My linux box was hacked, & root password changed.. what to do?

[ryen]

I just installed RH Linux 7.2 a week or two ago, so I'm fairly new. In the initial setup, i set my firewall to the "medium" level. Yesterday, I booted up into linux, logged in as root, then left the house for a few hours. I think I had the wu-ftp server running (i think it started automatically on boot-up) and I did not have Apache running. When I came back, i did some command (can't remember) and it said I had mail, so i typed "mail" and read the first message.. it was long, and had various error-type messages in it, and said the final-destination address was "hack3ru@yahoo.com".. i thought that was weird. I then went into my "/Root" (i think) directory, and there was a new folder called "cool" which I hadn't ever created. I opened it up, and there were various files, including a few c source files, and I believe their compiled counterparts. I think one was called pscan, or sscan, or something like that. In the /Root directory, there was a "aw.tgz" file, and a file simply called "a"..... BTW, i opened up some of the source files, and they had various printf's with messages like "back door successful" and "error, possible firewall" and stuff like that. My root password was changed, and I think they were using my computer to access other computers, because my cable modem was blinking like crazy. Now I can't log in as root, and even if I could, I would worry that someone could easily access my computer through those, or possibly other hidden files on my computer. Should I format and re-install linux? I don't want to set it up as a server only to have some hidden back-door thing going on. ANY help would be appreciated, I'm not that knowledgable with Linux yet. Thanks,
-Ryen

 

[makki]

reboot the system and type linux 1 at lilo prompt
after coming up type passwd to change root password as your
desired.

 

[MrTom]

it sounds like the hacker isn't very good as you have easily been able to find traces.
it's a shame to have been hacked so recently after installing linux. you are going to have to do a fresh install - reformat the whole lot and start over

there are probably some tools in redhat which you should try to use to prevent this happening again. i don't use redhat but i assume there must be some kind of update program (like in windows) which will dload the latest security patches for you.

also if you don't need an ftp server then disable it - or only run it when you need it and disable anonymous access. if you don't know about ssh and scp then read up on them.

redhat might have also installed some other servers which you don't want running. you can either disable these or set up your firewall.
the best way to set up the firewall is to just block *everything* and then open up stuff as you need to.

there's not much you can do to see what your machine was being used for. if the hacker was very bad then you might find stuff in your /root/.bash_history files or other user history files but it will probably be very boring anyway.

 

[davelobster]

Similar thing happened to my mate.
I agree with MrTom. Wipe it all and start again.
Best way to stop it happening in future to stop this happening again (and quite easy since you have a cable modem). Go to Linuxdocs.org and read the ipchains (or iptables if you prefer) firewalling docs.
Then set one up for yourself.
It's actually worth buying a book on this (well, I think so anyway). The New Riders website lists an excellent one (with a downloadable ipchains firewall).
Have done it myself and it's very good. Can turn on logging of the firewall and see who's trying to connect to your machine. (You'll be surprised how many hits there are!).

 

[Tels]

If you have a spare machine (any crappy - (working) p100 will do, even without monitor, keyboard or mouse) grab a cd image of SmoothWall from

http://www.smoothwall.org

It's open source linux, (modified to be a firewall, dhcp etc only) but very reliable. I run a whole network behind it and it takes 5 mins to configure. I'm not selling it but I suggest you take a look, if you are learning Linux, at least do it behind a firewall you know works for sure....

Obviously hackers love cable connections for DoS attacks - Let's all work together to prevent DoS attacks!

Tels
Win2000 Network Administrator

 

[babusya]

Brand new Red Hat 7.2 goes along with version of wu-ftpd that has some serious security bugs. Update your wu-ftpd or
use ncftpd server that is considered more secure.
My 7.2 box was also hacked thru wu-ftpd. Hopefully, I don't
see any other hacking activity after I replaced wu-ftpd with ncftpd.

But ncftpd is not free. It's only for education purposes.
My RH is in .edu domain

 

[ryen]

Awesome, thanks a lot everyone. I guess I'll format, reinstall, and put up a firewall. I really appreciate all the help.

One thing I'm just a little confused about is how to reinstall with my dual-boot system. Do i just use fdisk (from a windows boot disk) to delete the linux partition, and then reinstall? Or do I need to format it somehow? I should know this, but unfortunately I don't. Thanks again,
-ryen

 

[davelobster]

Just reinstall from scratch with the original CD.
You'll have the option to wipe out all existing linux partitions.

 

[garwain]

Formatting is the only option, since you will never know for sure what has been done...

just go through the regular install process, and use the same linux partitions, telling it to format everything (except maybe /home if that's a partition)

after the install is complete, it's best to update the system
> rhn_register #will set up an account on the RedHat Network
> up2date -u #will update all packages that are not current.

 

[rickb928]

Just for info, the estimated average time for a plain-vanilla RedHat box to be compromised after connection to the Internet is down to 9 hours... Sad commentary...

I've had every one of mine whacked over the years, and only once did I avoid a reinstall. Mostly bind and ftp hacks. The Adore rootkit was most popular. We detected every single one with our MRTG server... The traffic pattern changed noticeably, tipping us off to a compromise.

But the NT server running mail for us took weeks to clean up. They got ftp and ran warez on it for 3 months before we wised up. It can be worse.

Rick
Rick

 

[w1nn3r]

Just some basic security steps you can take, disable root login via telnet, Only allow SSH2, disable any services you may not be using(SENDMAIL), take out wu-ftpd and replace it with ncftpd. A few other steps i personally take is disable su ability(chmod 700 /bin/su) and set all the /home dirs to nosuid in fstab. These tiny steps will add alot of increased security to your system. Theres also portsentry which will add ALOT of extra security to your system.

 

[iwasinnamuknow]

i reccomend the Bastille scripts. they are a set of perl scripts, very easy to run which use a series of questions to secure every possible hole in redhat (specially made for redhat) which you don't totally need open. it will shutdown every unecessary security hole in your system and also send email reports if anything strange happens.

you can see the site here:

http://www.bastille-linux.org/

hope this help and that you haven't lost faith in the open-source community. if you find my advice useful, please rate me.