Marco Lum wrote:
Please help, I can't find where he can get in!
Hm, unfortunately he/she knew what to do and where to find funny things!
!!!! Immediately unplug the server, plug in a backup server, analyse the system and don't switch it off after that. !!!!<<
Looked for the sources on the mentioned websites: the hacker installed a sniffer on your server and can trace all your activity and passwords!
On the backup server, log all connections! Don't shut it down - many activities can be resolved in tmp and memory (they still reside on that system). After analysing the intrusion and finding traces of the hacker you can set up your box anew! A hacker first wants to gain access and then install irc and/or news and/or his own warez-or-whatever ftp and/or hacks to hack other servers. If you got rootkitted, a "netstat -tap | grep LISTEN" or "| grep ESTABLISHED" will not help you find out (scan the server from another PC to find open ports instead). First, which services, daemons and versions did you run? Which distro do you use?
Short Checklist<<
- check accounts in /etc/passwd and /etc/shadow
- check state of network connections with "netstat -tap"
- check state of network devices with "ifconfig" for promiscuous mode
- check logfiles (see later)
- check last users and logins with "last"
- check time of server - this may bring you problems, if this server syncs your net
- check configs of inetd/xinetd and other services
- find hack directories like "..." or " " with e.g.: find / -name "..."
- find last modified files with "ls -latrc" and check rpm-db (see later)
- probe for trojans or rootkits
Check for rootkits!<<
If you got rootkitted, all analysis tools and some system commands are useless, because they are replaced and dysfunctional! Here's a small hint on how to use it:
Look at http://www.chkrootkit.org/ for further usage! Download chkrootkit.tar.gz from the above website!
tar xvfz chkrootkit.tar.gz
cd chkrootkit
make
./chkrootkit > /root/chkrootkit.log
less /root/chkrootkit.log
Look at what you get as output and google for hints if you got one!
Check your rpm-db<<
rpm -Va > /root/system.checked
check your logfiles, especially look at /var/log/xferlog for suspicious ftp transfers<<
mkdir /var/intl
cp /root/system.checked /var/intl
cp /root/chkrootkit.log /var/intl
fgrep -i attempt /var/log/messages >/var/intl/attempt-log
fgrep -i connect /var/log/messages >/var/intl/connects-log
fgrep -i refused /var/log/messages >/var/intl/refused-log
fgrep -i accepting /var/log/messages >/var/intl/accepted-log
fgrep -i su: /var/log/messages >/var/intl/su-log
fgrep -i unauthorized /var/log/messages >/var/intl/unauthorized-log
fgrep -i sshd /var/log/messages >/var/intl/sshd-log
fgrep -i illegal /var/intl/sshd-log >/var/intl/ssh-illegal-log
fgrep -i failed /var/intl/sshd-log >/var/intl/ssh-failed-log
aide --check >/var/intl/aide.log
tar -cvpf intruders.tar /var/intl/
mount /dev/fd0 /mnt/floppy
cp intruders.tar /mnt/floppy
Example of a log on an intruded server:
less connects-log<<
Jun 10 18:30:16 server in.telnetd[41354]: connect from hack@123.45.67.89
last<<
jens ttyp3 ppp-39.ba.net Tue Jun 10 20:01 - crash (00:01)
You find hints on who did something, if he/she wasn't nice enough to remove all traces.
check running processes<<
ps -ax > processes-log
Look in processes-log for suspicious filenames.
Here you can find additional info:<<
examples of intruded systems' logfiles: http://www.rz.rwth-aachen.de/kommunikation/security/s30.php#logfiles
a longer howto on de-intruding:
http://www.cert.org/tech_tips/intruder_detection_checklist.html
http://www.cert.org/tech_tips/root_compromise.html
http://www.cert.org/tech_tips/unix_configuration_guidelines.html
Philippe
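Added example, not part of Philippe's post: a small Python triage script that parses syslog lines of the kinds the checklist greps for (tcp_wrappers "connect from" / "refused connect from", sshd "Failed password", and the kernel's promiscuous-mode notice that hints at a sniffer) and groups them per source address, so the pile of fgrep output files becomes one summary. The regexes assume the classic syslog/tcp_wrappers line formats quoted above, and the sample lines are constructed.

```python
import re
from collections import defaultdict
# Constructed sample lines (made-up hosts; 192.0.2.0/24 is a documentation range)
SAMPLE_LOG = """\
Jun 10 18:30:16 server in.telnetd[41354]: connect from hack@123.45.67.89
Jun 10 18:30:20 server in.ftpd[41360]: refused connect from 123.45.67.89
Jun 10 18:31:02 server in.ftpd[41361]: refused connect from 123.45.67.89
Jun 10 18:32:45 server sshd[41370]: Failed password for illegal user test from 123.45.67.89 port 4022 ssh2
Jun 10 19:02:11 server in.telnetd[41400]: connect from 192.0.2.10
Jun 10 19:05:00 server kernel: device eth0 entered promiscuous mode
"""
# tcp_wrappers: "<daemon>[pid]: [refused ]connect from [user@]host"
TCPD_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<daemon>[\w.-]+)\[\d+\]: "
    r"(?P<verdict>refused connect|connect) from (?:(?P<user>[^@\s]+)@)?(?P<src>\S+)$")
# sshd: "Failed password for [illegal user] <name> from <host> port <n>"
SSHD_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: Failed password for "
    r"(?:illegal user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
# kernel notice that an interface went promiscuous (the "ifconfig" check from the list)
PROMISC_RE = re.compile(r"kernel: .*?(?P<dev>\S+) entered promiscuous mode")

def parse_line(line):
    """Return an event dict for the line types the checklist cares about, else None."""
    m = TCPD_RE.match(line)
    if m:
        kind = "refused" if m.group("verdict").startswith("refused") else "connect"
        return {"kind": kind, "src": m.group("src"), "user": m.group("user")}
    m = SSHD_RE.match(line)
    if m:
        return {"kind": "ssh_failed", "src": m.group("src"), "user": m.group("user")}
    m = PROMISC_RE.search(line)
    if m:
        return {"kind": "promisc", "src": None, "dev": m.group("dev")}
    return None

def triage(log_text):
    """Count events per source address; flag sources with refusals or failed logins."""
    per_src = defaultdict(lambda: {"connect": 0, "refused": 0, "ssh_failed": 0, "users": set()})
    promisc = []  # interfaces reported in promiscuous mode
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev["kind"] == "promisc":
            promisc.append(ev["dev"])
            continue
        rec = per_src[ev["src"]]
        rec[ev["kind"]] += 1
        if ev.get("user"):
            rec["users"].add(ev["user"])
    flagged = sorted(s for s, r in per_src.items() if r["refused"] or r["ssh_failed"])
    return {"per_src": dict(per_src), "flagged": flagged, "promisc": promisc}
```

Run it over the real connects-log, refused-log and sshd-log files instead of SAMPLE_LOG; a source that shows up in "flagged" and also has a successful "connect" is the one to look at first.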