On Mon, 24 Nov 2003, Antun Balaz wrote:
Hi to all, it seems that I have a serious problem, although I updated my SuSE 8.1 server quite recently (all security updates were applied).
I have two questions:
1) What to do right now to prevent any misconduct of my server?
2) How to clean up the server?
Description of the problem: one of my users (mvasilic) noticed that someone from IP 81.196.122.7 logged in to his account (that IP originates from Romania, and we are in Serbia). Close inspection shows that indeed someone was logged in to our server from that IP, and obviously was running some kind of a rootkit:
1. Get the machine offline. Now.
2. No, don't plug it back online.
3. Verify how they got into the user's account:
   - 'xhost +' and no firewall on port 6000?
     - On this machine.
     - On machine with X server (beware of MS X-servers!)
   - Passwords typed on insecure machines.
   - Same password on multiple systems, where another system may be taken.
   - Username/password borrowed by others.
   This is a script-kiddie. It's highly unlikely that they've cracked their way in through a service the way things look here. Then they'd own the account owning the service.
4. They've owned a user. Is there any indication that they've gotten a root user? Does the user in question _have_ root access? Check carefully. They obviously haven't had time to clean up thoroughly, check /var/log/messages etc.
5. If you're 100% sure it's only the user, clean up for that user:
   - New password
   - Remove crontab
   - Remove ~/.ssh, ~/.shosts, ~/.rhosts, etc.
   - Remove at jobs
6. If you're not 100% sure, reinstall and configure from scratch is your one and only answer, with new passwords for all users, etc, etc, etc.
7. Plug back online.

BTDT,
-Bjørn

--
Bjørn Tore Sund          Phone:  (+47) 555-84894    Stupidity is like a
System administrator     Fax:    (+47) 555-89672    fractal; universal and
Math. Department         Mobile: (+47) 918 68075    infinitely repetitive.
University of Bergen     VIP:    81724
teknisk@mi.uib.no        Email:  bjornts@mi.uib.no  http://www.mi.uib.no/
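The checklist above (steps 3 to 5) is a manual inventory of the ways a stranger keeps access to a user account: a bare 'xhost +', trust files and keys under the home directory, crontab and at jobs, and the question of whether the user holds root. The script below is an added example, not part of the thread and not from any of its authors, that runs that inventory offline against a filesystem copied off the powered-down machine (so nothing on the suspect box is executed). It assumes the SuSE/Vixie-cron spool layout (/var/spool/cron/tabs and /var/spool/atjobs, with the other common locations tried as fallbacks) and the `# atrun uid=N` header that the usual `at` implementation writes into job files; both are assumptions to verify on the real system. The sample tree built by make_sample_root is constructed for the demo.

```shell
#!/bin/sh
# Added example: offline inventory of per-user persistence points for a home
# directory and spool files copied from a compromised machine. Spool paths and
# the at-job header format are assumptions (SuSE/Vixie cron, classic at).

# Files in a home directory that grant access without a password, or hold
# private keys an intruder could carry away. One path per line.
list_access_files() {
    home="$1"
    for f in .rhosts .shosts .ssh/authorized_keys .ssh/authorized_keys2 \
             .ssh/id_rsa .ssh/id_dsa .ssh/identity; do
        if [ -e "$home/$f" ]; then echo "$home/$f"; fi
    done
}

# Startup files that run a bare 'xhost +', which opens the user's X display
# (TCP 6000) to every host; a scoped 'xhost +somehost' is not flagged.
list_xhost_plus() {
    home="$1"
    for f in .xinitrc .xsession .Xclients .bash_profile .bashrc .profile; do
        if [ -f "$home/$f" ]; then
            grep -lE 'xhost[[:space:]]+\+[[:space:]]*$' "$home/$f" || :
        fi
    done
}

# Scheduled jobs left behind: the user's crontab (by name) and at jobs
# (matched on the "# atrun uid=N" header, since copied files may lose owner).
list_scheduled_jobs() {
    root="$1"; user="$2"; uid="$3"
    for t in "$root/var/spool/cron/tabs/$user" "$root/var/spool/cron/$user" \
             "$root/var/spool/cron/crontabs/$user"; do
        if [ -f "$t" ]; then echo "$t"; fi
    done
    for d in "$root/var/spool/atjobs" "$root/var/spool/cron/atjobs" "$root/var/spool/at"; do
        if [ -d "$d" ]; then
            grep -lE "^# atrun uid=$uid " "$d"/* 2>/dev/null || :
        fi
    done
}

# Accounts with uid 0 besides root: a second root login is a classic addition
# once an intruder has root, and answers the "did they get root?" question.
list_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Does this user hold root, via uid 0 or a sudoers entry? Missing sudoers = no.
user_has_root() {
    root="$1"; user="$2"
    if awk -F: -v u="$user" '$1 == u && $3 == 0 { found = 1 } END { exit !found }' \
           "$root/etc/passwd"; then
        return 0
    fi
    if [ -f "$root/etc/sudoers" ] && grep -qE "^[[:space:]]*$user[[:space:]]" "$root/etc/sudoers"; then
        return 0
    fi
    return 1
}

# Count the lines a listing function prints.
count_lines() { "$@" | wc -l | tr -d ' '; }

# Constructed sample: a copied filesystem root with one user home, the kind of
# tree an admin has after imaging the disk. Prints the root path.
make_sample_root() {
    root=$(mktemp -d)
    home="$root/home/mvasilic"
    mkdir -p "$home/.ssh" "$root/etc" "$root/var/spool/cron/tabs" "$root/var/spool/atjobs"
    printf '+ +\n' > "$home/.rhosts"                                # trust every host
    printf 'ssh-rsa AAAA...constructed intruder@remote\n' > "$home/.ssh/authorized_keys"
    printf 'xhost +\nexec fvwm2\n' > "$home/.xinitrc"                # display open to all
    printf 'xhost +trusted.example.org\n' > "$home/.xsession"        # scoped, not flagged
    printf '*/5 * * * * /tmp/.x/update\n' > "$root/var/spool/cron/tabs/mvasilic"
    printf '#!/bin/sh\n# atrun uid=1001 gid=100\n/tmp/.x/bd\n' > "$root/var/spool/atjobs/a0001201188c0"
    printf 'root:x:0:0:root:/root:/bin/bash\nmvasilic:x:1001:100::/home/mvasilic:/bin/bash\ntoor:x:0:0::/:/bin/sh\n' \
        > "$root/etc/passwd"
    echo "$root"
}

# Report for one user, in the order of the checklist.
report() {
    root="$1"; user="$2"; uid="$3"; home="$root/home/$user"
    echo "== access files ==";   list_access_files "$home"
    echo "== bare xhost + ==";   list_xhost_plus "$home"
    echo "== scheduled jobs =="; list_scheduled_jobs "$root" "$user" "$uid"
    echo "== extra uid 0 ==";    list_extra_uid0 "$root/etc/passwd"
    if user_has_root "$root" "$user"; then echo "$user HAS ROOT"; else echo "$user: no root"; fi
}

# Usage against the constructed tree; point ROOT at the mounted image instead.
ROOT=$(make_sample_root)
report "$ROOT" mvasilic 1001
rm -rf "$ROOT"
```

The listing functions only print; removal (step 5) stays a deliberate manual action after the findings are copied somewhere safe, and a non-empty "extra uid 0" section or a user with root is the signal for step 6 rather than step 5.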