
Re: My system was hacked...how?

Newsgroups comp.os.linux.security
From unruh <unruh@wormhole.physics.ubc.ca>
Subject Re: My system was hacked...how?
References <e857ee2a-5fe8-4d15-a576-fdebb4c48e6b@k9g2000yqf.googlegroups.com>
Message-ID <slrnj3m2od.qb5.unruh@wormhole.physics.ubc.ca> (permalink)
Date 2011-08-04 21:11 +0000



On 2011-08-04, Andres <vandresv@gmail.com> wrote:
> Hello,
> One of my linux servers was hacked recently. I closed all connections
> to the offending IP (japan) and now I am looking at what happened.

That is far from enough. If it has been hacked you have to assume he
can get into your system from anywhere in the world. Your closing off
that one IP will not stop him for even a millisecond. (In fact that IP
was probably a machine he had hacked into before and he is entirely
elsewhere.)

Remove the machine from the net entirely. Wipe it and reinstall. Then,
after restoring the backup and before connecting it to the net, do a
search for suid/sgid files, especially root files. And search
everywhere, even (and especially) in /tmp, /dev, /proc, /sys, ....

find / -perm /6000 
and check each and every one of those files to make sure it should be
suid or sgid.
I had a root hack, and there were suid files like /tmp/banana,
/dev/.sda1, /home/unruh/..newsrc
which were clearly files to be used for breaking in.



>
> I  found the following files on /dev/shm/tmp:
> binary executables: do, ss
> scripts:
>
> I ldd do and it is linked using libc.so.6 and ld-linux.so.6. ss is
> not a dynamic executable (does that mean that it is statically linked?)
>
> Also a bunch of ascii files. Each one of those files containing a list
> of Ip addresses...a lot of them.
>
> go script:
> ./ss 5901 -a $1 -i eth1 -s 8
> cat bios.txt | sort | uniq > $1.vnc
> ./do $1.vnc
> rm -rf bios.txt
> sh x
>
> do script:
>
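The suid/sgid audit unruh describes above, as an added shell example that is not part of the original post. It runs the same find / -perm /6000 search (the /6000 form is GNU find syntax) over a root directory you pass in, so it can be pointed at a restored copy as well as the live system, and reports first the hits a practitioner would check before anything else: files under the locations the post names (/tmp, /dev, /home) plus /var/tmp, any hidden file or file inside a hidden directory, and, on the live root only, any file that dpkg or rpm does not attribute to an installed package. The directory list, the helper names and the package-manager check are my assumptions, not anything stated in the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit setuid/setgid files
# below a root directory and flag the ones worth checking first.
# Assumptions: GNU find (-perm /6000); the suspect-directory list and
# the dpkg/rpm ownership check are choices made for this example.

# list_suid ROOT: print every setuid or setgid regular file below ROOT
# (default /), one path per line. -xdev keeps find on one filesystem,
# which skips /proc and network mounts, so /dev, /dev/shm, /tmp and
# /var/tmp (often separate mounts) are searched explicitly as well.
list_suid() {
    root=${1:-/}
    base=${root%/}
    for d in "$root" "$base/dev" "$base/dev/shm" "$base/tmp" "$base/var/tmp"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f -perm /6000 -print 2>/dev/null
    done | sort -u
}

# is_suspicious PATH ROOT: exit 0 if the suid/sgid file at PATH (which
# lies below ROOT) is in a place no legitimate setuid binary lives.
is_suspicious() {
    rel=${1#"${2%/}"}          # path relative to ROOT
    rel="/${rel#/}"            # normalise to a single leading slash
    case "$rel" in
        # World-writable or user-owned locations: no package installs
        # setuid binaries here (the post's /tmp/banana, /dev/.sda1,
        # /home/unruh/..newsrc would all match).
        /tmp/*|/var/tmp/*|/dev/*|/home/*|/root/*) return 0 ;;
        # Hidden file or hidden directory anywhere in the path.
        */.*) return 0 ;;
    esac
    # On the live root, also ask the package manager who owns the file;
    # an unowned setuid root binary in /usr/bin deserves the same look.
    if [ "${2%/}" = "" ]; then
        if command -v dpkg >/dev/null 2>&1; then
            dpkg -S "$rel" >/dev/null 2>&1 || return 0
        elif command -v rpm >/dev/null 2>&1; then
            rpm -qf "$rel" >/dev/null 2>&1 || return 0
        fi
    fi
    return 1
}

# audit_suid ROOT: print one line per suid/sgid file, "SUSPECT <path>"
# or "ok <path>". The "ok" entries still need a human check, as the
# post says; this only orders the work.
audit_suid() {
    root=${1:-/}
    list_suid "$root" | while IFS= read -r f; do
        if is_suspicious "$f" "$root"; then
            printf 'SUSPECT %s\n' "$f"
        else
            printf 'ok      %s\n' "$f"
        fi
    done
}

# Usage on a live system (as root, so every directory is readable):
#   audit_suid /
# Usage on a restored copy mounted read-only at /mnt/restore:
#   audit_suid /mnt/restore
```

Run it once on a known-clean install of the same distribution and keep that output; after a compromise, diffing the two lists shows what was added, and a setuid file that appears only in the compromised copy is the one to hand to forensics before wiping.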
