I think my Linux box has been hacked.



Kimbler
11-26-2002, 04:22 AM
Well, I seldom reboot the Linux box since its sole purpose is SEQ, but I did this morning.

Much to my surprise, when I did so it stopped at the command-line login. I normally have it go to X Windows automatically. Then I noticed the hostname is now "host7-null", which before has always been "localhost".

Checking the /etc/inittab file, I still have the line "id:5:initdefault:", which should make the system boot to X Windows.

Also, once I type startx I get a warning about "host7-null" not being in the /etc/hosts file.



Even when I reboot, same thing...

I have nothing of value on any of my Internet computers, so there is no real danger except maybe the time to reload things, but I was wondering if anyone had any suggestions.

Mr. Suspicious
11-26-2002, 04:51 AM
I have nothing of value on any of my Internet computers so there is no real danger

Uhm... no real danger? Only because you have no data on the box? I beg to differ.

If your box(es) are being used to do unlawful things, you are in danger. Some examples of things people can do with a hacked box: hack into the FBI or US government computers using your box remotely, distribute child porn via your web server (your IP as the URL), or execute DoS attacks on certain network elements using your box. All these are unlawful, and quite a few will eventually result in a sudden ring at the door, a surprise visit by your friendly neighborhood police officer and friends, and possibly a few (un)pleasant nights (free meals!) in your county jailhouse.

Of course these are extremes, but I know one person in my neighborhood who's been cut off from the Internet by her ISP (and denied any further access in the future) because her PC was hacked and used to distribute 1,000,000,000 Viagra spam email messages (containing viruses).

Kimbler
11-26-2002, 06:21 AM
Hmm... I didn't think of that. Thanks for the warning.

BlueAdept
11-26-2002, 10:26 AM
There are several known remote root access exploits. The ones that seem to be used the most are the Apache exploit and the FTP exploit.

I had re-installed RH after my hard drive died. I got the base OS on it, but did not have time to do a restore before I went to work, nor did I get my firewall working properly. I figured I would do it all after work, including running up2date. When I got home, I was kind of shocked that someone had found my machine and hacked it.

I re-installed, restored my backup, and ran up2date. I run up2date every 2 weeks.

I really urge everyone to use up2date (just type it at a shell prompt). It is kind of like Windows Update and will hopefully keep your system secure.

A good firewall is also critical. You don't want the whole world to have access to your telnet/ssh/ftp. If you don't know how to make one, this one is pretty good for a right-out-of-the-box firewall:

http://muse.linuxmafia.org/gshield.html

Kimbler
11-26-2002, 03:18 PM
Thanks Blue!

Ankan
11-28-2002, 11:57 PM
Here are a few tips.

1. Check your account logs as well as the system logs for IP addresses that you know you haven't accessed the box from. If anything out of order is there, consider checking your system for trojans.

2. If something is wrong, unplug your box from the net (you should do this even before point 1). This means remove the Ethernet cable from the Ethernet card(s). This is the only way you can be totally sure that no one else but you is in the system, without making trouble finding the bastard while you try to secure the system. You operate via the keyboard and monitor.

3. Secure your system. I would advise you to disable all daemons that allow anyone to telnet into your box, or get in any other way. Since you only use ShowEQ, you don't need NFS, HTTPD, FTPD, TELNETD, etc.

4. If you want to be really protective, download a port-scan detection stealth daemon. This one will check the ports you have. If anyone does a port scan towards you, the stealth detection system will throw the packets into /dev/null and add the bastard's IP to the list of banned ones, as well as notify you and the log about it. Almost every attack starts with a port scan, because there are some stupid kids out there who really believe that no one will notice. Good and intelligent hackers will be far more careful, not using a port scanner, but on the other hand they will not try to hack illegally, since they know they will be traced back no matter what they do to try to cover up their tracks.

5. Buy yourself a hardware router and make use of NAT, thus setting your network to something like a 192.168.0.x or 10.0.0.x network on the inside. And... make sure you do not route, say, port 23 from the outside of the router to your box on the inside if you really need to access your box on the local network via telnet, or perhaps even the X daemon ports.

Whatever you do, DO NOT install any software that detects an intruder and spams the hell out of him back using different flame packet methods. The best way to handle an intruder is to shut him out and not let him know whether he was discovered or not. That is why you unplug the Ethernet cable: it will only let the bastard know that he was disconnected, and not why.

Just so you guys know: an unprotected Linux box with direct access via a registered IP address lasts about 2-3 minutes before it is discovered out on the Internet. The average time for hacking a fresh Unix/Linux box was 10 minutes a while ago. When installing your box, do not have it plugged directly into the Internet unless you know the router and firewall to your LAN are protecting you.

By the way, there is no such thing as a 100% break-in-safe system, except one with no Ethernet card or communication whatsoever into the box (not even a monitor, since a person can sit across the street, pick up the frequency from your monitor, see what is happening on your screen, and thus get information). At the same time, people who actually believe they can hack and not get caught will be in for a surprise when they mess with the wrong person, one who is determined to hunt them down and make them pay. =)
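A concrete version of steps 3 and 5 above, and of BlueAdept's point that you don't want the whole world reaching your telnet/ssh/ftp: a small iptables script for the box itself. This is an added example, not code from the thread or from gShield. It assumes an iptables kernel (2.4, so RH 7.x or later; ipchains boxes differ), that the box sits on the inside of the NAT router on 192.168.0.0/24 via eth0, and that ssh is the only service anyone should reach, and only from the LAN. The interface name, the network and the choice of ssh as the one open port are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal host firewall for a
# single-purpose Linux box behind a NAT router. Assumes iptables (2.4 kernel,
# RH 7.x and later; ipchains boxes differ), that the box's interface is eth0
# and that the inside network is 192.168.0.0/24. Only ssh (22) is opened, and
# only to the LAN; telnet (23), ftp (21) and X11 (6000+) are never opened.
LAN_NET="${LAN_NET:-192.168.0.0/24}"
IFACE="${IFACE:-eth0}"

# Emit the rules as text so they can be reviewed before they are applied.
gen_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IFACE -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
EOF
}

# Returns 0 if the generated rules accept new connections to TCP port $1.
port_is_opened() {
    gen_rules | grep -q -- "--dport $1 .* -j ACCEPT"
}

# Refuse to apply a ruleset that exposes a service this box should not serve
# (ftp, telnet, X11): the mistake Ankan warns about in step 5.
check_rules() {
    for p in 21 23 6000; do
        if port_is_opened "$p"; then
            echo "refusing: rules open port $p" >&2
            return 1
        fi
    done
    return 0
}

# "sh fw.sh apply" (as root) installs the rules; anything else just prints them.
case "${1:-}" in
    apply) check_rules && gen_rules | sh ;;
    *)     gen_rules ;;
esac
```

Run it without arguments to review the rules, and with `apply` as root to install them. Because the INPUT policy is DROP, telnet, ftp and the X server are closed without a rule each, and check_rules fails if an ACCEPT for one of them is ever added. The source restriction on the ssh rule is what makes a forwarded port on the router harmless: a connection forwarded from the Internet arrives with the remote public address, not a 192.168.0.x one, and is dropped. None of this replaces up2date; a firewall keeps strangers away from a service, it does not fix the service.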

moac
11-29-2002, 12:54 AM
Just so you guys know: an unprotected Linux box with direct access via a registered IP address lasts about 2-3 minutes before it is discovered out on the Internet. The average time for hacking a fresh Unix/Linux box was 10 minutes a while ago. When installing your box, do not have it plugged directly into the Internet unless you know the router and firewall to your LAN are protecting you.

I have just done, a few days ago, exactly what you say not to do.
I installed a fresh copy of RH 7.2 and let it sit there overnight, connected to the net, to continue my work the day after.

But it was behind a router, so do I have anything to worry about?
What logs do I have to check for misuse of my box?

Thanks for all the help and info, guys.

Fatal
12-01-2002, 07:00 AM
Several things you can check.

First:
Check your /var/log/httpd-access files. You will see the box being scanned. Most likely you will see a lot of folks trying to execute a command on a Windows box through HTTP. /yawn

Example:
[Sun Dec 1 04:44:03 2002] [error] [client 211.97.70.241] File does not exist: /usr/local/www/data/html/scripts/root.exe
[Sun Dec 1 04:44:04 2002] [error] [client 211.97.70.241] File does not exist: /usr/local/www/data/html/MSADC/root.exe
[Sun Dec 1 04:44:05 2002] [error] [client 211.97.70.241] File does not exist: /usr/local/www/data/html/c/winnt/system32/cmd.exe


Lots and lots of that. That's just to give you an idea of how many folks are hitting your box.

Now, check your /var/log/messages file. It should show you things like:

Dec 1 07:45:05 linuxboxen su: fatal to root on /dev/ttyp0

If you see entries like that and it wasn't you logging in or going to su mode, that's not good. Not good at all. Just because you DON'T see a log entry doesn't mean someone hasn't logged in to your box.


Check your user accounts. None have been modified? None added?

Scan your box for psybnc. If you have been hacked, its on there.

Once hacked, don't think you can fix it. Just reformat and start again. Turn off all the services you won't use. Make it not respond to ICMP messages, etc. It's a whirlwind out there. Once you're in it, you can't get out.
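The checks Fatal lists above (su to root, the Nimda-style web probes, added accounts, psybnc on disk), together with Ankan's point 1 (logins from addresses you never used), written out as shell functions. This is an added example, not code from either poster. It runs over constructed sample files so it can be tried offline; on a real box you would point the functions at /var/log/messages, /etc/passwd and Apache's error log, and find_psybnc at /. The admin name, the trusted network, the hostname and every log line in the samples are assumptions made for the example; one su line copies the shape Fatal showed, and the pam_unix su line is the form Red Hat's su writes.

```shell
#!/bin/sh
# Added example, not from the thread: the log and account checks Fatal and
# Ankan describe, as shell functions run here over constructed sample files so
# the script works offline. Assumptions (not from the thread): "fatal" is the
# only legitimate admin, 192.168.0.x is the only network that should log in,
# and root is the only uid-0 account.
KNOWN_ADMINS="fatal"
KNOWN_NETS="192.168.0."

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /var/log/messages sample in syslog format. The "su: ... to root"
# line copies the shape Fatal showed; the rest are made up to exercise each check.
cat >"$WORK/messages" <<'EOF'
Dec  1 02:10:01 linuxboxen sshd[1234]: Accepted password for fatal from 192.168.0.5 port 40211 ssh2
Dec  1 02:12:58 linuxboxen sshd[1301]: Accepted password for root from 211.97.70.241 port 3122 ssh2
Dec  1 02:13:44 linuxboxen su: nobody to root on /dev/pts/2
Dec  1 02:20:30 linuxboxen su(pam_unix)[1400]: session opened for user root by sys1(uid=0)
Dec  1 07:45:05 linuxboxen su: fatal to root on /dev/ttyp0
EOF

# Constructed /etc/passwd sample with one added uid-0 account.
cat >"$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
fatal:x:500:500::/home/fatal:/bin/bash
sys1:x:0:0::/tmp/.x:/bin/bash
EOF

# Constructed Apache error_log sample: Nimda/Code Red style probes for IIS paths.
cat >"$WORK/error_log" <<'EOF'
[Sun Dec  1 04:44:03 2002] [error] [client 211.97.70.241] File does not exist: /usr/local/www/data/html/scripts/root.exe
[Sun Dec  1 04:44:04 2002] [error] [client 211.97.70.241] File does not exist: /usr/local/www/data/html/MSADC/root.exe
[Sun Dec  1 04:44:05 2002] [error] [client 211.97.70.241] File does not exist: /usr/local/www/data/html/c/winnt/system32/cmd.exe
[Sun Dec  1 05:01:12 2002] [error] [client 192.168.0.5] File does not exist: /usr/local/www/data/html/favicon.ico
EOF

# 1. su to root by anyone who is not a known admin. Handles both the
#    "user to root on tty" form and the pam_unix "session opened ... by user" form.
suspicious_su() {
    awk -v admins="$KNOWN_ADMINS" '
        BEGIN { n = split(admins, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { u = "" }
        / su: [^ ]+ to root on /              { u = $6 }
        /su.*session opened for user root by/ { u = $NF; sub(/\(.*$/, "", u) }
        u != "" && !(u in ok)                 { print }' "$1"
}

# 2. Interactive logins from addresses outside the networks you use yourself.
foreign_logins() {
    awk -v nets="$KNOWN_NETS" '
        BEGIN { n = split(nets, p, " ") }
        /sshd\[[0-9]+\]: Accepted / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            known = 0
            for (j = 1; j <= n; j++) if (index(ip, p[j]) == 1) known = 1
            if (!known) print
        }' "$1"
}

# 3. Accounts that have been added or modified to carry uid 0.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root"' "$1"
}

# 4. Who is probing the web server for IIS holes (noise on Linux, but it shows
#    how many hosts are hitting the box): probe count per client address.
probe_clients() {
    grep -E 'root\.exe|cmd\.exe|MSADC' "$1" \
        | sed -n 's/.*\[client \([^]]*\)].*/\1/p' | sort | uniq -c
}

# 5. psybnc left on disk. Point it at / on a live box; the files are usually
#    hidden under /tmp, /var/tmp or /dev.
find_psybnc() {
    find "$1" -type f \( -iname 'psybnc*' -o -iname '.psybnc*' \) 2>/dev/null
}

report() {
    echo "== su to root by non-admins";       suspicious_su "$1/messages"
    echo "== logins from unknown networks";   foreign_logins "$1/messages"
    echo "== uid 0 accounts besides root";    extra_root_accounts "$1/passwd"
    echo "== web probes per client";          probe_clients "$1/error_log"
}
report "$WORK"
```

Treat the output as a starting point, not as proof either way. As Fatal and BlueAdept both say, an intruder can delete or edit the logs, and a rootkit can replace ps, find and ls so that a psybnc process or file never shows up; run the checks after booting from clean media or mounting the disk on another machine, and on the live box add `ps axw | grep -i psybnc` for the running process. If any check fires, the thread's advice stands: pull the cable, then reinstall rather than clean.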

BlueAdept
12-01-2002, 07:43 AM
Originally posted by Fatal
Several things you can check.

First:
Check your /var/log/httpd-access files. You will see the box being scanned. Most likely you will see a lot of folks trying to execute a command on a Windows box through HTTP. /yawn

Example:
[Sun Dec 1 04:44:03 2002] [error] [client 211.97.70.241] File does not exist: /usr/local/www/data/html/scripts/root.exe
[Sun Dec 1 04:44:04 2002] [error] [client 211.97.70.241] File does not exist: /usr/local/www/data/html/MSADC/root.exe
[Sun Dec 1 04:44:05 2002] [error] [client 211.97.70.241] File does not exist: /usr/local/www/data/html/c/winnt/system32/cmd.exe

Lots and lots of that. That's just to give you an idea of how many folks are hitting your box.


Heh... yeah, that Nimda is still very prevalent. I still get like 20 a day. Nothing to worry about for Linux.



Now, check your /var/log/messages file. It should show you things like:

Dec 1 07:45:05 linuxboxen su: fatal to root on /dev/ttyp0

If you see entries like that and it wasn't you logging in or going to su mode, that's not good. Not good at all. Just because you DON'T see a log entry doesn't mean someone hasn't logged in to your box.


Check your user accounts. None have been modified? None added?

Scan your box for psybnc. If you have been hacked, its on there.

Once hacked, don't think you can fix it. Just reformat and start again. Turn off all the services you won't use. Make it not respond to ICMP messages, etc. It's a whirlwind out there. Once you're in it, you can't get out.

Anyone who isn't a script kiddie will most likely cover their tracks by either clearing the logs or editing them to remove their entries.

The idiot who hacked my system removed the logs, but changed the root password and installed some stuff. It was definitely a script kiddie who hacked mine (it was my fault for not completing the setup on my Linux box before I had to go to work, and for forgetting to start my firewall after I rebooted the system). I guess the guy figured that I would never be able to get into my box after he got root access. He left some hacking scripts and hacking programs for me.

Fatal
12-01-2002, 03:43 PM
My post was definitely in regards to script kiddies.

I highly doubt your box is ever going to be hacked by anyone not a script kiddie.

You have nothing they want, and they have access to boxes with a lot more resources than yours.

moac
12-01-2002, 04:47 PM
Thanx for all the info!

Cryonic
12-01-2002, 07:39 PM
The odds that someone other than a script kiddie would hack your box are pretty slim, but even the better crackers still need machines to act as their jumping-off point. Take a look at the recent DDoS of the root nameservers. It is believed that it was an intentional, non-script-kiddie attack to test the infrastructure of the Net.