
ROOT HACKED

Nobody's Hero
Valued Contributor

ROOT HACKED

Last night my Linux RH9 server was hacked. Someone gained access (don't know how yet). But I tracked the IP address that they set up for proxy to Asia and Indonesia. My root account was changed and they created all kinds of new files in /sbin and in networking. Doesn't look like anything destructive, however I still need to lock it down. This box has no services running on it. No rlogin, rexec, ftp etc.

Is there a product or process I can use to help eliminate this act of someone getting to my root account?
UNIX IS GOOD
Steven E. Protter
Exalted Contributor

Re: ROOT HACKED

Recommendations:

1) Leave the root account disabled when you don't need to use it. You can re-enable it from the console right before you need to use it.

2) tripwire: It can spot changes and alert you early in the process of being hacked. You can set it up to check on a daily basis or more often. I use it once a day.

3) checkrootkit - available from rpm or Linux distribution provider or yum. It helps spot the damage.

4) Disable root access except for console access. This is practical only if you have physical access to the box.

SEP
Israel
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
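Recommendation 2 above (a daily Tripwire run) is, at its core, a stored baseline of file hashes and metadata that a later scan is compared against. The script below is an added illustration of that idea and is not Tripwire itself, nor code from anyone in this thread; it builds a baseline of a directory, then re-scans and reports files that were added, removed or modified. The directory it scans is a constructed temporary stand-in for /sbin, and the file names in it are made up for the demo.

```python
import hashlib
import json
import os
import stat
import tempfile


def file_fingerprint(path):
    """Hash plus the metadata an integrity checker cares about (mode, owner, size)."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISLNK(st.st_mode):
        # For a symlink, fingerprint where it points rather than following it.
        h.update(os.readlink(path).encode())
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(root):
    """Walk a tree and record a fingerprint per file, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_fingerprint(full)
    return baseline


def compare(baseline, current):
    """Report what changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def save_baseline(baseline, path):
    # In practice keep this file off the host (or on read-only media); a baseline
    # stored on a compromised box can be edited along with the binaries it covers.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(root, name, data):
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a fake /sbin, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "ifconfig", b"original ifconfig binary")  # constructed content
        _write(root, "init", b"original init")                  # constructed content
        baseline_file = os.path.join(root, "..", "baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        # Simulated intrusion after the baseline was taken: one binary replaced,
        # one file dropped into the directory, one file deleted.
        _write(root, "ifconfig", b"replaced ifconfig binary")
        _write(root, "xlogin", b"dropped file")
        os.remove(os.path.join(root, "init"))

        report = compare(load_baseline(baseline_file), build_baseline(root))
        os.remove(baseline_file)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats that apply equally to the real tool: the baseline must be taken on a known-clean system (after the reinstall Rick suggests below, not on the box as it stands), and a kernel-level rootkit can lie to any userland scanner, which is why a checker like this is a detection aid, not proof of integrity.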
Florian Heigl (new acc)
Honored Contributor

Re: ROOT HACKED

rkhunter and chkrootkit are both tools for detecting whatever they might have left.

for security auditing look into nessus.

for tracing accesses use tripwire

for gaining security, look at your applications, as an example of steps involved:

chroot apache
in its startup script create a port-forward from port 80 to 8080
create a non-privileged user for it.
set it to listen on 8080
give it its own tmpdir and another one for, e.g., PHP sessions
THEN start to lock it down apache/php-wise :)

yesterday I stood at the edge. Today I'm one step ahead.
Nobody's Hero
Valued Contributor

Re: ROOT HACKED

Can't find the checkrootkit.
I am looking on rpmfind.net
UNIX IS GOOD
Rick Garland
Honored Contributor

Re: ROOT HACKED

The best solution would be to strip the OS, reformat, reload the OS, install all these tools, update everything, then put on the network. Make sure all traces of intrusion are gone.

This is not always possible...

ckroot and tripwire are very good tools.
Florian Heigl (new acc)
Honored Contributor

Re: ROOT HACKED

As I wrote, it's called chkrootkit :)
yesterday I stood at the edge. Today I'm one step ahead.
John Poff
Honored Contributor

Re: ROOT HACKED

Robert,

You can get chkrootkit here:

http://www.chkrootkit.org/

JP
Bejoy C Alias
Respected Contributor

Re: ROOT HACKED

If possible, check for vulnerabilities in your installation by using some tools like the Nessus vulnerability scanner, which will tell you whether anything is open to the outside world and how you can fix it.
Be Always Joy ......