This is a discussion on "My Redhat 9.0 was just hacked to death - help" within the Linux Security forums, part of the System Security and Security Related category.
Greetings,
Seena wrote:

Greetings,

My new Redhat 9.0 box running Server stuff was hacked last night. I want to share with you the state of the system as I found it this morning, and hope that you can give me some ideas as to how it may have happened.

The system was not protected by a firewall; well, it should have been, but that was my shortcoming.

Until 10pm last night it was not compromised, as I signed out of it. This morning it did not take SSH connections. I had to go physically to the system to check it out.

In the console it was running GRUB. It would not boot, as no kernel was found to load.

I managed to get to the hard drive using the rescue disk. All partitions on the hard drive are gone; some new ones seem to have been created. In the /var directory only the states directory exists and the rest are gone.

Strangely enough, the box was still responding to PING. Now what did they do, how and who are the questions. I cannot find any log files except for some useless ones which belong to applications.

Any ideas please?

Thanks
Seena wrote:
> Greetings,
>
> My new Redhat 9.0 box running Server stuff was hacked last night. I
> want to share with you that state of the system as I found it this
> morning, and hope that you can give me some ideas as to how it may
> have happened.

Maybe because you're running an older distribution, or one that's not secure enough. Or maybe you aren't doing your job.

Maybe you should get a more recent or secure distribution. Or maybe not....

--
Q: How do you know when you're in the <ethnic> section of Vermont?
A: The maple sap buckets are hanging on utility poles.
In comp.os.linux.security Seena <seena@earthlink.net> suggested:
> Greetings,
> My new Redhat 9.0 box running Server stuff was hacked last night. I

RH 9.0 is already outdated.

> want to share with you that state of the system as I found it this
> morning, and hope that you can give me some ideas as to how it may
> have happened.
[..]
> Any ideas please?

Hire someone experienced to set up a recent distro for you, with a firewall.

--
Michael Heiming - RHCE (GPG-Key ID: 0xEDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
Seena wrote:
> Greetings,
>
> My new Redhat 9.0 box running Server stuff was hacked last night. I
> want to share with you that state of the system as I found it this
> morning, and hope that you can give me some ideas as to how it may
> have happened.
>
> The system was not protected by a firewall, well it should have been
> but that was my short coming.
>
> Until 10pm last night was not compromised as I signed out of it. This
> morning it did not take SSH connections. I had to go physically to the
> system to check it out.
>
> In the console it was running GRUB. It would not boot as no kernel was
> found to load.
>
> I managed to get to the hard drive using the rescue disk. All
> partitions on the hard drive are gone, some new ones seams to have
> been created. In the /var directory only states directory exists and
> the rest are gone.
>
> Strange enough, the box was still responding to PING. Now what did
> they do, how and who are the questions. I can not find any log files
> except for some useless ones which belong to applications.
>
> Any ideas please?
>
> Thanks

I would guess that someone has got into your system through a badly configured/non-existent firewall and managed to get your root password and reconfigured your system.

Perhaps it is a trojan? I can only guess, since finding out exactly what has happened is very hard without seeing it.

You say that all your partitions were gone, and some new ones were created? What partitions were created, and the date of their creation, would be of some help.

Micke
micke <(no)micke(spam)@(remove)gullarp.(this_to).com> writes:
> I would guess that someone have got in to your system though a badly
> configured/non existing firewall and managed to get your root password
> and reconfigured your system.

Kids, that's what worries me.

If things like partitions and kernels have been messed around with so much, then we have one of two things:

a) simple innocent hardware failure: disk corruption or a broken hardware RAID controller; either could have this kind of detrimental effect on data integrity (at the partition-table layer or higher up).

b) an ugly malicious sonuvabitch cracker who's out to cause you paaaiiin and for whatever reason doesn't care that her damage is blatantly obvious to you.

In the absence of both a statement describing how the box was initially set up, what services were running and packages were installed, with what protective measures, AND some forensic analysis of the state of the hardware and HD in particular and then of the HD's contents in some detail, including but not limited to running _chkrootkit_ on the blighter, we don't know which, or even if not both.

HTH,
~Tim
--
Morning dawning / |piglet@stirfried.vegetable.org.uk
With life abounding |http://spodzone.org.uk/
Stephan Goeldi wrote:

> RH 9.0 is already outdated.

Oh, so you are going to set up a new distribution on production servers every 6 months or so, because a new Red Hat version arrives?

Come on. I even have Red Hat 7.3 and 8.0 servers, and they are definitely NOT outdated if you update the software.
In comp.os.linux.security Stephan Goeldi <expires.1.9.04@usable.ch> suggested:
>> RH 9.0 is already outdated.

> Oh so you are going to set up a new distribution on productive servers all
> 6 months or so, because a new red hat version arrives?

You did read the OP? "My new Redhat 9.0" sounds as if he just installed an outdated distro, which I wouldn't suggest. I'd recommend some enterprise version or some clone on a production server, with a usual lifetime of 5 years.

> Come on. I even have Red Hat 7.3 and 8.0 servers, and they are definitely
> NOT outdated if you update the software.

There are no more official patches from RH for those versions since 31.12.2003; RH 9 support ended April? 2004. So unless you did somehow manage to get or make your own new patches, they are definitely outdated and you need to plan on upgrading.

--
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
micke <(no)micke(spam)@(remove)gullarp.(this_to).com> writes:
> Seena wrote:
> > Greetings,
> >
> > My new Redhat 9.0 box running Server stuff was hacked last night. I
> > want to share with you that state of the system as I found it this
> > morning, and hope that you can give me some ideas as to how it may
> > have happened.
> >
> > The system was not protected by a firewall, well it should have been
> > but that was my short coming.
> >
> > Until 10pm last night was not compromised as I signed out of it. This
> > morning it did not take SSH connections. I had to go physically to the
> > system to check it out.
> >
> > In the console it was running GRUB. It would not boot as no kernel was
> > found to load.
> >
> > I managed to get to the hard drive using the rescue disk. All
> > partitions on the hard drive are gone, some new ones seams to have
> > been created. In the /var directory only states directory exists and
> > the rest are gone.
> >
> > Strange enough, the box was still responding to PING. Now what did
> > they do, how and who are the questions. I can not find any log files
> > except for some useless ones which belong to applications.
> >
> > Any ideas please?
> >
> > Thanks
>
> I would guess that someone have got in to your system though a badly
> configured/non existing firewall and managed to get your root password and
> reconfigured your system.
> Perhaps it is a trojan? I can only guess since finding out exactly what has
> happend is very hard without seeing it.
> You say that all your partitions where gone? and some new ones was created.
> What partitions was created and the date of the creation would be of some
> help.

If you have the exact old partition information, you might want to try recreating those partitions on the disk, without formatting. You might find that the old stuff is still there.

Anyway, repartitioning would be possible. Putting new information into those partitions I do not think would be possible, since the repartitioning would have destroyed the system needed to put stuff there. A computer without any programs finds it hard to respond off the net.

It may well be that this is an inside job: someone who had access to the console, rather than a hacking job. Firewalls may well have had absolutely nothing to do with this. A firewall is not much better than doing a proper job of making sure only the daemons you need to run are actually running. Keeping up with security updates is probably far more important than a firewall.
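An added example, not posted by anyone in this thread, of the "recreate the partitions without formatting" idea above. When only the partition table (sector 0) has been overwritten, the filesystems behind it are usually intact, and each ext2/ext3 filesystem still carries its superblock 1024 bytes past the partition start. The script below builds a constructed disk image with an MBR and two ext-style superblocks, zeroes the MBR to simulate the damage, then carves the old partition boundaries back out by scanning for the ext magic and turns them into an sfdisk(8) script. The layout, block counts and the minimal superblock fields are constructed for the example; a real superblock has many more fields, and on a real disk you would run this against a read-only image (`dd`) of the drive, never the live device.

```python
import struct

SECTOR = 512
EXT_MAGIC = 0xEF53          # s_magic shared by ext2/ext3/ext4
SB_OFFSET = 1024            # the superblock starts 1024 bytes into the partition
MBR_ENTRY_OFF = 446
MBR_SIG_OFF = 510
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(partitions):
    """Build a 512-byte MBR from (type, start_lba, n_sectors) tuples (at most four)."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, size) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, mbr, MBR_ENTRY_OFF + 16 * i,
                         0x80 if i == 0 else 0x00, b"\xfe\xff\xff", ptype,
                         b"\xfe\xff\xff", start, size)
    struct.pack_into("<H", mbr, MBR_SIG_OFF, 0xAA55)   # stored as bytes 55 AA
    return bytes(mbr)


def parse_mbr(image):
    """Return the (type, start_lba, n_sectors) entries of a valid MBR, else []."""
    if struct.unpack_from("<H", image, MBR_SIG_OFF)[0] != 0xAA55:
        return []
    parts = []
    for i in range(4):
        _, _, ptype, _, start, size = struct.unpack_from(ENTRY_FMT, image, MBR_ENTRY_OFF + 16 * i)
        if ptype and size:
            parts.append((ptype, start, size))
    return parts


def build_ext_superblock(n_blocks, log_block_size=0):
    """Constructed minimal ext2-style superblock: only the fields the carver reads are set."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 0, n_blocks // 8)     # s_inodes_count (any nonzero value)
    struct.pack_into("<I", sb, 4, n_blocks)          # s_blocks_count
    struct.pack_into("<I", sb, 24, log_block_size)   # s_log_block_size: block = 1024 << n
    struct.pack_into("<H", sb, 56, EXT_MAGIC)        # s_magic
    struct.pack_into("<H", sb, 90, 0)                # s_block_group_nr: 0 marks the primary copy
    return bytes(sb)


def make_image(partitions):
    """Constructed disk image: MBR plus one ext superblock per partition (1 KiB blocks)."""
    total = max(start + size for _, start, size in partitions)
    img = bytearray(total * SECTOR)
    img[:SECTOR] = build_mbr(partitions)
    for _, start, size in partitions:
        off = start * SECTOR + SB_OFFSET
        img[off:off + 1024] = build_ext_superblock(size * SECTOR // 1024)
    return img


def wipe_partition_table(img):
    """Simulate the damage: zero sector 0 and leave the filesystems untouched."""
    img[:SECTOR] = bytes(SECTOR)


def carve_ext_partitions(img):
    """Scan every sector for a primary ext superblock and derive the partition it belongs to."""
    found = []
    n_sectors_total = len(img) // SECTOR
    for sector in range(n_sectors_total):
        off = sector * SECTOR + SB_OFFSET
        if off + 1024 > len(img):
            break
        if struct.unpack_from("<H", img, off + 56)[0] != EXT_MAGIC:
            continue
        inodes, blocks = struct.unpack_from("<II", img, off)
        log_bs = struct.unpack_from("<I", img, off + 24)[0]
        group_nr = struct.unpack_from("<H", img, off + 90)[0]
        # Sanity checks weed out random magic hits and backup superblocks (group_nr != 0)
        if not inodes or not blocks or log_bs > 6 or group_nr != 0:
            continue
        size = blocks * (1024 << log_bs) // SECTOR
        if sector + size > n_sectors_total:
            continue
        found.append((0x83, sector, size))   # 0x83 = Linux; the type is not recoverable from the fs
    return found


def sfdisk_script(parts):
    """Emit sfdisk(8) script lines; try them with `sfdisk --no-act` before writing anything."""
    return "\n".join(f"start={start}, size={size}, type={ptype:x}" for ptype, start, size in parts)


if __name__ == "__main__":
    layout = [(0x83, 2048, 4096), (0x83, 6144, 4096)]   # constructed layout, 2 MiB each
    disk = make_image(layout)
    wipe_partition_table(disk)
    print("MBR after wipe:", parse_mbr(disk))
    print(sfdisk_script(carve_ext_partitions(disk)))
```

The carver only recovers start and size; partition type, boot flag and any swap or non-ext partitions have to come from your own notes. A per-sector scan in Python is slow on a real drive, so in practice you would run it over a saved image, and a hit that does not begin on a sector boundary the old tool would have chosen is a sign of a backup superblock or a stale filesystem from an earlier layout rather than a real partition.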
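An added example, not from any poster here, of the other point in the reply above: checking that only the daemons you mean to run are actually listening. It parses `ss -lntup`-style output (the sample below is constructed, not captured from the poster's box; on a Red Hat 9 system of the period the equivalent was `netstat -tulpn`) and compares each listener against an allowlist of (protocol, port, process) that you maintain yourself. Anything not on the list that is bound to a non-loopback address is flagged high; loopback-only listeners are reported for information.

```python
import re

# Constructed sample of `ss -lntup` output; the processes and ports are illustrative only.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:25       0.0.0.0:*     users:(("sendmail",pid=901,fd=4))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*     users:(("httpd",pid=1100,fd=4))
tcp   LISTEN 0      128    0.0.0.0:6667       0.0.0.0:*     users:(("irc",pid=31337,fd=3))
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*     users:(("rpcbind",pid=640,fd=5))
"""

# The allowlist is an assumption for the example: what this box is supposed to serve.
EXPECTED = {("tcp", 22, "sshd"), ("tcp", 80, "httpd")}
LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Turn `ss -lntup` lines into dicts with proto, bind address, port, process and pid."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # rpartition copes with IPv6 like [::]:22
        m = PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        rows.append({"proto": proto, "addr": addr, "port": int(port), "proc": proc, "pid": pid})
    return rows


def audit(rows, expected=EXPECTED):
    """Return (severity, message) for every listener that is not on the allowlist."""
    findings = []
    for r in rows:
        if (r["proto"], r["port"], r["proc"]) in expected:
            continue
        # Loopback-only listeners are reachable locally but not from the network
        sev = "info" if r["addr"].startswith(LOOPBACK_PREFIXES) else "high"
        findings.append((sev, f"{r['proto']}/{r['port']} {r['proc']}[{r['pid']}] bound to {r['addr']}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(parse_ss(SAMPLE_SS)):
        print(f"{sev:5s} {msg}")
```

Run it from cron against the real `ss` output and diff the findings against the previous run; a new high-severity line is the thing to look at before the box stops answering SSH. The process name comes from the kernel and can be set by the process itself, so a familiar name on an unfamiliar port is still worth a look at the binary behind the pid.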
Stephan Goeldi <expires.1.9.04@usable.ch> writes:
> > RH 9.0 is already outdated.
> Oh so you are going to set up a new distribution on productive servers all
> 6 months or so, because a new red hat version arrives?
> Come on. I even have Red Hat 7.3 and 8.0 servers, and they are definitely
> NOT outdated if you update the software.

Yes, they are. Redhat no longer issues security updates for them, and the probability of your finding and closing all security holes in them yourself is zero.

Yes, the need for constant version updates is one of the real problems with Linux, which makes it dubious for real professional use. A one-year update policy is simply not sufficient, especially since updating rather than installing a new version is so fraught with potential for disaster.
Michael Heiming <michael+USENET@www.heiming.de> writes:
> In comp.os.linux.security Stephan Goeldi <expires.1.9.04@usable.ch> suggested:
> >> RH 9.0 is already outdated.
> > Oh so you are going to set up a new distribution on productive servers all
> > 6 months or so, because a new red hat version arrives?
> You did read the OP? "My new Redhat 9.0", sounds as if he just
> installed an outdated distro, which I wouldn't suggest.

For most people a year old is "new".