This would make an excellent presentation.

--
Garrett Goebel
IS Development Specialist
ScriptPro                      Direct: 913.403.5261
5828 Reeds Road                Main:   913.384.1008
Mission, KS 66202              Fax:    913.384.2180
www.scriptpro.com              garrett at scriptpro dot com

> -----Original Message-----
> From: owner-kclug@kclug.org [mailto:owner-kclug@kclug.org] On Behalf Of
> Brian Densmore
> Sent: Monday, February 16, 2004 12:18 PM
> To: Kclug
> Subject: RE: I think my server has been hacked [x-adr]
>
>
> (this is a repost as the original never seems to have made it
> through.)
>
> Well, in the initial analysis I was rooted about 3am on the
> 8th. The cracker installed at the least the shv5 rootkit.
> He may have manipulated some/all of the log files. He definitely
> trashed the login log file, but he missed some of my security
> procedures. Initially it looks as though it was a remote
> ssl exploit. I have an event in my apache log indicating how
> he did it. But it may be he just deleted the tail of the log.
> He didn't even bother changing the timestamps on the rootkit
> trojans he installed. It's a rather strange cracker; he wasn't
> very thorough and did some odd things. Anyway, I digress.
> I know what the initial rootkit was and when he did it and where he
> got it from. I don't yet know where he came from and am not
> sure I can trust the logs to tell me that. I am interested in seeing
> what he did with the system once he got in. He did put
> the NIC in promiscuous mode and created virtual IPs for the
> entire network the server was sitting on. So it looks like he
> was just using it for sniffing. (Since the box really didn't have
> enough space to be useful for much other than a tiny
> mailserver/webserver.)
>
> So, I'm interested in hearing what you all think I should/can do
> to try and track this person, and where on my disks to look. I didn't
> notice anything in the home directories of note, unless he's
> found a way of hiding the files from ls -al. I was thinking about running a
> rootkit searching program on the disks to see if there is
> more than one.
> I haven't yet gotten to the point of reading all the configs
> in /etc yet.
> He definitely: altered the rc scripts, modified the ssh functionality,
> replaced several programs, installed some nefarious libraries
> and scripts, restarted inetd with a rooted version, restarted the
> webserver. I'm sure there's more to discover. This server didn't have
> anything of import on it, other than my personal long-neglected
> website, and frequently used mail server.
> Both of which are off-line until I can finish building my new
> debian based more secure box. I knew eventually this box would be
> rooted. He's been trying very hard since December. At least I
> believe it is the same person, although there have been
> extensive attempts for some time. Not sure why it was so
> popular. It was a Mandrake Bastille hardened system that sadly
> was not properly maintained by me. But I have learned some
> since I built this machine 4 years ago. The new box will be
> more secure and built by hand rather than from a package.
>
> (sorry about the length)
>
> Thanks,
> Brian
>
> Brian
>
> "Three OS's from corporate-kings in their towers of glass,
> Seven from valley-lords where orchards used to grow,
> Nine from dotcoms doomed to die,
> one from the dark lord Gates on his dark throne
> In the Land of Redmond where the Shadows lie.
> one OS to rule them all, one OS to find them,
> one OS to bring them all and in the darkness bind them,
> In the Land of Redmond where the Shadows lie." john thrum
>
>
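Two of the indicators Brian lists (a NIC left in promiscuous mode, and system binaries replaced by the rootkit) can be checked against the package database on an RPM-based system like Mandrake. The script below is an added example, not from this thread; it parses `ip link` and `rpm -Va` style output, fed here from constructed sample text so it runs offline. On a rooted box the `ip`, `rpm` and `ls` binaries themselves may be trojaned, so the real run belongs on the disks mounted under a known-clean system, which is the approach Brian describes.

```shell
#!/bin/sh
# Triage helper (example, not part of the thread). Flags interfaces in
# PROMISC mode and package-owned binaries whose MD5 no longer matches the
# RPM database, i.e. candidates for replaced programs.

# Constructed "ip link show" output (assumption: eth0 was put in PROMISC).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast'

# Constructed "rpm -Va" output. First field is the verify flag string
# (S size, M mode, 5 md5, D device, L link, U user, G group, T mtime;
# "." = unchanged), or the word "missing"; an optional "c" marks config
# files; the last field is the path.
SAMPLE_RPM_VA='S.5....T    /bin/ls
S.5....T    /bin/ps
missing     /sbin/ifconfig
.......T  c /etc/inetd.conf
S.5....T    /usr/sbin/sshd
.M......    /var/log/wtmp'

# Print the name of every interface whose flag list contains PROMISC.
promisc_ifaces() {
    printf '%s\n' "$1" | awk '/PROMISC/ { sub(":", "", $2); print $2 }'
}

# Print package-owned files under the system binary/library trees whose
# MD5 differs from the package (or that are missing), skipping config files,
# which legitimately change.
replaced_binaries() {
    printf '%s\n' "$1" | awk '
        ($1 ~ /5/ || $1 == "missing") && $2 != "c" &&
        $NF ~ /^\/(bin|sbin|lib|usr\/(bin|sbin|lib))\// { print $NF }'
}

# Stand-alone run over the constructed samples. Against a live system you
# would substitute "$(ip link show)" and "$(rpm -Va)" captured from a
# clean environment.
echo "Interfaces in promiscuous mode:"
promisc_ifaces "$SAMPLE_IP_LINK"
echo "Package-owned binaries modified or missing:"
replaced_binaries "$SAMPLE_RPM_VA"
```

Anything this lists is a lead, not proof: a modified MD5 on /bin/ls or /bin/ps is consistent with a trojaned binary, and the true copy for comparison comes from the original package, not from the compromised disk.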