Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: Hacked Red Hat 7.3

  1. #1
    Junior Member
    Join Date
    Dec 2002
    Posts
    23

    Hacked Red Hat 7.3

    I have a Red Hat 7.3 server, and I have just noticed after reviewing log files that someone has obtained root access to my server. I have an ip address, and changed the root password. I have also noticed that I have two /sbin/nologin scripts in /sbin. So, I tried logging in under a system service, and found each of these services were able to log in with superuser access. I am fairly familiar with linux, and have run it as a deskop for a couple of years, but I am new at running it in a server environment. Do any of you have ideas as to what my next step should be, and any other places to look for possible backdoors. Thank you very much.

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Hrm. Let's see:

    - disconnect the server from the internet
    - check for hidden files/directories EVERYWHERE (use that nifty find command)
    - check the /etc/passwd and /etc/shadow.
    - check any .bash_profiles for any extra info
    - check .bash_history files for command histories (might indicate where the "hole" is)
    - check your services config files for any "unusual" stuff
    - check logs in /var/log
    - check your existing processes ps -aux

    Anyone else think of other locations or ideas?

    Once you've done that you should consider i) kernel upgrade if you haven't done it ii)patches to any services running iii) secure lockdown iv) chrooting directory access v) HIDS (host based IDS like Tripwire).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Junior Member
    Join Date
    Dec 2002
    Posts
    23
    thank you msmittens, I am familiar with the securing linux document on tldp, but do you know of any other current helpful documents that focus on linux security.

  4. #4
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    There is a tool available called Bastille you may want to check out.

    The Bastille Hardening System attempts to "harden" or "tighten" Unix operating systems. It currently supports the Red Hat, Debian, Mandrake, SuSE and TurboLinux Linux distributions along with HP-UX and Mac OS X. We attempt to provide the most secure, yet usable, system possible.
    This may help you out after you have cleaned up.

    Cheers:
    DjM

  5. #5
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Originally posted here by MsMittens
    Anyone else think of other locations or ideas?
    Before unplugging from the network a netstat -a may be useful.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  6. #6
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    Id say even someone has had root then your box is pretty much screwed.
    It would be very easy for someone to install a root kit in many places.

    If you dont have local account you may be able to restore it to a secure state, but Id say get the files you need for your webserver,c heck them throughly then wipe, reinstall, and lock down!

    Like MsMittens reccomended I would get and HIDS and NIDS since youve been compromised once its likely the intruder(s) will attempt to return.
    That which does not kill me makes me stronger -- Friedrich Nietzche

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Originally posted here by t3gilligan
    thank you msmittens, I am familiar with the securing linux document on tldp, but do you know of any other current helpful documents that focus on linux security.
    Might want to try Thymus' Guide to Securing Slackware. While it's specific to Slack, there should be some insights that can be used. Also, Red Hat's Security Guide for RH 8 might be of use. There is no, AFAIK, RH 7.3 security guide but RH's 7.3 Customization Guide might help somewhat.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #8
    Junior Member
    Join Date
    Dec 2002
    Posts
    23
    That will be very usefull, I use slack at home. Thank you

  9. #9
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Have you tried Securing and Optimizing Linux:

    Version 1.3 deals with RH 6

    Version 2 deals with RH 7.1, but much should apply, both available for download

    ( You’ll have to buy version 3 though )

    Previous Versions
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  10. #10
    First off are you on a network?if so does other people have access to it?One trick that comes to mind is Linux single command. That would be the first question,next if it was remote access what ports and servers are you running? rlogin ssh telnet ftp are all good "doors" for a cracker that knows what hes doing.Also did you set your X11 Xserver not to listen on -TCP?.Thats another good hole. Maybe find an easy to use firewall. Shorewall is great for a small network. Netstat the box of course and also load nmap and scan your local network.(ports 1-65000) Do some reading,i assume using apache?check what modules you have enabled in the http.conf script. Also look up root kit locations on the net (google) Worst comes to worst format drive and start again. Hope that helps.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •