
Re: [suse-security] ver7.2 server was hacked - pls help

On Wed, Apr 23, 2003 at 09:32:18AM -0800, Istvan Hollo wrote:
> On the weekend our web server (SuSE 7.2 kernel 2.4.4-4GB) was hacked
> by some very clever guys.

I think that they were not clever. Clever guys do not even let you
notice that your server is hacked.

> They placed some programs which I cannot remove any more and, which is
> even worse, the root password also was changed (I cannot start in
> single user mode - init 1 - password is wrong). A "sysadmin" user was
> created by the hacker and mtab also was changed.

> I'm afraid I have to reinstall the machine, but before I do I want to
> know what happened and how.

You should disconnect the server and reboot it from CD-ROM, examine the
system (first making a copy of the hard disk) and find out who the
hacker was. Since it probably was just one of those script kiddies, you
have a chance of catching him. It will not be easy, because the hacker
seems to have deleted some log files:

| ~> finger istvan@xxxxxxxxxxxxx
| []
| Welcome to Linux version 2.4.4-4GB at bagira.ija.hu !
|  10:50am  up  2:54,  0 users,  load average: 0.00, 0.00, 0.00
| Login: holist                           Name: Istvan Hollo
| Directory: /home/holist                 Shell: /bin/bash
| Never logged in.
| No Mail.
| No Plan.

| ~> finger root@xxxxxxxxxxxxx
| []
| Welcome to Linux version 2.4.4-4GB at bagira.ija.hu !
|  11:02am  up  3:06,  0 users,  load average: 0.00, 0.00, 0.00
| Login: root                             Name: root
| Directory: /root                        Shell: /bin/bash
| Never logged in.
| New mail received Wed Apr 23 08:33 2003 (CEST)
|      Unread since Sun Apr 20 19:42 2003 (CEST)
| No Plan.

You should not reboot the system from its hard disk, because the
rootkit which has probably been installed will hide the manipulated
files (afterwards you may look for files and directories with names
like " ", ". ", ".. ", "\/" and other irregular characters).

> If someone of you is experienced with this and could give good advice
> about what to do and how I can analyse who logged in, it would be
> appreciated.

As far as I see, you have not applied all the patches for the many, many
security holes in the services you offer to the internet. For example:
there is an SSH daemon running on that server which has the ID string
"SSH-1.5-1.2.33". As far as I know, the security hole in that version
was discovered and patched more than 2 years ago. So the hacker may
have entered your system by one of the exploits you can easily find on
the WWW. The same thing may apply to telnet, smtp, sunrpc and squid.

So I suppose that the server was hacked a long time ago already
(normally a new system needs just a few hours to experience the first
attacks, and if a system has well known security holes...) and just now
someone wanted to reveal the damage to you.

By the way: I do not know why you offer telnet *and* ssh, and services
like finger, print, sunrpc and squid-http to the internet. For security,
one should only open the ports which are really intended to be used
from outside. And of course apply all security patches for the services
one is offering.

P.S.: You know that the hacker may read this mail on your system?

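An added example (not part of the thread above, nor of any SuSE tool) that turns the reply's advice into a small offline triage script: boot the box from a rescue CD, image the disk, mount the copy read-only, and examine the copy rather than the live system, because a rootkit on the live system would hide the files you are looking for. It assumes the copy is mounted at a path such as /mnt/evidence (any path works) and uses only POSIX sh, find, grep, sed and awk so it can run from a rescue CD. Two checks come straight from the reply (odd file names such as " ", ". ", ".. ", "\/"; and an old SSH identification string); the UID-0 check is this example's own addition, prompted by the "sysadmin" account the original poster found. The minimum version passed to the banner check is the caller's choice; the example does not claim which release fixed the hole the reply refers to.

```shell
#!/bin/sh
# Offline triage helpers for a mounted copy of a compromised disk.
# Added example; assumes the image is mounted read-only at e.g. /mnt/evidence.

# find_odd_names ROOT
# Print every path under ROOT whose last component contains whitespace,
# a control character or a backslash: the " ", ". ", ".. " and "\/"
# style names a rootkit's helpers are often stored under. Run on the
# mounted copy, not the live system, where a rootkit would hide them.
# (A name containing a newline would be split across two output lines.)
find_odd_names() {
    LC_ALL=C find "$1" 2>/dev/null \
        | LC_ALL=C grep '/[^/]*[[:space:][:cntrl:]\\][^/]*$'
}

# uid0_accounts PASSWD_FILE
# Print accounts other than root that carry UID 0 in the copy's
# /etc/passwd (a second root is a common way an added account is set up;
# this check is the example's own addition).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# ssh_banner_older_than BANNER MIN_VERSION
# Return 0 (true) if the software version in an SSH identification
# string such as "SSH-1.5-1.2.33" is lower than MIN_VERSION, compared
# numerically field by field. Handles "SSH-1.99-OpenSSH_3.4p1" style
# strings by taking the first dotted number group after the vendor name.
ssh_banner_older_than() {
    sw=$(printf '%s\n' "$1" \
        | sed 's/[[:space:]].*$//; s/^SSH-[^-]*-//; s/^[^0-9]*//; s/[^0-9.].*$//')
    awk -v a="$sw" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# Usage against a mounted image (EVIDENCE is an assumed mount point):
#   EVIDENCE=/mnt/evidence
#   find_odd_names "$EVIDENCE"
#   uid0_accounts "$EVIDENCE/etc/passwd"
#   ssh_banner_older_than "SSH-1.5-1.2.33" "1.2.34" && echo "old sshd banner"
```

The banner can be taken from the copy's sshd package version or from a connection log; do not grab it from the live host after the fact, since the hacker can read the network as well as the mail. Compare what `find_odd_names` reports on the copy with what `ls` showed on the running system: anything the copy has that the live system did not is what the rootkit was hiding.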