
Re: Re: [K12OSN] I got hacked.........

Here is my general advice on a hacked machine.

1) Report it to the proper authorities if you wish any prosecution to come out of it. Do not expect it to be a one-shot youthful prank.

2) Do not use the 'compromised' system, and treat any other systems around it as possibly compromised systems. Jim's advice of removing the compromised system's hard drive and putting another one in is good advice, especially if you go through 1).

3) Before putting the new system into production, make sure that your system is running as few services as needed, has been upgraded to all the latest security errata, and is only running services that are needed. Make sure that every account has a new password. I think there may be some options to make passwords more paranoid.

4) From your explanation (which I understand is a 10,000 meter view of it), I really don't think it is ssh that is the problem. Problems it could be:
 a) people had already sniffed some account from the telnet sessions and just logged in via that.
 b) another service was compromised: maybe php on the http server, someone had an easy-to-guess password, or some other remote exploit.
 c) if it is ssh, then most likely someone has a compromised client. This is where the black-hat changes the ssh client into one that logs passwords. This happens a lot at universities/internet cafes: some person logs into their box not knowing their every keystroke is logged.
 d) inside job: someone who has an account is 'playing'. I consider this to be something that should be dealt with swiftly...

5) Other things to do before bringing the new server up into service; implement the following:
 a) firewall rules. Log any suspicious activity.
 b) turn on accounting (psacct).
 c) have logwatch and other cron programs run more than once per day.
 d) see what services are running. On Red Hat Linux you can do this with several commands:
  # to see what known services are running at
  # various run levels.
  chkconfig --list | grep '[345]:on' | sort
  # to see what services are listening to the
  # network
  netstat -natp | grep LISTEN
  # to see what your firewall is covering
  ipchains -L -v -n
  # final check of system level processes
  lsof -i -Fc | grep '^c' | cut -b2-20 | sort -u
  # run a check on the rpm database regularly
  rpm -Va

Unless you know some computer forensics (of which I know only a very little) I would recommend against using the above for finding things. Most auto-root-kits install tools to circumvent this.
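Michael's question about finding accounts with no password set, and the HISTFILE trick in his report, can both be checked from the mounted copy of the old disk. The following is an added example, not code from anyone in the thread; the /etc/shadow, /etc/passwd and .bash_profile contents below are constructed sample data, and on a live system the functions would read the real files as root.

```shell
#!/bin/sh
# Post-compromise account audit over passwd/shadow/profile-format text.
# All sample data here is constructed for this example, not from a real host.
SAMPLE_SHADOW='root:$6$saltsalt$hashhash:11786:0:99999:7:::
daemon:*:11786:0:99999:7:::
cgi::11786:0:99999:7:::
alice:$6$saltsalt$hashhash:11786:0:99999:7:::
bob:!!:11786:0:99999:7:::'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
cgi:x:0:0::/tmp:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash'

SAMPLE_PROFILE='# .bash_profile
PATH=$PATH:$HOME/bin
unset HISTFILE
export PATH'

# Users whose shadow password field is empty: anyone can log in as them
# with no password at all. Reads shadow-format lines on stdin
# (live system: no_password_users < /mnt/old/etc/shadow).
no_password_users() {
    awk -F: '$2 == "" { print $1 }'
}

# Users with UID 0 other than root: a second root-equivalent account is a
# classic backdoor. Reads passwd-format lines on stdin.
extra_uid0_users() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Lines in a shell start-up file that disable or truncate command history,
# like the "unset HISTFILE" Michael found. Reads the file on stdin.
history_tampering() {
    grep -E '^[[:space:]]*(unset[[:space:]]+(HISTFILE|HISTSAVE|HISTSIZE)|(export[[:space:]]+)?HIST(FILE|SIZE)=)'
}

# Stand-alone run over the constructed samples.
printf 'no-password accounts: %s\n' "$(printf '%s\n' "$SAMPLE_SHADOW" | no_password_users)"
printf 'extra UID-0 accounts: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_users)"
printf 'history tampering: %s\n' "$(printf '%s\n' "$SAMPLE_PROFILE" | history_tampering)"
```

Run the checks against the files on the mounted old disk rather than the live root, so that trojaned binaries on the compromised system cannot influence the result.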

On Tue, 9 Apr 2002 10:11:23 -0400 (EDT) jam McQuil com wrote:


Cleaning up after a break-in is very difficult.  They've
probably replaced many of the utilities that you are using
to look around.  Things like ps, netstat, ls, ifconfig,
lsmod and many more are probably NOT the original versions.
They replace them, to hide processes that may be running.
Those processes are probably logging your keystrokes
or sniffing your network and finding passwords.

Time to buy another hard disk, and reload Linux on it.

Then, take the disk that has the compromised OS on it, and
mount that as an additional filesystem, so you can go looking
around and learn what they've done.

Make sure you stay current with patches on the new disk, to 
prevent another break-in.

Jim McQuillan
jam Ltsp org

On Tue, 9 Apr 2002, Michael Cortes wrote:

> It would appear that someone used SSH to get into my system.  I decided to 
> install sshd and stop telnet'ing because of the security risk; as soon as I did 
> it, someone got in.
> Anyhow, here is what I suspect so far:
> 1. when they got in, they created the user "cgi"
> 2. they added "unset HISTFILE" and "unset HISTSAVE" to the root's 
> .bash_profile.  This caused root to not save the history so I couldn't see 
> what was run as root.
> 3. logging is not happening.  I have checked my log files and the last entries 
> are about the time I first detected the break in. 
> So my questions are:
> Did I do right by deleting the cgi user?  Was this user necessary?
> How do I turn logging back on?  I have no idea where to look.
> What is a good/quick way to tell which users have no password set?
> Thank you,
> Michael Cortes
> Fort LeBoeuf School District
> 34 East 9th Street
> PO Box 810
> Waterford PA 16411-0810
> 814.796.4795
> Fax1 814.796.3358
> Fax2 978-389-1258
> _______________________________________________
> K12OSN mailing list
> K12OSN redhat com
> https://listman.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>


