topic Re: Hacking attack in Operating System - Linux

Hacking attack

Karsten Breivik_1 — Tue, 14 Dec 2004 08:39:51 GMT

Hi. I suspect a hacking attack on my Fedora2 server. I get segmentation fault on commands like ls and su. Is there a way of verifying the presence of an attack or a root kit?

And how did they get in? There are loads of services like telnet and Samba enabled on the server, but on the outside the firewall only SSH (tcp port 22), Apache web server (tcp port 80), Tomcat (tcp port 8080) and Postfix SMTP (tcp port 25) are exposed. What do I need to tighten?

Is there a remedy somewhere or am I looking at burning the midnight oil with a fresh install?

Re: Hacking attack

Vitaly Karasik_1 — Tue, 14 Dec 2004 08:54:09 GMT

the first step I recommend - it's disconnect linux box from network & reboot to single-user mode.

After it you may :

- go to security sites or take some book and learn about next steps - a long way

- a short way - run "rpm -Va" for verify system integrity - you will receive a list of changed programs/files.
In addition you can search&download&run utilities for rootkit detections.

Re: Hacking attack

Steven E. Protter — Tue, 14 Dec 2004 09:17:56 GMT

Recommandations.

Change the firewall configuration.

Block all protocols. Don't allow telent at all. If possible don't allow ftp. These two protocols use clear text authentication.

Test your firewall with the telnet hostname 78 (tests port 78).

Common current attacks:
Port 25 scripting to relay spam - watch /var/log/maillog
CGI script abuse. Use a formmail form to relay spam. watch maillog and access and error log for the webv server

Take a look at /etc/passwd Look for additional accounts added, especially uid zero accounts. If you find any of these, take the machine off the network.

I would suggest running Bastille security hardening on the box.

If you feel the box is compromised, back up your data and do a complete new OS install. Fedora Core 3 is now out.

Please post details of the actual attack for further assistance.

SEP

Re: Hacking attack

Ivajlo Yanakiev — Tue, 14 Dec 2004 09:44:54 GMT

Last time when I have segmentation fault It was virus.
YESSS VIRUS. try panda software for linux.
I think that panda is free trail :)

Tell me after that :))

trq to verify your rpm using
rpm -v

Re: Hacking attack

rmueller58 — Thu, 16 Dec 2004 09:38:20 GMT

Make sure if you don't have tripwire loaded, that you load it.. Tripwire is a HIDS package that came detect attempts on the host.

I've caught and thwarted several SSH exploit attempts..

It reports failure and successful logins..

Check CERT for any vulnerabilities for your aforementioned packages and Patch, Patch, Patch!!

Make sure SSH is current and you define a decent password policy. NO all, Alpha or Numeric, use a combination of Alpha, Numeric, and other such as (Some of these may act as escape shutdown any protocol with a login that throws a clear text login, telnet, ftp. If you need http or ftp logins use https or sftp or scp