
I have been hacked ?


Sina

Technical User
Jan 2, 2001
309
CA
Hello everyone.

I had a trojan horse warning on one of my Windows PCs that is connected to a Linux box.

The Linux box (Red Hat 7) is the main gateway to the internet.

Now when I want to log in to the Linux box at the console, even as root or any other user ID, after I type the login ID it simply prompts me for the login ID again.

I do have a boot diskette, so I can do linux single.

How can I fix this?

Thank you all
 
We really don't know.
If you go ahead and give us the output of multiple system
utilities we might get a start on your problem.


Try:
lsof -i -n
ps -auxw
lsmod
 
Thank you, here it is.

Running lsof -i -n I get

/tmp/.lsof: /usr/lib/xl-i: No such file or directory

running ps -auxw

Segmentation fault

Running lsmod I get

Module Size Used by

agpgart 18600 0 unused
usb-uhci 19052 0 unused
usbcore 42088 1 usb-uhci
3c95x 19820 0 unused

Anything we can do here?
 
Linux.Slapper?

Hope I was of some help...
--OR--
Thanks for the help...
--Rich

 
No, I was infected with the Slapper file; it's a P2P trojan, but it didn't affect the running system. On a side note, it installed the infected files to /tmp, so if you set that to noexec you should be fine. Also, can you run: ps aux > process.txt and view the running processes that way? This is rather unusual... Not sure if I can offer any further assistance.
 
Never mind. I didn't read your first post well enough.
I've already posted on this in response to your other
query. This is more detail for you.

This puts the incident in context.

You should disconnect the machine from any network.
You should boot with a rescue disk.
You should mount your filesystems.
Now chroot to your root fs mnt point.
From here you should be able to issue commands
without having to type:
/mnt/mntpt#/bin/vi /mnt/mntpt#/etc/passwd,
which gets old quick ;)

Check for the existence of your passwd and shadow files
and you may want to put together a script beforehand to automate the whole process.
If you were rooted and the system is badly damaged
you may be looking at a long rebuild. You can't be sure
that anything is 100%. Many system utilities are trojaned by rootkits, so the output of these is of dubious value.

If you find that you have an intact system, but that
your passwords were changed or files were corrupted,
I would restore a backup if possible or copy over
another /etc/passwd and /etc/shadow. I would then
download a copy of your modutils and install.
Then I would copy or compile a clean kernel and
modules and install. Then I would download chkrootkit
and write a script to find changed files from 'n'
date. If you were hacked your logs are probably wasted,
but it's worth a chance to check them.

In the end it may just be cheaper to reinstall after
salvaging your personal data.
In the future make sure you subscribe to the security
list for Red Hat and possibly bugtraq, stay patched, and
use a 2.4 kernel with netfilter and a strong ruleset.

Good Luck
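The rescue-disk checks described in the post above (confirm that /etc/passwd and /etc/shadow still exist, find files changed since a given date) and the /tmp noexec suggestion from the earlier reply, as an added example script that is not from the thread or any poster. It assumes the suspect disk has already been mounted by a rescue system at the path passed in as the first argument, and that sh, find, awk and touch come from the rescue media rather than the suspect disk, since the thread notes that rootkits replace system utilities. The demo at the bottom builds a constructed fake root tree so the checks can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread). Offline checks against a suspect
# root filesystem mounted by a rescue system, e.g.:
#   mount -o ro /dev/hda1 /mnt/suspect      (assumed device name)
# Run the checks from the rescue shell; only chroot once the binaries on
# the suspect disk have been replaced from known-good media.

# 1. Verify the authentication files are present and non-empty.
#    Returns 0 when both etc/passwd and etc/shadow exist under $root.
check_auth_files() {
    root="$1"
    status=0
    for f in etc/passwd etc/shadow; do
        if [ -s "$root/$f" ]; then
            echo "ok      $root/$f"
        else
            echo "MISSING $root/$f"
            status=1
        fi
    done
    return $status
}

# 2. List regular files under $root modified after a timestamp given as
#    CCYYMMDDhhmm. Uses a reference file and POSIX `find -newer`, so it
#    works on a minimal rescue system without GNU-only find options.
changed_since() {
    root="$1"
    stamp="$2"
    ref=$(mktemp "${TMPDIR:-/tmp}/ref.XXXXXX") || return 1
    touch -t "$stamp" "$ref"
    find "$root" -type f -newer "$ref" | sort
    rm -f "$ref"
}

# 3. Check whether the /tmp entry in an fstab file carries noexec.
#    Returns 0 if it does, 1 if there is no such entry or no noexec.
tmp_is_noexec() {
    awk '$1 !~ /^#/ && $2 == "/tmp" {
             n = split($4, opts, ",")
             for (i = 1; i <= n; i++) if (opts[i] == "noexec") found = 1
         }
         END { if (found) exit 0; exit 1 }' "$1"
}

# Demo on a constructed fake root tree standing in for the mounted disk.
demo() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/suspect.XXXXXX")
    mkdir -p "$root/etc" "$root/tmp" "$root/bin"
    echo 'root:x:0:0:root:/root:/bin/bash' > "$root/etc/passwd"
    echo 'root:!:11000:0:99999:7:::' > "$root/etc/shadow"
    touch -t 200201010000 "$root/bin/ls"        # old, untouched binary
    echo 'constructed' > "$root/tmp/recent_file" # recent file (constructed)
    printf '%s\n' \
        '/dev/hda1  /     ext2  defaults               1 1' \
        '/dev/hda2  /tmp  ext2  defaults,noexec,nosuid 1 2' > "$root/etc/fstab"

    echo "== auth files";                check_auth_files "$root"
    echo "== changed since 2002-09-01";  changed_since "$root" 200209010000
    echo "== /tmp noexec?";              tmp_is_noexec "$root/etc/fstab" && echo yes || echo no
    rm -rf "$root"
}

demo
```

On a real rescue session, pass the mount point of the suspect disk instead of the demo tree, compare the changed-file list against the package database or a backup rather than trusting it on its own, and treat the lack of a /tmp noexec entry as a hardening item for the rebuilt system, not as evidence either way about the compromise.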
 