Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi! My Linux server, which is running my company website, has been hacked. Today I saw a number of clients (customers) with some fun characters entries on my database. Access denial on really clients. Please assist, am running Linux Ubuntu 9 and I don't know where to start troubleshooting this. Let me confess that I am still on the learning curve on Linux.
If your server has been hacked, the best place for this thread might be security rather than server. Consider reporting your own thread, if you think that this is the case.
I'm afraid that your post is rather difficult to understand exactly; in this kind of case, understanding what you write approximately is probably not good enough.
Quote:
Today I saw a number of clients (customers)
Does this mean that you saw physical people? Or was it their accounts, some client programs that were running, or something else?
Quote:
with some fun characters
No idea what this means; characters as in people, or, in some file somewhere (exactly which?) are there some ASCII characters which are in some way 'fun'. What does 'fun' mean in this context and why do you think that this is evidence of being hacked?
Quote:
Access denial on really clients.
What is 'really'; is it a program?
Quote:
am running Linux Ubuntu 9
No you are not; there were two 9.xx versions, which one is it? Is it still supported?
Last edited by salasi; 02-16-2011 at 09:24 AM.
Reason: clarification
"Today I saw a number of clients (customers) with some fun characters entries on my database" means name entries in the MySQL database. And the real clients' usernames with permissions were changed, or sluggish characters added; for instance, the username is perfectpol, then it looks like this: ^^%3perfectpol^~. As a result they are not able to log in. Again, sorry for posting in the wrong thread. How can I move it to security?
Is the host computer at your site or hosted elsewhere? It needs to go offline - pull the network cable - or the hosting company might help you so that only your IP address can access it until fixed.
Can you notify your customers that it will be offline for maintenance tonight?
Does it host mission critical things for your customers? Things they will suffer financially being without for 24+ hours?
Has there been a serious data breach - are the passwords supplied by yourself, or could their personal passwords, ones they use for multiple logins elsewhere, have been compromised, complete with their names and private email addresses?
How many customers have you got to worry about?
They will want to know that you are on the case, getting it fixed, and all will be well, soonest.
They will also appreciate being given the advice promptly to change the same password wheresoever they use it, to protect themselves from the hacker accessing their email account, etc. etc. Be brave and tell them ASAP.
Last edited by oxfordite; 02-16-2011 at 02:14 PM.
Reason: removing naive comments - better answered by others!
You'll find an answer to that question (you can't directly change the thread yourself) in the first response: you report your own thread, using the 'report' button at the bottom of the thread, and ask the mods nicely to do it; they are normally very helpful for reasonable requests, and that would seem to me to be a reasonable request.
Sorry; where that says 'at the bottom of the thread', it should read 'at the bottom of each post'. Apologies.
Last edited by salasi; 02-16-2011 at 07:20 PM.
Reason: error with report button text
If possible, take this server off-line by disconnecting the network plug. If not, consider putting up a firewall that only allows SSH access from trusted IP addresses. Do NOT turn off the computer, isolate it.
The way compromises are handled here at LQ is by gathering and analyzing the facts to try to find out what happened so it doesn't happen again. To that end, we need some serious details including:
Exact version number of Ubuntu and the status of patching
What kinds of websites are being served, particularly if they are PHP based tools like Joomla, Drupal, phpBB, etc.
A list of any exposed services like ssh or ftp.
The rules for any firewall in place.
Any monitoring tools like Aide, Tripwire, Snort, Samhain, etc. that have been installed
Next, you need to start gathering facts about the current state of the machine. Using the CERT Checklist is usually a pretty good starting point. You also should generate the output from the following commands:
lsof -Pwn
netstat -nape
ps axfwwwe
These will be too big to post, so feel free to contact me directly with the output.
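The isolation and fact-gathering steps in the post above, as an added shell example that is not from the thread or from any of its posters. The first function prints, rather than applies, iptables rules that leave only SSH from one trusted address reachable and block all new outbound connections; the second runs the three commands listed above plus a few extras (ss, last, w) and saves each output to its own file with a hash list. The trusted address, the output directory and the extra commands are assumptions. Run it as root on the suspect host, ideally from known-good statically linked binaries on read-only media, and write the output somewhere other than the compromised disk, because a rootkit can change what lsof, netstat and ps report.

```bash
#!/bin/sh
# Added example, not from the LQ thread: isolate a suspect Linux host and
# collect volatile state before anything is changed or rebooted.
# The trusted address, output directory and extra commands (ss, last, w)
# are assumptions for illustration.

# Print the iptables rules that leave only SSH from $1 reachable and block
# all new outbound connections (reverse shells, exfiltration). They are
# printed, not applied: review them, then run `isolation_rules IP | sh` as root.
# ACCEPT rules come before the DROP policies so an SSH session already open
# from the trusted address is never cut off.
isolation_rules() {
    trusted="$1"
    cat <<EOF
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $trusted --dport 22 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# Run each triage command that exists on this host, save stdout+stderr to
# its own file under $1, note what was missing or failed, then hash the
# files so later tampering with the evidence is detectable. Prints the
# number of files written.
collect_triage() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$outdir/collected_at.txt"
    for cmd in "lsof -Pwn" "netstat -nape" "ps axfwwwe" "ss -nap" "last -F" "w"; do
        name=${cmd%% *}                    # program name = first word
        if command -v "$name" >/dev/null 2>&1; then
            # unquoted on purpose so the string splits into command + args
            $cmd > "$outdir/$name.txt" 2>&1 || echo "$name exited $?" >> "$outdir/errors.txt"
        else
            echo "$name: not installed" >> "$outdir/missing.txt"
        fi
    done
    if command -v sha256sum >/dev/null 2>&1; then
        ( cd "$outdir" && sha256sum -- *.txt > SHA256SUMS )
    fi
    ls "$outdir" | wc -l | tr -d ' '
}
```

Copy the SHA256SUMS file off the host immediately (over the one SSH session the rules allow) so the hashes themselves cannot be rewritten along with the evidence. Lifting the outbound block is a deliberate later step, after the initial access vector is understood, since the host cannot fetch updates while it is in place.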
- Secure the server / take offline
- Find what damage the hacker did and how and fix
- Find how the hacker accessed the server, and patch / tighten security as necessary
- Sign up to security advisory services to stay on top of your server patching/security admin
And, by implication, if you cannot do these things, plan B - your server is not secure, it will happen again, more learning required before being sysadmin again... you need help and to ask lots of questions of those that know.
In addition to the things that Hangdog42 has mentioned, I have these questions:
Do you keep backup copies of your logs, and do you have records of if / when any of the web sites' files have been changed?
Do you keep backup images?
Can you trace the first instance of these occurrences back to a date?
What I am getting at is the possibility of identifying when this first occurred and correlating it to a change.
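The correlation the poster is describing, as an added shell example that is not from the thread: given the date of the first tampered entry, list files under the web root changed since that date, and pull the web-server access log lines from that window. The web root, the log path and the sample log lines are constructed for the example, and the log format assumed is Apache's combined format.

```bash
#!/bin/sh
# Added example, not from the LQ thread: correlate the date of the first
# tampered database entry with file changes under the web root and with
# web-server requests around that time. Paths and the sample log lines
# are constructed for illustration.

# List regular files under $1 modified after $2, where $2 is in `touch -t`
# form (CCYYMMDDhhmm, e.g. 201102100000). Uses a reference file so it works
# with any POSIX find. A new web shell or an edited login script usually
# shows up here; mtime can be forged, so treat hits as leads, not proof.
changed_since() {
    ref="$(mktemp)" || return 1
    touch -t "$2" "$ref"
    find "$1" -type f -newer "$ref" | sort
    rm -f "$ref"
}

# Print lines of an Apache combined-format access log ($1) whose timestamp
# lies in [$2, $3], both given as YYYYMMDDhhmmss. Field 4 of each line looks
# like [10/Feb/2011:00:03:17; it is converted to a sortable key.
log_window() {
    awk -v from="$2" -v to="$3" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
    }
    {
        n = split(substr($4, 2), p, "[/:]")   # day Mon year hh mm ss
        if (n < 6) next                       # not a combined-format line
        key = p[3] mon[p[2]] p[1] p[4] p[5] p[6]
        if (key >= from && key <= to) print
    }' "$1"
}

# Constructed sample log (RFC 5737 documentation addresses) written to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [09/Feb/2011:23:58:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2011:00:03:17 +0000] "POST /admin/users.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Feb/2011:00:05:44 +0000] "GET /admin/users.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
192.0.2.33 - - [10/Feb/2011:08:12:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# Example run on a real host (paths are assumptions):
#   changed_since /var/www 201102100000
#   log_window /var/log/apache2/access.log 20110210000000 20110210010000
```

Work from copies of the logs, not the originals, and cross-check mtime hits with ctime (`ls -lc`), which `touch` cannot set back; a file whose mtime is old but whose ctime sits inside the window is worth a close look. Narrowing the window to the first tampered row, then widening it until the requests that touched the user table appear, is usually the fastest way to find the request that did the damage.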