#1 - Just Joined! (Join Date: Feb 2007, Posts: 4)

    Server compromised perhaps??


    Hi guys.

    As you can see from the below email, it looks as if one of my servers has been compromised. Excuse my arrogance, but can you guys help fix it? I need to know where I should be looking. Where is the best place to start to confirm that the server is definitely compromised? The LKM and bindshell reports are not too worrying - they might be false positives - but given that my netstat and ps are infected, I am starting to think I might have an intruder.

    So where to start - I cannot see any odd usernames in /etc/passwd and I am the only user logged into the box?

    Rather than put the full chkrootkit and rkhunter output here, the links are as follows:

    1) chkrootkit - www.bcom.co.za/chkrootkit.txt
    2) rkhunter - www.bcom.co.za/rkhunter.txt

    I tried re-installing the net tools package for netstat but get this:

    [root@usa net-tools]# rpm -U --force net-tools-1.60-25.1.i386.rpm
    error: net-tools-1.60-25.1.i386.rpm: headerRead failed: region trailer: BAD, tag 1768841076 type 7567731 offset -1952804191 count 1966763874
    error: net-tools-1.60-25.1.i386.rpm cannot be installed
    [root@usa net-tools]#

    Any advice is much appreciated!

    Thanks,
    Mike

#2 - anomie (Linux Guru; Join Date: Mar 2005; Location: Texas; Posts: 1,692)

    It's highly likely that a rootkit has been installed on your box (as noted by rkhunter). It's also pretty worrying that both chkrootkit and rkhunter identified the same infected binaries -- that means at the very least those are probably infected.

    At this stage of the game, I would:
    • Take the system offline.
    • Backup / make an image of the entire system so that you can review it later if necessary.
    • Start from scratch. You're not going to be able to clean up the rootkit on your own, and the box can no longer be trusted until you wipe it clean.


    Also, according to the scans you're running FC2?? That version is no longer maintained, which means you aren't getting security fixes (which may be how you got exploited in the first place). Upgrade to the latest FC, or - better still - CentOS.
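The thread's core worry is that ps and netstat themselves are trojaned, so their output cannot be trusted. The following is an added example (not from any poster) of the cross-check chkrootkit's chkproc performs: every numeric entry in /proc is compared with the PIDs a `ps` run reports, and anything ps leaves out is flagged. Constructed sample data stands in for a live box so it runs offline.

```python
"""Flag PIDs visible in /proc but missing from `ps` output.

A userland rootkit that patches the ps binary to hide its processes leaves
them visible as /proc/<pid> directories. An LKM rootkit (the other finding
in the OP's scan) can hide from /proc too, so a clean result here only rules
out the trojaned-ps case, not a kernel-level hide.
"""
import os
import re
import subprocess


def pids_from_proc(proc_root="/proc"):
    """Return the set of numeric directory names under proc_root."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps_output(text):
    """Parse `ps -e -o pid=` style output: one bare PID per line."""
    return {int(m.group(1)) for m in re.finditer(r"^\s*(\d+)\s*$", text, re.M)}


def hidden_pids(proc_pids, ps_pids, self_pids=()):
    """PIDs present in /proc but absent from ps.

    self_pids (our own process and the ps child) are excluded because they
    legitimately differ between the two snapshots. Very short-lived processes
    can also appear in one snapshot and not the other, so re-run and look for
    PIDs that are consistently hidden before drawing conclusions.
    """
    return sorted(p for p in proc_pids - ps_pids if p not in self_pids)


def scan_live():
    """Run on a real host: enumerate /proc, ask ps, compare.

    On a compromised box the local ps is suspect; run a known-good static ps
    from trusted media (or examine the disk image offline, as advised above).
    """
    proc_pids = pids_from_proc()
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True)
    return hidden_pids(proc_pids, pids_from_ps_output(out.stdout),
                       self_pids={os.getpid()})


# Constructed sample: /proc shows four PIDs, the (hypothetically trojaned)
# ps output omits 4243.
SAMPLE_PROC_PIDS = {1, 2, 4242, 4243}
SAMPLE_PS_OUTPUT = "    1\n    2\n 4242\n"

if __name__ == "__main__":
    print(hidden_pids(SAMPLE_PROC_PIDS, pids_from_ps_output(SAMPLE_PS_OUTPUT)))
```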

#3 - Just Joined! (Join Date: Feb 2007, Posts: 4)

    hacked...

    Thanks for the reply Anomie. Yes it seems there is some kind of mach bot running on the server.

    OK so it's time for an upgrade.

    Any quick backup tools that anyone can recommend? Should I go for Cent or RH ES 4?

    Thanks again....

    Mike

#4 - anomie (Linux Guru; Join Date: Mar 2005; Location: Texas; Posts: 1,692)

    The easiest thing might be to hang on to the physical drive so that you can review it in a safe environment. If that's not possible, you can image it with something like ghost for unix. The purpose of this is for analysis -- you can take your time analyzing what the cracker did and what might have been compromised.

    As far as bringing files into the new system, you will probably want to restore app configurations (in /etc) by hand -- it's possible they were infected too. Personal files may or may not be reliable and in the state you would expect; hopefully you have a good backup of them from before the box was compromised.

    RHEL or CentOS? Depends on the money you're willing to spend and whether you need professional support.

#5 - cybersmurf (Linux Newbie; Join Date: Apr 2006; Posts: 122)

    Hmmm

    Yeah you could spend money on Cent or RHEL, but if you were using FC2 and having good luck (ish) with it why not just go with FC6??

    Cheap and Familiar over spendy and strange...

    As for the support issue, I think this forum has all the technical support you're ever going to need :P

    also as far as firewall what are you running??

    I tend to use Firestarter, but I am unfamiliar with that aspect as to which firewalls are good and what is good for servers as opposed to desktops.

    Cybersmurf
    The problem with developing something completely foolproof is underestimating the complete ingenuity of fools ~Unknown

#6 - anomie (Linux Guru; Join Date: Mar 2005; Location: Texas; Posts: 1,692)

    CentOS is free. I'd prefer stable and fully tested over bleeding edge for a production environment, personally.

#7 - Just Joined! (Join Date: Feb 2007, Posts: 4)

    re your post...

    OK so which one is stable and fully tested - surely the RH ES 4 - that's what you are paying for, isn't it?

#8 - anomie (Linux Guru; Join Date: Mar 2005; Location: Texas; Posts: 1,692)

    Definitely. I don't really want to encourage one option over the other, because I don't know your situation.

    Do you have a manager and/or paying customers to whom you're accountable? Is true production quality the most important aspect? Buy RHEL and review their support options.

    Do you have more flexibility and time to solve problems on your own (without losing your job)? Are you in a situation where some downtime is acceptable? Go with CentOS, which is the non-RHEL but built on RHEL SRPMS distro. (Just have a look at their website.)

    I suggested these two options because they're obviously very FC-like.

#9 - Just Joined! (Join Date: Feb 2007, Posts: 4)

    re

    Yeah I have RH ES4 running on 2 of my other servers. Thanks for the input - will go that route!
