Server may have been hacked?


Syngin
12-04-2001, 03:02 PM
Hey guys,

Sendmail died on our primary web server and our server provider is saying that it's been compromised. He's put the following forth as proof:

SM5....T /bin/ps
SM5....T /usr/bin/top
.M...... /usr/bin/crontab
S.5..UGT /usr/bin/bzip2
S.5....T c /sbin/ifup
missing /usr/bin/wget
S.5..UGT /usr/bin/ncftpput
S.5....T /bin/netstat
S.5....T /sbin/ifconfig
SM5....T /usr/bin/ssh
S.5....T /usr/bin/ssh-add
S.5....T /usr/bin/ssh-agent
S.5....T /usr/bin/scp
S.5....T /usr/bin/ssh-keygen
......G. /usr/bin/locate
......G. /usr/bin/updatedb
S.5....T /usr/sbin/tcpd

(Not even sure exactly what command he obtained this info with. RPM with an argument or two?)

Now, I installed ssh on the server last week so I think that part is me. Problem is that I'm not sure whether the other changes are legitimate hacks or changed due to file dependencies involved in the ssh install.

Anyone have any idea? I'm not really sure why actual changes to these files would permanently affect Sendmail and FTP authentication (that went down too). Anyone's 2 cents would be greatly appreciated.

:eek:

Dark Ninja
12-04-2001, 04:09 PM
Well, for one - it's a very bad thing when system files get installed that don't need to be installed.

In this case, 'ps' and 'top' - if the sysadmin wasn't expecting that, it may be worth checking out. As for the others, I'm not too sure - but, for future reference, a program like TripWire may be able to warn you if your system files have been changed. (Keeping backups is a very good thing, also.)


Dark Ninja

SykkN
12-04-2001, 04:34 PM
Verify all packages
# rpm --verify -a


If the files or packages you were verifying checked out okay, you will see no output; otherwise, you’ll see what checks failed. The output will be a string of 8 characters, possibly a ‘c’ denoting configuration file, then the filename that failed. Each character in the 8-character field contains the result of a particular test. A “.” (period) indicates that test passed. The following example indicates that /bin/vi has an incorrect group id assigned to it:

# rpm --verify --file /bin/vi
......G. /bin/vi

Failure code | Meaning
-------------|-----------------------
5            | MD5 checksum
S            | File size
L            | Symbolic link
T            | File modification time
D            | Device
U            | User
G            | Group
M            | Mode
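
A worked example of reading that output, added here and not code from the thread or from the rpm project: it parses the 8-character failure string described above plus the "missing" and "c" (config file) variants, then sorts each entry into a rough severity bucket. The idea is to separate the two things that get confused in a listing like the one at the top of this thread: a size+MD5 change on a process/socket-inspection binary (ps, top, netstat, ifconfig, tcpd) is the classic trojaned-binary signature, whereas an edited config file, a group- or mode-only change, or a binary the admin knowingly replaced (the ssh tools here) is not by itself evidence of compromise. The input lines are the ones posted above; the WATCHLIST of binaries, the severity names and the known_replaced parameter are this example's own assumptions, not anything rpm provides.

```python
"""Triage helper for `rpm --verify -a` output (added example, not rpm code)."""
import re

# Meaning of each character in rpm's 8-character failure string
# (the table quoted above). A "." means that test passed.
FLAG_MEANING = {
    "S": "file size", "M": "mode", "5": "MD5 checksum", "D": "device",
    "L": "symlink", "U": "user", "G": "group", "T": "mtime",
}

# Binaries that are usually trojaned to hide processes, sockets and
# interfaces. This list is an assumption of the example, not an rpm list.
WATCHLIST = frozenset({
    "/bin/ps", "/usr/bin/top", "/bin/netstat", "/sbin/ifconfig",
    "/bin/ls", "/bin/login", "/usr/bin/find", "/usr/sbin/tcpd",
    "/usr/bin/ssh", "/usr/sbin/sshd",
})

# Lines posted in the thread above, used here as sample input.
SAMPLE = """
SM5....T /bin/ps
SM5....T /usr/bin/top
.M...... /usr/bin/crontab
S.5..UGT /usr/bin/bzip2
S.5....T c /sbin/ifup
missing /usr/bin/wget
S.5..UGT /usr/bin/ncftpput
S.5....T /bin/netstat
S.5....T /sbin/ifconfig
SM5....T /usr/bin/ssh
S.5....T /usr/bin/ssh-add
S.5....T /usr/bin/ssh-agent
S.5....T /usr/bin/scp
S.5....T /usr/bin/ssh-keygen
......G. /usr/bin/locate
......G. /usr/bin/updatedb
S.5....T /usr/sbin/tcpd
"""

# The poster installed ssh by hand, so these binaries are expected to differ
# from the original package (assumed here for the example).
SSH_TOOLS = frozenset({
    "/usr/bin/ssh", "/usr/bin/ssh-add", "/usr/bin/ssh-agent",
    "/usr/bin/scp", "/usr/bin/ssh-keygen",
})

# Eight test characters (or the word "missing"), an optional file-type letter
# such as "c" for config, then an absolute path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGT.]{8}|missing)\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S+)$"
)


def parse_verify_line(line):
    """Return a dict for one rpm --verify line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    return {
        "path": m.group("path"),
        "type": m.group("type"),          # "c" for a config file, else None
        "missing": flags == "missing",
        "failed": set() if flags == "missing" else {ch for ch in flags if ch != "."},
    }


def describe(entry):
    """Human-readable list of the checks that failed for an entry."""
    if entry["missing"]:
        return "file missing"
    return ", ".join(FLAG_MEANING[ch] for ch in "SM5DLUGT" if ch in entry["failed"])


def classify(entry, known_replaced=frozenset()):
    """Bucket an entry: expected / high / medium / low / info."""
    path = entry["path"]
    if path in known_replaced:
        return "expected"                 # admin replaced it; still worth a look
    if entry["missing"]:
        return "high" if path in WATCHLIST else "medium"
    if entry["type"] == "c":
        return "info"                     # edited config files are supposed to differ
    if "5" in entry["failed"]:            # contents differ from the package
        return "high" if path in WATCHLIST else "medium"
    return "low"                          # only mode/owner/group/mtime changed


def triage(text, known_replaced=frozenset()):
    """Group the paths in rpm --verify output by severity, in input order."""
    buckets = {"expected": [], "high": [], "medium": [], "low": [], "info": []}
    for line in text.splitlines():
        entry = parse_verify_line(line)
        if entry is not None:
            buckets[classify(entry, known_replaced)].append(entry["path"])
    return buckets


if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        e = parse_verify_line(line)
        if e:
            print(f"{classify(e, SSH_TOOLS):8} {e['path']:24} {describe(e)}")
```

Run it against a live system with `rpm --verify -a | python3 triage.py` (reading stdin instead of SAMPLE) and treat the "high" bucket as the list to compare against a known-good copy of the same package, not as proof on its own; a trojaned binary can also be placed by a package upgrade, so the second check is whether the installed package version and its signature match what the vendor shipped.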

Syngin
12-04-2001, 04:40 PM
Sweet. Thanks for the tips guys. We do have a backup service for this particular server but it's a few days behind and would require some time to figure out what was missing. Trying to figure out whether to try a fix or restore from backups.

The info definitely helps. :D

Dark Ninja
12-04-2001, 05:51 PM
About your reply SykkN - just because a file does not verify correctly does not necessarily mean there is a problem, does it?


Dark Ninja

Syngin
12-04-2001, 06:15 PM
From the looks of things, it reports EVERYTHING system oriented that's changed. Conf files etc. There's only a few things I'm not sure about and those are the ones I'm worried about.

SykkN
12-04-2001, 11:16 PM
I am not really sure. That is just some snippets from my RHCE book. :-)