Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
One month (at least) with a compromised webserver; you should really take it offline and reinstall.
No need to try to remove or kick these sessions; your machine is compromised, you don't know what is really running. Using kill -9 would kill the process. lsof might help.
Next time consider using tripwire/samhain/... so that at least you know which files have been modified by the cracker.
More generally, read the LQ Security Reference post at the beginning of this forum so that next time you have something to analyse. Now it's hopeless.
Please - you really should not leave this machine online any longer.
You might not even be able to "kick" anyone off that machine anymore. It could also well be that the system tells you you "kicked" someone off - but really you did not... there is nothing you can trust anymore on that machine!
If there are root logins which you don't know anything about, they are able to do virtually anything - and probably already have done something to ensure that they are able to keep their access to this machine - and likely use it to send spam out to the world or whatever. If you leave the machine online you are acting really irresponsibly, because this compromised machine is very probably doing harm to others by now, in the form of using your machine to send faked email or using it to crack other machines using your IP and name and/or the names of all the users on your machine, BTW.
You have like 30 e-mail-boxes on there. It's not hard to back them up and reuse the data on a new install.
You will find advice on that even here if you ask. But you can do that while being offline.
The worst case: if they notice you trying to kick them off "their" machine they could just say to themselves: Well - let's see who the boss is - if we are not going to use that machine - nobody is - especially not the person who really is (rather: was) root...
rm -rf /var/mail && rm -rf /home/* && rm -rf /
And there you are - without your precious mailboxes and they even cleaned out the machine for you...
I think in these cases we should help the user to reinstall his system.
This is in general easy to do with Linux. Administrators are scared of losing anything while reinstalling; that's why they wait and wait, and their machine becomes a zombie, effectively harming others.
Just for fun, to the OP, can you compare the output of this command
Code:
# /proc/PID/cmdline separates arguments with NUL bytes; turn them into spaces
for f in /proc/[0-9]*/cmdline; do tr '\0' ' ' < "$f"; echo; done
You know what is unbelievable! I saw that my server was under attack, but I was unable to do anything. And now I'm certain: if you're under attack, you're f%^&#d. I was hacked by bruteforce, which took, I don't know... 2 months?? At least what I can do is to use passwords that I can't remember, so I have to save them on a flash drive or write them in my agenda. The flash drive is not safe, I might lose data. If I do backups I increase the risk of exposing my passwords DB. If I write them in my agenda, that's something primitive; anybody can look in my agenda and see my passwords... Slowly but surely I become paranoid. Now among you there are a few who know things. Please take a look at my questions:
- How can I restrict root from logging in (ssh/telnet)? I mean no root login, just normal login and then su
- How can I limit the number of attempts of unsuccessful logins (ssh/telnet/ftp)?
- If I restore all my qmail accounts, is there a possibility that my hacker knows all the email passwords??
- When I reinstall, I will use another root password. What else do I have to change? I have Qmail, SAMBA (only for the LAN) and vsftpd.
- How the hell was I picked by hackers out of millions of servers???
One is really f%^&#d as you put it, from the moment he sees a root-login and knows it is not legitimate.
From that moment on you can't be sure that anything you do is actually done or has the effect it is supposed to have.
Quote:
How can I restrict root from logging in (ssh/telnet)? I mean no root login, just normal login and then su
How can I limit the number of attempts of unsuccessful logins (ssh/telnet/ftp)?
NO telnet! ssh does all these things too and better!
On the 3rd page of the thread I mentioned, AAnarchYY mentioned "authfail" and it looks like the thing you want - this is a quite comprehensive thread and you should take some time for it and related matters.
Quote:
If I restore all my qmail accounts, is there a possibility that my hacker to know all the email passwords??
Not only the possibility - I'd take this as a given fact and change all passwords and instruct the users NOT to change them back to the old ones again (and implement a policy to ensure strong passwords while you are at it).
For sure you need to have a firewall running!
Quote:
How the hell was I picked by hackers out of millions of servers???
Because it seemed worth it - or it was easy - or both...or just plain bad luck? - no, there is no such thing...
You might have had services running which gave info about your machine to anyone and made it look a good target - this includes the qmail and samba but starts at the prompt someone is given when trying to connect.
You should also try to do an analysis of what happened - because it can help you with the next setup when you know how they got in - but I doubt that you will find anything after that long a time.
Keep the system up to date / watch for and install security updates...
On http://www.grc.com/ (ShieldsUp) for example there is a - probably limited - opportunity to get your machine checked over the net.
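The two configuration questions answered in this post (no root login over ssh, a cap on failed attempts) and the firewall advice, as an added shell example that is not from the thread or from any of its posters: it audits an sshd_config fragment for the settings involved and tallies failed logins per source address from /var/log/secure-style lines, printing the iptables rules rather than running them. The two config fragments, the log lines and the thresholds are constructed for the example; on a real box the functions would be pointed at /etc/ssh/sshd_config and /var/log/secure.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config for the settings the
# post asks about and tally failed SSH logins per source IP from auth-log lines.
# All input below is constructed; point the functions at /etc/ssh/sshd_config
# and /var/log/secure on a real machine.

SSHD_CONFIG_WEAK='# constructed: roughly what a default install of that era shipped
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
'

SSHD_CONFIG_HARDENED='# constructed: root must log in as a user and su
Protocol 2
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 30
'

# Constructed /var/log/secure lines; the source addresses are the ones the
# thread's "last" output showed.
SAMPLE_LOG='Feb 22 14:02:11 mail sshd[2231]: Failed password for root from 115.140.3.0 port 4412 ssh2
Feb 22 14:02:14 mail sshd[2231]: Failed password for root from 115.140.3.0 port 4412 ssh2
Feb 22 14:02:19 mail sshd[2233]: Failed password for invalid user admin from 115.140.3.0 port 4420 ssh2
Feb 22 14:03:01 mail sshd[2240]: Accepted password for john from 192.168.1.10 port 50122 ssh2
Feb 22 14:05:40 mail sshd[2250]: Failed password for root from 40.77.12.0 port 3311 ssh2
Feb 22 14:06:02 mail sshd[2252]: Failed password for invalid user test from 59.41.13.0 port 2201 ssh2
Feb 22 14:06:05 mail sshd[2252]: Failed password for invalid user test from 59.41.13.0 port 2201 ssh2'

# get_opt CONFIG KEY -> value of the first uncommented occurrence, because sshd
# uses the first value it sees for a keyword, not the last.
get_opt() {
    printf '%s\n' "$1" | awk -v k="$2" \
        '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }'
}

# audit_sshd_config CONFIG -> one finding per line; returns 1 if there is any.
audit_sshd_config() {
    cfg=$1; n=0
    v=$(get_opt "$cfg" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin=${v:-unset (older OpenSSH defaults to yes)}: set 'PermitRootLogin no', log in as a user and su"
        n=$((n + 1))
    fi
    v=$(get_opt "$cfg" MaxAuthTries)
    if [ -z "$v" ] || [ "$v" -gt 3 ]; then
        echo "MaxAuthTries=${v:-unset (default 6)}: set 'MaxAuthTries 3' so one connection gets few guesses"
        n=$((n + 1))
    fi
    v=$(get_opt "$cfg" Protocol)
    case "$v" in
        *1*) echo "Protocol=$v: SSH-1 is enabled; set 'Protocol 2'"; n=$((n + 1)) ;;
    esac
    [ "$n" -eq 0 ]
}

# failed_logins_by_ip LOG THRESHOLD -> "count ip" for every source at or above
# THRESHOLD, highest first. Matches "for root from" and "for invalid user X from".
failed_logins_by_ip() {
    printf '%s\n' "$1" | awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i + 1)]++; break }
        }
        END { for (ip in c) if (c[ip] >= t) print c[ip], ip }' | sort -rn
}

# block_rules LOG THRESHOLD -> prints (does not run) one DROP rule per offender.
block_rules() {
    failed_logins_by_ip "$1" "$2" | while read -r count ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP   # $count failures"
    done
}

echo "== audit of the weak config =="
audit_sshd_config "$SSHD_CONFIG_WEAK" || true
echo "== audit of the hardened config =="
audit_sshd_config "$SSHD_CONFIG_HARDENED" && echo "no findings"
echo "== rules for sources with 2 or more failures =="
block_rules "$SAMPLE_LOG" 2
```

The audit reads the first matching keyword on purpose: sshd takes the first value it finds, so a "PermitRootLogin no" appended at the end of a file that already says "yes" higher up changes nothing. The rule printer only counts failures; a tool like the authfail mentioned above, or a cron job around these functions, is what turns the count into a block.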
Server is reinstalled. It doesn't work of course, but I'll will figure it out somehow with the help of a few enthusiastic friends.
But I have a complaint, and this is a general phenomenon on Linux forums. When a newbie asks a question it is so hard to answer straight, like: look for x.y file, it should be here or there, edit it, look for this parameter, if it doesn't exist, create it, and give this value to it.
Why do I have to read 1000 topics and then end up on Google looking for a straight answer?
I'm frustrated...
Unfortunately, life is seldom that simple (even on Windows). This is particularly true when it comes to security. Maintaining a secure system isn't just about plugging some magic values into some configuration files. There are things you can configure to make your system more secure (read the stickied thread at the top of this forum for some good advice), but you as the administrator have to take an active role. By the time your machine is the victim of a root compromise, as was the case this time, it's already too late.
By and large, I think you've gotten some good advice in this thread. We're not trying to be abstruse or frustrate you, but merely to tell you what the commonly accepted best way of handling things is. Let me reiterate: security and incident response are complicated topics that don't lend themselves to quick fixes in case of problems. If your media player was broken or your X server stopped working, someone could probably give you the recipe you desire. In your case, the only trustworthy recipe available is to reinstall and follow the advice here to make sure this never happens again.
Also, FWIW I've been in your shoes dealing with a rooted system. It's not fun, I know. Fortunately I had a friend to help me out, since I was still a real n00b at that point (several years ago, and sometimes I think I'm still a real noob). What I'm trying to say is that we're trying to help you as best we can, and your frustration is not abnormal.
Good, it didn't take you so long to reinstall it in fact!
The only problem I see (from a constructive/perfectionist point of view) is that you don't really know how they got in, or do you?
Did you have a simple root password? Or could someone have found this password (a friend gave it by email to another friend, this email got hacked, ...)?
If you want to have a secure password policy, you can:
Password MUST contain:
->lowercase letters
->uppercase letters
->numbers or punctuations
Don't use a word
Don't just do things like "s3cr3t"; it is known by bruteforcers.
To generate a pseudo-random password:
Code:
dd if=/dev/urandom bs=16 count=1 | uuencode -
then write it in your agenda, put it under your pillow. NOT on your PDA!
Don't reuse a password
Don't use the same password as for your email or anyother machines
Change your password every 1 month (boring I know)
As soon as you have reinstalled (that means NOW), install an integrity checker, do it !!
Run nessus on your box.
Take great care if you use php in apache.
This address is a "whole network" address, so it should not be possible to set an interface to this address. There is something I don't understand; maybe some program corrupted your file.
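The password rules in this post as a checker, plus a generator that reads /dev/urandom like the dd | uuencode one-liner above; this is an added shell example, not code from the thread or its posters. Two things are assumptions: a minimum length of 12 (the post gives no number) and a tiny constructed word list standing in for cracklib or /usr/share/dict/words, which a real check would use.

```shell
#!/bin/sh
# Added example, not from the thread: the password rules above as a checker,
# plus a generator that reads /dev/urandom.
# Assumptions: minimum length 12 (the post gives no number) and a constructed
# word list; use cracklib or /usr/share/dict/words for real.

MIN_LEN=12
WORDS='password secret admin root linux qmail server'

# check_password PW -> prints one reason per line and returns 1 if the policy
# is not met; prints nothing and returns 0 if it passes.
check_password() {
    pw=$1; bad=0
    [ "${#pw}" -ge "$MIN_LEN" ] || { echo "shorter than $MIN_LEN characters"; bad=1; }
    printf '%s\n' "$pw" | grep -q '[a-z]' || { echo "no lowercase letter"; bad=1; }
    printf '%s\n' "$pw" | grep -q '[A-Z]' || { echo "no uppercase letter"; bad=1; }
    printf '%s\n' "$pw" | grep -q '[0-9[:punct:]]' || { echo "no digit or punctuation"; bad=1; }
    # Undo the usual "leet" swaps (s3cr3t -> secret, p@ssw0rd -> password) before
    # the word test; bruteforcers' lists already contain those spellings.
    base=$(printf '%s\n' "$pw" | tr 'A-Z' 'a-z' | tr '013457@$!' 'oleastasi')
    for w in $WORDS; do
        case "$base" in
            *"$w"*) echo "contains dictionary word '$w' (after undoing leet substitutions)"; bad=1 ;;
        esac
    done
    return "$bad"
}

# gen_password [LEN] -> LEN random characters from the base64 alphabet, fed by
# /dev/urandom (3 random bytes give 4 output characters, so never a short read).
gen_password() {
    len=${1:-16}
    head -c "$((len * 3))" /dev/urandom | base64 | tr -d '\n' | cut -c1-"$len"
}

for candidate in 's3cr3t' 'P@ssw0rd2006' 'Tq7#mVx9pL2wQz!r'; do
    if reasons=$(check_password "$candidate"); then
        echo "$candidate: ok"
    else
        echo "$candidate: rejected"
        printf '%s\n' "$reasons" | sed 's/^/  /'
    fi
done
echo "generated: $(gen_password 16)"
```

A generated password can still fail the checker by chance (the base64 alphabet does not guarantee an uppercase letter in 16 characters), so in practice generate, check, and regenerate on failure rather than assuming the output is compliant.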
what gives
Code:
last -o
?
Quote:
root :0 0.0.0.0 Wed Feb 22 14:05 - 14:12 (00:07)(what?)
This is you doing an su
Do you have a firewall? Does it show connections from these addresses?
The answer you were getting - I can only speak for me - was indeed not a recipe, for a couple of reasons.
1.) I don't own a server (nice ambiguity - but it is neither one) - but I do know some things about how to set one up - that is why I pointed you to the information instead of copying+pasting a config file - which also would need explanation BTW (as to why this setting here and not another, for example...)
This was not to offend you but to help - it is my opinion that the best help to others is in teaching them how to help themselves...everything else is far less effective.
2.) this is then the next reason: you should know something about your setup - or know where to find information in case you don't.
Giving a recipe which does not work out for you (...there are a hundred reasons for this) and which would largely consist of information already out there would make you none the wiser and - in a sense - the person who gave the recipe would be to blame if it does not work out (...for the above mentioned hundred reasons...).
3.) the most important question (ssh) is indeed directly answered where I directed you
...on to the more constructive part...
root pts/1 115.140.3.0 Wed Feb 22 14:05 - 14:12 (00:06)(not friendly)
whois does not return anything on this - could be on your local network?
root pts/1 40.77.12.0 Wed Feb 22 14:13 - 14:25 (00:11)(not friendly)
login from an American provider - ten minutes after you booted a freshly installed system?
In this case there has to be a serious bug in some of the programs - or someone knows the password...
Or sshd is running and set up to give access without one? I dont know - look!
You should only go online with a system which is finished setting up - I mean no services running until you are all updated and configured
root :0 0.0.0.0 Wed Feb 22 14:05 - 14:12 (00:07)(what?)
that is you logged in locally
root pts/1 59.41.13.0 Wed Feb 22 14:27 - down (02:23)(not friendly)
this comes from a Chinese provider
In this case there has to be a serious bug in some of the programs
There used to be a bug in older versions of Redhat/Fedora/Mandrake that would display false IPs in the output of the last command, but that only would appear for local X logins via gdm. So I don't believe that's what we're seeing here, could be some unknown bug though...
root :0 0.0.0.0
As stated, it's a local X session login for root. The :0 represents the X display number.
It would be really informative to install on a system without a network connection and see if any IPs appear. Also, did you fully update once you've installed?
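The triage the two posts above do by hand on the `last -o` output, as an added shell example that is not from the thread or its posters: it reads `last` output and prints every root session that came from neither the local console (the `:0` / 0.0.0.0 line, or a ttyN login with no host) nor a trusted prefix, with its start and end time or "still logged in". The sample output is constructed after the lines quoted in the thread (year and kernel version included), and the trusted prefixes are an assumption; pipe real `last -o` output into the function instead. As the earlier posts stress, wtmp is just a file, so on a rooted machine this list is a lower bound, not the truth.

```shell
#!/bin/sh
# Added example, not from the thread: flag root logins in "last -o" output that
# did not come from the local console or from networks you trust. The sample
# output is constructed after the lines quoted in the thread; the trusted
# prefixes passed to the function are an assumption.

SAMPLE_LAST='root     pts/1        115.140.3.0      Wed Feb 22 14:05 - 14:12  (00:06)
root     :0           0.0.0.0          Wed Feb 22 14:05 - 14:12  (00:07)
root     tty1                          Wed Feb 22 14:04 - 14:05  (00:01)
root     pts/1        40.77.12.0       Wed Feb 22 14:13 - 14:25  (00:11)
john     pts/2        192.168.1.10     Wed Feb 22 14:20 - 14:40  (00:20)
root     pts/3        192.168.1.5      Wed Feb 22 14:22 - 14:23  (00:01)
root     pts/1        59.41.13.0       Wed Feb 22 14:27 - down   (02:23)
root     pts/4        59.41.13.0       Wed Feb 22 16:40   still logged in
reboot   system boot  2.6.9-22.EL      Wed Feb 22 14:03          (02:47)

wtmp begins Wed Feb 22 14:03:05 2006'

# remote_root_logins LAST_OUTPUT [TRUSTED_PREFIX ...] -> "host start end" for
# each root session whose origin is neither the console (:0 or ttyN, host
# 0.0.0.0 or blank) nor under one of the trusted address prefixes.
remote_root_logins() {
    out=$1; shift
    printf '%s\n' "$out" | awk -v trusted="$*" '
        BEGIN { n = split(trusted, pre, " ") }
        # a blank host column makes $3 the weekday; skip those as console logins
        $1 == "root" && $2 !~ /^(:|tty)/ && $3 != "0.0.0.0" &&
        $3 !~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ {
            ok = 0
            for (i = 1; i <= n; i++) if (index($3, pre[i]) == 1) ok = 1
            # $7 is the start time; "$8 $9" is "- end", "- down" or "still logged in"
            end = ($8 == "-") ? $9 : "still logged in"
            if (!ok) print $3, $7, end
        }'
}

# root_console_logins LAST_OUTPUT -> the local root sessions, for comparison
# (the :0 line with 0.0.0.0 is a local X login, as the post above explains).
root_console_logins() {
    printf '%s\n' "$1" | awk '$1 == "root" && ($2 ~ /^(:|tty)/ || $3 == "0.0.0.0") { print $2 }'
}

echo "== root logins from outside 192.168.0.0/16 =="
remote_root_logins "$SAMPLE_LAST" 192.168.
echo "== root console logins (expected: that is you) =="
root_console_logins "$SAMPLE_LAST"
```

Run against the real thing with `remote_root_logins "$(last -o)" 192.168. 10.` and compare the timestamps with the boot time on the `reboot` line: a remote root session minutes after a fresh install is the pattern the post above calls out.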
The thing which is bothering me is that, if I look at the bright side, maybe I should not reinstall my server. But at least I don't see hostile IPs still logged on.
There is no way on earth that somebody hacked into my system because of a weak root password, and you cannot guess a password which is more than 15 characters long (and is not my name). Plus, after I set up my internet connection the first thing was yum -y update. It is true that all of the hostile IPs in the log are before the system update, which makes me think that there are exploits for CentOS 4.2 x86_64. This is pretty weird because CentOS is an OS based on RHEL source.
I couldn't find any "Accepted password for root" in the /var/log/secure from hostile IPs, which makes me believe that the system is safe and I'm sure that there won't be any hostile IPs connected to my server, even if I drop the firewall, only because of the strong passwords and the system kept up-to-date.