help i've been hacked. :(

Smith, Albert Albert.Smith at genexservices.com
Sat Aug 20 17:30:13 UTC 2005

From: redhat-list-bounces at redhat.com on behalf of Chris W. Parker
Sent: Fri 8/19/2005 5:15 PM
To: redhat-list at redhat.com
Subject: help i've been hacked. :(


Hello,

Currently the box is off the network but I have not been able to find
any clues as to how it was exploited (though it's probably through an
unpatched vulnerability).

The network card is continuously set to promiscuous mode and I cannot
shut off any services using the 'service' command. Also my grep binary
is destroyed periodically (about every minute or so).

If I take the card out of promiscuous mode with 'ifconfig eth0 -promisc'
almost all commands I do set it back. Typing 'cat' will set it back into
promiscuous mode (I can tell because one or more times the message
'promiscuous mode set' will appear on the screen), etc.

With 'netstat --inet -a' I can see a connection to an irc server.

What I need to find out is how far they've penetrated the network (have
they been able to sniff and compromise passwords?) and what the purpose
of the hack is. Is it to send spam? Is it to spread warez? etc.

The very last log line in /var/log/secure is 'SSHD[nnn]: Bad protocol
version identification `NICK mamef` from 82.77.26.80'. I thought maybe
'nick mamef' would hint at an exploit somewhere but Google didn't return
any useful info.

This box is just used as a webserver. My plan at this point is to take
the SSL keys off the server, verify that my backups from a few days ago
are working (php files and MySQL dump) and then reinstall with something
like FC4.

Also, I noticed that with 'ps -A' there are A LOT of awk and cat
processes. A lot of them say <defunct> next to their name.


What should I do? How can I figure out what's going on?



Thanks,
Chris.

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

I would reboot the box, get it into single user mode, and look for new files and check your startup routines for changes. I would notify your network team that you have been hacked and that you are unsure whether they have left your box at the current moment, and they can take a look, if they have the sniffers set up, at where they went to next. I would start doing some forensics on your machine to see what was compromised. I would get your media together because you might need to reinstall.

Albert Smith
Sr. Unix Systems Administrator
HPCSA, RHCT
Genex Services
440 E. Swedesford Rd.
Wayne, PA 19087
albert.smith at genexservices.com
(610) 964-5154
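One way to do the "look for new files and check your startup routines for changes" step from the reply above, as an added example that is not from the thread: record a SHA-256 manifest of a tree while it is known good (or from rescue media / a clean install of the same package set) and later diff the live tree against it, reporting new, changed and missing files. It assumes the find, sha256sum, sort and comm binaries it runs are trusted ones (e.g. from rescue media), which matters here because the poster's own binaries were being overwritten.

```shell
#!/bin/sh
# Added example, not from the thread. Build a "hash  path" manifest of a
# directory tree and compare the live tree against it, e.g. for /bin,
# /sbin, /usr/bin and the startup directories under /etc/rc.d.
# Assumes the tools used here are trusted (run from rescue media).
set -eu

# make_manifest DIR OUT : one "sha256  path" line per regular file, sorted
make_manifest() {
    find "$1" -type f -exec sha256sum {} + | sort > "$2"
}

# compare_manifest DIR MANIFEST : print NEW / CHANGED / MISSING lines for
# every difference between the live tree and the manifest; returns 0 when
# the tree matches the manifest exactly and 1 otherwise.
compare_manifest() {
    dir=$1; manifest=$2
    old=$(mktemp); cur=$(mktemp); old_paths=$(mktemp); new_paths=$(mktemp)
    sort "$manifest" > "$old"
    find "$dir" -type f -exec sha256sum {} + | sort > "$cur"
    # strip the hash and the two-space separator to get path-only lists
    sed 's/^[0-9a-f]*  //' "$old" | sort > "$old_paths"
    sed 's/^[0-9a-f]*  //' "$cur" | sort > "$new_paths"
    diffs=$( {
        # paths present now but not in the manifest
        comm -13 "$old_paths" "$new_paths" | sed 's/^/NEW /'
        # paths in the manifest that are gone
        comm -23 "$old_paths" "$new_paths" | sed 's/^/MISSING /'
        # manifest lines that no longer match, restricted to known paths
        comm -13 "$old" "$cur" | sed 's/^[0-9a-f]*  //' | sort \
            | comm -12 - "$old_paths" | sed 's/^/CHANGED /'
    } )
    rm -f "$old" "$cur" "$old_paths" "$new_paths"
    if [ -z "$diffs" ]; then
        return 0
    fi
    printf '%s\n' "$diffs"
    return 1
}
```

Compare the report against your package manager's records and your own change history; a CHANGED entry for a shell utility such as grep, or a NEW file under the startup directories, is exactly the kind of thing the reply above says to look for.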
