LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-16-2011, 08:38 AM   #1
perfectpol7
Member
 
Registered: Feb 2009
Posts: 84

Rep: Reputation: 15
Server Hacked


Hie! My Linux server, which is running my company website, has been hacked. Today I saw a number of clients (customers) with some fun characters entries on my database. Access denial on really clients. Please assist; am running Linux Ubuntu 9 and I don't know where to start troubleshooting this. Let me confess that I am still on the learning curve on Linux.
 
Old 02-16-2011, 09:23 AM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
  • If your server has been hacked, the best place for this thread might be security rather than server. Consider reporting your own thread, if you think that this is the case.
  • I'm afraid that your post is rather difficult to understand exactly; in this kind of case, understanding what you write approximately is probably not good enough.
  • Quote:
    Today I saw a number of clients (customers)
    Does this mean that you saw physical people? Or was it their accounts, some client programs that were running, or something else?
  • Quote:
    with some fun characters
    No idea what this means; characters as in people, or, in some file somewhere (exactly which?) are there some ASCII characters which are in some way 'fun'. What does 'fun' mean in this context and why do you think that this is evidence of being hacked?
  • Quote:
    Access denial on really clients.
    What is 'really'; is it a program?
  • Quote:
    am running Linux Ubuntu 9
    No you are not; there were two 9.xx versions, which one is it? Is it still supported?

Last edited by salasi; 02-16-2011 at 09:24 AM. Reason: clarification
 
1 members found this post helpful.
Old 02-16-2011, 09:38 AM   #3
perfectpol7
Member
 
Registered: Feb 2009
Posts: 84

Original Poster
Rep: Reputation: 15
Sorry for the poor grammar,

Today I saw a number of clients (customers) with some fun characters entries on my database, meaning name entries in the MySQL database. And the real clients, or usernames with permission, were changed or sluggish characters were added; for instance, the username is perfectpol, then it looks like this: ^^%3perfectpol^~. As a result they are not able to log in. Again, sorry for posting in the wrong thread. How can I move it to security?
 
Old 02-16-2011, 10:46 AM   #4
oxfordite
LQ Newbie
 
Registered: Feb 2011
Posts: 7

Rep: Reputation: 1
Is the host computer at your site or hosted elsewhere? It needs to go offline - pull the network cable - or the hosting company might help you so that only your IP address can access it until fixed.
Can you notify your customers that it will be offline for maintenance tonight?

Does it host mission critical things for your customers? Things they will suffer financially being without for 24+ hours?
Has there been a serious data breach - are the passwords supplied by yourself, or could their personal passwords, ones they use for multiple logins elsewhere, have been compromised, complete with their names and private email addresses?

How many customers have you got to worry about?
They will want to know that you are on the case, getting it fixed, and all will be well, soonest.
They will also appreciate being given the advice promptly to change the same password wheresoever they use it, to protect themselves from the hacker accessing their email account, etc. etc. Be brave and tell them ASAP.

Last edited by oxfordite; 02-16-2011 at 02:14 PM. Reason: removing naive comments - better answered by others!
 
1 members found this post helpful.
Old 02-16-2011, 11:27 AM   #5
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by perfectpol7
Let me confess that I am still on the learning curve on Linux
OK, what you want is
http://www.linuxquestions.org/questi...erences-45261/

There is a lot there, and you'll want to go through the list eventually, but, from where you are now, here is where you want to start

http://web.archive.org/web/200801092...checklist.html

and then

http://web.archive.org/web/200801230...ompromise.html

Quote:
How can I move it to security?
You'll find an answer to that question (you can't directly change the thread yourself) in the first response: you report your own thread, using the 'report' button at the bottom of the thread, and ask the mods nicely to do it; they are normally very helpful for reasonable requests, and that would seem to me to be a reasonable request.


Sorry; where that says 'at the bottom of the thread', it should read 'at the bottom of each post'. Apologies.

Last edited by salasi; 02-16-2011 at 07:20 PM. Reason: error with report button text
 
Old 02-16-2011, 11:49 AM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
If possible, take this server off-line by disconnecting the network plug. If not, consider putting up a firewall that only allows SSH access from trusted IP addresses. Do NOT turn off the computer, isolate it.

The way compromises are handled here at LQ is by gathering and analyzing the facts to try and find out what happened so it doesn't happen again. To that end, we need some serious details, including:

- Exact version number of Ubuntu and the status of patching
- What kinds of websites are being served, particularly if they are PHP based tools like Joomla, Drupal, phpBB, etc.
- A list of any exposed services like ssh or ftp.
- The rules for any firewall in place.
- Any monitoring tools like Aide, Tripwire, Snort, Samhain, etc. that have been installed

Next, you need to start gathering facts about the current state of the machine. Using the CERT Checklist is usually a pretty good starting point. You also should generate the output from the following commands:

    lsof -Pwn
    netstat -nape
    ps axfwwwe

These will be too big to post, so feel free to contact me directly with the output.
 
3 members found this post helpful.
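The collection step Hangdog42 describes, written out as an added example (this is not code from the thread or from LQ): a small POSIX sh library that runs the three commands from the post, plus ss and uname, into a timestamped evidence directory, records which tools were missing instead of failing, and writes a SHA-256 manifest so whoever receives the output can confirm it was not altered in transit. The directory layout, file names and the fallback to shasum are my assumptions, not anything the post specifies.

```shell
#!/bin/sh
# Added example, not from the thread. Captures volatile host state (open files,
# sockets, process tree) into an evidence directory and hashes every file.
# Assumes POSIX sh; lsof, netstat, ss and ps are used only if present.

# Run one command, saving stdout+stderr to <dir>/<name>.txt. A missing tool or
# a non-zero exit is recorded in the file and in collection.log, never fatal.
capture() {
    c_dir=$1; c_name=$2; shift 2
    c_tool=$1
    if command -v "$c_tool" >/dev/null 2>&1; then
        "$@" >"$c_dir/$c_name.txt" 2>&1 \
            || printf 'exit status %s\n' $? >>"$c_dir/$c_name.txt"
        printf '%s: ran (%s)\n' "$c_name" "$*" >>"$c_dir/collection.log"
    else
        printf 'tool %s not available on this host\n' "$c_tool" >"$c_dir/$c_name.txt"
        printf '%s: skipped (%s missing)\n' "$c_name" "$c_tool" >>"$c_dir/collection.log"
    fi
}

# Pick the SHA-256 tool: coreutils sha256sum, else perl shasum (assumed fallback).
hasher() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# Hash every collected .txt file so the receiver can verify the bundle.
write_manifest() {
    m_dir=$1
    ( cd "$m_dir" && $(hasher) ./*.txt ) >"$m_dir/MANIFEST.sha256"
}

# Re-check the manifest; returns 0 only if every hash still matches.
verify_manifest() {
    m_dir=$1
    ( cd "$m_dir" && $(hasher) -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# Collect into $1 (default ./evidence-<UTC timestamp>); prints the directory.
collect_volatile_state() {
    e_dir=${1:-"./evidence-$(date -u +%Y%m%dT%H%M%SZ)"}
    mkdir -p "$e_dir" || return 1
    date -u '+collected at %Y-%m-%dT%H:%M:%SZ' >"$e_dir/collection.log"
    # The three commands from the post, verbatim:
    capture "$e_dir" lsof    lsof -Pwn
    capture "$e_dir" netstat netstat -nape
    capture "$e_dir" ps      ps axfwwwe
    # ss replaces netstat on newer distributions; uname pins the kernel version.
    capture "$e_dir" ss      ss -tunap
    capture "$e_dir" uname   uname -a
    write_manifest "$e_dir"
    printf '%s\n' "$e_dir"
}
```

Usage: source the file and run `dir=$(collect_volatile_state) && verify_manifest "$dir"` as root on the isolated machine, then copy the whole directory (manifest included) to wherever the analysis happens. The commands are run with their full option strings exactly as posted; anything that is absent on the host shows up as a "skipped" line rather than an empty file, which matters when the machine is a minimal or stripped-down install.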
Old 02-17-2011, 07:26 AM   #7
oxfordite
LQ Newbie
 
Registered: Feb 2011
Posts: 7

Rep: Reputation: 1
sys admin hack cleanup story on Debian server

Though I'm a newbie, this looks like the type of story that throws light on the topic of what needs to be done if your server gets hacked:

http://www.linux.com/archive/feature/113974

- Secure the server / take offline
- Find what damage the hacker did and how and fix
- Find how the hacker accessed the server, and patch / tighten security as necessary
- Sign up to security advisory services to stay on top of your server patching/security admin

And, by implication, if you cannot do these things, plan B - your server is not secure, it will happen again, more learning required before being sysadmin again... you need help and to ask lots of questions of those that know.
 
Old 02-20-2011, 09:01 AM   #8
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 556
Moved: This thread is more suitable in Linux Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 02-21-2011, 04:42 AM   #9
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
In addition to the things that Hangdog42 has mentioned, I have these questions:
Do you keep backup copies of your logs, and do you have records of if / when any of the web site files have been changed?
Do you keep backup images?
Can you trace the first instance of these occurrences back to a date?

What I am getting at is the possibility of identifying when this first occurred and correlating it to a change.
 
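Noway2's questions about file changes and backup images, turned into two checks as an added example (not code from the thread): the first lists files under a web root modified after a chosen date, oldest first, so the earliest tampering can be dated; the second hashes a known-good copy (a backup image mounted read-only, for instance) and reports exactly which files in the live tree were modified, added or missing. Directory names and the "ADDED / MODIFIED / MISSING" labels are my choices; the script assumes POSIX sh with GNU or BusyBox touch -d, stat -c and sha256sum.

```shell
#!/bin/sh
# Added example, not from the thread. Dates file changes under a directory and
# diffs a live tree against a SHA-256 baseline taken from a backup.
# Assumes GNU/BusyBox userland: touch -d, stat -c, sha256sum, find -newer (POSIX).

# Print "<mtime epoch> <path>" for every regular file under $1 modified after the
# date/time in $2 (e.g. "2011-02-10 00:00"), oldest first.
files_changed_since() {
    f_dir=$1; f_since=$2
    f_ref=$(mktemp) || return 1
    # -newer compares against a reference file, so give it the chosen mtime
    touch -d "$f_since" "$f_ref" || { rm -f "$f_ref"; return 1; }
    find "$f_dir" -type f -newer "$f_ref" -exec stat -c '%Y %n' {} + | sort -n
    rm -f "$f_ref"
}

# Build a baseline "<sha256>  ./relative/path" from a known-good tree ($1).
# Run this against the backup image, not the compromised host.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# Compare the live tree $1 against baseline file $2. Prints one line per
# difference: "MODIFIED path", "ADDED path" or "MISSING path", sorted.
# Paths containing whitespace are not handled (awk splits on it).
compare_to_baseline() {
    b_live=$1; b_base=$2
    b_cur=$(mktemp) || return 1
    make_baseline "$b_live" >"$b_cur"
    awk '
        NR == FNR { base[$2] = $1; next }          # first file: baseline hashes
        {
            if (!($2 in base))        print "ADDED " $2
            else {
                if (base[$2] != $1)   print "MODIFIED " $2
                delete base[$2]       # seen in both trees
            }
        }
        END { for (p in base) print "MISSING " p }  # only in the baseline
    ' "$b_base" "$b_cur" | sort
    rm -f "$b_cur"
}
```

Usage: `make_baseline /mnt/backup/var/www > baseline.sha256` on the mounted backup, then `compare_to_baseline /var/www baseline.sha256` on the (isolated) server, and `files_changed_since /var/www '2011-02-10 00:00'` to see in which order the flagged files were touched. Note that mtimes are trivially forged and are only corroborating evidence; the hash comparison against a copy taken before the incident is the part that can actually be trusted.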