I am running Suse 8 and Xampp (latest version). the security features all have new passwords, the firewall is up. When I went to log into my webserver I discovered a user account "Dodu" I could not delete it as it said Dodu was still connected. I rebooted and deleted the account but then I discovered that when I used the SU command no password was requested and I was allowed straight into SU mode.

So far I can't find any evidence of damage but...

This machine is on the office network so he could have found his way to the wider network.

Are there any logs to tell me what might have been done?
Has anybody encountered Dodu?
What should I do next?

ANY advice greatfully received?

Latest: just found file Dora.tar in the root directory. I guess it's not friendly but what does it do?

Well first action is always, unplug this machine from any network.

Second action, get yourself a chrootkit to verify the system.

Thirdly, can you really trust this machine again? Probably not. If you need data from it, copy it off but be wary of what you copy, verify it's not been affected either. Usually cases like this resort to wiping and reinstalling, once you found how they got in to protect yourself in the future.

And in the future, don't allow remote root logins, make sure users have strong passwords, regularly making them change them every 30-90 days, disable accounts not needed, install tripwire or other similar functionality to help prevent future attacks, etc. And use sudo instead of just su'ing as root.

Also, I'm not familiar with Novell's release/support cycles, but be sure you're running a supported (regular security updates) OS.

I once had a box hacked and decided that it would be better to backup whatever I needed and just reinstall it.

And next time, use a more updated distro instead of SUSE 8.0...

Apart from the remarks about the validity of running an old version of your distribution, and realising that you may not have been that proficient securing the machine (wrt your XAMPP thread of last year, if relevant), the first thing would actually be to do nothing. Reflexes can save critical things, but revooting also destroys vital information like process and network details if they are not logged elsewhere (machine, syslog server, router) and deleting items should only be done when a backup is made. Reading up on what's important and steps to take now may save you trouble later on. The fact that this compromised machine was part of an office network makes things more critical, and your actions depend on where the machine is in the topology (DMZ or not?) sealing off subnets other machines are on should be first option, else if everything is in the same subnet then severing the network connection is your only option, yes. The first thing to read would be the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html because it shows you where you can find what information, and you best run those checks booting a Live CD like HELIX or KNOPPIX. The second step would be to alert anyone using machines in those subnets and investigate each for possible breaches. Do not restore a backup of the machine unless you have independant and authoritative means of verifying the backup is "clean" in every way and uncompromised, and when you do you must keep the machine off the network until you fixed the vulnerability that let the intruder in. This requires investigation, which *is* necessary since the intruder rootkitted the machine. Before continuing it would be best if you post the steps you took after posting your OP.

I have taken the machine off-line and replaced it with a clean machine running SuSE 10.2 and Apache 2 (all the XAMPP has been dumped) Only HTTP is enabled in the firewall and the machine is in the external zone. (I don't understand enough about DMZ yet) The machine is behind a router using port forwarding and NAT.

I have run virus and spyware checkers on all the office machines (XP)and checked my bank accounts!

chkrootkit revealed no infection on the file server but I could not get it to run on the hacked machine.

I found another alien file, psy.tar There was also a suspicious user with root privileges called grigo. The infected machine has been switched off and apart from deleting the dudo user account is unaltered. If you want some info from it please let me know.

The reaon I was running SuSE 8 was that the infected machine was an old P150 box that uses less power than a P4 it didn't have enough RAM to run V10.2 with a GUI (being green is not always the best policy)

Good work. Names are just names, but by name anything "psy" should point to PsyBNC, so that partially shows the perps MO (their reliance on IRC). I would like to have a content listing of the Dora.tar, maybe you could post the output of running 'tar -tf Dora.tar 2>&1'? If you still have all logs and auth databases, and files hopefully not being tainted by you, from running (from a Live CD!) 'rpm -qVa 2>&1 > logfile' and grepping for MD5 warnings see at aprox what time the binaries where changed? Another way would be to look though the system and daemon logs for anything "odd". With a fix on the aproximate time of entry you can guesstimate what time they had to "change things" (well, OK, *if* they did) or in other words what chances you have looking for clues.

Another bit of infomation. My ISP reported unusual activity on port 20 a few weeks ago. When I looked at the machine the network activity light was going full tilt. I re booted and nothing more was heard. The general concensus from the ISP support people was that they had given up an gone on to more interesting targets.

I'll try to find time to look at those logs etc tomorrow but I really have to do some real work or I shalln't need a server and a network!

Thanks fopr your help, it's good to know I'm not on my own.

NP, just post when you want to share results.

"Only HTTP is enabled in the firewall and the machine is in the external zone."

"Port 20"

Looks like they played with ftp data source port 20. Firewall/Router/NAT misconfiguration?

or someone was FTPing data off the box at an alarming rate using Active-mode FTP...

Good job, it sounds like you have things under control.

Just so you know, most experienced linux admins don't install GUI's on servers, especially ones that have limited resources. At a minimum, make sure you disable the GUI starting upon boot, to save precious RAM.

Another reason not to install a GUI is updates. Every time you run the update, it will not only update your server, but the GUI stuff as well, which is a waste of update time, not to mention disk space.