
Thread: hacked

  1. #11
    Senior Member (Join Date: May 2002, Posts: 450)
    I really can't help with what might have happened; it may well have been RedHat's update that caused the problem, but it is very hard to say.

    If your system has been on the internet unprotected (i.e. no firewall) for any length of time you may have been hacked, especially if you have broadband access and a static IP ...

    You may want to check out chkrootkit, which can be obtained from http://www.chkrootkit.org ... this small script will, when run, check your system for common rootkits currently installed and used by crackers.

    If you are still in doubt, nebulus200's suggestion of pulling the machine off the internet and rebuilding is a sound suggestion: fresh install, update, harden, then get it back online.

    Good luck.

  2. #12
    Hey nebulus200, I am impressed with your knowledge on this matter and was wondering if you could point me in the right direction to learn something such as this. I am eager.

  3. #13
    Senior Member (Join Date: Dec 2002, Posts: 144)
    Originally posted here by Phat_Penguin
    I really can't help with what might have happened; it may well have been RedHat's update that caused the problem, but it is very hard to say.

    If your system has been on the internet unprotected (i.e. no firewall) for any length of time you may have been hacked, especially if you have broadband access and a static IP ...

    You may want to check out chkrootkit, which can be obtained from http://www.chkrootkit.org ... this small script will, when run, check your system for common rootkits currently installed and used by crackers.

    If you are still in doubt, nebulus200's suggestion of pulling the machine off the internet and rebuilding is a sound suggestion: fresh install, update, harden, then get it back online.

    Good luck.
    I think I will not format first... I can look around at what really happened to my box... anyway I have nothing important in it...
    BlAcKiE
    GearBlitz

  4. #14
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    Penguin: Listen to nebulus!!!!!

    Firstly, every file that was requested either 404ed (not there) or 403ed (access denied).
    Secondly, and I have no knowledge worth anything about Linux, but I can tell you that even if you had dirs such as c:\winnt\system32 you wouldn't have anything meaningful in them. The files that were being requested wouldn't run on your box. So even if they were there, they would crash your machine at worst if they were executed.
    Thirdly, you said the symptoms began at 0715..... then you show your cron starting at...oh...0715.... funny that...
    Lastly.... This is a classic attack on IIS.... since you are running Apache.... you are just fine.

    Nebulus: You say that the Apache logs are so much better than IIS (and I don't want to get into a pissing match about "my OS is better than yours"..... ), but would you care to show me what information you were seeing in the Apache logs Penguin posted that I can't find in my IIS logs...... IIS can log in several different ways and at several levels of detail..... The logs Penguin posted are practically identical to the IIS logs I capture on my sites - right down to the order in which the info is logged.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
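The triage Tiger Shark describes above (requests for Windows/IIS-only paths, every one answered 403 or 404, all clustered at the same minute) can be automated over an Apache access log. This is an added example, not code from the thread; the log lines are constructed, the Windows-path patterns are assumed signatures of the IIS worm-style probes being discussed, and the timestamps are chosen to illustrate the 07:15 correlation.

```python
import re
from collections import Counter

# Apache "combined" log format (assumed; the thread's logs were Apache access logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that only exist on an IIS/Windows host. Assumed signatures for the
# "classic attack on IIS" the thread talks about; they are meaningless to Apache.
IIS_PROBE_RE = re.compile(
    r'(cmd\.exe|root\.exe|winnt/system32|/scripts/|default\.ida|/_vti_bin/|/msadc/)', re.I
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec

def triage(lines):
    """Summarise IIS-style probes: how many, from where, when, and whether any were served."""
    probes = [r for r in map(parse_line, lines) if r and IIS_PROBE_RE.search(r['path'])]
    return {
        'probe_count': len(probes),
        'status_counts': dict(Counter(r['status'] for r in probes)),
        'sources': sorted({r['ip'] for r in probes}),
        'first_seen': probes[0]['ts'] if probes else None,
        # 403/404 means Apache never served the file; a 2xx on one of these paths
        # would be the only case that needs a closer look.
        'any_served': any(200 <= r['status'] < 300 for r in probes),
    }

# Constructed sample log: three Windows-path probes from one host at 07:15, one normal hit.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2003:07:15:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
192.0.2.10 - - [10/Mar/2003:07:15:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
192.0.2.10 - - [10/Mar/2003:07:15:05 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 301 "-" "-"
198.51.100.7 - - [10/Mar/2003:07:16:11 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
""".splitlines()

if __name__ == '__main__':
    print(triage(SAMPLE_LOG))
```

With the sample above the summary reports 3 probes, all 403/404, none served, first seen at 07:15:02, so the box was scanned but nothing was executed.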

  5. #15
    Thanks for the link Phat_Penguin,
    that helped me also lock down my box.
    That's why I spend so much time here at AO. 'Cause the people are great and so is the information.

  6. #16
    nebulus200, Jaded Network Admin (Join Date: Jun 2002, Posts: 1,356)
    Tiger Shark:
    Hmm... maybe it was how the web servers were set up that I had to investigate, or maybe it was the version (I think they were 4.0, not 5.0), not sure. It seemed that every IIS server I had to look at (for investigations) was missing very critical information like the HTTP return code and browser version; however, when I logged in and checked the IIS server I have to maintain (wasn't given a choice, unfortunately), the log file in fact did contain pretty much the same information, so I'm not sure what happened to those logs that I have looked at in the past...

    Point taken.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  7. #17
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    nebulus: np.... I thought you could see something I couldn't.... maybe the logging was set up differently on the older boxes, but IIS 4 & 5 have had the same basic options for logging - it's just a matter of choosing what you want to see....... And, IMO, you can't log enough stuff..... Well, up until the point where you have used all your storage....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #18
    Very, very nice observation and very good explanation, nebulus200.
