help i've been hacked. :(

Chris W. Parker cparker at swatgear.com
Sat Aug 20 22:39:48 UTC 2005


Eris Caffee <eris-redhat-list at eldalin.com>
    on Saturday, August 20, 2005 12:04 PM said:

> For example, check to see
> if your /tmp directory is mounted with the noexec and nosuid options.
> Just enabling those options can prevent a lot of cracks since many
> attacks rely on being able to exploit a weak cgi script to upload a
> program into /tmp and run it.

Key #1.

> And, of course, cgi scripts are frequently a way for attackers to gain
> access to your system.
[snip]
> You can use the list to see if you had any versions
> of packages with known security holes, and you can use the logs,
> especially the web server logs, to see if there were any strange web
> requests around the time the crack occurred, such as someone running
> a cgi-script with lots of garbage characters on the request line.

Key #2.

Okay, so I looked into the /tmp directory and found ./shell.pl and ./.x.
Upon further investigation I found http://linuxfr.org/~alis/ which
details almost completely the same thing that happened to my server.

It turns out a known vulnerability in Cacti (which takes advantage of a
misconfigured /tmp directory I presume) was used to gain access to the
system.

However, the difference between my server and the one detailed in the
webpage is that I do not have anything in the /dev/shm directory nor do
I have a user called www-data.

I'm "assuming" at this point that the assailant(s) did not get as far as
the webpage describes.

According to my httpd log files it looks like the attack happened on Aug
16th. I didn't notice anything was wrong until Aug 19th when PuTTY
started popping up a new DSA(?) SSH key for a server I'd been accessing
for a very long time. It struck me as odd that even though I'm accessing
the same server as usual, it would be creating a new key.

The author of the webpage suspects that his server was used to send spam
since he did not find any large data files (e.g. warez). I'm not sure if
my server was used for anything at all.

However, it's entirely possible that the Cacti exploit was only used to
get into the box and the perp didn't intend to send spam or warez at
all. Instead they may have had other things in mind.

At this point I have not checked for a rootkit, though I plan to do that
before I wipe the box.

I also plan to segment the network so that even if the webserver is
compromised the perp cannot sniff the rest of the network traffic and
steal passwords/data. At least, that's how I think it would work.


Let me know your thoughts.


Thanks,
Chris.
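The two checks Eris recommends (is /tmp mounted noexec,nosuid, and are there web requests with garbage on the request line) are easy to script. The following is an added illustration, not code from either message in this thread; the mount line format is that of /proc/mounts, the log lines are constructed Apache combined-log samples, and the "garbage" heuristic (runs of percent-escapes, shell metacharacters, traversal sequences) is an assumption about what such requests tend to look like, not a signature for the Cacti issue discussed above.

```shell
#!/bin/sh
# Added example for the redhat-list thread above; not part of the original messages.

# check_tmp_opts: given one /proc/mounts line (dev mountpoint fstype options dump pass),
# print "ok" if both noexec and nosuid are among the options, otherwise list the
# missing ones. Field 4 of the line is the comma-separated option list.
check_tmp_opts() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;                      # option present
            *) missing="$missing $want" ;;       # option absent, remember it
        esac
    done
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "missing:$missing"
    fi
}

# flag_odd_requests: read access-log lines on stdin and print the ones whose
# quoted request line ("GET /path HTTP/1.1") carries content a normal browser
# rarely sends: four or more consecutive percent-escapes, a ';', '|' or
# backtick, or a '../' traversal sequence. Heuristic only (assumption).
flag_odd_requests() {
    grep -E '"[A-Z]+ [^"]*((%[0-9A-Fa-f]{2}){4,}|[;|`]|\.\./)'
}

# Constructed sample data (not real logs): one ordinary request, one odd one.
SAMPLE_OK='10.0.0.5 - - [16/Aug/2005:03:10:01 +0000] "GET /index.html HTTP/1.1" 200 1024'
SAMPLE_ODD='10.0.0.9 - - [16/Aug/2005:03:12:45 +0000] "GET /cgi-bin/form.cgi?name=%41%41%41%41%41%41 HTTP/1.1" 200 512'

# Demonstration on constructed input. On a live box you would instead run:
#   check_tmp_opts "$(awk '$2=="/tmp"' /proc/mounts)"
#   flag_odd_requests < /var/log/httpd/access_log
check_tmp_opts '/dev/sda3 /tmp ext3 rw,relatime 0 0'
printf '%s\n%s\n' "$SAMPLE_OK" "$SAMPLE_ODD" | flag_odd_requests
```

Running the demonstration prints "missing: noexec nosuid" for the sample mount line and echoes only the second log line. Lines that flag_odd_requests prints are leads to read by hand around the date of the break-in, as Eris suggests, not proof of anything on their own.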
