comp.security.ssh: SSH secure remote login and tunneling tools.
#1
Hi,

Since this week-end, I have big problems on my RHEL3 server, with sshd:

- I can no longer connect from clients with ssh. I was able to connect for 2 years,
- I have 2 new lines in my sshd_config: "DString sweetgeorgiana" and "DVersion openssh-.3.6p2...",
- I deleted these 2 lines last Saturday evening, and they came back on Sunday,
- between Saturday and Sunday, I restarted my sshd, and was able to connect,
- I have a process which abnormally opens port 417: this process is called "ssh/bin/initsshd -p 417", directly connected to "init". The command line of this process does not begin with "/". I performed a find / -name initsshd without finding it,
- I also killed this process on Sunday morning, and it is now back on Monday morning,
- I rebooted on Sunday, after examination of /etc/init.d, but I saw nothing special.

Does somebody know what is happening to me? And could I re-protect my server, if I am really hacked?

TIA
Sylvain
#2
|
Messages: n/a
Hébergeur: |
sdonnet@ddo-org.com writes:

> Hi,
> Since this week-end, I have big problems on my RHEL3 server, with sshd:
> - I can no longer connect from clients with ssh. I was able to connect
> for 2 years,
> - I have 2 new lines in my sshd_config: "DString sweetgeorgiana" and
> "DVersion openssh-.3.6p2...",
> - I deleted these 2 lines last Saturday evening, and they came back on
> Sunday,
> - between Saturday and Sunday, I restarted my sshd, and was able to
> connect,
> - I have a process which abnormally opens port 417: this process
> is called "ssh/bin/initsshd -p 417", directly connected to "init". The
> command line of this process does not begin with "/". I performed a find
> / -name initsshd without finding it,
> - I also killed this process on Sunday morning, and it is now back on
> Monday morning,
> - I rebooted on Sunday, after examination of /etc/init.d, but I saw
> nothing special.
> Does somebody know what is happening to me? And could I re-protect my
> server, if I am really hacked?

Sounds to me like you have been cracked.

- Back up your crucial stuff.
- Wipe the disk.
- Reinstall the operating system.
- Change ALL passwords.
- Use find to scan the reinstalled backup for suid root programs.
#3
sdonnet@ddo-org.com writes:

> Does somebody know what is happening to me? And could I re-protect my
> server, if I am really hacked?

Reformat and reinstall the operating system from original media, and apply all updates before opening any internet-facing service.

Sounds like you may well be owned.

Best Regards,
--
Todd H.
http://www.toddh.net/
#4
Todd H. wrote:

> Reformat and reinstall the operating system from original media, and apply all
> updates before opening any internet-facing service.
>
> Sounds like you may well be owned.
>
> Best Regards,

Consider installing an IDS to track what changes.

--
Try a random act of kindness today; you just might surprise even yourself.
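The "track what changes" idea above is what a host IDS does at its core: record a baseline of every file while the system is known-good, then diff the live system against it. The script below is an added illustration, not code from this thread or from any IDS product. It assumes POSIX `cksum` and `find`, paths without spaces, and a baseline taken right after the clean reinstall the other replies recommend; the tampering in `demo_integrity_check` (an appended sshd_config line, a new file, a deleted file) is constructed to mirror the symptoms the original poster described.

```sh
#!/bin/sh
# Added example: minimal file-integrity baseline and comparison, the kind of
# record a host IDS keeps so that "what changed since the rebuild?" has an answer.
# Assumes POSIX cksum/find and paths without embedded spaces.

# Write one "checksum size ./relative/path" line per regular file under $1, sorted.
# Usage: take_baseline <dir> > baseline.txt
take_baseline() {
    ( cd "$1" && find . -type f -print | sort | while IFS= read -r f; do
        cksum "$f"
    done )
}

# Compare a saved baseline with the current contents of the same directory.
# Prints ADDED/MODIFIED/REMOVED followed by the path, one change per line.
# Usage: compare_baseline <baseline-file> <dir>
compare_baseline() {
    take_baseline "$2" | awk -v base="$1" '
        BEGIN {
            # Load the baseline: checksum keyed by path (field 3 of cksum output).
            while ((getline line < base) > 0) { split(line, f, " "); old[f[3]] = f[1] }
            close(base)
        }
        {
            seen[$3] = 1
            if (!($3 in old)) print "ADDED " $3
            else if (old[$3] != $1) print "MODIFIED " $3
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' | sort
}

# Constructed demonstration: build a small tree, baseline it, tamper with it,
# and return the change report. Everything lives in a throwaway temp dir.
demo_integrity_check() {
    work=$(mktemp -d)
    mkdir -p "$work/etc/ssh" "$work/bin"
    printf 'Port 22\nPermitRootLogin no\n' > "$work/etc/ssh/sshd_config"
    printf '#!/bin/sh\necho ok\n' > "$work/bin/tool"
    printf 'old\n' > "$work/bin/obsolete"
    take_baseline "$work" > "$work.baseline"   # baseline kept outside the tree

    # Tampering, modelled on the thread: a config line appears, a file is
    # dropped in, a file disappears.
    printf 'DString sweetgeorgiana\n' >> "$work/etc/ssh/sshd_config"
    printf 'constructed payload\n' > "$work/bin/initsshd"
    rm "$work/bin/obsolete"

    compare_baseline "$work.baseline" "$work"
    rm -rf "$work" "$work.baseline"
}
```

On a real host the baseline belongs on read-only or off-box storage; a baseline kept on the compromised disk can be edited along with everything else, which is exactly why the replies below insist on reinstalling rather than cleaning.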
#5
Todd H. wrote:

> sdonnet@ddo-org.com writes:
>
> > Does somebody know what is happening to me? And could I re-protect my
> > server, if I am really hacked?
>
> Reformat and reinstall the operating system from original media, and apply all
> updates before opening any internet-facing service.
>
> Sounds like you may well be owned.
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/

Thanks for your support. I was hoping that corrections could be done... I am going to prepare a reinstallation...

Sylvain
#6
sdonnet@ddo-org.com writes:

> Todd H. wrote:
>
> > sdonnet@ddo-org.com writes:
> >
> > > Does somebody know what is happening to me? And could I re-protect my
> > > server, if I am really hacked?
> >
> > Reformat and reinstall the operating system from original media, and apply all
> > updates before opening any internet-facing service.
> >
> > Sounds like you may well be owned.
> >
> > Best Regards,
> > --
> > Todd H.
> > http://www.toddh.net/
>
> Thanks for your support. I was hoping that corrections could be
> done...

Unfortunately it's just not feasible or advisable. The problem is that it's impossible to gauge the depth of the penetration. Even if you scan and find 10 problems and fix them, there could be several others that your scanner, rootkit detector, etc. doesn't know about. As such, it's always "best practice" to format and start from original media.

> I am going to prepare a reinstallation...

Yeah, sadly, as much as it is a pain in the butt, it's still the fastest way to get to a known state again.

--
Todd H.
http://www.toddh.net/
#7
comp@toddh.net (Todd H.) writes:

> sdonnet@ddo-org.com writes:
>
> > Todd H. wrote:
> >
> > > sdonnet@ddo-org.com writes:
> > >
> > > > Does somebody know what is happening to me? And could I re-protect my
> > > > server, if I am really hacked?
> > >
> > > Reformat and reinstall the operating system from original media, and apply all
> > > updates before opening any internet-facing service.
> > >
> > > Sounds like you may well be owned.
> > >
> > > Best Regards,
> > > --
> > > Todd H.
> > > http://www.toddh.net/
> >
> > Thanks for your support. I was hoping that corrections could be
> > done...
>
> Unfortunately it's just not feasible or advisable. The problem is
> that it's impossible to gauge the depth of the penetration. Even if
> you scan and find 10 problems and fix them, there could be several
> others that your scanner, rootkit detector, etc. doesn't know about.
> As such, it's always "best practice" to format and start from original
> media.
>
> > I am going to prepare a reinstallation...
>
> Yeah, sadly, as much as it is a pain in the butt, it's still the
> fastest way to get to a known state again.

It is however also crucial that you scan the stuff you reinstall as well. When I was broken into I found files scattered all over the file system (/tmp, /dev/, /home, ...) which were suid shells, i.e. anyone knowing about them, if they had any entry at all onto the machine, could simply run that program and be root.

I.e., scan all of the files you restore for suid:

    find / -perm +6000 -ls

Check each one to see if it should be suid. su is fine. /tmp/banana is not.
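The "check each one" step in the post above, and the earlier advice to "use find to scan the reinstalled backup for suid root programs", amount to comparing the `find / -perm +6000 -ls` listing against the set of files that are supposed to be setuid or setgid on a clean install. The script below is an added example, not code from this thread. It assumes a short, hand-written allowlist (on a real system you would derive it from the package manager's file lists), paths without spaces, and `find -ls` output whose last field is the path; the sample listing is constructed, with `/tmp/banana` borrowed from the post's own example of a bad one.

```sh
#!/bin/sh
# Added example: review `find / -perm +6000 -ls` output against an allowlist of
# paths expected to carry the setuid/setgid bits, and report the rest.

# Assumption: a minimal allowlist of legitimately setuid binaries. In practice
# generate it from the distribution's package manifests after a clean install.
EXPECTED_SUID='/bin/su
/bin/ping
/usr/bin/passwd
/usr/bin/sudo'

# Constructed sample of `find / -perm +6000 -ls` output (inode, blocks, mode,
# links, owner, group, size, date, path). The last two lines stand in for the
# kind of suid shell the post describes turning up in /tmp and /dev.
SAMPLE_FIND_OUTPUT='12345   44 -rwsr-xr-x   1 root root  44552 Jan  1 2004 /bin/su
12346   40 -rwsr-xr-x   1 root root  36000 Jan  1 2004 /bin/ping
12347   28 -rwsr-xr-x   1 root root  27000 Jan  1 2004 /usr/bin/passwd
99001  700 -rwsr-xr-x   1 root root 700000 Mar  5 2006 /tmp/banana
99002  700 -rwsr-sr-x   1 root root 700000 Mar  5 2006 /dev/.hidden/sh'

# Print every path in the find -ls listing ($1) that is not an exact line of
# the allowlist ($2). Paths with spaces would be truncated by $NF; avoid them.
# Usage: unexpected_suid "<find -ls output>" "<allowlist, one path per line>"
unexpected_suid() {
    printf '%s\n' "$1" | awk '{ print $NF }' | while IFS= read -r path; do
        if ! printf '%s\n' "$2" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Succeeds (exit 0) only when every setuid/setgid file is on the allowlist.
suid_check_passes() {
    [ -z "$(unexpected_suid "$1" "$2")" ]
}

# Live use on the rebuilt host, as root, would be:
#   unexpected_suid "$(find / -perm +6000 -ls 2>/dev/null)" "$EXPECTED_SUID"
# Newer findutils spell the permission test `-perm /6000`; `+6000` is the
# older form used in the post.
```

Anything the script prints is a file to look at before the restored data goes back into service; an unexpected hit under /tmp, /dev or a home directory is exactly the pattern the post describes.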
#8
Unruh <unruh-spam@physics.ubc.ca> writes:

> It is however also crucial that you scan the stuff you reinstall as well.
> When I was broken into I found files scattered all over the file system
> (/tmp, /dev/, /home, ...) which were suid shells, i.e. anyone knowing
> about them, if they had any entry at all onto the machine, could simply
> run that program and be root.
>
> I.e., scan all of the files you restore for suid:
>     find / -perm +6000 -ls
> Check each one to see if it should be suid. su is fine. /tmp/banana
> is not.

This is a good anecdote as to why reformatting is a good first step before the reinstall.

--
Todd H.
http://www.toddh.net/