On Tue, 2003-04-22 at 23:19, Matt Stamm wrote:
I believe my Linux server has been hacked. All of a sudden my Samba server has disappeared, and I've noticed, from looking at the log files, that Sendmail is launching every hour!
Step 1: Keep calm. Panic never solved anything.
You mentioned before that this is a test server you're running in your office, with just two samba users. Isn't your office behind a firewall?
Could it be that one of your coworkers who has
he knew something about linux and wanted to try his hand at administration?
If your machine really has been hacked, it looks extremely clumsy.
I'm trying to research this problem and I have some questions...
I'm using SuSE 8.1. I'm still fairly new to Linux.
- Is there a better way to view the system log files other than just viewing them in an editor?
The best way to view the logs of a hacked system is to boot from a secure medium, such as the "rescue system" option of the SuSE CDs. From there you can mount your partitions and view the logs without any trojaned binaries getting in the way.
- Isn't postfix installed, not sendmail?
Who can say, except the person who installed the system? postfix is the default.
- It appears an outsider installed the Red Hat distribution of sendmail on my system. It launches every hour on the hour but fails, outputting "service smtp unknown" to the "warn" log file. Has anyone seen this and what are they trying to accomplish?
As I said, extremely clumsy if it's a hack. It looks more like someone wanting to try his hand at administration but not really knowing what to do.
The Red Hat version of sendmail obviously expects to find an entry called "smtp" in /etc/services linked to port 22.
- The mail log file shows postfix launching hourly starting several days before sendmail was installed, then sendmail took over! Can postfix be used to access a system?
If there's a bug, but I can't remember hearing of one. The default installation should be reasonably secure.
If you really have been hacked, you shouldn't try to fix your system. The best (read 'only') way to be sure of your system's integrity is to do a full re-install. Boot from a secure system and make backups of your data first, then install from scratch and get all
from SuSE before you start up your system again.
You may want to get an expert in to look over your system to try to determine how people got in. Maybe it was a weak
Anders,
Thanks for the response. My reply...
- No, this server was not behind a firewall. I'm still learning Linux (that's why I've kept most users off this system). I will definitely be learning firewall next. The system has no firewall and sits on a DSL line with a fixed IP address. I've since learned that that makes it a sitting duck for hacking ?!?!?!
- I don't believe it's a coworker because the two users are myself and one other coworker. The coworker uses Samba only from his Windows system. I've already talked to him, it's not him.
I also noticed the following interesting entries in the log files...
in the "warn" log...
Apr 19 18:32:23 linux kernel: 199.170.68.4 sent an invalid ICMP error to a broadcast.
Apr 19 18:32:24 linux kernel: 199.170.68.4 sent an invalid ICMP error to a broadcast.
in the "messages" log...
Apr 19 23:16:24 linux useradd[3496]: new user: name=mailnull, uid=47, gid=100, home=/var/spool/mqueue, shell=/dev/null
Do these mean anything??
---------- Original Message ----------------------------------
From: Anders Johansson
a hitherto unknown security hole. I don't think anyone can really help you determine that over a mailing list.
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
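The advice in the thread is to boot a rescue system, mount the suspect partitions read-only and read the logs from there. The script below is an added example (not code from either poster) of the first-pass triage a responder would run over those copied log files: it parses classic syslog lines, pulls out every account created by useradd (with uid and whether the shell allows a login), counts the kernel's "invalid ICMP error to a broadcast" warnings per source address, counts sendmail's "service smtp unknown" failures, and checks an /etc/services-style file for the smtp entry that sendmail looks up by name. The sample log lines and the services excerpt are constructed to mirror the entries quoted above; the mount point /mnt used in the usage note is an assumption.

```python
"""Offline triage of syslog lines copied from a suspect SuSE 8.1 box.

Added example, not code from the mailing-list thread. Run it against
/var/log/messages and /var/log/warn mounted read-only from a rescue boot
(the files below are constructed samples mirroring the quoted entries).
"""
import re
import sys
from collections import Counter

# Constructed sample input mirroring the entries quoted in the thread.
SAMPLE_LOG = """\
Apr 19 18:32:23 linux kernel: 199.170.68.4 sent an invalid ICMP error to a broadcast.
Apr 19 18:32:24 linux kernel: 199.170.68.4 sent an invalid ICMP error to a broadcast.
Apr 19 23:16:24 linux useradd[3496]: new user: name=mailnull, uid=47, gid=100, home=/var/spool/mqueue, shell=/dev/null
Apr 20 00:00:01 linux sendmail[3601]: service smtp unknown
Apr 20 01:00:01 linux sendmail[3702]: service smtp unknown
"""

# Constructed /etc/services excerpt; smtp is 25/tcp in the IANA assignments.
SAMPLE_SERVICES = """\
# service-name port/protocol aliases
ssh 22/tcp
smtp 25/tcp mail
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=([^,]+)")
ICMP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) sent an invalid ICMP error to a broadcast")
NOLOGIN_SHELLS = {"/dev/null", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_syslog(text):
    """Split classic syslog lines into fields; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["pid"] = int(ev["pid"]) if ev["pid"] else None
            events.append(ev)
    return events


def new_accounts(events):
    """Every account creation logged by useradd, with the fields it reported."""
    found = []
    for ev in events:
        if ev["prog"] == "useradd" and ev["msg"].startswith("new user:"):
            acct = dict(KV_RE.findall(ev["msg"].split(":", 1)[1]))
            acct["uid"] = int(acct["uid"])
            acct["gid"] = int(acct["gid"])
            acct["ts"] = ev["ts"]
            # A shell outside NOLOGIN_SHELLS means the account can be logged into.
            acct["login_capable"] = acct.get("shell") not in NOLOGIN_SHELLS
            found.append(acct)
    return found


def icmp_broadcast_sources(events):
    """Per-source count of the kernel's 'invalid ICMP error to a broadcast' warnings."""
    counts = Counter()
    for ev in events:
        m = ICMP_RE.match(ev["msg"]) if ev["prog"] == "kernel" else None
        if m:
            counts[m.group(1)] += 1
    return counts


def services_port(services_text, name, proto="tcp"):
    """Port for name/proto in an /etc/services-style file, or None if absent.

    Sendmail resolves 'smtp' by name; no entry is what the thread's
    'service smtp unknown' failure corresponds to.
    """
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, _, prot = fields[1].partition("/")
        if name in [fields[0]] + fields[2:] and prot == proto:
            return int(port)
    return None


def triage(log_text, services_text):
    """Summarise the findings a responder would want from the copied logs."""
    events = parse_syslog(log_text)
    return {
        "new_accounts": new_accounts(events),
        "icmp_sources": icmp_broadcast_sources(events),
        "smtp_failures": sum(1 for ev in events if ev["prog"] == "sendmail"
                             and "service smtp unknown" in ev["msg"]),
        "smtp_port": services_port(services_text, "smtp"),
    }


if __name__ == "__main__":
    # Usage: python triage.py /mnt/var/log/messages /mnt/var/log/warn /mnt/etc/services
    # (mount point /mnt is an assumption); with no arguments the constructed samples run.
    if len(sys.argv) >= 3:
        logs = "".join(open(p, errors="replace").read() for p in sys.argv[1:-1])
        services = open(sys.argv[-1], errors="replace").read()
    else:
        logs, services = SAMPLE_LOG, SAMPLE_SERVICES
    for key, value in triage(logs, services).items():
        print(f"{key}: {value}")
```

The account list is the thing to read first: any new uid, the home directory and shell it was given, and the timestamp relative to the first sign of trouble. After this pass, still from the rescue boot, `rpm -Va --root /mnt` (again assuming the suspect root is mounted at /mnt) reports files whose checksums, sizes or permissions no longer match the installed packages; treat that output as a lead rather than proof, because an intruder with root can alter the RPM database along with the binaries, which is why the thread's advice to reinstall from vendor media stands.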