Has someone hacked my server? Has someone gotten root on my machine?
Hi all! (Please note that I am VERY new to Linux and the only reason I have gotten a Linux machine up and running is the user-friendliness of SuSE Linux. Thanks SuSE!)

This is one depressed Linux newbie here. I have suddenly and for no apparent reason started to have a *LOT* of problems with my little Linux box (a Pentium II, 233 MHz, 128 MB RAM) which has SuSE Linux 8.0 installed. I wonder why I can have so many problems differing in nature, all at the same time.

I noticed two days ago that I could not check my email which resides on the server via IMAP. I have had the machine up and running for about 2 months without the need to reboot, serving pages via Apache, running MySQL and also UW IMAP with sendmail. I also run Webmin on the server and access nearly all of the functions via Webmin, which has always worked perfectly. I also have Samba running on it.

When I had those email problems I decided to reboot the machine, thinking that it may have become unstable. Rebooting caused problems. The machine started to shut down but then stopped, like it had frozen. I logged on via Webmin, which was still running, thankfully, and sent another reboot command to the server, and it then rebooted. Startup also froze, this time at "Starting sound" (I can't remember the exact command). I wrote to this group and was told to try and disable the sound driver. I renamed the sound file (via Webmin) and rebooted. This time it rebooted and started up.

It is now running, but very strangely. When the machine comes up, Apache isn't running. I start Apache via Webmin and get an error - but seconds later Apache starts up anyway. KDE is loaded on the server; when I issue a "telinit 3" from Webmin nothing happens at all. If I issue a "ps -A" command Webmin hangs.

When I open a shell window on the server in KDE I am immediately greeted with an error message:

    bash: /bin/ls: Permission denied
    linux:~$

Then, regardless of what command I use, I get this. If I enter the command "ls" I get:

    bash: /bin/ls: Permission denied
    linux:~$

Whatever command I type, I'm told "Permission denied." I can't su into superuser mode; this is what happens when I su:

    linux:~$ su
    Password: [I enter my su password]
    [1]+  Stopped                 su
    linux:~$
    linux:/home/dan #

So I really have no idea of what is going on. Has someone hacked my box and gotten root? :-( :-(

What should I do now? Backup htdocs and database and then format and reinstall the whole lot?

Any help would be greatly appreciated.

Dan the man.
So I really have no idea of what is going on. Has some hacked my box and gotten root? :-( :-(
What should I do now? Backup htdocs and database and then format and reinstall the whole lot?
It's very, very sick. The fact you can't get at the ls command as root suggests something horrible has happened.

Unless it's been left really vulnerable, I wouldn't immediately suspect the box has been cracked, since most crackers would either silently take over the box so they could use it, or they'd just trash it completely. Subtly breaking it in various ways isn't the norm, although it is possible.

Do you have any reason to believe a hardware fault has occurred? Any history of overheating with that box? Has it received a knock recently which might have dislodged some memory? Any reason to think the hard disk might have started to die?

Basically, it's not going to tell you much in the state it's in. If you can get to a position where you can get your data to safety, that would be a very sensible thing to do. You might be able to get the thing running more sensibly by booting a Linux distro from CD or floppy, mounting the hard disk and having a look around. But as a newbie, this might be more trouble than it's worth, and you probably wouldn't be able to spot the signs which tell you what's happened anyway.

A reinstall looks like the best option in the absence of any better advice. My suspicions would lie with the hardware though. Happily running Linux boxes don't just go belly up like that without a good reason.

-- 
"...our desktop is falling behind stability-wise and feature wise to KDE ...when I went to Mexico in December to the facility where we launched gnome, they had all switched to KDE3." - Miguel de Icaza, March 2003
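The "boot rescue media, mount the disk and have a look around" step above is where a newcomer gets stuck, so here is an added example of what that look can consist of. It is not code from the original thread or from any of its participants. It compares owner, group and octal mode of a few core binaries on a mounted root filesystem (assumed at /mnt) against an expected table, which catches exactly the symptom Dan reports: /bin/ls with its execute bits gone. The expected modes (755 for ls and bash, 4755 for su) are the usual values and are an assumption of this example, as is the constructed sample tree used for the stand-alone run; it relies on GNU stat's -c option.

```shell
#!/bin/sh
# Added example, not from the thread: offline integrity check of core binaries
# on a suspect root filesystem mounted from rescue media (e.g. at /mnt).
# Requires GNU stat (-c). Real use:
#   write_expected_table root root > /tmp/expected
#   check_binaries /mnt /tmp/expected

# Write an expected table to stdout: "path owner group mode", one per line.
# Owner and group are parameters so the same table can be built for a test
# tree that is not owned by root; on a real disk they would be "root root".
write_expected_table() {
    owner="$1"; group="$2"
    printf '%s %s %s %s\n' /bin/ls   "$owner" "$group" 755
    printf '%s %s %s %s\n' /bin/bash "$owner" "$group" 755
    printf '%s %s %s %s\n' /bin/su   "$owner" "$group" 4755   # setuid root is normal for su
}

# check_binaries MOUNTPOINT TABLE: print one line per entry, OK / BAD / MISSING.
check_binaries() {
    root="$1"; table="$2"
    while read -r path owner group mode; do
        case "$path" in ''|'#'*) continue ;; esac   # skip blanks and comments
        f="$root$path"
        if [ ! -e "$f" ]; then
            echo "MISSING $path"
            continue
        fi
        actual=$(stat -c '%U %G %a' "$f")           # owner, group, octal mode
        if [ "$actual" = "$owner $group $mode" ]; then
            echo "OK      $path ($actual)"
        else
            echo "BAD     $path expected '$owner $group $mode' got '$actual'"
        fi
    done < "$table"
}

# Number of BAD or MISSING entries; 0 means the listed binaries look intact.
count_bad() {
    check_binaries "$1" "$2" | awk '/^(BAD|MISSING)/ { n++ } END { print n + 0 }'
}

# Constructed sample tree (assumption for this example) mimicking the symptom
# in the thread: /bin/ls has lost its execute bits, so "ls" fails with
# "Permission denied" while bash and su are as expected.
make_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin"
    for b in ls bash su; do printf '#!/bin/sh\n' > "$dir/bin/$b"; done
    chmod 644  "$dir/bin/ls"    # broken: no execute permission
    chmod 755  "$dir/bin/bash"
    chmod 4755 "$dir/bin/su"
    echo "$dir"
}

# Stand-alone run against the constructed sample: sh check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_root)
    table=$(mktemp)
    # The sample tree belongs to whoever runs this, so take owner/group from it.
    write_expected_table $(stat -c '%U %G' "$root/bin/bash") > "$table"
    check_binaries "$root" "$table"
    echo "findings: $(count_bad "$root" "$table")"
    rm -rf "$root" "$table"
fi
```

On a SuSE system the package database gives a far more complete version of the same comparison: with the disk mounted under /mnt, `rpm -Va --root /mnt` verifies every installed file's mode, owner and checksum against what the packages recorded, which is how a mode change like the one above would normally be spotted. A table of three files is only the hand-checked subset of that.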
Dan Eskildsen wrote:
So I really have no idea of what is going on. Has some hacked my box and gotten root? :-( :-(
Machines with public IPs should be updated regularly, or they will get cracked, especially if they happen to provide a bigger number of public services. It's best to do the update automatically, every night.

http://susefaq.sourceforge.net/you.html#AEN1666

    #!/bin/sh
    # without this, it does not work with SuSE 8.1
    export DISPLAY=linux
    # download patches
    yast2 online_update .auto.get
    # install downloaded patches
    yast2 online_update .auto.install
    # uncomment the line corresponding to your SuSE version
    # 8.0
    # rm -rf /var/lib/YaST/patches/*
    # 8.1
    # rm -rf /var/lib/YaST2/you/*

-- 
Linux/Unix Systems Engineer
http://www.genesys.ro
Phone +40723-267961
participants (3)
- Dan Eskildsen
- Derek Fountain
- Silviu Marin-Caea