This is a discussion on I got hacked 3 times within the Linux Security forums, part of the System Security and Security Related category; Hello anyone, I'm using the operating System Linux - RedHat9 I'm totally a newbie in linux-security and that'...
Hello anyone,

I'm using the operating System Linux - RedHat9
I'm totally a newbie in linux-security and that's why I've got a Problem: A month ago, I got hacked by someone 3 times! I always had to reinstall my distribution for security reasons. People in groups.google suggested to do so after a successful hack. I changed the _standard known_ portnumbers and I denied the access for all incoming internet connections to the ports 0-1024 and mysql per protocol tcp and udp in my ipchains. Is that enough or - what else should I do to prevent him/her from hacking into my computer again (and it would be nice if I could trace him back and do something about it)

Any suggestions?
On Fri, 27 Jun 2003 11:07:23 +0200, roman dissertori wrote:
> Hello anyone,
>
> I'm using the operating System Linux - RedHat9
> I'm totally a newbie in linux-security and that's why I've got a Problem:
> A month ago, I got hacked by someone 3 times!
> I always had to reinstall my distribution for security reasons.
> People in groups.google suggested to do so after a successful hack.
> I changed the _standard known_ portnumbers and I denied the access for all
> incoming internet connections to the ports 0-1024 and mysql per protocol tcp
> and udp in my ipchains.
> Is that enough or - what else should I do to prevent him/her from
> hacking into my computer again (and it would be nice if I could trace him
> back and do something about it)
> Any suggestions?

Hi Roman!

First of all, use iptables instead of ipchains; it offers stateful-inspection capabilities. Then, don't change the port numbers of services; security through obscurity was never supposed to work. Use iptables to close all ports incoming, and only allow those outgoing that you need (http/https/ftp/ssh, I guess). Do not run any services that you don't use. Make the services you decide to use listen only to the internal interface. Run an intrusion detection system like snort to get a couple of points about what is going on in your network. Choose your system passwords carefully (your username backwards is not a very secure password). Use up2date to update your system regularly.

This should keep you quite safe :)

Peace,
Georg
On Fri, 27 Jun 2003 11:07:23 +0200, roman dissertori wrote:
> Hello anyone,
>
> I'm using the operating System Linux - RedHat9 I'm totally a newbie in
[snip]
> Any suggestions?

I assume that when you write hacked you actually mean cracked. The act of breaking into a computer is cracking not hacking, although the press refuse to understand that.

You already got good advice but there is more: Make sure you actually got cracked, and didn't just run a trojan of some sort. To avoid trojans: Don't run any {script,Makefile,programs,anything else executable} from an untrusted source without looking over it first, and certainly don't run it as root.

hth
NPV
"roman dissertori" <r.dissertori@ecom-it.at> wrote in
news:bdh16r$c60$1@ulysses.news.tiscali.de:
> I'm using the operating System Linux - RedHat9
> I'm totally a newbie in linux-security and that's why I've got a
> Problem: A month ago, I got hacked by someone 3 times!

How did you get "hacked"? Why do you think you were "hacked"?

> I always had to reinstall my distribution for security reasons.
> People in groups.google suggested to do so after a successful hack.
> I changed the _standard known_ portnumbers and I denied the access for
> all incoming internet connections to the ports 0-1024 and mysql per
> protocol tcp and udp in my ipchains.

Did you verify by scanning your system from the outside that this was really effective? If indeed you closed off all incoming ports with an effective ipchains setup, there are very few ways anyone could ever crack you...

Khay.
roman dissertori wrote:
> Hello anyone,
>
> I'm using the operating System Linux - RedHat9
> I'm totally a newbie in linux-security and that's why I've got a Problem:
> A month ago, I got hacked by someone 3 times!
> I always had to reinstall my distribution for security reasons.
> People in groups.google suggested to do so after a successful hack.
> I changed the _standard known_ portnumbers and I denied the access for all
> incoming internet connections to the ports 0-1024 and mysql per protocol
> tcp and udp in my ipchains.
> Is that enough or - what else should I do to prevent him/her from
> hacking into my computer again (and it would be nice if I could trace him
> back and do something about it)
> Any suggestions?

Recently, I was sure that I was hacked. I had at least half a dozen signs. But one by one, they turned out to be "normal." Someone from outside tried to set up their own user account and failed. This is the only thing I can regard as a genuine "hack" and the hacker didn't win. So, listen to the others asking "are you sure?"

HTH,
Doug.

--
Linux: in a world without fences, who needs Gates?
"roman dissertori" <r.dissertori@ecom-it.at> wrote in
news:bdhd01$d95$1@ulysses.news.tiscali.de:
> Ok, thank you very much everyone!
> This advice is very useful to me
> - I'll always look for updates for this linux-distribution
> - Scanning my ports for any security holes from outside.

Sounds like a good start! Good sites for scanning from the outside are grc.com (a little windows-aimed and hyped, but still) and pcflank.com. Nmap is a very good (and free) tool you can use for this as well.

> ps:
> He/She cracked (thanks for teaching me the difference) my Computer
> through an open Port, I don't know which one.

Well, it's not that the port was open, it's more that you had some service sitting there unupdated! Number one security tip: Make sure that the services you are running are needed - running RPC/portmap/etc with no reason is not just unnecessary, it's also quite dangerous! Take a look at "netstat -tupan" - it will show which services are listening to the internet; if nothing is listening then nothing can be "hacked", at least not remotely.

> I noticed that hacker because he/she made _one_ mistake: He/She forgot
> to delete the data in the /tmp folder where I found his evil scripts
> that he/she executed -> One Script for example was for moving the
> logfiles into /dev/null and lots of other stuff.

Remember that once people run a so called "rootkit", or "hack" your linux system, it's not your system anymore! Any command can be lying to you - "ps"/"pstree" can be hiding evil programs, "ls" can be hiding directories from you - if you know what to do and how to clean up the mess they did, ok no need to re-install. If you don't then please re-install your server and try better the next time!

> Sorry I don't use ipchains. I wrote it I know, but that was wrong ->
> I'm using iptables.
> I don't know much about the difference, but iptables is newer, right?
> (and I guess better)

Ah well.. ipchains is older, came with the 2.2 series of kernel - iptables is newer and better. They both lack the most important component needed to create a near perfect firewall - a good administrator. That's where you have to come in!

Good luck!

Khay.
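A defender's check for the "netstat -tupan" advice in the reply above, and for Georg's earlier point that services should listen only on the internal interface: a small script, added here and not part of the thread, that filters netstat-style output down to the sockets another host could actually reach. The sample output, its addresses and its program names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of "netstat -tupan" output (made up for this example).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      901/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      640/portmap
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED 1320/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           640/portmap
udp        0      0 127.0.0.1:123           0.0.0.0:*                           700/ntpd'

# exposed_listeners: read netstat -tupan output on stdin and print only the
# sockets a remote host could reach: tcp/tcp6 sockets in LISTEN state and
# every udp/udp6 socket, minus those bound to loopback (127.x.x.x or ::1).
# Output, one per line: proto port local-address pid/program
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)6?$/ { next }                 # header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }         # established connections
        {
            addr = $4; sub(/:[^:]*$/, "", addr)        # strip the trailing :port
            port = $4; sub(/^.*:/, "", port)
            if (addr ~ /^127\./ || addr == "::1") next # loopback-only is fine
            prog = ($1 ~ /^tcp/) ? $7 : $6             # udp lines have no State column
            print $1, port, addr, prog
        }'
}

# Real use on a host: netstat -tupan | exposed_listeners   (root shows PID/Program)
# Here the constructed sample is used so the script runs offline.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

Anything the script prints is a service that is reachable from outside; the mysqld bound to 127.0.0.1 in the sample is not listed because only local processes can reach it.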
roman dissertori wrote:
> Hello anyone,
>
> I'm using the operating System Linux - RedHat9
> I'm totally a newbie in linux-security and that's why I've got a Problem:
> A month ago, I got hacked by someone 3 times!
> I always had to reinstall my distribution for security reasons.
> People in groups.google suggested to do so after a successful hack.
> I changed the _standard known_ portnumbers and I denied the access for all
> incoming internet connections to the ports 0-1024 and mysql per protocol tcp
> and udp in my ipchains.
> Is that enough or - what else should I do to prevent him/her from
> hacking into my computer again (and it would be nice if I could trace him
> back and do something about it)
> Any suggestions?
>

Have you installed all the security patches before exposing it to the Net? Did you change *all* your passwords? How did they hack you?
"Nico Kadel-Garcia" <nkadel@verizon.net> wrote in message news:3EFC3DF2.9030707@verizon.net...
> roman dissertori wrote:
>
> > Hello anyone,
> >
> > I'm using the operating System Linux - RedHat9
> > I'm totally a newbie in linux-security and that's why I've got a Problem:
> > A month ago, I got hacked by someone 3 times!
> > I always had to reinstall my distribution for security reasons.
> > People in groups.google suggested to do so after a successful hack.
> > I changed the _standard known_ portnumbers and I denied the access for all
> > incoming internet connections to the ports 0-1024 and mysql per protocol tcp
> > and udp in my ipchains.
> > Is that enough or - what else should I do to prevent him/her from
> > hacking into my computer again (and it would be nice if I could trace him
> > back and do something about it)
> > Any suggestions?
> >
>
> Have you installed all the security patches before exposing it to the
> Net? Did you change *all* your passwords? How did they hack you?
>

- No, I haven't, but I will do it as soon as possible
- Of course I changed all standard passwords into non-standard passwords
- They hacked me (read text above)
"roman dissertori" <r.dissertori@ecom-it.at> writes:
]Hello anyone,
]I'm using the operating System Linux - RedHat9
]I'm totally a newbie in linux-security and that's why I've got a Problem:
]A month ago, I got hacked by someone 3 times!
]I always had to reinstall my distribution for security reasons.

Yes. Was it a complete reinstall? If not you also need to use the new find to search through the stuff you did not reinstall for suid files. Also you have to change all passwords. And install all of the security updates. And make sure that things you do not use (ftp, http, etc.) are not enabled in xinetd or /etc/rc?.d

]People in groups.google suggested to do so after a successful hack.
]I changed the _standard known_ portnumbers and I denied the access for all
]incoming internet connections to the ports 0-1024 and mysql per protocol tcp
]and udp in my ipchains.
]Is that enough or - what else should I do to prevent him/her from
]hacking into my computer again (and it would be nice if I could trace him
]back and do something about it)
]Any suggestions?
"roman dissertori" <r.dissertori@ecom-it.at> writes:
]>
]> Have you installed all the security patches before exposing it to the
]> Net? Did you change *all* your passwords? How did they hack you?
]>
]- No, I haven't, but I will do it as soon as possible
]- Of course I changed all standard passwords into non-standard passwords

What standard passwords? There are none. ALL users on the system need to change their passwords, including root.

]- They hacked me (read text above)

Yes, he asked how. What was the evidence you have that you were hacked?