
RHL 6.2 hacked after 18 hours online

Status
Not open for further replies.

abovebrd

IS-IT--Management
May 9, 2000
690
US

I would like to get some advice.

This weekend I noticed a strange user account on my system.
After a little digging it appears that my system was hacked and compromised after being online for only 18 hours. It appears the cracker must have exploited a weakness in the default OS.

The machine is offline right now. I was able to get some information about the cracker, such as an IP address in /var/log/messages and a few interesting things in /home/crackeruseraccount/.bash_history

Does anyone have any suggestions as to what I should look for? I would really like to know how they were able to get in and create a new user account?

-Danny

 
Bad thing.
Actually it happens quite often (I made that experience, too). You might try to contact the distributor and ask for advice, but they'll not help you without a support contract... Another thing might be looking at or any other site featuring the latest exploits or weaknesses of certain software.
Finally to your logfiles. Most hackers do not use IP spoofing, so try to contact the abuse@_hackersdomain_ or someone responsible for his netblock.
I fear that's all you can do concerning this hack. Next time you set up a machine be sure to armor the Linux and to use only a small collection of programs - a minimal installation. Regards,
chenn
 
Hiya Danny

You didn't say whether this was a production server or a home server.
I would recommend trashing the whole OS, backing up what you require and reinstalling.

Once you have installed 6.2 again, have a look at and run that Bastille script to secure the box

Also, if you're interested in what the little bugger changed, have a look at (it's a coroner's toolkit to see what files have been tampered with).

Good luck

Dan
 
It was just a test system I had set up in my lab. Basically a generic Intel box. I was just testing a couple of things related to Apache configs. Nothing really lost, just my peace of mind. (Nothing really important)
Ha Ha Ha !
I was able to get the IP address the punk or punkette used. Unfortunately it originates from overseas. So I do not think contacting the ISP will do any good.

I really want to find out what was changed before I trash the OS. I will take a look at the links listed above. Thanks for the input.

-Danny






 
Any self-respecting ISP (even overseas) would need to look into this matter if forwarded to them... I would say that you should still contact the ISP if you can...

AV
tnedor@yahoo.com
 
Never put a box online without checking updates from the vendor, in this case ftp://updates.redhat.com/ . Subscribe to advisory lists; if an exploit comes out, a vendor will normally patch that week or next. Just disable the service till then.
 
There are a lot of things you can do to secure your box. One of them is to configure portmapping. In your /etc/hosts.allow file enter the service and IP address of those people allowed to access those services. In your /etc/hosts.deny file set that to ALL. Also, do a chkconfig --list and see what services are on. Most people by default install every service and turn them all on. There is no need for this and you open yourself up for a script kiddie. Remember, IF YOU DO NOT NEED TO RUN A SERVICE: SHUT IT OFF. Next cd /etc and look at your inetd.conf file. Put a # in front of all services in inetd that you do not need, i.e. linuxconf, swat, finger, identd, ftp, telnet etc. I also recommend shutting off ftp and telnet. Then install ssh or sftp or ftp pro. These are secure services that require keys to establish communications.

There is a whole list of things that can be done. Also, download and install autorpm. This will make sure that all new packages are downloaded and installed in a timely manner.

warmongr
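The inetd.conf and hosts.allow/hosts.deny steps in the post above, as an added example (not warmongr's own procedure): the script works on a scratch copy of an RHL 6.2-style inetd.conf so nothing under /etc is touched, comments out the listed services, reports which services remain enabled, and writes a default-deny tcp_wrappers pair. The inetd.conf contents, the 192.168.1.x addresses in hosts.allow and the WORK directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit and trim an inetd.conf copy,
# then write tcp_wrappers files with a default-deny policy.
# Everything happens under $WORK (a scratch directory), never in /etc.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed sample inetd.conf modelled on the RHL 6.2 default layout.
write_sample_inetd() {
    cat > "$WORK/inetd.conf" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp       stream  tcp  nowait      root    /usr/sbin/tcpd        in.ftpd -l -a
telnet    stream  tcp  nowait      root    /usr/sbin/tcpd        in.telnetd
#shell    stream  tcp  nowait      root    /usr/sbin/tcpd        in.rshd
finger    stream  tcp  nowait      nobody  /usr/sbin/tcpd        in.fingerd
auth      stream  tcp  nowait      nobody  /usr/sbin/in.identd   in.identd -l -e -o
linuxconf stream  tcp  wait        root    /bin/linuxconf        linuxconf --http
swat      stream  tcp  nowait.400  root    /usr/sbin/swat        swat
EOF
}

# Print the service name of every line that is not blank or commented out.
enabled_services() {
    grep -v '^[[:space:]]*#' "$WORK/inetd.conf" | awk 'NF > 0 { print $1 }'
}

# Number of services still enabled (avoids the leading spaces of wc -l).
enabled_count() {
    enabled_services | awk 'END { print NR }'
}

# Put a # in front of each service named on the command line.
# (On the live file you would then `killall -HUP inetd`; not done here.)
disable_services() {
    for svc in "$@"; do
        sed "s/^\(${svc}[[:space:]]\)/#\1/" "$WORK/inetd.conf" > "$WORK/inetd.tmp"
        mv "$WORK/inetd.tmp" "$WORK/inetd.conf"
    done
}

# tcp_wrappers: deny everything by default, then allow only named
# service/client pairs. Addresses are constructed example values.
write_wrappers() {
    printf 'ALL: ALL\n' > "$WORK/hosts.deny"
    cat > "$WORK/hosts.allow" <<'EOF'
# service : client list   (constructed example addresses)
sshd    : 192.168.1.0/255.255.255.0
in.ftpd : 192.168.1.10
EOF
}

# Run the whole audit when executed directly.
audit() {
    write_sample_inetd
    echo "enabled before: $(enabled_services | tr '\n' ' ')"
    disable_services ftp telnet finger auth linuxconf swat
    echo "enabled after:  $(enabled_services | tr '\n' ' ')"
    write_wrappers
    echo "wrappers written under $WORK"
}
```

Running `audit` lists six enabled services before and none after; the hosts.deny line `ALL: ALL` is what makes the hosts.allow entries the complete list of what may connect through tcpd. Note that identd appears in inetd.conf under its service name `auth`, so that is the name to disable.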
 
That IP will probably do you no good, as 99% of all cracks come from another cracked machine. If you insist on using Redhat for a server (don't flame me, I have no bias) for ease of use or whatever reason, you'll have to lock it down tight, because as far as my knowledge and experience goes as a security professional, Redhat is very common and so are the exploits for it. I'll bet that it was compromised using a cheesy Wu-FTP exploit (it's the most common). Check out Lance Spitzner's paper on securing Redhat. It's mirrored in PDF here: If you're looking for ease of use and very good security you may want to check out OpenBSD. The OS is rock solid, easy to set up, pretty well documented, and supports common services. Granted the software support is not even close to what Redhat has to offer, but it's an alternative. (I am in no way bashing Redhat, I have many customers that use it; just like any OS, it just has to be tweaked.)
 
Also, you may want to consider running snort. I use it and wrote a simple shell script to parse the log file and report to HTML. Works great to show scan attempts, etc..
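A script of the kind described above, added here as an example and not the poster's own: it reads snort one-line ("fast" format) alerts, counts alerts per source address, and writes a small HTML table with the signatures seen from each. The four alert lines, their addresses and signature ids are constructed for the example; the WORK directory is also an assumption.

```shell
#!/bin/sh
# Added example, not the poster's script: summarise snort "fast" alert lines
# into a per-source-address HTML report. Runs entirely under $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ALERTS="$WORK/alert"

# Constructed sample alerts modelled on snort's one-line alert format;
# addresses and [gid:sid:rev] values are made up for the example.
write_sample_alerts() {
    cat > "$ALERTS" <<'EOF'
06/14-02:13:45.123456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.2
06/14-02:13:46.001122  [**] [1:1421:3] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40211 -> 192.168.1.2:705
06/14-02:14:02.554433  [**] [1:1228:2] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.9.9:51234 -> 192.168.1.2:21
06/14-03:01:10.998877  [**] [1:1228:2] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51235 -> 192.168.1.2:23
EOF
}

# One "source<TAB>message" line per alert. The source is the token before
# "->" with any :port suffix removed; the message sits between the [**] marks.
alert_sources() {
    awk '
        /\[\*\*\]/ {
            src = ""
            for (i = 1; i <= NF; i++) if ($i == "->") src = $(i - 1)
            if (src == "") next
            sub(/:[0-9]+$/, "", src)
            split($0, part, /\[\*\*\] /)
            msg = part[2]
            sub(/^\[[^]]*\] /, "", msg)   # drop the [gid:sid:rev] prefix
            sub(/ +$/, "", msg)
            print src "\t" msg
        }' "$ALERTS"
}

# "count source" per source address, busiest first.
top_sources() {
    alert_sources | cut -f1 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Write the HTML report and print its path.
html_report() {
    out="$WORK/report.html"
    {
        printf '<html><body><h1>snort alert summary</h1>\n'
        printf '<table border="1"><tr><th>alerts</th><th>source</th><th>signatures</th></tr>\n'
        top_sources | while read -r n ip; do
            sigs=$(alert_sources | awk -F'\t' -v ip="$ip" '$1 == ip { print $2 }' \
                   | sort -u | paste -s -d ';' -)
            printf '<tr><td>%s</td><td>%s</td><td>%s</td></tr>\n' "$n" "$ip" "$sigs"
        done
        printf '</table></body></html>\n'
    } > "$out"
    echo "$out"
}

# Build the sample log and the report when run directly.
report() {
    write_sample_alerts
    top_sources
    html_report
}
```

With the sample data, `top_sources` prints `3 10.0.0.5` first, which is the kind of quick "who is scanning me most" view the post is after; point `ALERTS` at a real snort alert file to use it on live data.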
 
Thanks guys.

I was just looking for a rock solid unix type operating system. I am well versed in SCO. I'll check out openbsd.

Also, snort sounds very interesting; I'll check that out too.

-Danny
 
I don't know much about SCO, I work mainly with Solaris and OpenBSD (totally different, I know) but I love OpenBSD. I'd probably run it exclusively if my company didn't own a million copies of Solaris 7 and 8. It's much less hassle and much less work to secure, and being an ISP the Solaris boxes need much more maintenance than the OpenBSD boxes.
 
SCO is a System V variant.
3.2 kernel

-Danny
 
Well, it gets better.

I have logged at least 16 different IP addresses that have been / are port scanning my firewall and internet router. This is in the last 4 days. I checked a few of them and they seem to be coming from all over.

Unfortunately I am running a simple appliance firewall that lacks in features.

How would I deploy a utility such as snort? Could snort be proxied through a firewall?

-Danny
 