Linux server being hacked

Feb 5, 2002
I have a Linux 9 server with one ethernet card connected with a public IP for SSH and FTP access. I am experiencing problems with a hacker who gains root access, alters samba and installs "psybnc". I have locked down all ports using iptables and all of my external port scans only show 21 and 22 open. I also stopped X11 forwarding on sshd. Any suggestions as to what loophole the hacker is using to come in?
 
If all the ports are closed, then the attacker is most likely getting in using SSH.

1. Check your logs /var/logs
2. Check the /etc/passwd for any new users
3. Install Tripwire

 
There is nothing in the logs which shows they have logged in using SSH. All logins that appear in messages and in secure are legitimate coming from internal IP addresses or from the vendor. I have turned off root logins for SSH. I think they are coming in via X-windows and even though I have turned off port 6000 on the firewall, netstat says the X-11 is still listening on port 6000.
 
I execute nmap -p 6000 <ip-address> from my public web server and it says it is closed. I inserted lines in the bashrc file to record the username, date, and then execute whoami every time it is processed. If a regular user, i.e. me, logs in on ssh it will show username date username. If I su to root it shows username date root. If I open a terminal from the desktop it says root date root. I am seeing the last one in connection with my intrusion, which leads me to believe it is coming in via X-windows.
 
Have you tried changing how X is listening? Can you not set it to listen only on localhost as opposed to *:6000? I don't work much with X as I'm mostly a CLI guy, but I seem to recall that you have to have the X-server running to use X, but can you also change the port? Something else to consider is that there may be an app running on your computer that has an active, outbound connection to a computer the hacker controls and he could be making his way into the system over that. Simple enough to create an ssh tunnel that will listen on the remote side and connect locally...

----------
HTH
Gavin Ostlund
 
OK, someone should say...

STEP 1: GET THE MACHINE OFF THE NETWORK!!!!!!

Step 2: do anything else to check for problems.

Smart hackers remove logs where possible to avoid detection.

Hosting Solutions for Home or Business.
 
If he's gained root access, I wouldn't trust this server any further. But, what the heck, it's already compromised, right?

I'd set up another system as a log server. Configure your compromised system to send its logs to the new one. Block all access to the new one except udp 514. Hackers can certainly change log files, but if it's logging remotely and there's no way for them to get to the loghost, you should have something to look at.

Also, you say that "All logins ... (are) ... from internal IP addresses or from the vendor". Do you know for sure that the hacker is external?
 
Pull the cable and do the right thing.
I'd actually pull the existing drive, reinstall on a new
and do forensics on the old with a clean install. Or just
use one of the full-featured cd-bootable/runnable distros.
 
sounds like he might have installed a backdoor in your system
 
.... Which is why the first step in intrusion forensics is to PULL THE MACHINE OFF THE NETWORK (unless you absolutely cannot afford to do so, a position that has only been validated in a limited few instances of entrapment of the intruder or criticality of the system's operation vs. the magnitude of the hack.)

Hosting Solutions for Home or Business.
 
The first step is to get a trace of the server before anything else is done. Once the machine is compromised, it does not matter if you pull the connection right away or one hour later, but it DOES matter to see what exactly is going to or from the server.

If in fact the machine is compromised, then it's best to whack it and restore the data from a backup. You can never really be sure if the server and/or the data is bogus or corrupted at this point. Of course, the question now is how far back is the data on the backups compromised?

Many kits will replace key files like netstat and ifconfig so when you run it, the results will look normal even though they are not in reality.

Log files can easily be altered but unless the hacker is very clean in his/her work, this is detectable with some effort on your part.

When you set up a remote syslog server (and you are now, right?), the files should be set to be appended only, with a rotation to archive them and delete the originals when the rotation takes place. You should also lock down the user permissions of the log files. Think hard about an alternative syslogd replacement such as syslog-ng. Encryption of log files is a pro/con solution. You gain some security but you lose the ability to easily read them at a moment's notice or to easily parse them. Tunneling the log files to the remote server is useful over an unsecured network. SSH works well for this or STUNNEL can work, but I prefer SSH. Make sure you configure iptables on the remote syslog server.

MikeS

Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
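The Tripwire-style baseline check and /etc/passwd review suggested earlier in the thread, together with MikeS's point that rootkits swap out netstat and ifconfig, as an added example that is not from any poster: a small Python comparison of file hashes and passwd entries between a trusted snapshot and the live box. All paths, file contents and the "toor" account are constructed sample data; in practice the baseline hashes would come from install media or a boot CD, since a trojaned binary on the compromised host cannot be trusted to hash itself honestly.

```python
import hashlib
from typing import Dict, List

def hash_files(contents: Dict[str, bytes]) -> Dict[str, str]:
    """Return {path: sha256 hex} for an in-memory snapshot of file contents."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in contents.items()}

def compare_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report binaries whose hash changed, vanished, or appeared since the baseline."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def parse_passwd(text: str) -> Dict[str, int]:
    """Map user name -> uid from /etc/passwd text, skipping blank, comment and malformed lines."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users

def audit_passwd(baseline_text: str, current_text: str) -> Dict[str, List[str]]:
    """Flag accounts that appeared, gained uid 0, or changed uid since the baseline."""
    old, new = parse_passwd(baseline_text), parse_passwd(current_text)
    return {
        "new_users": sorted(u for u in new if u not in old),
        "uid0_users": sorted(u for u, uid in new.items() if uid == 0 and u != "root"),
        "uid_changed": sorted(u for u in new if u in old and new[u] != old[u]),
    }

# Constructed sample data (not real binaries): a clean baseline vs. the live, compromised host.
BASELINE_BINS = hash_files({"/bin/netstat": b"netstat v1", "/sbin/ifconfig": b"ifconfig v1", "/bin/ls": b"ls v1"})
LIVE_BINS = hash_files({"/bin/netstat": b"netstat trojaned", "/sbin/ifconfig": b"ifconfig v1",
                        "/bin/ls": b"ls v1", "/usr/bin/psybnc": b"irc bouncer"})
BASELINE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\nmike:x:500:500::/home/mike:/bin/bash\n"
LIVE_PASSWD = BASELINE_PASSWD + "toor:x:0:0::/:/bin/bash\n"  # constructed extra uid-0 account

if __name__ == "__main__":
    print(compare_snapshots(BASELINE_BINS, LIVE_BINS))
    print(audit_passwd(BASELINE_PASSWD, LIVE_PASSWD))
```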
 