Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] Apache Gain Remote Shell Access
  • From: "Philippe Vogel" <filiaap@xxxxxxxxxx>
  • Date: Thu, 4 Sep 2003 04:23:10 +0200
  • Message-id: <00eb01c3728b$806948b0$52ef5b86@xxxxxxxxxxxxxxxxxx>
> Marco Lum wrote:
> > Please help, I can't find where he can get in!

Hm, unfortunately he/she knew what to do and where to find funny things!

>>!!!! Immediately unplug the server, plug in a backup server and analyse the
system, and don't switch it off after that. !!!!<<
Look for the sources on the mentioned websites: the hacker installed a
sniffer on your box and can trace all your activity and passwords!

On the backup server, log all connections!
Don't shut it down - many activities can be resolved in tmp and memory (they
still reside on that system).
After analysing the intrusion and finding traces to the hacker you can set up
your box anew!

A hacker first wants to gain access and then install irc and/or news and/or
their own warez or whatever ftp and/or hacks to hack other servers.
If you got rootkitted, a netstat -tap | grep LISTEN or | grep ESTABLISHED
will not help you find out (scan the server from another PC to find open
ports instead).

First, which services, daemons and versions did you run?
Which distro do you use?

>>Short Checklist<<

- check accounts in /etc/passwd and /etc/shadow
- check state of network connections with "netstat -tap"
- check state of network devices with "ifconfig" for promiscuous mode
- check logfiles (see later)
- check last users and logins with "last"
- check time of server - this may bring you problems if this server syncs your net
- check configs of inetd/xinetd and other services
- find hack directories like "..." or " " with e.g.: find / -name "..."
- find last modified files with "ls -latrc" and check rpm-db (see later)
- probe for trojans or rootkits

>>Check for rootkits!<<
If you got rootkitted, all analysis tools and some system commands are useless,
because they are replaced and dysfunctional!
Here's a small hint on how to use it:

Look at http://www.chkrootkit.org/ for further usage!

Download chkrootkit.tar.gz from above website!
tar xvfz chkrootkit.tar.gz
cd chkrootkit
make
./chkrootkit > /root/chkrootkit.log
less /root/chkrootkit.log

Look at what you get as output and google for hints if you got one!

>>Check your rpm-db<<

rpm -Va > /root/system.checked

>>check your logfiles, especially look at the /var/log/xferlog for
suspicious ftp transfers<<

mkdir /var/intl
cp /root/system.checked /var/intl
cp /root/chkrootkit.log /var/intl
fgrep -i attempt /var/log/messages >/var/intl/attempt-log
fgrep -i connect /var/log/messages >/var/intl/connects-log
fgrep -i refused /var/log/messages >/var/intl/refused-log
fgrep -i accepting /var/log/messages >/var/intl/accepted-log
fgrep -i su: /var/log/messages >/var/intl/su-log
fgrep -i unauthorized /var/log/messages >/var/intl/unauthorized-log
fgrep -i sshd /var/log/messages >/var/intl/sshd-log
fgrep -i illegal /var/intl/sshd-log >/var/intl/ssh-illegal-log
fgrep -i failed /var/intl/sshd-log >/var/intl/ssh-failed-log
aide --check >/var/intl/aide.log
tar -cpf intruders.tar /var/intl/
mount /dev/fd0 /mnt/floppy
cp intruders.tar /mnt/floppy

example of a log from an intruded server:

>>less connects-log<<

Jun 10 18:30:16 server in.telnetd[41354]: connect from hack@xxxxxxxxxxxx

>>last<<

jens ttyp3 ppp-39.ba.net Tue Jun 10 20:01 - crash (00:01)

You find hints on who did something, if he/she wasn't nice enough to remove
all traces.

>>check running processes<<

ps -ax > processes-log

Look in processes-log for suspicious filenames.

>>Here you can find additional info:<<

examples of an intruded system's logfiles:

http://www.rz.rwth-aachen.de/kommunikation/security/s30.php#logfiles

a longer howto on recovering from an intrusion:

http://www.cert.org/tech_tips/intruder_detection_checklist.html
http://www.cert.org/tech_tips/root_compromise.html
http://www.cert.org/tech_tips/unix_configuration_guidelines.html

Philippe
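As an added example (not part of Philippe's post or any of the tools it links), the following POSIX sh script automates two items of the checklist above: the keyword grep over /var/log/messages into an evidence directory, and the search for oddly named hiding directories such as "..." or " ". It assumes one-line syslog-style records; the evidence directory, the sample log lines and the sample directory tree are constructed for this example. It goes one step beyond the post's keyword list by also grepping for "promisc", which catches the kernel message logged when an interface enters promiscuous mode (the sniffer symptom the post tells you to look for with ifconfig).

```shell
#!/bin/sh
# Added example, not from the original post: automate the log triage and the
# hiding-directory search from the checklist above.
# Assumptions: syslog-style one-line records; paths and sample data below are
# constructed for this example. "promisc" is added to the post's keyword list.

# Keywords from the post's fgrep lines, plus "promisc" (added here).
TRIAGE_KEYWORDS="attempt connect refused accepting su: unauthorized sshd illegal failed promisc"

# count_matches KEYWORD LOGFILE
# Prints the number of lines in LOGFILE containing KEYWORD, case-insensitive.
count_matches() {
    # grep -c exits 1 when nothing matches but still prints 0; keep going.
    grep -F -i -c -- "$1" "$2" || true
}

# triage_messages LOGFILE EVIDENCE_DIR
# Writes EVIDENCE_DIR/<keyword>-log per keyword plus a "summary" file of
# "<keyword> <count>" lines, mirroring the post's /var/intl layout.
triage_messages() {
    logfile="$1"
    evdir="$2"
    mkdir -p "$evdir"
    : > "$evdir/summary"
    for kw in $TRIAGE_KEYWORDS; do
        name=$(printf '%s' "$kw" | tr -d ':')      # "su:" -> file "su-log"
        grep -F -i -- "$kw" "$logfile" > "$evdir/$name-log" || true
        printf '%s %s\n' "$name" "$(count_matches "$kw" "$logfile")" >> "$evdir/summary"
    done
}

# find_odd_dirs ROOT
# Lists directories under ROOT whose names are the classic hiding spots the
# checklist mentions: "...", " ", ". " and ".. ".
find_odd_dirs() {
    find "$1" -type d \( -name '...' -o -name ' ' -o -name '. ' -o -name '.. ' \) 2>/dev/null
}

# make_sample_log FILE
# Constructed sample of an intruded server's messages file (not real data;
# 192.0.2.0/24 is a documentation address range).
make_sample_log() {
    cat > "$1" <<'EOF'
Jun 10 18:30:16 server in.telnetd[41354]: connect from hack@example.invalid
Jun 10 18:31:02 server sshd[41360]: Failed password for root from 192.0.2.10 port 4022 ssh2
Jun 10 18:31:05 server sshd[41360]: Illegal user admin from 192.0.2.10
Jun 10 18:32:40 server su: (to root) jens on /dev/ttyp3
Jun 10 18:33:01 server in.ftpd[41370]: refused connect from 192.0.2.10
Jun 10 18:40:12 server kernel: device eth0 entered promiscuous mode
EOF
}

# make_sample_tree ROOT
# Constructed directory tree with two hiding directories among normal ones.
make_sample_tree() {
    mkdir -p "$1/usr/lib/..." "$1/tmp/ " "$1/home/jens"
}

# Stand-alone demonstration on the constructed data.
demo=$(mktemp -d)
make_sample_log "$demo/messages"
triage_messages "$demo/messages" "$demo/intl"
echo "== keyword summary =="
cat "$demo/intl/summary"
echo "== odd directories =="
make_sample_tree "$demo/root"
find_odd_dirs "$demo/root"
rm -rf "$demo"
```

On a real box, point triage_messages at the copied /var/log/messages and an evidence directory on removable or remote media, and run find_odd_dirs against / from a known-good rescue system, since a rootkitted find or grep cannot be trusted (the post's reason for chkrootkit and for scanning from another machine).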


