
Re: Hacking attack

Karsten Breivik_1
Frequent Advisor

Hacking attack


Hi. I suspect a hacking attack on my Fedora2 server. I get segmentation fault on commands like ls and su. Is there a way of verifying the presence of an attack or a root kit?

And how did they get in? There are loads of services like telnet and Samba enabled on the server, but on the outside the firewall only SSH (tcp port 22), Apache web server (tcp port 80), Tomcat (tcp port 8080) and Postfix SMTP (tcp port 25) are exposed. What do I need to tighten?

Is there a remedy somewhere or am I looking at burning the midnight oil with a fresh install?

poi
4 REPLIES
Vitaly Karasik_1
Honored Contributor

Re: Hacking attack

The first step I recommend is to disconnect the Linux box from the network and reboot into single-user mode.

After that you may:

- go to security sites or take some book and learn about the next steps (a long way);

- a short way: run "rpm -Va" to verify system integrity; you will receive a list of changed programs/files.
In addition you can search for, download and run utilities for rootkit detection.
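The reply above leaves the reader with the raw "rpm -Va" listing, which on any live system is long and mostly noise (changed mtimes, edited config files). The script below is an added example, not from this thread or from the rpm project: it triages such a listing down to the entries whose contents actually differ from the package or are missing, and ranks entries under system binary and library directories highest, since a replaced /bin/ls is exactly the symptom the original poster describes. The sample listing is constructed; the flag-column layout (column 3 is the digest flag) is the one rpm documents.

```shell
#!/bin/sh
# Added example (not from the thread): triage the output of "rpm -Va".
# Each rpm -Va line is a flag string (S size, M mode, 5 digest, D device,
# L link, U user, G group, T mtime, optional 9th char P capabilities),
# an optional file type (c config, d doc, ...) and the path; a missing
# file is reported as "missing <path>". Only a changed digest (column 3
# == '5') or a missing file means the contents differ from the package,
# which is what matters when hunting for replaced binaries such as ls.

# Constructed sample of rpm -Va output, standing in for a real run.
SAMPLE_RPM_VA='S.5....T.    /bin/ls
.......T.    /usr/bin/vim
S.5....T.  c /etc/ssh/sshd_config
missing     /sbin/ifconfig
.M.......    /usr/lib/libfoo.so'

# Read rpm -Va lines on stdin, print "<PRIORITY> <flags> <path>" for
# entries whose contents changed or that are missing:
#   HIGH  - system binary or library directory (classic rootkit target)
#   INFO  - config file (type c) outside those dirs, usually legitimate
#   LOW   - anything else with changed contents
triage_rpm_verify() {
    awk '
    {
        flags = $1
        path  = $NF
        ftype = (NF == 3) ? $2 : ""
        if (flags != "missing" && substr(flags, 3, 1) != "5")
            next                      # digest unchanged: mtime/mode only
        prio = "LOW"
        if (path ~ /^\/(bin|sbin|lib|lib64|usr\/bin|usr\/sbin|usr\/lib)\//)
            prio = "HIGH"
        else if (ftype == "c")
            prio = "INFO"
        printf "%s %s %s\n", prio, flags, path
    }'
}

# Run the triage over the constructed sample (on a real box:
#   rpm -Va | triage_rpm_verify).
demo_triage() {
    printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_verify
}

demo_triage
```

On the sample this prints three lines: HIGH for /bin/ls (digest changed) and for the missing /sbin/ifconfig, INFO for the edited sshd_config; the vim and libfoo entries are dropped because only mtime or mode changed. The check is only as trustworthy as the rpm binary and database it runs against, both of which a rootkit can tamper with, so run it from a rescue or known-good system against the mounted disk, or at least from single-user mode as the reply recommends.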
Steven E. Protter
Exalted Contributor
Solution

Re: Hacking attack

Recommendations.

Change the firewall configuration.

Block all protocols. Don't allow telnet at all. If possible, don't allow ftp. These two protocols use clear-text authentication.

Test your firewall with telnet hostname 78 (tests port 78).

Common current attacks:
Port 25 scripting to relay spam: watch /var/log/maillog
CGI script abuse, using a formmail form to relay spam: watch maillog and the access and error logs for the web server

Take a look at /etc/passwd. Look for additional accounts that have been added, especially uid zero accounts. If you find any of these, take the machine off the network.

I would suggest running Bastille security hardening on the box.

If you feel the box is compromised, back up your data and do a complete new OS install. Fedora Core 3 is now out.

Please post details of the actual attack for further assistance.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
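The /etc/passwd check in the accepted answer is easy to do by eye on a small box and easy to miss on a busy one. The script below is an added example, not from this thread: it lists every account sharing uid 0 with root and every uid used by more than one account, and exposes the result as an exit status so the check can be scripted. The passwd contents are constructed, with "toor" as the planted uid-0 account.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd file the way the
# reply above suggests, listing accounts that share uid 0 with root and
# any uid used by more than one account. Takes the file as an argument
# so it can be pointed at a mounted copy from single-user or rescue mode.

# Constructed sample passwd file; "toor" is the planted uid-0 account.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0::/:/bin/sh
karsten:x:500:500:Karsten:/home/karsten:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
EOF

# Print every account name with uid 0 other than root, one per line.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print "uid: name name ..." for each uid shared by several accounts
# (a second uid-0 entry is the classic case; duplicates elsewhere are
# worth a look too).
find_duplicate_uids() {
    awk -F: '
        { count[$3]++; names[$3] = names[$3] " " $1 }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }
    ' "$1"
}

# Exit status 1 if any extra uid-0 account exists, so the check can be
# dropped into a script (the reply's advice: if found, take the box
# off the network).
passwd_is_clean() {
    [ -z "$(find_extra_uid0 "$1")" ]
}

echo "extra uid-0 accounts: $(find_extra_uid0 "$SAMPLE_PASSWD")"
find_duplicate_uids "$SAMPLE_PASSWD"
```

Point it at /etc/passwd on the suspect system (or at a copy of it mounted from a rescue environment); a non-empty result from find_extra_uid0 is the condition the reply says should take the machine off the network. Note that a tampered box can also hide accounts from ls and cat, which is another reason to read the file from a clean system.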
Ivajlo Yanakiev
Respected Contributor

Re: Hacking attack

The last time I had a segmentation fault it was a virus.
YESSS, VIRUS. Try Panda Software for Linux.
I think Panda is a free trial :)

Tell me after that :))

Try to verify your RPMs using
rpm -Va

rmueller58
Valued Contributor

Re: Hacking attack

Make sure that if you don't have Tripwire loaded, you load it. Tripwire is a HIDS package that can detect attempts on the host.

I've caught and thwarted several SSH exploit attempts..

It reports failure and successful logins..


Check CERT for any vulnerabilities in your aforementioned packages and patch, patch, patch!!

Make sure SSH is current and you define a decent password policy. Not all alpha or numeric; use a combination of alpha, numeric, and other such as (some of these may act as escape). Shut down any protocol with a login that sends a clear-text login: telnet, ftp. If you need http or ftp logins, use https, sftp or scp.
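The reply above relies on Tripwire reporting failed and successful logins; the same signal is already in sshd's own syslog messages (/var/log/secure on Fedora of that era). The script below is an added example, not from this thread or from the Tripwire or OpenSSH projects: it counts failed SSH logins per source address and raises an alert when an address that had been failing is later accepted, which is what a successful password-guessing run looks like in the log. The log lines are constructed, with documentation-range addresses; the "Failed password for illegal user" wording is the older OpenSSH form (later versions say "invalid user"), and both match the pattern used here.

```shell
#!/bin/sh
# Added example (not from the thread): summarize sshd authentication
# messages from a syslog-style file such as /var/log/secure, counting
# failed logins per source address and flagging any address that was
# accepted after failing. The log lines below are constructed; the
# addresses are from documentation ranges.
SAMPLE_SECURE_LOG='Nov  3 02:14:07 fedora sshd[2101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Nov  3 02:14:09 fedora sshd[2101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Nov  3 02:14:12 fedora sshd[2103]: Failed password for illegal user admin from 192.0.2.10 port 40130 ssh2
Nov  3 02:20:41 fedora sshd[2110]: Accepted publickey for karsten from 198.51.100.7 port 51022 ssh2
Nov  3 02:31:05 fedora sshd[2142]: Accepted password for root from 192.0.2.10 port 40190 ssh2'

# Read sshd log lines on stdin and print:
#   failed <ip> <count>                         one per failing source
#   accepted <user> <ip>                        one per successful login
#   ALERT <ip> accepted login for <user> after <n> failures
summarize_ssh_auth() {
    awk '
    /sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        fail[ip]++
    }
    /sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for")  user = $(i + 1)
            if ($i == "from") ip   = $(i + 1)
        }
        accepted[n++] = user " " ip
    }
    END {
        for (ip in fail) printf "failed %s %d\n", ip, fail[ip]
        for (i = 0; i < n; i++) {
            split(accepted[i], p, " ")
            printf "accepted %s %s\n", p[1], p[2]
            if (p[2] in fail)
                printf "ALERT %s accepted login for %s after %d failures\n",
                       p[2], p[1], fail[p[2]]
        }
    }'
}

# Run the summary over the constructed sample (on a real box:
#   summarize_ssh_auth < /var/log/secure).
demo_ssh_auth() {
    printf '%s\n' "$SAMPLE_SECURE_LOG" | summarize_ssh_auth
}

demo_ssh_auth
```

On the sample, 192.0.2.10 fails three times and is then accepted as root, which produces the ALERT line; karsten's key-based login from a different address is listed but not flagged. As with every on-host check in this thread, an intruder with root can edit or truncate the log, so a copy shipped to a separate log host is the version to trust.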