broken into 
successfully, since even an idiot would have scrubbed the logs.

- -Andy

- -- 
Automatic actions for USB cameras, cardreaders, memory sticks, MP3 players
http://warmcat.com/usbautocam
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA+aIojKeDCxMJCTIRAldkAJ45GKvT87MkifFgX9H1kpU1GA+0/gCfYWz0
gwc0jFguoklednNzZcyS7fU=
=5k/u
-----END PGP SIGNATURE-----
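An added example, not from Andy's post: a small bash/awk script that does
mechanically what point 4 above describes, picking the failed sshd logins out
of /var/log/messages-style lines and counting them per source address so a
brute-force source stands out at the hourly check.  The log lines in it are
constructed for the demo (RFC 5737 documentation addresses; "illegal user" is
what OpenSSH of that era logged, newer versions say "invalid user"), and the
function names and the threshold of 3 failures are assumptions of the example.

```bash
#!/bin/bash
# Added example (not code from the original post): count failed sshd logins
# per source address and report the addresses at or above a threshold.

# CONSTRUCTED sample of syslog lines, the sort tail /var/log/messages shows.
# Failures from 192.0.2.10 (3), 203.0.113.5 (1); one successful login and
# one unrelated kernel line that must be ignored.
SAMPLE_LOG='Jul 17 21:01:02 host sshd[4120]: Failed password for illegal user test from ::ffff:192.0.2.10 port 33012 ssh2
Jul 17 21:01:05 host sshd[4122]: Failed password for illegal user admin from ::ffff:192.0.2.10 port 33020 ssh2
Jul 17 21:01:09 host sshd[4125]: Failed password for root from ::ffff:192.0.2.10 port 33031 ssh2
Jul 17 21:03:44 host sshd[4130]: Accepted publickey for andy from ::ffff:198.51.100.7 port 51022 ssh2
Jul 17 21:05:17 host sshd[4133]: Failed password for illegal user guest from 203.0.113.5 port 4022 ssh2
Jul 17 21:07:00 host kernel: eth0: link up'

# failed_ssh_logins: read log lines on stdin, print "count ip" for every
# source that had a failed password, highest count first.
failed_ssh_logins() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field after "from"; strip the
            # ::ffff: prefix sshd shows for IPv4 connections on an IPv6 socket
            for (i = 1; i < NF; i++) {
                if ($i == "from") {
                    ip = $(i + 1)
                    sub(/^::ffff:/, "", ip)
                    fails[ip]++
                }
            }
        }
        END { for (ip in fails) print fails[ip], ip }
    ' | sort -rn
}

# brute_force_sources THRESHOLD: only the addresses with at least THRESHOLD
# failures, one per line, ready to feed to an iptables rule or a mail to
# the abuse contact.
brute_force_sources() {
    local threshold="$1"
    failed_ssh_logins | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# usage: on a real box replace the sample with tail -n 200 /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | brute_force_sources 3
```

Run from the same hourly cron line, this turns "tail and glance" into one
line per offending address, and an empty output is the all-clear.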





More information about the fedora-list mailing list