Hello, I am running an apache 2 (the one that comes on the redhat iso) webserver on redhat 9. I only have the webserver and ssh server running, but this hacker keeps being able to gain control of my system. How does he keep getting in? I do have some other services installed and a couple running, but only port 80 and 22 are open on my firewall and I thought that ssh was secure? Oh, also, after each time he gets in, I do a fresh install, so there are no back doors or packet sniffers to begin with. My server seems to have some fatal security flaw that he can easily exploit.
This last time, he did leave behind a lot of files and other stuff, is there any way to find out who he is, or where he is, or what he is using to get in? Could someone please help me? I am about to say forget it and take the server down altogether.
Be sure to update your system, the versions that come with the cd could be exploitable. And check for a rootkit as well, could be that there are tools installed that prevent the hacker from being discovered. Basically it is a good idea to disconnect your machine from the internet and run a util (chkrootkit, rkhunter) that will check your machine for these rootkits.
Yeah, there is a rootkit installed...I don't need to run rkhunter because I found the problems by hand. There is a scan running and also my ls is corrupt, it hides '...' among other things. But when I do a fresh install all this is wiped clean, correct??
Is the problem a security issue with Apache then or SSH? In the access log for apache there were a couple of strange entries...on one instead of a GET or POST it was a HTTP/1.0 CONNECT request to some fake IP on port 6668 for pxyscan and that seems to be how they got access because it is the first strange entry. Then after that there were several requests for *.pl files in the cgi-bin directory. What is a CONNECT request? Also for this request it returned a 405 code...neither of these two behaviors are in the HTTP 1.0 protocol docs. Does Apache service CONNECT requests?
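The kind of log review described in the post above, written out as an added example (not the poster's log or commands): a small parser for Apache access log lines that flags CONNECT tunnel requests (open-proxy probes, typically aimed at IRC ports like 6668), requests for Perl scripts under /cgi-bin/, and 405 responses. The sample lines and IP addresses are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Apache "common"/"combined" access log line. The sample lines below are
# constructed for this example, not copied from the poster's log.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    return m.groupdict()

def classify(entry: Dict[str, str]) -> List[str]:
    """Reasons a request looks like a probe; an empty list means it looks ordinary."""
    reasons = []
    if entry["method"] == "CONNECT":
        # CONNECT asks the server to open a TCP tunnel to host:port; a target on
        # an IRC port is the classic open-proxy probe (what "pxyscan" looks for).
        reasons.append("CONNECT tunnel request (open-proxy probe)")
    path = entry["target"].split("?", 1)[0]
    if path.startswith("/cgi-bin/") and path.endswith(".pl"):
        reasons.append("probe for Perl CGI script")
    if entry["status"] == "405":
        reasons.append("server refused the method (405)")
    return reasons

def suspicious_requests(lines: List[str]) -> List[Tuple[str, str, str, str, List[str]]]:
    findings = []
    for line in lines:
        entry = parse_line(line)
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["method"], entry["target"],
                             entry["status"], reasons))
    return findings

SAMPLE_LOG = [  # constructed sample using RFC 5737 documentation addresses
    '203.0.113.5 - - [10/Mar/2004:13:55:36 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [10/Mar/2004:13:57:01 -0500] "CONNECT 198.51.100.7:6668 HTTP/1.0" 405 0',
    '203.0.113.5 - - [10/Mar/2004:13:58:12 -0500] "GET /cgi-bin/test.pl HTTP/1.0" 404 211',
    '192.0.2.10 - - [10/Mar/2004:14:01:44 -0500] "POST /form HTTP/1.1" 200 512',
]
```

A 405 on a CONNECT shows Apache refused to tunnel, so on its own that entry is a probe rather than the break-in; the cgi-bin requests that follow are where to look for a script that actually answered.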
This sounds so much like a question in an exam, not sure of the point, but I know it's not an exam, seems like a question to make you feel dumb :) How did you find it by hand but need to come here and ask about it?
The last exploit in SSH is some time ago, so it will probably be apache/php that caused the intrusion into your system. But when a rootkit is installed you can't tell what they do on and with your system. It depends on what they installed.
A complete reinstall of your system is the only way to be sure that it is safe again. And keep your system up to date, Redhat has tools to do it for you.
I found it by hand because I found a page that talked about this one guy's experience with a similar problem and he said run 'find / ".*" -ls' and sure enough, just like in his case there was a directory called '...' so, that is how I determined I had a rootkit installed. There were also some processes that were not showing up when ps was run.
I guess I will reinstall and actually get the updates for stuff this time...It looks like he was in my system for about 2.5 hours (a lot longer than it takes for me to reinstall redhat), GOD, don't these guys have something better to be doing??
Is there any way that the hacker could have installed a packet sniffer or some other malicious programs on my 2 windows machines connected to the same network? They aren't really running any network services and they both have the windows firewall up, but still....
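The two by-hand checks from the post above (a directory named only with dots that a trojaned ls hides, and processes that a trojaned ps does not list), as an added example that is not the poster's commands: it reads directories and /proc through the kernel rather than through ls and ps, so it still sees what those binaries were patched to hide, unless the kernel itself has been hooked. The demo tree and the PID lists in the demo are constructed.

```python
import os
import re
import subprocess
import tempfile
from typing import Iterable, List, Set

# Names made only of dots and spaces ("...", ". ", "..  ") are a classic
# rootkit hiding spot; os.walk never goes through the ls binary.
ODD_NAME_RE = re.compile(r'^[. ]+$')

def odd_dot_names(root: str) -> List[str]:
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if ODD_NAME_RE.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def hidden_pids(proc_pids: Iterable[str], ps_pids: Iterable[str]) -> Set[str]:
    """PIDs present in /proc but missing from ps output (a trojaned ps hides them)."""
    return set(proc_pids) - set(ps_pids)

def live_hidden_pids() -> Set[str]:
    """Compare the kernel's /proc view with what ps reports. Short-lived
    processes can show up in one listing and not the other, so run this a
    few times and only trust PIDs that stay hidden every time."""
    proc = [n for n in os.listdir("/proc") if n.isdigit()]
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True, check=True).stdout
    return hidden_pids(proc, ps_out.split())

def demo_odd_names() -> List[str]:
    """Build a constructed tree containing a '...' directory and return the odd basenames."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "tmp", "..."))
        os.makedirs(os.path.join(base, "var", "lib"))
        with open(os.path.join(base, "tmp", "...", "scan"), "w") as f:
            f.write("placeholder\n")  # stands in for whatever the intruder left
        return [os.path.basename(p) for p in odd_dot_names(base)]
```

Run these from a boot CD or on the mounted disk of the compromised box where possible; the reinstall the other posters recommend is still the only way to be sure.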
Windows has tools for discovering trojans and backdoors as well. But I have been a dedicated Linux user for years now, so I can't give you names of programs to use (HijackThis??).
The crackers probably abuse your bandwidth (FXP), or they abuse your machine(s) in a zombie network to DDOS other machines.
Or use it as an IRC bouncer and do all kinds of things that are illegal, or send spam from your machine.
Could be anything...
Another piece of advice for you:
re-install and patch your system, but re-install with a different root password...
SSH in itself is very secure, but the Achilles heel is always the chosen password. And from time to time there is always someone who states, "the only thing I allow is HTTP, SSH, SMTP, should that not be safe enough?".
Well, rule of thumb, only have services up and running that you intend to use, shut down all other services. RH9 AFAIK had Telnet enabled by default. And if you have that enabled, it will not take long to get hacked.
Rule no.2. If you have set up a bunch of rules on your IPTABLES/FW, test them with an online scanner or a scanner from within your network. That's the only way to be 99.9% sure that your system is closed for your purpose only.
Btw, a very common issue also, is that some users who convert from Windows to Linux tend to use "root" as their ordinary user, due to the lack of ability to install software as your ordinary user. This IS and will ALWAYS be a security issue.
Also make sure you don't run software with known buffer exploits, like the apache and ssh versions that ship with rh9 and any available rpms for rh9.
Do a fresh install, remove apache and ssh rpms and install from source, or install a newer distro.