On Wed, Apr 23, 2003 at 09:32:18AM -0800, Istvan Hollo wrote:
> On the weekend our web server (SuSE 7.2, kernel 2.4.4-4GB) was hacked by some very clever guys.
I think that they were not clever. Clever guys do not even let you notice that your server is hacked.
> They placed some programs which I cannot remove anymore and, what is even worse, the root password was also changed (I cannot start in single user mode - init 1 - the password is wrong). A "sysadmin" user was created by the hacker and mtab was also changed.
> I'm afraid I have to reinstall the machine, but before I do it I want to know what happened and how.
You should disconnect the server and reboot it from CD-ROM, examine the system (making a copy of the hard disk first) and find out who the hacker was. Since it probably was just one of those script kiddies you have a chance to get him. It will not be easy, because the hacker seems to have deleted some log files:

| ~> finger istvan@213.163.35.38
| [213.163.35.38/213.163.35.38]
|
| Welcome to Linux version 2.4.4-4GB at bagira.ija.hu !
|
|  10:50am  up  2:54,  0 users,  load average: 0.00, 0.00, 0.00
|
| Login: holist                           Name: Istvan Hollo
| Directory: /home/holist                 Shell: /bin/bash
| Never logged in.
| No Mail.
| No Plan.
|
| ~> finger root@213.163.35.38
| [213.163.35.38/213.163.35.38]
|
| Welcome to Linux version 2.4.4-4GB at bagira.ija.hu !
|
|  11:02am  up  3:06,  0 users,  load average: 0.00, 0.00, 0.00
|
| Login: root                             Name: root
| Directory: /root                        Shell: /bin/bash
| Never logged in.
| New mail received Wed Apr 23 08:33 2003 (CEST)
|      Unread since Sun Apr 20 19:42 2003 (CEST)
| No Plan.

:-) You should not reboot the system from its hard disk, because the root kit which probably has been installed will hide the manipulated files (afterwards you may look for files and directories with names like " ", ". ", ".. ", "\/" and other irregular characters).
> If any of you is experienced with this and could give good advice about what to do and how I can analyse who logged in, it would be appreciated.
As far as I see, you have not applied all the patches for the many, many security holes in the services you offer to the internet. For example: there is an SSH daemon running on that server which has the ID string "SSH-1.5-1.2.33". As far as I know the security hole in that version was discovered and patched more than 2 years ago. So the hacker may have entered your system by one of the exploits you can easily find on the WWW. The same thing may apply to telnet, smtp, sunrpc and squid. So I suppose that the server was hacked a long time ago already (normally a new system needs just a few hours to experience the first attacks, and if a system has well known security holes...) and just now someone wanted to reveal the damage to you.

By the way: I do not know why you offer telnet *and* ssh, and services like finger, print, sunrpc and squid-http to the internet. For security one should only open the ports which really are intended to be used from outside. And of course apply all security patches for the services one is offering.

Bye, Hatto

P.S.: You know that the hacker may read this mail on your system?
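The offline examination Hatto recommends (boot from clean media, image the disk, then search the mounted copy for hiding-place names and for the added "sysadmin" account) can be scripted. The helpers below are an added example and are not part of the thread; they assume the suspect disk has been imaged and mounted read-only at a path such as /mnt/evidence (an assumed path), so the suspect kernel and any rootkit on it are not running while the commands execute. The name check generalises the names Hatto lists (" ", ". ", ".. ", "\/") to any last path component containing whitespace or control characters, three or more dots, or a leading backslash; the account and setuid checks are the usual companions when triaging a compromised Unix image.

```sh
#!/bin/sh
# Offline triage helpers for an imaged, read-only mounted disk (added example,
# not from the mailing-list thread). Run from a clean boot medium against the
# mount point, e.g. /mnt/evidence (assumed path), never against the live host.

# Print every path under ROOT whose last component looks like a hiding-place
# name: contains whitespace or a control character (" ", ". ", ".. "), is
# three or more dots, or starts with a backslash ("\/").
find_odd_names() {
    root=$1
    find "$root" -print 2>/dev/null \
      | LC_ALL=C grep -aE '/([^/]*[[:space:][:cntrl:]][^/]*|\.{3,}|\\[^/]*)$' || :
}

# Print every account with uid 0 from an offline /etc/passwd. Anything beyond
# "root" (such as the "sysadmin" account from the mail) needs an explanation.
list_uid0() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print accounts that still have a real login shell (not nologin/false), sorted
# by uid, so a newly added user stands out next to the expected ones.
list_login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $3, $1, $7 }' "$1" | sort -n
}

# Print setuid files under ROOT; compare the list with a known-good install,
# since a dropped setuid shell is a common way to keep root access.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# Usage: sh triage.sh /mnt/evidence
if [ -n "${1-}" ]; then
    echo "== odd names under $1";  find_odd_names "$1"
    echo "== uid 0 accounts";      list_uid0 "$1/etc/passwd"
    echo "== login accounts";      list_login_accounts "$1/etc/passwd"
    echo "== setuid files";        list_setuid "$1"
fi
```

Because the image is mounted from a clean kernel, the listing cannot be filtered by a kernel module or trojaned ls/find on the suspect disk; mtab can be compared against /etc/fstab on the same image, and any log files still present should be copied out before the host is reinstalled.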