This is a discussion on Linux server brought down by Elite on 31337 port and also how to install 2 hard disks on the same linux machine within the Linux Security forums, part of the System Security and Security Related category.
Hi,

I had been running a Redhat 9 Linux server. Today when I ran nmap I saw a new entry called Elite using port 31337. I disconnected the computer from the network and tried to restart the machine. On restarting it went to an INIT-2.05b prompt. Is there any way I can restore my server back? :((

I removed this hard disk and tried to make this a secondary hard drive on another Redhat Linux machine (whose hard disk will serve as the primary hard disk) in the hope that I can mount the second hard disk and browse the contents and make backups. After I install the corrupted hard disk along with the good Redhat Linux hard disk and restart it, it shows the primary hard disk (the good Redhat disk) info and then it just hangs. I read somewhere that the second hard disk should automatically be detected by the Redhat machine, but it doesn't get there. Does it matter if the hard disks on both machines are named hda? Is there a way to rename one of them to hdb? I know all these must be stupid questions. I am kind of new at this.

Can anyone please help me? I'll be eternally grateful.

Thanks,
Ann

Ann wrote:
> On restarting it went to INIT-2.05b
> prompt. Is there anyway i can restore my server back?:((
>
> I removed this hard disk and tried to make this a secondary hard drive
> on another redhat linux machine(whose hard disk will serve as the
> primary hard disk.) in the hope that i can mount the second hard disk
> and browse the contents and make backups..After i install the
> corrupted hard disk along with the good redhat linux hard disk, and
> restart it, it shows the primary hard disk(the good redhat disk) info
> and then it just hangs. I read some where that the second hard disk
> should be automatically be detected by the redhat machine, but it
> doesn't get there..Does it matter if the hard disks on both the
> machine are named hda? Is there a way to rename one of them to hdb? I
> know all these must be stupid questions..I am kind of new at this..

If you installed the compromised drive as a slave, did you change the jumper on it?

--
Confucius: He who play in root, eventually kill tree.
Registered with The Linux Counter. http://counter.li.org/
Slackware 9.1.0 Kernel 2.4.26 SMP i686 (GCC) 3.3.3
Uptime: 10 days, 23:21, 4 users, load average: 0.04, 0.51, 0.8

Ann wrote:
> Hi,

Cross-posting to 5 newsgroups is a bit much, eh?

> I removed this hard disk and tried to make this a secondary hard drive
> on another redhat linux machine(whose hard disk will serve as the

IDE? SCSI? SATA?

> primary hard disk.) in the hope that i can mount the second hard disk
> and browse the contents and make backups..After i install the
> corrupted hard disk along with the good redhat linux hard disk, and
> restart it, it shows the primary hard disk(the good redhat disk) info
> and then it just hangs. I read some where that the second hard disk

Sounds like IDE. Did you install the "bad" disk on the same IDE channel as the "good" disk? If so you need to make the "bad" disk a slave disk, by setting a jumper (or two) on the drive itself. Most drives have this info printed on them somewhere.

If you installed the "bad" drive on the secondary IDE channel, and there is no other drive on that channel, then the "bad" drive will need to be the master for that channel, which is probably the way it is configured.

> should be automatically be detected by the redhat machine, but it
> doesn't get there..Does it matter if the hard disks on both the
> machine are named hda? Is there a way to rename one of them to hdb? I
> know all these must be stupid questions..I am kind of new at this..

That can't happen. /dev/hda is the master drive on the primary IDE channel. /dev/hdb is the slave drive on the primary IDE channel. /dev/hdc is the master and /dev/hdd is the slave on the secondary IDE channel.

> Can anyone please help me? I'll be eternally grateful..
>
> Thanks,
> Ann

One problem you may be having is duplicate partition labels. This was (IMO) a major F-up by someone, Red Hat or other. Labels are bad and I fix them on every install to prevent just such a situation.

If you have partitions labeled "/boot" and "/" on both disks, likely if both are Red Hat, when the kernel reads /etc/fstab and sees it is supposed to mount the partition labeled "/" as the root partition and the one labeled "/boot" as the boot partition, it will find two of each, one of each on /dev/hda and the other on /dev/hdb. Not sure what the kernel will do there. Panic, freeze, try to mount the wrong one, ??

Try booting your "good" drive without the "bad" drive installed, edit /etc/fstab and fix it to something sane, i.e. use partitions instead of labels. If you don't know how, post the contents of /etc/fstab and the output of the command "mount".

Having a known good boot floppy might be a reasonable thing to do first. (Hint: mkbootdisk)

I'll be off to the country to kill diseased vermin for a few days. I might be able to continue by Friday afternoon. Maybe...

And consider trimming the newsgroups list to comp.os.linux.redhat, since security doesn't really apply, at least to what I'm dealing with. Someone else will have to comment on the compromise.

Ann wrote:
> Hi,
>
> I had been running a Redhat 9 Linux server. Today when i ran nmap I
> saw a new entry called Elite using port 31337. I disconnected the
> computer from the network and tried to restart the machine. On
> restarting it went to INIT-2.05b
> prompt. Is there anyway i can restore my server back?:((
>
> I removed this hard disk and tried to make this a secondary hard drive
> on another redhat linux machine(whose hard disk will serve as the
> primary hard disk.) in the hope that i can mount the second hard disk
> and browse the contents and make backups..After i install the
> corrupted hard disk along with the good redhat linux hard disk, and
> restart it, it shows the primary hard disk(the good redhat disk) info
> and then it just hangs. I read some where that the second hard disk
> should be automatically be detected by the redhat machine, but it
> doesn't get there..Does it matter if the hard disks on both the
> machine are named hda? Is there a way to rename one of them to hdb? I
> know all these must be stupid questions..I am kind of new at this..
>
> Can anyone please help me? I'll be eternally grateful..
>
> Thanks,
> Ann

Sounds as if you did not set the jumper correctly on the second HD.

Interesting process, this "elite". I love the fact that it uses port 31337. Get it? Too funny. 31337 is "leet" for "eleet": 3=e, 1=l, and 7=t.

--
Copyright 2004 T. Sean Weintz
This post may be copied freely without the express permission of T. Sean Weintz. T. Sean Weintz could care less. T. Sean Weintz is in no way responsible for the accuracy of any information contained in any usenet postings claiming to be from T. Sean Weintz. Users reading postings from T. Sean Weintz do so at their own risk. T. Sean Weintz will in no way be liable for premature hair loss, divorce, insanity, world hunger, or any other adverse results that may arise from reading any usenet posting attributed to T. Sean Weintz

In comp.security.misc Ann <nsajus@yahoo.com> wrote:
> I removed this hard disk and tried to make this a secondary hard drive
> on another redhat linux machine(whose hard disk will serve as the
> primary hard disk.) in the hope that i can mount the second hard disk
> and browse the contents and make backups..After i install the
> corrupted hard disk along with the good redhat linux hard disk, and
> restart it, it shows the primary hard disk(the good redhat disk) info
> and then it just hangs. I read some where that the second hard disk
> should be automatically be detected by the redhat machine, but it
> doesn't get there..Does it matter if the hard disks on both the
> machine are named hda? Is there a way to rename one of them to hdb? I
> know all these must be stupid questions..I am kind of new at this..

As many people have pointed out, this could be a lot of things, from bad jumper settings to duplicate volume labels (easy way to tell: if the BIOS boot screen shows both drives, but Linux hangs when trying to mount local filesystems, then it's a label problem).

I'm responding though with a different piece of advice: doing this little "hard disk dance" is unnecessary, and leads to a lot of problems (like the one you're having!). I always keep a few bootable full system CDs on hand to rescue a system in such a situation. There are a few designed specifically for security and forensics, but I have lately been using just the standard Knoppix and Mandrake Move CDs. I guarantee these will make your life much, much, MUCH easier in situations like these.

For your current situation, you've already moved the disks around, but you could certainly still get these live CDs and use them to boot to a state where you can edit the /etc/fstab on your new install to use actual partition names (like /dev/hda3 or whatever) instead of labels.

--
That's News To Me! newstome@comcast.net
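The duplicate-label problem raised two posts back (two Red Hat disks both carrying partitions labelled "/" and "/boot") and the fix suggested just above (edit /etc/fstab to name partitions explicitly) can be mechanised. The following is an added shell example, not code from the thread or from Red Hat: the label table stands in for what `e2label /dev/hdXN` would report on each partition and the fstab is a constructed sample, both chosen to reproduce the collision described; the disk prefix passed to `relabel_fstab` is the one you have decided to trust.

```shell
#!/bin/sh
# Added example: find ext2/ext3 labels that occur on more than one partition,
# then rewrite LABEL= entries in an fstab to explicit device names on the
# disk we trust. Both inputs are constructed samples, not real machine data.

# What "e2label /dev/hdXN" would report per partition (constructed): two
# Red Hat installs, both with the installer's default "/" and "/boot" labels.
LABEL_TABLE='/dev/hda1 /boot
/dev/hda2 /
/dev/hdb1 /boot
/dev/hdb2 /'

# A Red Hat style fstab that mounts by label (constructed).
FSTAB_SAMPLE='LABEL=/      /      ext3  defaults  1 1
LABEL=/boot  /boot  ext3  defaults  1 2
none         /proc  proc  defaults  0 0
/dev/hda3    swap   swap  defaults  0 0'

# Print every label carried by more than one partition, with the partitions.
# $1 = label table text. Output lines look like "<label>:<dev> <dev>".
find_duplicate_labels() {
    printf '%s\n' "$1" | awk '
        { n[$2]++; devs[$2] = (devs[$2] == "" ? $1 : devs[$2] " " $1) }
        END { for (l in n) if (n[l] > 1) print l ":" devs[l] }' | LC_ALL=C sort
}

# Rewrite LABEL=<x> in an fstab to the matching device on one chosen disk,
# so the mount can no longer land on the other disk's identically labelled
# partition. Unresolvable labels are reported on stderr and left untouched.
# $1 = fstab text, $2 = label table text, $3 = disk prefix to trust (/dev/hda)
relabel_fstab() {
    printf '%s\n' "$1" | awk -v disk="$3" -v tbl="$2" '
        BEGIN {
            n = split(tbl, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")
                if (index(f[1], disk) == 1) map[f[2]] = f[1]   # trusted disk only
            }
        }
        $1 ~ /^LABEL=/ {
            label = substr($1, 7)                # drop the "LABEL=" prefix
            if (label in map) $1 = map[label]
            else print "# unresolved " $1 > "/dev/stderr"
        }
        { print }'
}

# Stand-alone run: show the collisions, then the fstab pinned to /dev/hda.
if [ "${1:-}" = "--demo" ]; then
    echo "Duplicate labels:"; find_duplicate_labels "$LABEL_TABLE"
    echo; echo "fstab pinned to /dev/hda:"
    relabel_fstab "$FSTAB_SAMPLE" "$LABEL_TABLE" /dev/hda
fi
```

On a real box you would build the label table from `e2label` on each partition while booted from known-good media, and `relabel_fstab` should only ever be pointed at the fstab of the clean install; the compromised disk is mounted by explicit device name, read-only, and its own fstab is never consulted.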

On 25 May 2004 17:55:04 -0700, nsajus@yahoo.com (Ann) wrote:
>Hi,
>
>I had been running a Redhat 9 Linux server. Today when i ran nmap I
>saw a new entry called Elite using port 31337. I disconnected the
>computer from the network and tried to restart the machine. On
>restarting it went to INIT-2.05b
>prompt. Is there anyway i can restore my server back?:((
>
>I removed this hard disk and tried to make this a secondary hard drive
>on another redhat linux machine(whose hard disk will serve as the
>primary hard disk.) in the hope that i can mount the second hard disk
>and browse the contents and make backups..After i install the
>corrupted hard disk along with the good redhat linux hard disk, and
>restart it, it shows the primary hard disk(the good redhat disk) info
>and then it just hangs. I read some where that the second hard disk
>should be automatically be detected by the redhat machine, but it
>doesn't get there..Does it matter if the hard disks on both the
>machine are named hda? Is there a way to rename one of them to hdb? I
>know all these must be stupid questions..I am kind of new at this..
>
>Can anyone please help me? I'll be eternally grateful..
>
>Thanks,
>Ann

So it just booted to single user mode then? You might have been able to just do 'init 3' or 'init 5'. If the system has been compromised, you just want to get the data files off and rebuild the install. No telling how many backdoors were installed.

As for the disk problem, you probably need to set the disk to be a slave. In theory, duplicate labels should not be an issue as it should mount the first matching label found, which should be on the first disk. Despite theory, I have had it not work correctly.

For forensics purposes, I would start by making an image of the drive. If the hacker was any good, most of the evidence is gone or hard to find (e.g. files deleted, but possibly recoverable).

-Chris
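Chris's advice to image the drive before doing anything else is the step that preserves whatever evidence is left, and an image is only worth keeping if you can show it matches the source. The following is an added shell example, not code from the thread: the "disk" is a constructed 64 KiB file so the whole thing runs offline, and the `make_sample_disk` helper exists only to build it; on a real machine the source argument would be the raw device of the suspect disk (for example /dev/hdb once it is jumpered as a slave), never a mounted partition.

```shell
#!/bin/sh
# Added example: take a raw image of a suspect drive, record its hash, and
# verify the image against the source before anyone browses it.

# Constructed stand-in for the compromised disk: 64 KiB of zeros with a
# short marker string at the front. Not a real filesystem.
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=1024 count=64 2>/dev/null
    printf 'constructed sample data - not a real filesystem\n' \
        | dd of="$1" conv=notrunc 2>/dev/null
}

# Raw sector copy. conv=noerror keeps going past unreadable blocks and
# conv=sync pads them with zeros so offsets in the image still match the
# source. bs=512 divides any real disk size, so no padding is added at the end.
# $1 = source device or file, $2 = image file to write
image_disk() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Hash both sides, store the source hash beside the image for the record,
# print "match" or "mismatch" and return 0 or 1 accordingly.
verify_image() {
    src_sum="$(sha256sum "$1" | awk '{print $1}')"
    img_sum="$(sha256sum "$2" | awk '{print $1}')"
    printf '%s  %s\n' "$src_sum" "$2" > "$2.sha256"
    if [ "$src_sum" = "$img_sum" ]; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# Stand-alone run: build the sample disk, image it, verify, clean up.
if [ "${1:-}" = "--demo" ]; then
    disk="$(mktemp)"; img="$(mktemp)"
    make_sample_disk "$disk"
    image_disk "$disk" "$img"
    verify_image "$disk" "$img"
    rm -f "$disk" "$img" "$img.sha256"
fi
```

Work from the image from then on: `mount -o ro,loop,noexec,nodev,nosuid image.dd /mnt/evidence` lets you copy data off and look around without executing anything from the compromised filesystem, and the stored hash lets you prove later that the image was not altered. If the `dd` run reports read errors, note them; a hash mismatch after `conv=noerror,sync` means the source changed between passes or the copy was interrupted.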

"Ann" <nsajus@yahoo.com> wrote in message
news:cca0635f.0405251655.6135ee66@posting.google.com...
> Hi,
>
> I had been running a Redhat 9 Linux server. Today when i ran nmap I
> saw a new entry called Elite using port 31337. I disconnected the
> computer from the network and tried to restart the machine. On
> restarting it went to INIT-2.05b
> prompt. Is there anyway i can restore my server back?:((
>
> I removed this hard disk and tried to make this a secondary hard drive
> on another redhat linux machine(whose hard disk will serve as the
> primary hard disk.) in the hope that i can mount the second hard disk
> and browse the contents and make backups..After i install the
> corrupted hard disk along with the good redhat linux hard disk, and
> restart it, it shows the primary hard disk(the good redhat disk) info
> and then it just hangs. I read some where that the second hard disk
> should be automatically be detected by the redhat machine, but it
> doesn't get there..Does it matter if the hard disks on both the
> machine are named hda? Is there a way to rename one of them to hdb? I
> know all these must be stupid questions..I am kind of new at this..
>
> Can anyone please help me? I'll be eternally grateful..

What made you think it was a trojan? It could have been anything! What made you run nmap?

There would have been other messages as to why the system did not come back multi user; check your messages file.

JP

--
There are 10 types of people in this world
Those that understand binary and those that don't
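JP's question ("what made you think it was a trojan?") deserves a concrete answer, because the "Elite" in Ann's scan is not the name of a process: nmap prints whatever its nmap-services table associates with the port number, and 31337 is listed there as "Elite" no matter what is actually bound to it. What does carry weight is a port that is open and was not open before. The following is an added shell example, not code from the thread or from nmap: the scan text is a constructed sample in nmap's normal-output column layout, and the baseline of expected ports is likewise constructed; it reports every open port that is not on the baseline.

```shell
#!/bin/sh
# Added example: diff an nmap port listing against the ports a host is meant
# to expose. Service names in the third column are nmap's table lookups for
# the port number and say nothing about the process actually listening.

# Constructed sample in nmap's normal-output layout (header plus port rows).
SCAN_SAMPLE='PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  sunrpc
31337/tcp open  Elite'

# Constructed baseline: what this server is supposed to listen on.
EXPECTED_PORTS='22/tcp 80/tcp'

# Print "<port> <nmap name>" for every open port not in the baseline.
# $1 = scan text, $2 = space-separated list of allowed ports
unexpected_ports() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # only real port rows: "<number>/<proto>" in column 1, "open" in column 2
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && !($1 in ok) { print $1, $3 }'
}

# Count of findings, so a caller can branch on "anything unexpected at all?"
unexpected_count() {
    unexpected_ports "$1" "$2" | grep -c . || true
}

if [ "${1:-}" = "--demo" ]; then
    echo "Open ports outside the baseline:"
    unexpected_ports "$SCAN_SAMPLE" "$EXPECTED_PORTS"
    echo "count: $(unexpected_count "$SCAN_SAMPLE" "$EXPECTED_PORTS")"
fi
```

The baseline is the part that matters: keep a scan of each host from a known-good state and compare against it, rather than reacting to a service name. To learn what is behind an unexpected port you would look on the host itself (`netstat -tlnp` or `lsof -i` on a Red Hat 9 box), with the caveat the rest of this thread raises: on a rooted machine those very binaries may have been replaced to hide the listener, which is why the view from an outside scan and the view from inside should agree, and why they are worth comparing.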

Unfortunately I think you may have been rooted (hacker installed a rootkit).

You can re-install your linux to fix the problem, but then the rootkit will still be there. I would suggest you reformat your machine. It's the only sure way of removing a good rootkit (especially those which replace kernel modules). Sorry dude, if it is a rootkit, only a format is the absolute way of cleaning the machine 100%.

Andrew

"JP" <ft00mch@h.o.t.m.a.i.l.c.o.m> wrote in message news:c9i50o$cso$1@phys-news-1.nl.colt.net...
> "Ann" <nsajus@yahoo.com> wrote in message
> news:cca0635f.0405251655.6135ee66@posting.google.com...
> > Hi,
> >
> > I had been running a Redhat 9 Linux server. Today when i ran nmap I
> > saw a new entry called Elite using port 31337. I disconnected the
> > computer from the network and tried to restart the machine. On
> > restarting it went to INIT-2.05b
> > prompt. Is there anyway i can restore my server back?:((
> >
> > I removed this hard disk and tried to make this a secondary hard drive
> > on another redhat linux machine(whose hard disk will serve as the
> > primary hard disk.) in the hope that i can mount the second hard disk
> > and browse the contents and make backups..After i install the
> > corrupted hard disk along with the good redhat linux hard disk, and
> > restart it, it shows the primary hard disk(the good redhat disk) info
> > and then it just hangs. I read some where that the second hard disk
> > should be automatically be detected by the redhat machine, but it
> > doesn't get there..Does it matter if the hard disks on both the
> > machine are named hda? Is there a way to rename one of them to hdb? I
> > know all these must be stupid questions..I am kind of new at this..
> >
> > Can anyone please help me? I'll be eternally grateful..
>
> What made you think it was a trojan? It couldhave been anything! What made
> you run nmap?
>
> There would have been other messages as to why the system did not come back
> multi user, check you messages file.
>
> JP
>
> --
> There are 10 types of people in this world
> Those that understand binary and those that don't
>

No Chris, I couldn't boot into the init 3 or init 5 mode with the infected hard disk. I had to make the infected disk a secondary hard disk on another Redhat machine to retrieve the data.

-Ann

chris@nospam.com wrote in message
> On 25 May 2004 17:55:04 -0700, nsajus@yahoo.com (Ann) wrote:
> So it just booted to single user mode then? You might have been able
> to just do 'init 3' or 'init 5'. If the system has been compromised,
> you just want to get the data files off and rebuild the install. No
> telling how many backdoors were installed.
>
> -Chris