hacked....


Soybomb
01-16-2001, 11:11 AM
It seems that one of our Linux webservers set up here at school has been hacked and perhaps used for a DDoS attack. It's a Red Hat 6.2 box and is constantly scrolling modprobe errors. What's the best way to go about starting to figure out what has been done to our machine?
Thanks!

Soybomb
01-16-2001, 11:31 AM
I've been looking around some more and found a hidden directory with all sorts of interesting programs in it, such as hackl.sh, hackw.sh and asp62, etc. So I assume this is part of a rootkit of some sort. Where do I go from here? I see the times that these files were created; can I figure out who was logged in and placed these here? There are no new users in /etc/passwd....
Thanks!

Soybomb
01-16-2001, 11:42 AM
It appears the rootkit was named ramen.tar, and part of it added the following lines to /etc/inetd.conf:

9704 stream tcp nowait root /bin/sh sh -i
shell stream tcp nowait root /usr/sbin/in.rshd -n

Any ideas as to what exactly this did?
Thanks!

nanode
01-16-2001, 11:52 AM
I dunno about the rootkit specifically, but in /etc/inetd.conf it looks like connecting to that new port number would bring up a root shell directly when connected.

This behavior was not subtle, or even the least bit careful. I'm not a detective, but the clues you've shared indicate either a novice script kiddie type or else someone who just didn't care.

Also, the changes to inetd would allow anyone to access this box - I wonder if the 'intruder' intended to share this compromised system with others or just didn't know how to tidy things up. I anticipate the latter.

I'd post this in security forum to be sure.
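As an added illustration of the point nanode makes (not code from anyone in this thread): a small audit script that parses inetd.conf entries and flags the kind of lines quoted above. It assumes the classic seven-field inetd.conf layout; the sample file is constructed, with the two entries from the thread as its last two lines.

```python
import os
import shlex

# Constructed sample /etc/inetd.conf (not the poster's real file);
# the last two lines are the entries quoted in the thread.
SAMPLE_INETD_CONF = """\
# <service> <socket> <proto> <wait/nowait> <user> <server> <args>
ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
9704 stream tcp nowait root /bin/sh sh -i
shell stream tcp nowait root /usr/sbin/in.rshd -n
"""

SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh"}
R_SERVICES = {"in.rshd", "in.rlogind", "in.rexecd"}


def parse_inetd(text):
    """Return one dict per active inetd.conf entry (comments and blanks skipped)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = shlex.split(line)
        if len(fields) < 6:       # empty or malformed: inetd would start nothing
            continue
        service, sock, proto, wait, user, server = fields[:6]
        entries.append({
            "line": lineno, "service": service, "proto": proto,
            "user": user.split(".")[0],   # handles the "user.group" form
            "server": server, "args": fields[6:],   # args[0] is argv[0]
        })
    return entries


def audit_inetd(text):
    """Flag entries that hand out a shell, run legacy r-services, or bind bare ports."""
    findings = []
    for e in parse_inetd(text):
        programs = {os.path.basename(e["server"])}
        if e["args"]:
            programs.add(os.path.basename(e["args"][0]))
        reasons = []
        if programs & SHELLS:
            reasons.append("spawns an interactive shell for every connection")
        if programs & R_SERVICES:
            reasons.append("legacy r-service (rhosts trust, cleartext)")
        if e["service"].isdigit():
            reasons.append("bare port number instead of a name from /etc/services")
        if reasons and e["user"] == "root":
            reasons.append("runs as root")
        if reasons:
            findings.append((e["line"], e["service"], reasons))
    return findings
```

Run it against a copy of the file taken from the suspect box; the ftp entry via tcpd passes, while the 9704 and shell entries are reported with every reason that applies.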

X_console
01-16-2001, 12:24 PM
In the future, it would be advisable to install Tripwire. It would be much easier to see what was changed by comparing the Tripwire database to the current corrupt one.

Soybomb
01-16-2001, 03:08 PM
Ahhhhhhhhh, I was previously unaware of Tripwire; it will most definitely be used in the future though. From looking around a bit, it seems that this machine didn't have all the Red Hat security patches in place, and perhaps the weakness in 6.2's wuftpd allowed the person to get root. Now my next questions come in with what log files will be useful to send to this person's ISP? They set up an FTP server and an ASP server and were serving a webpage with their text in it. Only about 5-6 IP addresses are logged from Apache, and since the machine wasn't in use yet I can only assume they are all involved. Is there a better source of IPs and times to send this person's ISP?
Thanks a million!