
I have been HACKED. Help a newbie please!


linuxtricks (IS-IT--Management), May 24, 2000
I tried to su to root on my Linux box (directly connected to internet with only 1 NIC)... and I was unable to.
I can not login at all from the machine locally.
I can only ssh in from my other machine... (but cannot su).

I had a feeling my machine was hacked into.

I checked the /home directory... and there is a username there that I did not create.

I checked out the logs as well... and noticed there was a new user created:

new group: name=uwp6, gid=507
new user: name=uwp6, uid=507, gid=507, home=/home/uwp6, shell=/bin/bash
password for (uwp6/507) changed by ((null)/0)
blah blah...

I'm not sure how to get to the bottom of this. I am asking this group for a bit of advice/tips I can use to find out what/who/how he got in...
Thanks in advance for the support!

try not!

do... or do not. there is no try!
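As an added example, not from the thread: a small Python parser for useradd-style log lines like the three quoted in the post above. It flags account creations that are not on an administrator's list of expected users and password changes made by an unattributed process. The sample lines are constructed after the ones in the post.

```python
import re

# Constructed sample modelled on the lines quoted in the post; webadmin is
# a legitimate account added for contrast.
SAMPLE_LOG = """\
new group: name=uwp6, gid=507
new user: name=uwp6, uid=507, gid=507, home=/home/uwp6, shell=/bin/bash
password for (uwp6/507) changed by ((null)/0)
new user: name=webadmin, uid=501, gid=501, home=/home/webadmin, shell=/bin/bash
password for (webadmin/501) changed by (root/0)
"""

# search() rather than match() so a syslog prefix ("May 24 ... useradd[123]: ")
# in front of the message does not stop the line from being recognised.
NEW_USER = re.compile(r"new user: name=(\w+), uid=(\d+), gid=(\d+), home=(\S+), shell=(\S+)")
PASSWD_CHANGE = re.compile(r"password for \((\w+)/(\d+)\) changed by \((\S+)/(\d+)\)")


def audit_account_log(text, expected_users):
    """Return (severity, message) findings for account events in text.

    expected_users: accounts the administrator knows were created on purpose.
    """
    findings = []
    for line in text.splitlines():
        m = NEW_USER.search(line)
        if m:
            name, uid = m.group(1), int(m.group(2))
            if name not in expected_users:
                findings.append(("HIGH", f"unexpected account created: {name} (uid {uid})"))
            if uid == 0:
                findings.append(("HIGH", f"account {name} created with uid 0"))
            continue
        m = PASSWD_CHANGE.search(line)
        if m:
            target, actor = m.group(1), m.group(3)
            # "(null)" means no login name was attached to the process that set
            # the password: typical of a script, not an interactive administrator.
            if actor == "(null)":
                findings.append(("MEDIUM", f"password for {target} set by unattributed process"))
            if target not in expected_users:
                findings.append(("HIGH", f"password set on unexpected account: {target}"))
    return findings
```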
 
There are a LOT of ways to "get hacked". One popular way is by using simple passwords. Passwords you should NEVER use are:

SHORT - BROKEN BY BRUTE FORCE
ones made up of dictionary words - BROKEN BY BRUTE FORCE from a dictionary
ones that mean something to you - broken by brute force using knowledge about you
ones you have written down - broken by reading it.
passwords that relate to the user - TOO OBVIOUS! (DEC, for example, was laughed at for YEARS because the password to their system account on VAXes was MANAGER! Get it? System Manager!)

BTW, to make matters worse, outside of the dictionary attack, ALL of these methods were advertised in WarGames.

Another popular way is a trojan horse. Write a program that looks like the login program, but sends the password to the author. This requires only low-level access.
A friend of mine once used this method to break into a university. It was too simple.

Another popular way is having a readable password file. This can be exploited so many ways that it isn't funny. It is SO easy and popular, that the Unix world decided to change things a bit almost a decade ago. Some systems may STILL have passwords in their /etc/passwd file though.

One way to exploit the problem above is by using poorly designed CGI scripts, or exploiting bugs in system daemons or programs that have the setuser bit set. By changing parameters, or causing part of them to crash, or causing a total crash, they either get FULL rights, or have access to material to get full rights. Maybe this is what they did, as it is the simplest, and the FAST way to gain access from this is to change the system password.

On my old server, one person tried to break into it by exploiting bugs in common CGI scripts! HEY, that system wasn't even CGI enabled, and I NEVER used those scripts! I told my host about it, but they didn't care. I wanted to see him/her in jail for just attempting. BTW, I found out about the attempts by checking web logs.

As for solving the problem?

1. Take it off the network.
2. At level 1(?) change the system password. I haven't had to do this yet, but it can be done?
3. Look at the new user's account to figure out what s/he did or was trying to do. ERADICATE IT when finished.
4. Verify that there are NO passwords in the passwd file. They should be set to * by convention. If not, then try to upgrade. Upgrading over the internet CAN be done, but one wrong move, and things start failing. Better to just upgrade.
5. Verify that NO daemons are started under root, unless they have to be, and that default users are not root.
6. Investigate all daemons and cgi-scripts for flaws. These can be found on their respective sites. ALSO, look at their logs!
7. Deactivate all daemons you won't need.
8. When satisfied, bring it back up. (pray if religious)

Hope this helps

Steve
 
Great. Thanks for the help. At least now I have some direction to take.

The machine is still online. As I mentioned, it is ONLY connected to the internet and is not connected to the rest of my internal lan which is protected by an OpenBSD firewall. I have noticed, by checking in the logs of my firewall... that my own linux server (that was hacked) was attempting to connect to my internal LAN coming from port 53 (DNS). I guess the hacker noticed that I access my Linux server all the time and tried to hop networks but my firewall blocked everything. He was using the DNS port to make this attempt.

I don't want to take the machine offline yet because:
1.) it is not affecting the rest of my network
2.) my web server, dns, email servers are running (and they seem to be ok)
3.) I want to catch this fool in the act... and TRACE where he is coming from.
4.) I have all the data I need (web stuff, etc.) backed up.

I wish I had the knowledge to track this guy. =(

My plan is to format this machine... and start from scratch with it - eventually (but only because I have to now).

Any more ideas of how I can go about tracing this hacker?
thanks again for the support!

-halfcircles
 
Tripwire, Logcheck and Tiger are all great security programs that help keep track of your system. Linux Journal has a good section on these in October's issue.

Tony
 
Try rebooting your machine with a boot disk in single user mode and changing your root password.

If you are able to do that, but still can't su to root, try logging in with ssh as the root user directly. You can't login as root with telnet, but you can with ssh. There may be a problem with the su executable. (like maybe your hacker changed it...ahhh...what a weenie that hacker is...)

Also try checking your daemons with more than 1 utility.
I once had a problem where I couldn't figure out why my network usage was going through the roof, but nothing out of the ordinary was reported with the ps command. Just showed my standard httpd, proftpd and qmail daemons running with only a couple of instances.

Then after a few days of banging my head (and spending thousands of dollars on bandwidth) I happened to try the pstree command and found that there was a massive spamming going on from my server, and ps had been modified by a hacker to not report the processes. But they left the pstree command alone since it is not used as much.

Regards,
Gerald
 
boebox, thank you. I will check into those utilities.

gerald, thank you also. First things first right!? I will reboot the machine into single user mode!!!

Now I just have to figure out how. No problem. I think I remember reading a write up on Linuxnewbie about doing just that. After I log into single user mode and change the password, I will check my processes to see what this hacker is up to.
Again, what can I look for in my logs to find out where this hacker is coming in from? I would love to catch his butt!
Thanks again.
 
I agree about not having a readable password file. But I don't know how to do it! I'd be tempted to just type
Code:
chmod 000 /etc/passwd
but I would be afraid of the consequences if I'm wrong. What's the appropriate way to do this?
 
Ok. Once you can get in as root, you want to check some files and see if they have a modified date after the date that you installed the OS. (a real good hacker would hide that as well, but it's worth a look...)
You want to look at these files:

find
sh
bash
csh
du
crontab
fix
ifconfig
inetd
killall
login
ls
ps
pstree
netstat
passwd
pidof
rsh
syslogd
tcpd
top

-------------

If you find that any of them have been modified recently, replace them with new copies of known-good executables.
(be sure to save them somewhere first though, preferably on a floppy disk or other removable media, they may be useful to have around in the long run)

Also, once you verify that the find command is intact (replace it if there is any question),
go to your root directory and use find to search for some files on your system, such as:
find -name linsniffer
find -name sniffchk
find -name sniff

basically you want to take a close look at any files you find with the word sniff in the filename. Normally this indicates a trojan horse is at play on your system.


Then you can search the log files for certain hacker words which are a lot of times part of their system calls, just because they like people to marvel at their hacker genius i guess... *shrug*

Search for words like r00t (with 2 zeros), rewt, suid, sewid, and the all-popular Suid-Rewt. Sometimes the actual executable that they call will be discreet, but they will use a parameter that is not so discreet. Here is what I found running on my system recently:

lcd SuId-ReWt

which upon investigation, opened up a special single-user type shell for the hacker to login basically undetected...

-----------
If you really want to catch him, you should check out a website called antionline.com which is full of stories of how people caught their hackers, and has tons of information on the different known exploits for almost every operating system.

Catching a hacker a lot of times involves many hours of work, but there is no better feeling as a sysadmin...



Regards,
Gerald
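An added example, not Gerald's code: the two checks from his post above (watched binaries modified after the install date, and filenames containing words like sniff) written as Python functions. The demo() function builds a constructed throwaway directory tree so the checks can be exercised offline; run the two functions against a real /bin or / instead.

```python
import os
import tempfile
import time

# Binaries from Gerald's list above; a rootkit commonly swaps these out.
WATCHED = ["find", "sh", "bash", "csh", "du", "crontab", "ifconfig", "inetd",
           "killall", "login", "ls", "ps", "pstree", "netstat", "passwd",
           "pidof", "rsh", "syslogd", "tcpd", "top"]
# Name fragments from the post; anything matching deserves a close look.
SUSPICIOUS = ("sniff", "rewt", "r00t", "trojan", "suid")


def modified_since(bindir, baseline, names=WATCHED):
    """Return watched names whose mtime is later than baseline (epoch seconds)."""
    # A careful intruder can reset mtimes, so a clean result proves little;
    # a hit, however, is a strong lead.
    hits = []
    for name in names:
        path = os.path.join(bindir, name)
        if os.path.exists(path) and os.stat(path).st_mtime > baseline:
            hits.append(name)
    return hits


def suspicious_names(root, keywords=SUSPICIOUS):
    """Walk root and return paths whose last component contains a keyword."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if any(k in name.lower() for k in keywords):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo():
    """Constructed mini filesystem so both checks can be run without a real box."""
    root = tempfile.mkdtemp()
    install_time = time.time() - 30 * 86400   # pretend the OS went on 30 days ago
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    for name in ("ls", "ps", "login", "find"):
        path = os.path.join(bindir, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.utime(path, (install_time - 1, install_time - 1))
    for name in ("login", "find"):              # "replaced" after the install
        os.utime(os.path.join(bindir, name), None)
    hidden = os.path.join(root, "dev", "chr", ".x")   # constructed hiding spot
    os.makedirs(hidden)
    open(os.path.join(hidden, "linsniffer"), "w").close()
    return modified_since(bindir, install_time), suspicious_names(root)
```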
 
Redsevens:

I believe what Steve was talking about, in reference to readable password files, is having the actual passwords stored in the /etc/passwd file. Even though when that is the case the passwords are encrypted, it just makes the hacker's job 1000 times easier to crack it.

What you want to do is use a shadow password file, so that in the /etc/passwd file, all that appears in the password field is a *, and the actual passwords are stored in a shadow file such as /etc/shadow which is only readable by root.

/etc/passwd needs to be readable by so many things in linux that it is not really practical to lower the permissions.
It can be done if you need to have ultimate security, but unless you work for the CIA or something you don't want to go there. A lot of common linux software will crash.

Regards,
Gerald
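As an added example (not from the thread), a Python audit of an /etc/passwd file's contents for the problems Gerald and Steve describe: a hash left in the password field instead of a shadow marker, an empty password field, extra uid 0 accounts, and accounts nobody remembers creating that still have a login shell. The sample file and the hash string in it are constructed.

```python
# Shells that mean "no interactive login"; an unknown account with any other
# shell is worth a question.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample: shadowed root, a normal user, the intruder's uwp6, a
# service account with a (made-up) hash left in passwd, and a second uid-0 user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
halfcircles:x:500:500::/home/halfcircles:/bin/bash
uwp6:x:507:507::/home/uwp6:/bin/bash
oldsvc:$1$abcdefgh$ijklmnopqrstuvwxyz012:508:508::/var/oldsvc:/bin/sh
toor:x:0:0::/root:/bin/bash
"""


def audit_passwd(text, known_users):
    """Return a list of findings for the passwd-format text given."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        if pw == "":
            findings.append(f"{name}: empty password field, logs in with no password")
        elif pw not in ("x", "*", "!", "!!"):
            # A real hash here is world-readable and can be cracked offline,
            # which is the exposure Gerald describes above.
            findings.append(f"{name}: password hash stored in passwd, not shadowed")
        if uid == "0" and name != "root":
            findings.append(f"{name}: extra uid 0 (root-equivalent) account")
        if name not in known_users and shell not in NOLOGIN_SHELLS:
            findings.append(f"{name}: unknown account with interactive shell {shell}")
    return findings
```

Feed it a copy of the file from the compromised box (audit_passwd(open(path).read(), {...})) rather than running anything on the box itself.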

 
Update: I unplugged the machine from the internet!

Originally, I thought there might be no harm with leaving the machine plugged in to the internet because it was not connected to any other machine on my network. I wanted to try and catch the hacker red-handed. But after reading a lot of feedback from you guys, it seems there's no telling what someone can find out on a system given he has root access and all the time he wants.

The very best thing to do... is take the machine offline.

I am working on finding the write up on how to get into single user mode so I can change the root password. I will keep you posted on how I do.
Thanks friends!
 
Hi Halfcircles,

You can get in single mode by rebooting your Linux, afterward type at the LILO prompt

linux 1

(Here linux is the label of your kernel image. You can find out the list of images by typing <TAB> at LILO. And 1 is telling that you want to get into the first runlevel.)

For more info read the BootPrompt-HOWTO

Best N.
 
Ok. At the "Lilo>" prompt, I typed in linux 1 and it worked and got me into single user mode. (redhat 6.2) -thanks ngev1234 for the HOWTO.

Upon bootup, I was dropped at a bash# prompt. I was then able to change the root password and delete the newly created "hacker" user account on the system. I noticed the hacker added an entry to rc.local pointing to a directory in /dev/chr/something something. This directory seemed to be new altogether.
Also, the following files seemed to have been modified recently:
login
find
and crontab.

I am sure there are still a bunch of things to check, and I am still having problems with the system. For one:
I rebooted the machine, and my NIC doesn't seem to want to initialize now. I get: delaying initialization for eth0.
Then, after that goes away, I get a bunch of DNS notices flashing on the screen. Something to the effect of it can't resolve the DNS hostname or something. yeeeash. Hackers suk!
 
Ok, first you might want to make a backup of the current state of your system before proceeding just in case.

Next, you want to install a new copy of crontab, and then as root run:
crontab -e
and delete any suspicious looking jobs.
If you don't have a whole lot of users you might want to do the same thing for each user since not all malicious code needs to be run as root.

Then you want to replace login and find too.

You can probably get all of these directly off of your installation CD, but if you have problems let me know what distribution/version you are using and I will point you in the right direction.

Once you have find replaced with a valid copy, go to your root directory and run:

find . | grep sniff
find . | grep rewt
find . | grep trojan
find . | grep suid

make a list of whatever it finds, and remove them (make a copy first if you did not make a system backup)

Once you get rid of all of those goodies if there are any, make sure you change your root password to something really hard, somewhere around 15 characters or more using letters(upper and lowercase), numbers and other symbols.

Next, you will most likely need to upgrade your operating system if you want to prevent it from happening again. It sounds like you have been hit with a simple 'rootkit' trojan which most newer versions of linux are protected against, unless of course the hacker had your root password first, in which case you were probably either using a simple password or using the same password for root and for a standard user on the system, or your distribution is not using good password handling schemes.

Regards,
Gerald
 
Oh yeah, as far as the NIC problem goes I will need to know which distro you are using before I can give you a pointer there.
One thing you can try is to shut the system down, remove the NIC, boot the system and if it happens to ask you if you want to remove the configuration, say yes then shutdown again, reinstall the NIC and reboot again (hopefully it will automatically reconfigure)

But clear out your crontab and replace login at a minimum before you try to put it back online.

Regards,
Gerald
 