Server was hacked and needs to clean up

[renbenzhuyi]

The Mandriva 2006 server in my lab was hacked twice in three months.
The server was then used to hack other servers.

I re-installed the OS after first attack. Here the attack came again!
If I simply re-install the OS this time there might be a third attack
and installation is time-consuming. Under Windows you can check REG
or use anti-virus software. In my situation what can i do to detect
virus (trojan) and unusual process?

Your suggestion is highly appreciated.

[aliov]

how did you know that it was hacked ? is this server connects directly to the net or it's behind a router ! are you using any firewall on it ? wish are the needed ports to you ?

[renbenzhuyi]

Thanks for your reply.

This server was controlled to attack other servers and consequently i got phone calls .

I am not sure whether it is behind a routre or not but I would guess yes.

I use the 'default' firewall of Mandriva 2006. Only four services were allowed by this firewall, ftpd, httpd, sshd and ping.

[aliov]

this is i can't confirm and i can't detect from where the vulnerability is coming in Mandriva 2006 are you always updating the system and specially the security fixes ? . in order to check hackers activity run this :

Code:

netstat -tunp

[anomie]

I'd highly recommend performing another new install. This time, before putting the box on the network, perform some basic hardening.

Post the results of netstat -ltun here after the fresh install.

Only four services were allowed by this firewall, ftpd, httpd, sshd...

Is the purpose of the box to provide those three services? If so, who (users / networks) should each be available to?

[aliov]

I'd highly recommend performing another new install

One question for you anomie, you believe if a Linux server is installed and configured correctly , it can be hacked !!! i never heard about something like that .


Regards.

[bigtomrodney]

The chances are it's through ssh.

• Use stronger passwords,
• Disable root login through ssh
• If possible change the ssh port to something much higher as scripts are almost always run against port 22
• Consider using ssh keys instead of passwords fro ssh authentication

any box running ssh on port 22 is likely to see brute force attempts regularly. I would suspect you fell victim to one of these due to relatively weak passwords.

[anomie]

One question for you anomie, you believe if a Linux server is installed and configured correctly , it can be hacked !!! i never heard about something like that .

First, I didn't say that so I'm not sure where you are getting that from.

Second, define "configured correctly". Even heavily hardened services can be cracked via brute force, zero-day exploits, etc.

[aliov]

First, I didn't say that so I'm not sure where you are getting that from.

It was just a question about your opinion !

Second, define "configured correctly". Even heavily hardened services can be cracked via brute force, zero-day exploits, etc.

I mean if the unused port are closed , complex non local password are used ,no sudoers users , closing any access of the root from outside etc .....

Regards.

[anomie]

Ok, you are asking about a hypothetical case (because it sounds to me like OP is running a box with several services wide open to the world). The ease at which it is getting cracked sounds like he has work to do.

Let me put it this way. If:

• All unused services are shut off.
• Shell access is restricted/hardened.
• Packet filtering rules are appropriately set.
• MAC policies are correctly set.
• Suid binaries are disabled or somehow contained.
• Public services are hardened to great extent.
• Physical access is properly controlled.
• (the theme here is that "Everything is denied unless specifically allowed")
• Auditing and logging is in place.

... then I think 99.9% of crackers will move on to a much easier target, unless you've really got something they want. Like anything in life, there is no perfect security solution. But you can increase the odds of protecting yourself so dramatically that you are not a good candidate to be targeted/compromised.