Hello Guru's,
On the weekend our web server (SuSE 7.2, kernel 2.4.4-4GB) was hacked by some very clever guys. They placed some programs which I cannot remove anymore and, which is even worse, the root password was also changed (I cannot start in single user mode - init 1 - the password is wrong). A "sysadmin" user was created by the hacker and mtab was also changed.
When I try to log in and type the username, then Enter -> the "password" prompt does not come, but the screen hangs. It means we cannot log in anymore. What is interesting is that this is also our mail server, and we can send/receive mail, but via Samba it is not possible to connect to the shared drives.
I'm afraid I have to reinstall the machine, but before I do it I want to know what happened and how. If someone of you has experience with this and could give good advice about what to do and how I can analyse who logged in, it would be appreciated.
TIA, istvan
Istvan HOLLO
GlobalTech Hungary Informatikai Kft.
phone : +36 28 590 500
fax : +36 28 590 501
email : istvan.hollo@ija.hu
www : www.thegt.com www.ija.hu
hello istvan,
You can boot from your SuSE CD in rescue mode, mount your drives, and then you should see what happened. cu mario
-----Original Message-----
From: Istvan Hollo [mailto:istvan.hollo@ija.hu]
Sent: Wednesday, April 23, 2003 7:32 PM
To: suse-security@suse.com
Subject: [suse-security] ver7.2 server was hacked - pls help
On Wed, Apr 23, 2003 at 09:32:18AM -0800, Istvan Hollo wrote:
On the weekend our web server (SuSE 7.2 kernel 2.4.4-4GB) was hacked by some very clever guys.
I think that they were not clever. Clever guys do not even let you notice that your server is hacked.
They placed some programs which I cannot remove anymore and, which is even worse, the root password was also changed (I cannot start in single user mode - init 1 - the password is wrong). A "sysadmin" user was created by the hacker and mtab was also changed.
I'm afraid i have to reinstall the machine, but before i do it want to know what and how happened.
You should disconnect the server and reboot it from CD-ROM, examine the system (making a copy of the hard disk first) and find out who the hacker was. Since it probably was just one of those script kiddies, you have a chance to get him. It will not be easy, because the hacker seems to have deleted some log files:
| ~> finger istvan@213.163.35.38
| [213.163.35.38/213.163.35.38]
|
| Welcome to Linux version 2.4.4-4GB at bagira.ija.hu !
|
| 10:50am up 2:54, 0 users, load average: 0.00, 0.00, 0.00
|
| Login: holist Name: Istvan Hollo
| Directory: /home/holist Shell: /bin/bash
| Never logged in.
| No Mail.
| No Plan.
| ~> finger root@213.163.35.38
| [213.163.35.38/213.163.35.38]
|
| Welcome to Linux version 2.4.4-4GB at bagira.ija.hu !
|
| 11:02am up 3:06, 0 users, load average: 0.00, 0.00, 0.00
|
| Login: root Name: root
| Directory: /root Shell: /bin/bash
| Never logged in.
| New mail received Wed Apr 23 08:33 2003 (CEST)
| Unread since Sun Apr 20 19:42 2003 (CEST)
| No Plan.
:-)
You should not reboot the system from its hard disk, because the root kit which probably has been installed will hide the manipulated files (afterwards you may look for files and directories with names like " ", ". ", ".. ", "/" and other irregular characters).
If someone of you has experience with this and could give good advice about what to do and how I can analyse who logged in, it would be appreciated.
As far as I see, you have not applied all the patches for the many, many security holes in the services you offer to the internet. For example: there is an SSH daemon running on that server which has the ID string "SSH-1.5-1.2.33". As far as I know, the security hole in that version was discovered and patched more than 2 years ago. So the hacker may have entered your system by one of the exploits you can easily find on the WWW. The same thing may apply to telnet, smtp, sunrpc and squid.
So I suppose that the server was hacked a long time ago already (normally a new system needs just a few hours to experience the first attacks, and if a system has well known security holes...) and just now someone wanted to reveal the damage to you.
By the way: I do not know, why you offer telnet *and* ssh, and services like finger, print, sunrpc and squid-http to the internet. For security one should only open the ports which really are intended to be used from outside. And of course apply all security patches for the services one is offering.
Bye, Hatto
P.S.: You know that the hacker may read this mail on your system?
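Following Mario's and Hatto's advice to boot from the rescue CD and examine the mounted disk, here is an added triage script (hypothetical, not posted in the thread); it assumes the suspect root filesystem is mounted read-only at the path passed as the first argument and uses only the rescue system's own find and awk, never binaries from the hacked disk.

```shell
#!/bin/sh
# Triage helpers for a rescue-CD boot. The suspect disk is mounted read-only
# at the path given as $1 (for example: mount -o ro /dev/sda2 /mnt) and we only
# use the rescue system's find/awk, never binaries from the hacked disk.
# Hypothetical helper script, not from the thread.

# Paths whose last component is made only of spaces and dots (" ", ". ",
# "...") or ends in a space: the kind of names Hatto mentions, which a
# rootkit uses to hide a directory from a casual "ls".
find_odd_names() {
    find "$1" -xdev -print 2>/dev/null |
        awk -F/ '$NF ~ /^[ .]+$/ || $NF ~ / $/'
}

# Accounts other than root with uid 0 in the disk's /etc/passwd (an added
# "sysadmin" user would show up here if the intruder gave it uid 0).
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# Setuid files on the disk; compare the list against a clean install.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null
}

# Stand-alone use: ./triage.sh /mnt
if [ -n "${1:-}" ]; then
    echo "== odd names =="; find_odd_names "$1"
    echo "== extra uid 0 accounts =="; find_extra_uid0 "$1"
    echo "== setuid files =="; find_setuid "$1"
fi
```

Anything the script finds is a lead to check on the disk image copy, not proof by itself; the rootkit-hidden names only appear because the listing is done from the rescue system's kernel and tools.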
On Wed, 23 Apr 2003 at 14:32, Istvan Hollo wrote:
I'm afraid I have to reinstall the machine, but before I do it I want to know what happened and how. If someone of you has experience with this and could give good advice about what to do and how I can analyse who logged in, it would be appreciated.
For backups of data and things like that you can boot with a CD and in maintenance mode copy things to another disk, or repair files that give you problems to backup what you have there comfortably.
With that kind of access you could try to see what happened, but there are a lot of possibilities... now that you mention Samba, in my LUG a user was hacked, and the main suspect is Samba; he didn't have it patched and had no firewall, so the latest Samba vulnerability could have been exploited (the intruder seems to have applied the patch to fix Samba, and then installed backdoors and things like that... but left everything logged in /root/.bash_history). That kind of thing could be what happened on your machine, but really clever guys don't leave that kind of traces.
But I think that the best is to reformat/reinstall the machine; you can't be sure what has been changed on your disk. About your users, be careful about what you can back up and what not (i.e. passwords and mailboxes maybe yes, most dot files, scripts, shells, etc. maybe not).