Help - Been Hacked!!
I believe my Linux server has been hacked. All of the sudden my Samba server has disappeared, and I've noticed, from looking at the log files, that Sendmail is launching every hour! I'm trying to research this problem and I have some questions... I'm using Suse 8.1. I'm still fairly new to Linux.
- Is there a better way to view the system log files other than just viewing them in an editor?
- Isn't postfix installed, not sendmail?
- It appears an outsider installed the Red Hat distribution of sendmail on my system. It launches every hour on the hour but fails, outputting "service smtp unknown" to the "warn" log file. Has anyone seen this and what are they trying to accomplish?
- The mail log file shows postfix launching hourly starting several days before sendmail was installed, then sendmail took over! Can postfix be used to access a system?
Any insight into this problem would be greatly appreciated! Thank you, Matt
On Tue, 2003-04-22 at 23:19, Matt Stamm wrote:
I believe my Linux server has been hacked. All of the sudden my Samba server has disappeared, and I've noticed, from looking at the log files, that Sendmail is launching every hour!
Step 1: Keep calm. Panic never solved anything. You mentioned before that this is a test server you're running in your office, with just two samba users. Isn't your office behind a firewall? Could it be that one of your coworkers who has the root password thought he knew something about linux and wanted to try his hand at administration? If your machine really has been hacked, it looks extremely clumsy.
I'm trying to research this problem and I have some questions...
I'm using Suse 8.1. I'm still fairly new to Linux.
- Is there a better way to view the system log files other than just viewing them in an editor?
The best way to view the logs of a hacked system is to boot from a secure medium, such as the "rescue system" option of the SuSE CDs. From there you can mount your partitions and view the logs without any trojaned binaries getting in the way.
- Isn't postfix installed, not sendmail?
Who can say, except the person who installed the system? postfix is the default.
- It appears an outsider installed the Red Hat distribution of sendmail on my system. It launches every hour on the hour but fails, outputting "service smtp unknown" to the "warn" log file. Has anyone seen this and what are they trying to accomplish?
As I said, extremely clumsy if it's a hack. It looks more like someone wanting to try his hand at administration but not really knowing what to do. The red hat version of sendmail obviously expects to find an entry called "smtp" in /etc/services linked to port 22.
- The mail log file shows postfix launching hourly starting several days before sendmail was installed, then sendmail took over! Can postfix be used to access a system?
If there's a bug, but I can't remember hearing of one. The default installation should be reasonably secure. If you really have been hacked, you shouldn't try to fix your system. The best (read 'only') way to be sure of your system's integrity is to do a full re-install. Boot from a secure system and make backups of your data first, then install from scratch and get all the security patches from SuSE before you start up your system again. You may want to get an expert in to look over your system to try to determine how people got in. Maybe it was a weak password, maybe it was a hitherto unknown security hole. I don't think anyone can really help you determine that over a mailing list.
On Tue, 2003-04-22 at 23:34, Anders Johansson wrote:
The red hat version of sendmail obviously expects to find an entry called "smtp" in /etc/services linked to port 22.
hm. port 25, obviously. And there should be one in SuSE too, so perhaps /etc/services has been wiped?!
On Tue, 22 Apr 2003 14:19:27 -0700
"Matt Stamm"
- Isn't postfix installed, not sendmail?
- It appears an outsider installed the Red Hat distribution of sendmail on my system. It launches every hour on the hour but fails, outputting "service smtp unknown" to the "warn" log file. Has anyone seen this and what are they trying to accomplish?
Not necessarily. Postfix also provides a sendmail command (see man sendmail). It looks like some program is trying to send mail hourly but your Postfix server is not up. You should check the size of the sendmail binary against the one in the Postfix RPM to make sure. Charles -- "Computers may be stupid, but they're always obedient. Well, almost always." -- Larry Wall (Open Sources, 1999 O'Reilly and Associates)
"Matt Stamm" wrote:
- Isn't postfix installed, not sendmail?
- It appears an outsider installed the Red Hat distribution of sendmail on my system. It launches every hour on the hour but fails, outputting "service smtp unknown" to the "warn" log file. Has anyone seen this and what are they trying to accomplish?
Not necessarily. Postfix also provides a sendmail command (see man sendmail). It looks like some program is trying to send mail hourly but your Postfix server is not up. You should check the size of the sendmail binary against the one in the Postfix RPM to make sure.
Charles
Maybe you could see what is going into the outbound queues? Maybe the payload will tell something about what's going on? -Jim-
On Wed, 2003-04-23 at 00:16, Jim Norton wrote:
Maybe you could see what is going into the outbound queues? Maybe the payload will tell something about what's going on?
My guess is that it's most likely cron trying to send mail to root about some problem. But that doesn't explain how red hat's version of sendmail got on there
On 23 Apr 2003 00:18:31 +0200
Anders Johansson
But that doesn't explain how red hat's version of sendmail got on there
That was just his speculation. He totally panicked as soon as he saw the word sendmail in /var/log/warn. Charles -- "Calling EMACS an editor is like calling the Earth a hunk of dirt." -- Chris DiBona on Dirt (Open Sources, 1999 O'Reilly and Associates)
On Wed, 2003-04-23 at 00:23, Charles Philip Chan wrote:
On 23 Apr 2003 00:18:31 +0200 Anders Johansson wrote:
But that doesn't explain how red hat's version of sendmail got on there
That was just his speculation. He totally panicked as soon as he saw the word sendmail in /var/log/warn.
Read the previous messages from Matt. He saw sendmail in YaST's package manager, and in the description it said that the vendor was Red Hat
On 23 Apr 2003 00:31:04 +0200
Anders Johansson
Read the previous messages from Matt. He saw sendmail in YaST's package manager, and in the description it said that the vendor was Red Hat
Unless I missed the post, he never said anything about seeing it in YaST. All he said was: "- It appears an outsider installed the Red Hat distribution of sendmail on my system. It launches every hour on the hour but fails, outputting "service smtp unknown" to the "warn" log file. Has anyone seen this and what are they trying to accomplish?" I presume he was just somehow equating sendmail with Redhat since sendmail is their default mail system. Matt: please clear this up. Charles -- "It's God. No, not Richard Stallman, or Linus Torvalds, but God." (By Matt Welsh)
On Wed, 2003-04-23 at 00:44, Charles Philip Chan wrote:
On 23 Apr 2003 00:31:04 +0200 Anders Johansson wrote:
Read the previous messages from Matt. He saw sendmail in YaST's package manager, and in the description it said that the vendor was Red Hat
Unless I missed the post, he never said anything about seeing it in YaST.
You must have missed it.
Subject: [SLE] Samba problem - addl note
Date: Mon, 21 Apr 2003 13:16:01 -0700
<snip>
- I also noticed, while browsing Yast software install and remove, that Sendmail was installed on Saturday morning. It's listed in Yast as a "Red Hat" distribution. Our office is closed on Saturday. Could this be a sign of some sort of intrusion??
On Tue, 22 Apr 2003 14:19:27 -0700
"Matt Stamm"
I believe my Linux server has been hacked. All of the sudden my Samba server has disappeared,
What is the result of: rcsmb restart Charles -- I've run DOOM more in the last few days than I have the last few months. I just love debugging ;-) (Linus Torvalds)
On Tuesday 22 April 2003 22:19, Matt Stamm wrote:
I believe my Linux server has been hacked. All of the sudden my Samba server has disappeared, and I've noticed, from looking at the log files, that Sendmail is launching every hour!
I feel your pain; the week before last involved 90 hours of reconstruction on a customer's Raq that they hadn't secured properly.
I'm trying to research this problem and I have some questions...
I'm using Suse 8.1. I'm still fairly new to Linux.
- Is there a better way to view the system log files other than just viewing them in an editor?
Tricky. Strictly speaking, *anything* on that box is now essentially untrustworthy; any system binary could have been Trojaned so as to cause further damage on execution. In practice, it's *probably* safe enough trying to export the logfiles to a secure machine and having a look through them there. (I'd look through logs using 'more' or 'less', and then pipe through grep for anything specific.) But, tbh, the first thing any script kiddie past neophyte stage will do is to edit the logs to remove their own traces. It's still worth a look, though - in my case, the RaQ was running pam.d, and the intruder hadn't learnt to doctor /var/log/auth, so they left traces in that file. Additionally, look for any files named .bash_history - it's surprising how many people will break in and forget to eliminate the command history, or create a new account and forget to remove the bash_history. (again, in my case, a file called /sbin/.bash_history was a bit suspect, and contained all the information I needed to identify the intruder, track him to a small company in Jakarta, and report him to his admin.)
- It appears an outsider installed the Red Hat distribution of sendmail on my system. It launches every hour on the hour but fails, outputting "service smtp unknown" to the "warn" log file. Has anyone seen this and what are they trying to accomplish?
Could be anything. If they've got a hidden crond somewhere, they could be mailing copies of /etc/passwd to a third party; or could be trying to but failing due to a duff rootkit. Try looking for suspect files in places you wouldn't expect. Do you have a definite intrusion time? Let's say, for example, that you're pretty sure they broke in over a day ago, but less than 2 days ago. "find -mtime -2 -mtime +0 | grep -v logs > /root/modified.txt" The above command (run from / !) will run through all the files in the filesystem, list all the files that have been modified over 1 day ago but less than 2 days ago - except for the log files, which will always be in the list otherwise - and will output the file list to a file named 'modified.txt' in the /root directory. (and if you've got a time in minutes, substitute 'mmin' for 'mtime'.)
- The mail log file shows postfix launching hourly starting several days before sendmail was installed, then sendmail took over! Can postfix be used to access a system?
I'd guess that Postfix is unlikely to be the intrusion point. As mailservers go, it's one of the more secure ones, and doesn't have sendmail's somewhat chequered history with regard to security. If you're running inetd, are telnet, ftp, rlogin, rsh or sundry other services running? If so, they're far more likely to be the culprits. What does 'netstat -tupan' give you? If you can see anything listening on well-known ports like 21, 23, 25, or 513-515, then you may well be listening on ports you weren't expecting. Furthermore, you might be able to gain a clue as to what's been installed on your box. With my unwanted guest, I noticed that there was a service listening on UDP port 3049 that shouldn't be there, and so I looked on Google and found the following: http://www.securityfocus.com/archive/82/259719 Although the box didn't look too badly damaged on the surface, every ELF binary in /bin, /usr/bin and /usr/lib/gcc was 8k larger than it should be on a newly-installed RaQ; meaning that the system binaries were Trojaned.
Any insight into this problem would be greatly appreciated!
What you should do is reinstall the machine from scratch, I'm afraid. If you have to delay the downtime until a convenient point, then try to stop the machine from infecting anything else in the meanwhile. If you feel confident, then try to backup any volatile user data to a safe place; but your machine is basically poisoned - your only safe solution is to purge it. Good luck, Gideon. (Standard disclaimer; anyone with better or more complete information is welcome to correct me.)
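A defender-side triage script that follows the checks Gideon describes (a file-modification window, stray .bash_history files, binary sizes compared against a clean install), written here as an added example and not code from this thread. It assumes the suspect root filesystem is mounted read-only under the directory given as the first argument (after booting from trusted media, as Anders suggests) and that a "size /path" manifest has been generated from a clean install of the same packages; the manifest format and the /var/log prune path are assumptions.

```shell
#!/bin/sh
# Offline triage helpers for a suspect root filesystem mounted under ROOT.
# Added example; the manifest format and pruned paths are assumptions.
set -u

# Files modified between two timestamps given in touch -t format
# (CCYYMMDDhhmm). Reference files express the window exactly and avoid
# the -mtime +1 / -mtime -2 day-truncation pitfall (that pair matches
# nothing); /var/log is pruned instead of filtered out with grep.
modified_between() {
    root=$1 start=$2 end=$3
    ref=$(mktemp -d) || return 1
    touch -t "$start" "$ref/start" && touch -t "$end" "$ref/end" || return 1
    find "$root" -path "$root/var/log" -prune -o -type f \
        -newer "$ref/start" ! -newer "$ref/end" -print
    rm -rf "$ref"
}

# Shell history files outside the usual home directories (the thread's
# /sbin/.bash_history case); -xdev keeps the walk on one filesystem.
stray_histories() {
    root=$1
    find "$root" -xdev -name '.bash_history' \
        ! -path "$root/home/*" ! -path "$root/root/.bash_history" -print
}

# Compare binary sizes with a manifest of "size /path" lines taken from a
# known-clean install; prints one line per mismatch or missing file.
# A whole directory of binaries that are all the same amount larger than
# expected is the pattern Gideon saw on the trojaned RaQ.
size_mismatches() {
    root=$1 manifest=$2
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            echo "MISSING $path"
        else
            actual=$(wc -c < "$root$path")
            [ "$actual" -eq "$expected" ] ||
                echo "SIZE $path expected=$expected actual=$actual"
        fi
    done < "$manifest"
}
```

Run each function with the mount point as the first argument (for example `modified_between /mnt/suspect 200304190000 200304200000`) and redirect the output to a file on the trusted system, not on the suspect disk.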
The 03.04.22 at 23:45, Gideon Hallett wrote:
I'd guess that Postfix is unlikely to be the intrusion point. As mailservers go, it's one of the more secure ones, and doesn't have sendmail's somewhat chequered history with regard to security.
But it could be the intended target: it could be someone trying to get an open relay. -- Cheers, Carlos Robinson
On Wednesday 23 April 2003 02:43, Carlos E. R. wrote:
The 03.04.22 at 23:45, Gideon Hallett wrote:
I'd guess that Postfix is unlikely to be the intrusion point. As mailservers go, it's one of the more secure ones, and doesn't have sendmail's somewhat chequered history with regard to security.
But it could be the intended target: it could be someone trying to get an open relay.
If someone's trying to get an open relay, there are any number of ways of getting one (or a mail relay of some sort) that are easier and less risky than breaking into a machine. For a start, how many tens of thousands of old formmail.pl installs are there cluttering up the 'net? (not to mention unpatched Exchange servers ...) cheers, Gideon. (we hatess formmail, my preciouss. Evil and nasssty and tricksy, it is.)