hacked...
Soybomb
01-16-2001, 11:57 AM
It seems that one of our Linux webservers set up here at school has been hacked and perhaps used for a DDoS attack. It's a Red Hat 6.2 box and it is constantly scrolling modprobe errors. What's the best way to go about starting to figure out what has been done to our machine?
I've been looking around some more and found a hidden directory with all sorts of interesting programs in it, such as hackl.sh, hackw.sh and asp62, etc. So I assume this is part of a rootkit of some sort. Where do I go from here? I see the times that these files were created; can I figure out who was logged in and placed these here? There are no new users in /etc/passwd....
It appears the rootkit was named ramen.tar and part of it added the following lines to /etc/inetd.conf
9704 stream tcp nowait root /bin/sh sh -i
shell stream tcp nowait root usr/sbin/in.rshd -n
Any ideas on how the machine was compromised?
Thanks!
Dr SuSE
01-16-2001, 05:30 PM
Another RH hack. You won't believe how many RH boxes I've found on the Internet that have been hacked.
The best method to repair a hacked box is to format and reinstall the OS.
goozey
01-16-2001, 06:03 PM
My RH 7 box got hacked this past Saturday... nothing major, but just enough to let me know they were in there. They also messed with my password files, giving them a future door to go through.
My solution was to back up the data and reinstall the OS. Then... install all the patches and security patches. I removed wu-ftp and replaced it with ProFTPD. I disabled telnet and any other service I didn't need. Also made sure I was using a shadow file for passwd authentication... and created more difficult passwords to get into the box.
twistah
01-17-2001, 12:20 AM
To the one that was hacked: back up that rootkit onto some media like a floppy (further research), if you want and reinstall the OS. There is no easy way out of a rootkit.
About RedHat: Make sure you disable mostly useless things like rpc.statd (and the other rpc services.) LPRng (lpd) has a remote hole: close it or upgrade it. WU-FTPd was already mentioned, but all versions prior to 2.6.1 are huge with script kiddiots.
Sorry for the rushed reply...
twistah
01-17-2001, 07:31 PM
In case you didn't see this, you were hit by the RAMEN worm. In case you saved the source/files/etc, I would be very interested in seeing them (trust me, I am no blackhat scriptkiddiot.)
This thing spreadz faster than butter.
Sorry I'm a little drunk.
twistah
Just open up the ftp port using an unpatched wu-ftpd and you'll get it.
I saved the scripts...nothing too exciting really. It just plugs the hole it used to get in, modifies some file and starts scanning a random Class B network for more stations with the same exploits open.
twistah
01-20-2001, 02:24 AM
I don't have RedHat, nor do I have a wish to honeypot myself. The reason I want the source is to get some packet traces for IDS signatures and such, although I am really short on time now, anyway.
dspead
01-21-2001, 09:20 PM
What port/daemon does RAMEN look for -- in other words how is it getting in? Telnet, Sendmail, WuFTP or a variety of different ways?
How can one determine if they are infected?
Thanks for all the useful info.
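As an added example (not code from this thread or from any of its posters), here is one way to answer dspead's "how can one determine if they are infected" question for the specific symptom Soybomb reported: a shell check that flags inetd.conf entries of the kind the Ramen rootkit added (a root shell bound to a numeric port, and in.rshd re-enabled). The inetd.conf contents below are a constructed sample; on a real box you would point the function at /etc/inetd.conf.

```shell
#!/bin/sh
# Constructed sample inetd.conf: two normal entries, one commented-out rsh entry,
# and the two lines quoted in the thread as added by the rootkit.
SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_INETD" <<'EOF'
# inetd.conf (constructed sample, not a real system file)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
9704 stream tcp nowait root /bin/sh sh -i
shell stream tcp nowait root usr/sbin/in.rshd -n
EOF

# find_inetd_backdoors FILE
# Prints every active (uncommented) inetd entry that either runs a shell directly
# as root (a bind shell), enables in.rshd, or binds a bare numeric port.
# inetd.conf fields: service type proto wait/nowait user server-program args...
find_inetd_backdoors() {
    awk '
        /^[[:space:]]*(#|$)/ { next }        # skip comments and blank lines
        {
            user = $5; prog = $6
            # server program is a shell itself (e.g. "/bin/sh sh -i"): bind shell
            if (user == "root" && prog ~ "(^|/)(sh|bash|ksh|csh)$") {
                print "ROOT SHELL: " $0; next
            }
            # in.rshd as the program or as the tcpd-wrapped argument
            if (prog ~ /in\.rshd$/ || $7 ~ /in\.rshd$/) {
                print "RSHD ENABLED: " $0; next
            }
            # a numeric service name is unusual in a stock inetd.conf
            if ($1 ~ /^[0-9]+$/) { print "NUMERIC PORT: " $0 }
        }' "$1"
}

# count_inetd_backdoors FILE: number of flagged entries (used for a quick pass/fail)
count_inetd_backdoors() {
    find_inetd_backdoors "$1" | wc -l | tr -d ' '
}

find_inetd_backdoors "$SAMPLE_INETD"
```

The check is deliberately narrow: it only looks at inetd.conf, so a clean result says nothing about the hidden directory, the modified binaries or the replaced system files the other replies describe, which is why they all recommend reinstalling.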