Hello everyone,

It is now almost a full month of trouble of installing and uninstalling Mandriva 2007 free edition because of a hacker who has targeted my server causing us serious problems.

I have used Mandrake since 2003. The server was running on a tightly secured Mandriva 2005 for a whole year without problem. From 2003 when I fail in love with mandrake as my first os, I did install every new release with security in mind. I always have msec at level 5 and do allow very few ports; such as port 80,443,143,25,110,21,53,465,995,993 and 3306. I make sure all other ports are commented out in /etc/services. Because of security reasons, I even changed ftp port 21 and gave it a new number. To update my server, I always do a fresh ftp install. After install and at boot, I always make sure to tighten security when I am off line. It is only when I am security is high and no other used ports are present in shorewall that I go online. My server has always been run bind a rotor and I use qmail-toaster with horde for my email services which requires that ports 25,110,143,465,995 and 993 be opened.

As I said, I am really surprised find that a hacker has penetrated server and literally has shut us down. Every time I finish setting the server and and go online. He enters the server and changes the index page with a message: "it is working".

I contacted my ISP and fowarded them my messages log and other log files which could help them to find out where this individual is coming from to infiltrate my server but in vain. They cannot help because the person is using a "sophisticated intrusion scanner that gus at Eastlink (my ISP) cannot block or track is true IP because the log files are showing that the scanner the hacker is using is scanning my server using many different fake IPS.

After istalling nessus and psad they both seem to reveal that the hacker is entering my server using port 53. Yesterday, as I was hunting for more clues as to how he is entering my computer, I found that, as soon as he enters the server, he installs a packet that reports all the keyboard keys I type. He also had activates the ssh client using a hidden file called .sshbash, in my admin home rea.

Please note that although avahi and openssl-sever are installed, they are both disable by commenting their the port and their function lines out in their conf files. I have since deleted the hidden file and the openssl-client packet is no longer listed in the running processes. Having done this I am hopping that he at present may not have access to my server. It is just guessing.

My trouble is that, I have found that this person is entering my sever - only each time I install the bind utility to configure my dns. Each time I install BIND9, he strikes and he is in, because bind is running on ports 53 and 953. Please not that portmap is disallowed on the sever.

Below is list of things he has done to stop my server form being see online:

1. Once he changed the right IP to a wrong IP in all my zone and db.hosts files.
2. Another time He deleted my named.conf.
3. Once I found that he had entered a code in the sudoers file which allowed him to use /sbin/ifup on the sever as root. The code he had entered was linked to /sbin/ifup and I believe it was configured to alert him each that I was online, immediatly after a connected the computer on line.
4. Each time bind is installed, he enters in and configures packets which cause bind to be controlled by him, thus not allowing my clients web pages to be seen.
After installing nessus immediatly after each new install , it reports that all its plugs are running. Strangely, after bind is installed and configured off line, nessus reports that all packets are okey. But after I connect the sever on line, the hacker attacks again. Few hours later when I run nessus, it reports that bind is being controled by a foreign host. As I studies all logs, I felt I should check bind`s log messages. And sure enough I discovered that the hacker had pirated my server. Below is the info I found in the bind`s log file. You will notice in the second colon that the hacker had linked my dns to bogus ips. Below is the record:


30-Jan-2007 10:51:01.745 general: info: zone 0.in-addr.arpa/IN: loaded serial 42
30-Jan-2007 10:51:01.746 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
30-Jan-2007 10:51:01.748 general: info: zone 255.in-addr.arpa/IN: loaded serial 42
30-Jan-2007 10:51:01.749 general: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
30-Jan-2007 10:51:01.751 general: info: zone localdomain/IN: loaded serial 42
30-Jan-2007 10:51:01.752 general: info: zone localhost/IN: loaded serial 42
30-Jan-2007 10:51:01.757 general: notice: running
30-Jan-2007 11:39:08.616 general: info: shutting down: flushing changes
30-Jan-2007 11:39:08.623 general: notice: stopping command channel on 127.0.0.1#953
30-Jan-2007 11:39:08.654 network: info: no longer listening on 127.0.0.1#53
30-Jan-2007 11:39:08.658 general: notice: exiting
30-Jan-2007 11:39:10.844 general: info: zone 0.in-addr.arpa/IN: loaded serial 42
30-Jan-2007 11:39:10.845 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
30-Jan-2007 11:39:10.847 general: info: zone 255.in-addr.arpa/IN: loaded serial 42
30-Jan-2007 11:39:10.848 general: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
30-Jan-2007 11:39:10.850 general: info: zone localdomain/IN: loaded serial 42
30-Jan-2007 11:39:10.851 general: info: zone localhost/IN: loaded serial 42
30-Jan-2007 11:39:10.961 general: notice: running
30-Jan-2007 13:10:34.806 general: info: shutting down: flushing changes
30-Jan-2007 13:10:34.806 general: notice: stopping command channel on 127.0.0.1#953
30-Jan-2007 13:10:34.806 network: info: no longer listening on 127.0.0.1#53
30-Jan-2007 13:10:34.806 network: info: no longer listening on 192.168.2.110#53
30-Jan-2007 13:10:34.808 general: notice: exiting
30-Jan-2007 13:10:36.939 general: info: zone 0.in-addr.arpa/IN: loaded serial 42
30-Jan-2007 13:10:36.941 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
30-Jan-2007 13:10:36.942 general: info: zone 255.in-addr.arpa/IN: loaded serial 42
30-Jan-2007 13:10:36.943 general: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
30-Jan-2007 13:10:36.944 general: info: zone localdomain/IN: loaded serial 42
30-Jan-2007 13:10:36.945 general: info: zone localhost/IN: loaded serial 42
30-Jan-2007 13:10:36.946 general: notice: running
30-Jan-2007 21:02:04.745 general: info: shutting down: flushing changes
30-Jan-2007 21:02:04.745 general: notice: stopping command channel on 127.0.0.1#953
30-Jan-2007 21:02:04.746 network: info: no longer listening on 127.0.0.1#53
30-Jan-2007 21:02:04.746 network: info: no longer listening on 192.168.2.110#53
30-Jan-2007 21:02:04.749 general: notice: exiting
30-Jan-2007 21:11:33.426 general: info: zone 0.in-addr.arpa/IN: loaded serial 42
30-Jan-2007 21:11:33.438 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
30-Jan-2007 21:11:33.439 general: info: zone 255.in-addr.arpa/IN: loaded serial 42
30-Jan-2007 21:11:33.440 general: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
30-Jan-2007 21:11:33.442 general: info: zone localdomain/IN: loaded serial 42
30-Jan-2007 21:11:33.443 general: info: zone localhost/IN: loaded serial 42
30-Jan-2007 21:11:33.451 general: notice: running
31-Jan-2007 09:26:47.802 general: info: zone 0.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 09:26:47.813 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
31-Jan-2007 09:26:47.815 general: info: zone 255.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 09:26:47.816 general: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
31-Jan-2007 09:26:47.818 general: info: zone localdomain/IN: loaded serial 42
31-Jan-2007 09:26:47.819 general: info: zone localhost/IN: loaded serial 42
31-Jan-2007 09:26:47.820 general: notice: running
31-Jan-2007 13:14:45.798 general: info: shutting down: flushing changes
31-Jan-2007 13:14:45.798 general: notice: stopping command channel on 127.0.0.1#953
31-Jan-2007 13:14:45.799 network: info: no longer listening on 127.0.0.1#53
31-Jan-2007 13:14:45.799 network: info: no longer listening on 192.168.2.110#53
31-Jan-2007 13:14:45.801 general: notice: exiting
31-Jan-2007 13:15:58.081 general: info: zone 0.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 13:15:58.093 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
31-Jan-2007 13:15:58.095 general: info: zone 255.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 13:15:58.096 general: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
31-Jan-2007 13:15:58.098 general: info: zone localdomain/IN: loaded serial 42
31-Jan-2007 13:15:58.099 general: info: zone localhost/IN: loaded serial 42
31-Jan-2007 13:15:58.104 general: notice: running
31-Jan-2007 13:28:55.475 general: info: zone 0.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 13:28:55.487 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
31-Jan-2007 13:28:55.488 general: info: zone 255.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 13:28:55.490 general: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
31-Jan-2007 13:28:55.491 general: info: zone localdomain/IN: loaded serial 42
31-Jan-2007 13:28:55.493 general: info: zone localhost/IN: loaded serial 42
31-Jan-2007 13:28:55.493 general: notice: running
31-Jan-2007 15:14:41.033 general: info: shutting down: flushing changes
31-Jan-2007 15:14:41.033 general: notice: stopping command channel on 127.0.0.1#953
31-Jan-2007 15:14:41.034 network: info: no longer listening on 127.0.0.1#53
31-Jan-2007 15:14:41.034 network: info: no longer listening on 192.168.2.110#53
31-Jan-2007 15:14:41.036 general: notice: exiting
31-Jan-2007 15:15:56.985 general: info: zone 0.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 15:15:56.997 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
31-Jan-2007 15:15:56.999 general: info: zone 255.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 15:15:57.000 general: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
31-Jan-2007 15:15:57.002 general: info: zone localdomain/IN: loaded serial 42
31-Jan-2007 15:15:57.003 general: info: zone localhost/IN: loaded serial 42
31-Jan-2007 15:15:57.004 general: notice: running
31-Jan-2007 16:07:54.448 general: info: zone 0.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 16:07:54.460 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
31-Jan-2007 16:07:54.461 general: info: zone 255.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 16:07:54.463 general: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
31-Jan-2007 16:07:54.464 general: info: zone localdomain/IN: loaded serial 42
31-Jan-2007 16:07:54.466 general: info: zone localhost/IN: loaded serial 42
31-Jan-2007 16:07:54.470 general: notice: running
31-Jan-2007 17:04:03.265 general: info: shutting down: flushing changes
31-Jan-2007 17:04:03.266 general: notice: stopping command channel on 127.0.0.1#953
31-Jan-2007 17:04:03.266 network: info: no longer listening on 127.0.0.1#53
31-Jan-2007 17:04:03.266 network: info: no longer listening on 192.168.2.110#53
31-Jan-2007 17:04:03.268 general: notice: exiting
31-Jan-2007 17:05:17.280 general: info: zone 0.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 17:05:17.292 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
31-Jan-2007 17:05:17.293 general: info: zone 255.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 17:05:17.294 general: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
31-Jan-2007 17:05:17.296 general: info: zone localdomain/IN: loaded serial 42
31-Jan-2007 17:05:17.297 general: info: zone localhost/IN: loaded serial 42
31-Jan-2007 17:05:17.302 general: notice: running
31-Jan-2007 17:35:22.928 general: info: zone 0.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 17:35:22.940 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
31-Jan-2007 17:35:22.941 general: info: zone 255.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 17:35:22.942 general: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
31-Jan-2007 17:35:22.944 general: info: zone localdomain/IN: loaded serial 42
31-Jan-2007 17:35:22.945 general: info: zone localhost/IN: loaded serial 42
31-Jan-2007 17:35:22.950 general: notice: running
31-Jan-2007 18:19:21.886 general: info: zone 0.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 18:19:22.029 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
31-Jan-2007 18:19:22.041 general: info: zone 255.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 18:19:22.042 general: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
31-Jan-2007 18:19:22.044 general: info: zone localdomain/IN: loaded serial 42
31-Jan-2007 18:19:22.045 general: info: zone localhost/IN: loaded serial 42
31-Jan-2007 18:19:22.050 general: notice: running
31-Jan-2007 18:21:46.537 general: info: shutting down: flushing changes
31-Jan-2007 18:21:46.537 general: notice: stopping command channel on 127.0.0.1#953
31-Jan-2007 18:21:46.538 network: info: no longer listening on 127.0.0.1#53
31-Jan-2007 18:21:46.538 network: info: no longer listening on 192.168.2.110#53
31-Jan-2007 18:21:46.540 general: notice: exiting
31-Jan-2007 19:59:47.827 general: info: zone 0.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 19:59:47.839 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
31-Jan-2007 19:59:47.840 general: info: zone 255.in-addr.arpa/IN: loaded serial 42
31-Jan-2007 19:59:47.842 general: info: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
31-Jan-2007 19:59:47.843 general: info: zone localdomain/IN: loaded serial 42
31-Jan-2007 19:59:47.845 general: info: zone localhost/IN: loaded serial 42
31-Jan-2007 19:59:47.849 general: notice: running

Can anyone advise as to what I should do. I checked google and found a security advisory on BIN9 for mindriva 2007. I immediately did an update but the hacker was still able to penetrate the server. I have presently run out of options as far as using bind is concerned and I`m considering using a different dns package. Can you advised which dns package is safe.

Or, can someone, a linux geeg in the linux community or just anyone with a good linux security background help me with any advice as to what I should do to stop this vicious hacker from putting us out of business.

Note that I have already intalled Mandriva 2007 more than ten times since it was release. I started with a bittorent downloaded powerpack iso and moved to trying a current free version that I have installed using ftp.

Thanks.

Uzimadawa

First of all well done one a rather large post (the more info the better). However I don't see any clues or "evidence" I can use to determine if your box got compromised and how. With all due respect, but could it be you're just interpreting things the wrong way?

Anyway. Here's what I'd do:
- Make certain there are no port mappings on your router to any services on any machines on your LAN,
- Check all your machines on your LAN and make certain there are no signs of intrusion: if unsure halt there and use a guideline like the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html and then post your findings,
- Backup whatever you want to save from /home, /etc and /var that isn't binary: not for reuse but for reference. Also see: Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html,
- Disconnect any ethernet devices,
- Zero out the harddisks,
- Install your favourite O.S. and make sure you repartition and reformat, and during install make certain you:
- don't install services and applications that are not vital for the machine to function like PHP, Apache and such (install later on),
- *do* install SELinux, (Bastille-Linux,) Iptables, Tcp_wrappers, Sudo, Logwatch (and Tiger or Lsat if available),
- raise the firewall so it doesn't allow any inbound services,
- use a different root account password,
- configure a unprivileged user account with a different password,
- after reboot and into post install make certain you:
- run an audit with Tiger or Lsat (so you know what needs adjusting),
- disable any services that are not vital for the machine to function,
- if installed: read about, then configure Sudo for your unprivileged user,
- make certain the firewall blocks network access to any inbound services,
- if installed: read about, then configure Tcp_wrappers to drop inbound access to services,
- if installed: read about, then run Bastille-Linux if you fancy that,
- if installed: read about, then configure Logwatch,
- if installed: configure Aide (or Samhain or tripwire or equiv), run and save database off-site,
- run another audit with Tiger or Lsat, compare with previous results and adjust where necessary.

At this point make a backup. After the backup you can (more) safely enable your network device and get updates. After that run Aide (or Samhain or tripwire or equiv) and sync the database after verify changes against your package management database. If at this point there is reasonable doubt your machine is compromised, shut it down and do not boot it again but use a Live CD like KNOPPIX, (re)mount the disks readonly, tar up the logs and post me a D/L location. Note the above may not be complete. Also note skipping steps is not advised unless you know the risks.


//@All: If there's anything missing: please fill in.

Thank you so much.

I think I quickly panicked and deleted the files which I should have kept for in-depth analysis.

Also a logfile (message) showing ips that the intruder was using to scanning my server was pasted into my ISP abuse-webpage submission form that is offered online. They do not have a linux expert and therefore could not help. I really should have kept a copy of the said file to post it for your review and comment.

Nonetheless, your comments has given me great help as to what I should do. I have done a complete install following your instructions. I also have installed some of the tools you listed. It seems that the is no Bastille-Linux rpm for Mandiva 2007. I will install it later.

Also I have used a different dns instead of bind. Actually I realized later after posting that the intruder had also changed bind's group number in /etc/passwd to make it differ from the number that was in /etc/group thus causing nessus to report that it was being used by a different user.

As I said, the backup has been done and I am presently running a server with a new install. If I notice any abnormalities again, I shall report them so that you can also analyze them and give advice as to what I should do.

Thank you for you concern and quick reply.

Uzimadawa

NP, NP, that's what we're here for. Good to see you got it up and running again. If you've got more security related questions you're invited to post them in the Linux Security forum.

Go back to windows ,he will be too bored by it to follow you

Hello tytower,

Why should I go back to windows with all the security holes it has.

Can you give me reasons why?