On Tue, 2003-04-22 at 23:19, Matt Stamm wrote:
I believe my Linux server has been hacked. All of a sudden my Samba server has disappeared, and I've noticed, from looking at the log files, that Sendmail is launching every hour!
Step 1: Keep calm. Panic never solved anything.
You mentioned before that this is a test server you're running in your office, with just two samba users. Isn't your office behind a firewall?
Could it be that one of your coworkers who has
he knew something about linux and wanted to try his hand at administration?
If your machine really has been hacked, it looks extremely clumsy.
I'm trying to research this problem and I have some questions...
I'm using Suse 8.1. I'm still fairly new to Linux.
- Is there a better way to view the system log files other than just viewing them in an editor?
The best way to view the logs of a hacked system is to boot from a secure medium, such as the "rescue system" option of the SuSE CDs. From there you can mount your partitions and view the logs without any trojaned binaries getting in the way.
- Isn't postfix installed, not sendmail?
Who can say, except the person who installed the system? postfix is the default.
- It appears an outsider installed the Red Hat distribution of sendmail on my system.
It launches every hour on the hour but fails, outputting "service smtp unknown" to the "warn" log file. Has anyone seen this and what are they trying to accomplish?
As I said, extremely clumsy if it's a hack. It looks more like someone wanting to try his hand at administration but not really knowing what to do.
The red hat version of sendmail obviously expects to find an entry called "smtp" in /etc/services linked to port 22.
- The mail log file shows postfix launching hourly starting several days before sendmail was installed, then sendmail took over! Can postfix be used to access a system?
If there's a bug, but I can't remember hearing of one. The default installation should be reasonably secure.
If you really have been hacked, you shouldn't try to fix your system. The best (read 'only') way to be sure of your system's integrity is to do a full re-install. Boot from a secure system and make backups of your data first, then install from scratch and get all
from SuSE before you start up your system again.
You may want to get an expert in to look over your system to try to determine how people got in. Maybe it was a weak
Anders,
Thanks for the response. My reply...
- No, this server was not behind a firewall. I'm still learning Linux (that's why I've kept most users off this system). I will definitely be learning firewall next. The system has no firewall and sits on a DSL line with a fixed IP address. I've since learned that that makes it a sitting duck for hacking ?!?!?!
- I don't believe it's a coworker because the two users are myself and one other coworker. The coworker uses Samba only from his Windows system. I've already talked to him, it's not him.
I also noticed the following interesting entries in the log files...
in the "warn" log...
Apr 19 18:32:23 linux kernel: 199.170.68.4 sent an invalid ICMP error to a broadcast.
Apr 19 18:32:24 linux kernel: 199.170.68.4 sent an invalid ICMP error to a broadcast.
in the "messages" log...
Apr 19 23:16:24 linux useradd[3496]: new user: name=mailnull, uid=47, gid=100, home=/var/spool/mqueue, shell=/dev/null
Do these mean anything??
---------- Original Message ----------------------------------
From: Anders Johansson
a hitherto unknown security hole. I don't think anyone can really help you determine that over a mailing list.
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
On Wednesday 23 April 2003 16:11, Matt Stamm wrote:
- No, this server was not behind a firewall. I'm still learning Linux (that's why I've kept most users off this system). I will definitely be learning firewall next. The system has no firewall and sits on a DSL line with a fixed IP address. I've since learned that that makes it a sitting duck for hacking ?!?!?!
To say the least :) It's never a good idea to put a live system on the internet until you have at least the basics down. And that goes triple for a system running samba, or any other type of file sharing.
- I don't believe it's a coworker because the two users are myself and one other coworker. The coworker uses Samba only from his Windows system. I've already talked to him, it's not him.
ok, it was just a thought. You should always start by eliminating the simple answers. I usually don't and frequently end up with egg on my face :)
I also noticed the following interesting entries in the log files...
in the "warn" log...
Apr 19 18:32:23 linux kernel: 199.170.68.4 sent an invalid ICMP error to a broadcast.
Apr 19 18:32:24 linux kernel: 199.170.68.4 sent an invalid ICMP error to a broadcast.
in the "messages" log...
Apr 19 23:16:24 linux useradd[3496]: new user: name=mailnull, uid=47, gid=100, home=/var/spool/mqueue, shell=/dev/null
Do these mean anything??
Well, it means a user has been added, which means that whoever was on your system on April 19 had root access. I would suggest a full reinstall. Take the machine off the internet as soon as possible, if you haven't already, back up any data you want to save, and do a full reinstall. Even if the person who cracked your machine wasn't very good (since you can read those lines in the log it means he didn't even try to clean up after himself), you still can't trust any programs on that machine.
And before you put the machine back on the net, get all security patches, and look at firewalls. Look twice at firewalls. And look at all passwords you use, to make sure you don't use simple words, or combinations of words. Passwords like that can be cracked very quickly. And don't put *any* services on the net which use plaintext passwords.
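The point Anders makes above, that a "useradd ... new user" entry in the messages log was written by a process running as root, is the kind of thing worth pulling out of a log copy mechanically rather than by eye. The following is an added example, not code from the thread: it reads syslog-style text on stdin (so it can be run on a copy of /var/log/messages mounted from a rescue boot, as suggested earlier) and lists every account created, flagging the ones most worth a second look. The sample lines are constructed, modelled on the entries quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): extract account-creation events from a
# syslog "messages" file. Every useradd line there was written with root rights.

# Constructed sample log, modelled on the entries quoted in the thread.
sample_log() {
    cat <<'EOF'
Apr 19 18:32:23 linux kernel: 199.170.68.4 sent an invalid ICMP error to a broadcast.
Apr 19 23:16:24 linux useradd[3496]: new user: name=mailnull, uid=47, gid=100, home=/var/spool/mqueue, shell=/dev/null
Apr 20 02:05:11 linux sshd[4021]: Accepted password for matt from 10.0.0.5 port 1033 ssh2
Apr 20 02:07:45 linux useradd[4099]: new user: name=ftpadm, uid=0, gid=0, home=/tmp/.x, shell=/bin/bash
EOF
}

# One line per created account: "name uid home shell Mon DD HH:MM:SS".
# Reads on stdin so it works on a log copied off the suspect machine.
list_new_users() {
    grep 'useradd\[[0-9]*\]: new user:' |
    sed -n 's/^\(... .. ..:..:..\) .* name=\([^,]*\), uid=\([^,]*\), gid=[^,]*, home=\([^,]*\), shell=\(.*\)$/\2 \3 \4 \5 \1/p'
}

# Flag what a reviewer should look at first: a second uid 0 account, or a
# home directory outside /home (the mailnull entry above trips this rule).
flag_suspicious() {
    list_new_users | awk '$2 == "0" || $3 !~ /^\/home\// { print "SUSPICIOUS: " $0 }'
}

# Typical use on a rescue-booted system with the disk mounted under /mnt:
#   flag_suspicious < /mnt/var/log/messages
```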
Hi, I also have a SUSE 8.1 with a Samba server on the net, and I haven't configured a firewall. What should I activate on the firewall with YAST? I am very new to this stuff, so I'd better prevent now before someone damages all my work.
Thanks, Jose
Anders Johansson wrote:
On Wednesday 23 April 2003 16:31, Jose Sanchez wrote:
Hi, I also have a SUSE 8.1 with a Samba server on the net, and I haven't configured a firewall. What should I activate on the firewall with YAST? I am very new to this stuff, so I'd better prevent now before someone damages all my work.
Well, if you just go through the setup of the firewall in YaST and *not* select any ports, it will pretty much block everything. After that, all you have to do is make sure the firewall is actually running. Check with rcSuSEfirewall2 status. Run rcSuSEfirewall2 start if it isn't.
If you are running servers that you absolutely must have on the Internet, make sure you understand the security implications of each before you do. Running servers is easy. Running them securely takes work. I'm very far from a security expert, but there is one piece of advice that I think no one will dispute. Study *before* doing.
Ok, thanks for the advice, I will do so.
Jose
Anders Johansson wrote:
On Wednesday 23 April 2003 09:30, Anders Johansson wrote:
On Wednesday 23 April 2003 16:11, Matt Stamm wrote:
- No, this server was not behind a firewall. I'm still learning Linux (that's why I've kept most users off this system). I will definitely be learning firewall next. The system has no firewall and sits on a DSL line with a fixed IP address. I've since learned that that makes it a sitting duck for hacking ?!?!?!
To say the least :) It's never a good idea to put a live system on the internet until you have at least the basics down. And that goes triple for a system running samba, or any other type of file sharing.
- I don't believe it's a coworker because the two users are myself and one other coworker. The coworker uses Samba only from his Windows system. I've already talked to him, it's not him.
ok, it was just a thought. You should always start by eliminating the simple answers. I usually don't and frequently end up with egg on my face :)
I also noticed the following interesting entries in the log files...
in the "warn" log...
Apr 19 18:32:23 linux kernel: 199.170.68.4 sent an invalid ICMP error to a broadcast.
Apr 19 18:32:24 linux kernel: 199.170.68.4 sent an invalid ICMP error to a broadcast.
Looks as though you are getting RFC non-compliant packets generated on your network. I'd utilize ethereal and verify this. Utilize the following filters: "icmp" or "icmp.checksum_bad == 1". These should let you know what ICMP traffic you are getting as well as how many you are getting with bad CRCs.
in the "messages" log...
Apr 19 23:16:24 linux useradd[3496]: new user: name=mailnull, uid=47, gid=100, home=/var/spool/mqueue, shell=/dev/null
Do these mean anything??
Looks like a sendmail installation.
Well, it means a user has been added, which means that whoever was on your system on April 19 had root access. I would suggest a full reinstall. Take the machine off the internet as soon as possible, if you haven't already, back up any data you want to save, and do a full reinstall. Even if the person who cracked your machine wasn't very good (since you can read those lines in the log it means he didn't even try to clean up after himself), you still can't trust any programs on that machine.
And before you put the machine back on the net, get all security patches, and look at firewalls. Look twice at firewalls. And look at all passwords you use, to make sure you don't use simple words, or combinations of words. Passwords like that can be cracked very quickly. And don't put *any* services on the net which use plaintext passwords.
-- Thomas Jones Linux-Howtos Administrator
On Wednesday 23 April 2003 22:42, Thomas Jones wrote:
Looks like a sendmail installation.
heh
The /var/spool/mqueue directory is part of Base Operating System (BOS) Runtime.
Yeah? My copy of the OS/400 V4R3 manual leaves that directory undefined.
Check that this directory is mode 0x700 and UID is 0, as well as the GID 0. This is the default permission configuration of sendmail. Find it out via the -n switch of the ls command (for numeric format).
Also, check that this is indeed the queue directory as defined by "Q" in the sendmail.cf configuration file.
What if it isn't? Send the hacker to a sendmail configuration seminar?
If this happened to be "hacker" of sorts, he must have altered various system files.
i.e. a hacked-up /dev/null
Otherwise, he would not be able to remotely login. /dev/null doesn't return very many prompts to a tty. ;)
That's right, if he logs in as root he cannot create another user account with /dev/null as $HOME because then he wouldn't be able to log in as root again.
Thomas Jones Linux-Howtos Administrator
Hmmmm
On Wednesday 23 April 2003 15:54, Anders Johansson wrote:
On Wednesday 23 April 2003 22:42, Thomas Jones wrote:
Looks like a sendmail installation.
heh
The /var/spool/mqueue directory is part of Base Operating System (BOS) Runtime.
Yeah? My copy of the OS/400 V4R3 manual leaves that directory undefined.
Check that this directory is mode 0x700 and UID is 0, as well as the GID 0. This is the default permission configuration of sendmail. Find it out via the -n switch of the ls command (for numeric format).
Also, check that this is indeed the queue directory as defined by "Q" in the sendmail.cf configuration file.
What if it isn't? Send the hacker to a sendmail configuration seminar?
If it isn't the same directory, then the configuration file has been altered. If accounting has been activated, then Matt should be able to find out who altered it and at what time. Not very many of today's distribution installations activate "acct" by default though.
If this happened to be "hacker" of sorts, he must have altered various system files.
i.e. a hacked-up /dev/null
Otherwise, he would not be able to remotely login. /dev/null doesn't return very many prompts to a tty. ;)
That's right, if he logs in as root he cannot create another user account with /dev/null as $HOME because then he wouldn't be able to log in as root again.
$HOME should be /var/spool/mqueue. I am assuming that it in fact does exist, and is a valid directory structure. Interesting scenario though.
It may behoove him to research inode(4). The following structures may be of some help.
Thomas Jones Linux-Howtos Administrator
Hmmmm
-- Thomas Jones Linux-Howtos Administrator
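Thomas's two checks in the exchange above (the queue directory's owner, group and mode, and whether it matches the queue directory named in sendmail.cf) can be scripted against a copy of the suspect filesystem mounted from a rescue boot, which avoids trusting the machine's own binaries. The following is an added example, not code from the thread; it assumes the suspect disk is mounted under a root you pass in (e.g. /mnt) and uses GNU stat. Expected values are the sendmail defaults as Thomas states them: owner root, group root, mode 0700, queue in /var/spool/mqueue.

```shell
#!/bin/sh
# Added example (not from the thread): verify the sendmail queue directory on a
# suspect filesystem mounted under $ROOT, using the rescue system's own tools.

# Pull the queue directory out of a sendmail.cf. Both the old "OQ/path" and
# the V8 "O QueueDirectory=/path" spellings are accepted.
queue_dir_from_cf() {
    sed -n -e 's/^OQ\(.*\)$/\1/p' -e 's/^O QueueDirectory=\(.*\)$/\1/p' "$1" | head -n 1
}

# Compare a directory's numeric owner, group and mode with what is expected.
# Returns 0 on a match, 1 otherwise. Uses GNU stat -c; BSD stat differs.
check_dir_perms() {
    dir=$1; want_uid=$2; want_gid=$3; want_mode=$4
    [ -d "$dir" ] || { echo "MISSING: $dir"; return 1; }
    set -- $(stat -c '%u %g %a' "$dir")
    if [ "$1" = "$want_uid" ] && [ "$2" = "$want_gid" ] && [ "$3" = "$want_mode" ]; then
        echo "OK: $dir uid=$1 gid=$2 mode=$3"
        return 0
    fi
    echo "CHANGED: $dir uid=$1 gid=$2 mode=$3 (expected uid=$want_uid gid=$want_gid mode=$want_mode)"
    return 1
}

# The two checks together for a filesystem mounted at $1: the configured
# queue directory must still be /var/spool/mqueue, and it must be root:root 0700.
verify_mqueue() {
    root=$1
    qdir=$(queue_dir_from_cf "$root/etc/sendmail.cf")
    if [ "$qdir" != "/var/spool/mqueue" ]; then
        echo "CHANGED: sendmail.cf names queue directory '$qdir'"
        return 1
    fi
    check_dir_perms "$root$qdir" 0 0 700
}

# Typical use from the rescue system with the suspect disk mounted on /mnt:
#   verify_mqueue /mnt
```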