  1. #1 - Just Joined! (Join Date: May 2007; Posts: 2)

    I am being hacked out of business, please help.


    Hi,

    I own an internet radio station. I am posting here today because our system admin has been unable to stop an attack. Our server is based in Chicago and we are in Michigan. Our server is set up with an IP table and an IDS. So yeah, sure, we get attacked left and right, easily 1,000 times a day, but up until recently they have kept us safe.

    A few weeks ago things started to go wrong. Strange events began to happen, but nothing odd would show up in any logs and the IDS would think everything was fine. The server appeared to be shitting itself, but with no evidence of anything going on. Last night our server admin had an SSH tunnel up to the server and was working on it, trying to figure out what was going on with the server. They then noticed something odd. Another root user from an outside IP address appeared. We had been compromised. We banned that entire IP range, the hacker was out for the time, but the logs showed nothing... we now understood what had been happening.

    My system admin said they must have packet sniffed us, decrypted the key as it was sent out, then cyphered it. But the key changes every hour and is encrypted to the highest level; it would take a mainframe to decrypt in less than an hour. The admin changed the root password, a new key was sent, 7 min later, root was compromised again. It took them 7 min to cypher this key. Either they have a mainframe or know something we don't.

    So now that brings me to the present. Our server has been so screwed up we need to reinstall the OS. My system admin has no idea how to secure the server once it is back up, so for now we are shut down and losing money. He says the key is as encrypted as Linux allows and he is using every security measure he knows of. So I am here looking for ideas on how we can solve this problem.

  2. #2 - anomie, Linux Guru (Join Date: Mar 2005; Location: Texas; Posts: 1,692)
    mos4567,

    It sounds like you need some competent assistance securing your server. No one is going to be able to walk you through the entire process in a thread.

    Your sysadmin needs to get up to speed on this. (In fact, if he has specific questions, he's the one who needs to be researching and/or posting here.)

    If I had to take a wild guess, your sshd service is being brute-forced (probably your sysadmin left password authentication enabled, and did not prevent root logins over ssh). Once a rootkit was installed, the box was easy pickings for continued disruption.

    But that's neither here nor there -- you need someone who knows what he is doing to work on this and to train your sysadmin if that's what you want.

    ------------------------------

    edit: Just an idea -- try running a craigslist ad in your city requesting volunteer assistance locking down your Linux server. It'll be something someone could put on his resume, and you may be able to snap up some sharp CS student or a bored geek in your community.
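    Before rebuilding, the brute-force guess above can be checked against the auth log. The following is an added example, not code from the thread: it summarises sshd login attempts per source IP (failed, accepted, first and last seen) and flags addresses where failures were followed by an accepted login. The log lines are constructed samples in the classic syslog format sshd writes; on a real box they would come from /var/log/auth.log or /var/log/secure.

```shell
#!/bin/sh
# Constructed sample auth.log lines (not from the thread); RFC 5737 test addresses.
SAMPLE_LOG='May 28 02:14:01 radio sshd[4411]: Failed password for root from 203.0.113.7 port 51022 ssh2
May 28 02:14:03 radio sshd[4413]: Failed password for root from 203.0.113.7 port 51030 ssh2
May 28 02:14:05 radio sshd[4415]: Failed password for invalid user admin from 203.0.113.7 port 51041 ssh2
May 28 02:21:44 radio sshd[4470]: Accepted password for root from 203.0.113.7 port 51302 ssh2
May 28 09:00:12 radio sshd[5102]: Accepted publickey for ops from 198.51.100.4 port 40100 ssh2
May 28 09:05:30 radio sshd[5120]: Failed password for root from 192.0.2.9 port 33001 ssh2'

# Read sshd lines on stdin; print one line per source IP:
#   ip failed accepted first_seen|last_seen   (sorted by failures, descending)
ssh_login_report() {
    awk '
    /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for/ {
        ts = $1 " " $2 " " $3                      # syslog month, day, time
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if ($6 == "Failed") failed[ip]++; else accepted[ip]++
        if (!(ip in first)) first[ip] = ts
        last[ip] = ts
    }
    END {
        for (ip in first)
            printf "%s %d %d %s|%s\n", ip, failed[ip] + 0, accepted[ip] + 0, first[ip], last[ip]
    }' | sort -k2,2nr
}

# IPs that failed at least once AND later got in: the classic brute-force-then-success pattern.
# These are the addresses (with the timestamps above) worth sending to the whois contact.
suspicious_ips() {
    ssh_login_report | awk '$2 > 0 && $3 > 0 { print $1 }'
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_LOG" | ssh_login_report
printf '%s\n' "$SAMPLE_LOG" | suspicious_ips
```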

  3. #3 - Roxoff, Super Moderator (Join Date: Aug 2005; Location: Nottingham, England; Posts: 3,846)
    And general advice in the meantime:

    - turn off the server if possible. If not possible, disconnect it from the internet
    - if that's not possible, re-install it (you'll need to do this anyway - don't assume that any of the existing system is safe for use) and set up ssh access on a port other than 22, only allow key-based logins, deny root logins and password authentication. Do all of this before you plug the machine back into the internet.
    - Track the IP address of the connections, and forward all those ip addresses with the time/date of the attack to the 'whois' listed owner of the ip addresses. Attempting to hack a system like this is a criminal offence in many countries.
    Linux user #126863 - see http://linuxcounter.net/
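    As a concrete check of the sshd settings listed in the post above (non-default port, key-based logins only, no root logins, no password authentication), here is an added example that is my own and not from the thread: it audits an sshd_config file and returns the number of weak settings. It assumes the pre-7.0 OpenSSH defaults of that era (PermitRootLogin yes when absent) and a plain global config without Match blocks.

```shell
#!/bin/sh
# Audit an sshd_config against: Port != 22, PermitRootLogin no,
# PasswordAuthentication no, PubkeyAuthentication yes.
# Prints one FAIL line per weak setting; return value is the FAIL count.

# Effective value of a directive: sshd honours the FIRST uncommented occurrence
# (directive names are case-insensitive); fall back to the assumed default.
sshd_effective() {
    # $1 = config path, $2 = directive, $3 = assumed built-in default
    val=$(awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1")
    [ -n "$val" ] && echo "$val" || echo "$3"
}

audit_sshd_config() {
    f=$1
    fails=0
    port=$(sshd_effective "$f" Port 22)
    [ "$port" != 22 ] || { echo "FAIL: Port is 22 (default, constantly scanned)"; fails=$((fails + 1)); }
    # 'without-password' / 'prohibit-password' still admit root with a key; the post says deny root outright
    root=$(sshd_effective "$f" PermitRootLogin yes | tr 'A-Z' 'a-z')
    [ "$root" = no ] || { echo "FAIL: PermitRootLogin is '$root', want 'no'"; fails=$((fails + 1)); }
    pw=$(sshd_effective "$f" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    [ "$pw" = no ] || { echo "FAIL: PasswordAuthentication is '$pw', want 'no'"; fails=$((fails + 1)); }
    pk=$(sshd_effective "$f" PubkeyAuthentication yes | tr 'A-Z' 'a-z')
    [ "$pk" = yes ] || { echo "FAIL: PubkeyAuthentication is '$pk', want 'yes'"; fails=$((fails + 1)); }
    echo "$fails weak setting(s) in $f"
    return "$fails"
}

# Stand-alone run: audit the live config if this host has one
if [ -f /etc/ssh/sshd_config ]; then
    audit_sshd_config /etc/ssh/sshd_config || :
fi
```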

  4. #4 - Just Joined! (Join Date: May 2007; Posts: 2)

    Whew

    Thank you to all. Our server admin has secured the server and security experts are overhauling our entire security policy to something that is paranoid to say the least. The damage is bad; it looks like it's going to end up costing us a total of about a week of downtime and other expenses related to the server repair. The system admin has informed me that he fixed up how they got in and now they are trying a whole bunch of "amateur" things, according to him.

    We have found the hacker is at a University in Michigan and we are working on forwarding evidence to that University so hopefully they can take action.

  5. #5 - Just Joined! (Join Date: Jun 2005; Location: iowa; Posts: 64)

    want to sleep easier

    have them install a modem for the phone line.

    set up server no outside root, only on phone line.

    next set it up so this only works three times a day for 5 mins each.

    (a window for you to log into, open til you logout ssh)

    make it say 10:03 am 2:37 pm 7:15pm

  6. #6 - Just Joined! (Join Date: May 2007; Posts: 11)
    Quote Originally Posted by l8forwork
    have them install a modem for the phone line.

    set up server no outside root, only on phone line.

    next set it up so this only works three times a day for 5 mins each.

    (a window for you to log into, open til you logout ssh)

    make it say 10:03 am 2:37 pm 7:15pm
    I'd say this might be a little too paranoid, but requiring the use of a VPN to connect to the servers, and only letting a limited number of IP ranges access the VPN over the Internet wouldn't be a bad idea. If you travel a lot, you might open up the range of addresses more, but then I'd suggest looking into some form of two-factor authentication.

    Remote root access shouldn't be allowed in any case; the admin should be logging in with his password and using 'su' or 'sudo'. Hopefully your consultants are already suggesting this amongst their to-do list.

    Good luck getting everything back up and running. What's the URL of your online radio station?

    Martin McKeay, CISSP, GSNA
