topic Re: ROOT HACKED in Operating System - Linux

ROOT HACKED

Nobody's Hero — Thu, 28 Jul 2005 08:40:32 GMT

Last night my Linux RH9 server was hacked. Someoned gained access (don't) know how yet. But I tracked the IP address that they set up for proxy to Asia and Indonesia. My root account was changed and they created all kinds of new files in /sbin and in networking. Doesn't look like anything destructive however I still need to lock it down. This box has no services running on it. No rlogin, rexec, ftp etc....

Is there a product I can use or process to use to help eliminate this act of someone getting to my root account?

Re: ROOT HACKED

Steven E. Protter — Thu, 28 Jul 2005 08:48:40 GMT

Recommendations:

1) Leave the root account disabled when you don't need to use it. You can re-enable it from the console right before you need to use it.

2) tripwire: It can spot changes and alert you early in the process of being hacked. You can set it up to check on a daily basis or more often. I use it once a day.

3) checkrootkit - available from rpm or Linux distribution provider or yum. It helps spot the damage

4) Disable root access accept for console access. This is practical only if you have physical acess to the box.

SEP
Israel

Re: ROOT HACKED

Florian Heigl (new acc) — Thu, 28 Jul 2005 09:00:59 GMT

rkhunter and chkrootkit are both tools for detecting whatever they might have left.

for security auditing look into nessus.

for tracing accesses use tripwire

for gaining security, look at Your applications, as an example of steps involved:

chroot apache
in it's startup script create a port-forward
from port 80 to 8080
create a non-priveleged user for it.
set it to listen on 8080
give it an own tmpdir and another one for i.e. php sessions
THEN start to lock it down apache/php-wise :)

Re: ROOT HACKED

Nobody's Hero — Thu, 28 Jul 2005 09:08:03 GMT

Can't find the checkrootkit.
I am looking on rpmfind.net

Re: ROOT HACKED

Rick Garland — Thu, 28 Jul 2005 09:23:55 GMT

The best solution would be to strip the OS, reformat, reload the OS, install all these tools, update everything, then put on the network. Make sure all traces of intrusion are gone.

This is not always possible...

ckroot and tripwire are very good tools.

Re: ROOT HACKED

Florian Heigl (new acc) — Thu, 28 Jul 2005 12:22:50 GMT

as I wrote, it's called chkrootkit :)

Re: ROOT HACKED

John Poff — Thu, 28 Jul 2005 15:03:25 GMT

Robert,

You can get chkrootkit here:

http://www.chkrootkit.org/

JP

Re: ROOT HACKED

Bejoy C Alias — Thu, 28 Jul 2005 22:28:32 GMT

If possible check for vulnerabilities in ur installation by using some tools like nessus vulnerability scanner , which will tell u whether anything is open to the outside world and how u can fix it.