  1. #1
    Just Joined!
    Join Date
    Oct 2007
    Posts
    7

    Server was hacked and needs cleaning up


    The Mandriva 2006 server in my lab was hacked twice in three months.
    The server was then used to hack other servers.

    I re-installed the OS after the first attack. Here the attack came again!
    If I simply re-install the OS this time there might be a third attack,
    and installation is time-consuming. Under Windows you can check the registry
    or use anti-virus software. In my situation, what can I do to detect
    viruses (trojans) and unusual processes?

    Your suggestion is highly appreciated.

  2. #2
    Linux Engineer aliov
    Join Date
    Dec 2006
    Location
    Geneva,Beirut
    Posts
    1,078
    How did you know that it was hacked? Is this server connected directly to the net or is it behind a router? Are you using any firewall on it? Which ports do you need?
    Linux is not only an operating system, it's a philosophy.
    Archost.

  3. #3
    Just Joined!
    Join Date
    Oct 2007
    Posts
    7
    Thanks for your reply.

    This server was controlled to attack other servers and consequently I got phone calls.

    I am not sure whether it is behind a router or not, but I would guess yes.

    I use the 'default' firewall of Mandriva 2006. Only four services were allowed by this firewall, ftpd, httpd, sshd and ping.

  5. #4
    Linux Engineer aliov
    Join Date
    Dec 2006
    Location
    Geneva,Beirut
    Posts
    1,078
    This I can't confirm, and I can't detect where the vulnerability is coming from in Mandriva 2006. Are you always updating the system, and especially the security fixes? In order to check hackers' activity run this:

    Code:
    netstat -tunp
    Linux is not only an operating system, it's a philosophy.
    Archost.
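    The following is an added example, not aliov's own script: it takes the output of the `netstat -tunp` command suggested above and triages it against the three services the box is supposed to serve (ftpd, sshd, httpd), listing any other listening socket and any established TCP session the host itself initiated. The netstat text, addresses, PIDs and program names are constructed for the demonstration. One caveat: a rootkit can replace netstat or hide sockets from it, so an empty report is not proof of a clean system, which is one reason the fresh-install advice later in this thread is sound.

```shell
#!/bin/sh
# Added example, not part of the thread. Triage `netstat -tunp` output against the set
# of ports the box is supposed to serve.

# Constructed sample output; the addresses, PIDs and program names are made up.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      850/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      901/httpd
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      2310/x
tcp        0      0 10.0.0.5:22             203.0.113.9:51022       ESTABLISHED 2201/sshd
tcp        0      0 10.0.0.5:45120          198.51.100.7:6667       ESTABLISHED 2310/x
udp        0      0 0.0.0.0:123             0.0.0.0:*                           640/ntpd'

# Print "proto port pid/program" for every listening socket whose local port is not in
# the space-separated allowlist $2. $1 is the netstat text.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" { prog = $7; listener = 1 }
        $1 ~ /^udp/                   { prog = $6; listener = 1 }   # udp rows have no State column
        listener {
            port = $4; sub(/.*:/, "", port)          # keep only the port of "addr:port"
            if (!(port in ok)) print $1, port, prog
            listener = 0
        }'
}

# Print "foreign-address pid/program" for ESTABLISHED TCP sessions whose local port is
# not a served port, i.e. connections this host initiated. On a box that was "used to
# hack other servers" these are the first lines to look at.
outbound_connections() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            lport = $4; sub(/.*:/, "", lport)
            if (!(lport in ok)) print $5, $7
        }'
}

SERVED_PORTS="21 22 80"   # ftpd, sshd, httpd, as allowed by the firewall in the thread
echo "== listeners outside the allowlist =="
unexpected_listeners "$SAMPLE_NETSTAT" "$SERVED_PORTS"
echo "== connections this host initiated =="
outbound_connections "$SAMPLE_NETSTAT" "$SERVED_PORTS"
```

On a live box you would replace the sample with `$(netstat -tunp)` run as root (the program name column is only filled for processes you own or as root). Every line the two functions print deserves an explanation: an unexplained listener or an outgoing session from an unknown program name is exactly the evidence the original poster is asking how to find.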

  6. #5
    Linux Guru anomie
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    I'd highly recommend performing another new install. This time, before putting the box on the network, perform some basic hardening.

    Post the results of netstat -ltun here after the fresh install.

    Only four services were allowed by this firewall, ftpd, httpd, sshd...
    Is the purpose of the box to provide those three services? If so, who (users / networks) should each be available to?

  7. #6
    Linux Engineer aliov
    Join Date
    Dec 2006
    Location
    Geneva,Beirut
    Posts
    1,078
    Quote Originally Posted by anomie View Post
    I'd highly recommend performing another new install
    One question for you anomie: you believe that if a Linux server is installed and configured correctly, it can be hacked!!! I never heard about something like that.


    Regards.
    Linux is not only an operating system, it's a philosophy.
    Archost.

  8. #7
    Linux Guru bigtomrodney
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,133
    The chances are it's through ssh.
    • Use stronger passwords,
    • Disable root login through ssh
    • If possible change the ssh port to something much higher as scripts are almost always run against port 22
    • Consider using ssh keys instead of passwords for ssh authentication
    Any box running ssh on port 22 is likely to see brute force attempts regularly. I would suspect you fell victim to one of these due to relatively weak passwords.
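    As an added example (not bigtomrodney's code), here is a small audit of the sshd settings his list covers. It handles the detail that bites people who "harden" a config by appending lines at the end: sshd applies the first occurrence of each keyword, so a `PermitRootLogin no` added below an earlier `PermitRootLogin yes` changes nothing. Keywords are matched case-insensitively and comments are skipped. The two config texts are constructed, and the assumed defaults when a keyword is absent (root login and password authentication permitted, port 22) are those of the OpenSSH releases of that era; `Match` blocks, which scope settings to particular users or hosts, are not handled.

```shell
#!/bin/sh
# Added example, not part of the thread: report weak sshd_config settings read from stdin.
# sshd uses the FIRST occurrence of a keyword; later duplicates are ignored.
# Assumed defaults for an absent keyword: PermitRootLogin yes, PasswordAuthentication yes,
# Port 22 (assumption based on OpenSSH defaults of the time). Match blocks are not handled.
audit_sshd_config() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }       # skip comments and blank lines
        {
            key = tolower($1)
            if (!(key in val)) val[key] = tolower($2)        # first occurrence wins, as in sshd
        }
        END {
            if (!("permitrootlogin"        in val)) val["permitrootlogin"]        = "yes"
            if (!("passwordauthentication" in val)) val["passwordauthentication"] = "yes"
            if (!("port"                   in val)) val["port"]                   = "22"
            if (val["permitrootlogin"] == "yes")        print "WEAK PermitRootLogin yes (disable root login over ssh)"
            if (val["passwordauthentication"] == "yes") print "WEAK PasswordAuthentication yes (prefer keys)"
            if (val["port"] == "22")                    print "NOTE Port 22 (default port, scanned constantly)"
        }'
}

# Constructed config: someone appended hardening lines, but the earlier lines still win.
WEAK_CFG='# constructed example, not a real host configuration
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# appended later, has no effect because of the lines above
PermitRootLogin no
PasswordAuthentication no'

# Constructed config with the settings from the list above applied correctly.
HARDENED_CFG='Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

echo "== weak config =="
printf '%s\n' "$WEAK_CFG" | audit_sshd_config
echo "== hardened config =="
printf '%s\n' "$HARDENED_CFG" | audit_sshd_config     # prints nothing
```

Run it on a real host with `audit_sshd_config < /etc/ssh/sshd_config` and restart sshd only after checking `sshd -t` reports no syntax errors. Moving the port mainly cuts down log noise from automated scanners; disabling root login and replacing passwords with keys are the controls that actually stop a brute force attempt from succeeding.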

  9. #8
    Linux Guru anomie
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Quote Originally Posted by aliov
    One question for you anomie: you believe that if a Linux server is installed and configured correctly, it can be hacked!!! I never heard about something like that.
    First, I didn't say that so I'm not sure where you are getting that from.

    Second, define "configured correctly". Even heavily hardened services can be cracked via brute force, zero-day exploits, etc.

  10. #9
    Linux Engineer aliov
    Join Date
    Dec 2006
    Location
    Geneva,Beirut
    Posts
    1,078
    Quote Originally Posted by anomie View Post
    First, I didn't say that so I'm not sure where you are getting that from.
    It was just a question about your opinion!


    Quote Originally Posted by anomie View Post
    Second, define "configured correctly". Even heavily hardened services can be cracked via brute force, zero-day exploits, etc.
    I mean if the unused ports are closed, complex non-local passwords are used, no sudoers users, closing any access of root from outside, etc.

    Regards.
    Linux is not only an operating system, it's a philosophy.
    Archost.

  11. #10
    Linux Guru anomie
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Ok, you are asking about a hypothetical case (because it sounds to me like OP is running a box with several services wide open to the world). The ease with which it is getting cracked sounds like he has work to do.

    Let me put it this way. If:
    • All unused services are shut off.
    • Shell access is restricted/hardened.
    • Packet filtering rules are appropriately set.
    • MAC policies are correctly set.
    • Suid binaries are disabled or somehow contained.
    • Public services are hardened to great extent.
    • Physical access is properly controlled.
    • (the theme here is that "Everything is denied unless specifically allowed")
    • Auditing and logging is in place.


    ... then I think 99.9% of crackers will move on to a much easier target, unless you've really got something they want. Like anything in life, there is no perfect security solution. But you can increase the odds of protecting yourself so dramatically that you are not a good candidate to be targeted/compromised.
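    Two items in the list above, containing suid binaries and having auditing in place, plus the earlier advice to reinstall and harden before the box goes on the network, come together in one simple practice: record what the setuid binaries look like on the clean install and compare against that record later. The script below is an added example, not anomie's or the distribution's own tooling. It lists every setuid file with a SHA-256 digest (assuming `sha256sum` or `shasum` is installed), sorted so the two lists can be compared with `comm`, and a self-contained demonstration in a scratch directory shows a replaced binary and a file that newly gained the suid bit both surfacing in the diff. The files in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: baseline the setuid binaries of a clean install
# and diff a later listing against it. Assumption: sha256sum (coreutils) or shasum exists.
if command -v sha256sum >/dev/null 2>&1; then HASH=sha256sum; else HASH="shasum -a 256"; fi

# Print "path digest" for every setuid regular file under $1, sorted so that two listings
# can be compared line by line with comm(1).
suid_baseline() {
    find "$1" -type f -perm -4000 -exec $HASH {} + | awk '{ print $2, $1 }' | sort
}

# Lines present in the current listing ($2) but absent from the baseline ($1): each one is
# a setuid binary that is new or whose contents changed since the baseline was taken.
suid_drift() {
    comm -13 "$1" "$2"
}

# Self-contained demonstration on constructed files in a scratch directory.
demo_suid_drift() {
    dir=$(mktemp -d) || return 1
    printf 'binary-a\n' > "$dir/a"
    printf 'binary-b\n' > "$dir/b"
    printf 'binary-c\n' > "$dir/c"
    chmod 4755 "$dir/a" "$dir/b"       # a and b are setuid on the "clean install"
    chmod 0755 "$dir/c"
    suid_baseline "$dir" > "$dir/baseline.txt"

    printf 'replaced-b\n' > "$dir/b"   # later: b was replaced with different contents
    chmod 4755 "$dir/c"                # and c gained the setuid bit
    suid_baseline "$dir" > "$dir/current.txt"

    suid_drift "$dir/baseline.txt" "$dir/current.txt"   # prints the b and c lines only
    rm -rf "$dir"
}

demo_suid_drift
```

On a real box, take the baseline right after the fresh install (`suid_baseline / > /root/suid-baseline.txt`, or better, store it off the machine, since an intruder with root can edit a file kept locally), and rerun the comparison from a cron job or after any incident. `comm -23` with the same arguments shows the reverse direction, setuid files that disappeared or changed.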
