Re: Hacks



Tim wrote:
Simon Dean wrote:

Hi,

Are people going round doing any brute force attacks?

All the time - mostly for dumb user/password combinations. Also
probes for known exploits on ssh and many other services are nearly
continuous IME.

Yeah, same here, but I've never been compromised before now. And twice on two different machines within two months... Bit ominous for my liking.


Maybe it was because I had port 22 open (yeah yeah), but looks like
someone has brute force attacked my server, FC6.

A well set up and maintained sshd is one of the safest things to have
open. However, weak username/password combinations and unpatched
sshds do occasionally lead to break-ins.

I've been having a look around at the SSHD settings... some fairly useful stuff.


httpd is unresponsive and doesn't start as a system service, and
bash looks compromised in that it freezes.

Also the starting of the login screen results in errors something
about the jpeg not being recognised, and I remember a number as
0x37.

This is reminiscent of another attack a friend of mine had a couple of
months back where many of the files in /bin were compromised
(altered).

You do not say what distro.

Sure I do... FC6 - Fedora Core 6.

Incidentally, by my heap of garbage above, I mean I ssh to the box, but it won't log in, leading me to believe bash is compromised.

From the local machine, a boot shows things like httpd not starting, and the Fedora Core login screen won't load with problems with jpegs...

If it is RPM based, then I would boot off a
rescue CD (same distro), attempt to mount the disk filesystems (/,
/usr, /etc and /var at least) read-only. Then a useful check is to
run a fresh copy of the rpm binary (off the CD) and do:

rpm -qaV

Now this is a little non-trivial as you have to redirect it to use
the package database on the disk's /var - not the /var off the CD -
you'll need to read the man page for "rpm". But that command will
verify the checksums of every file on the system that was installed
from an RPM.

Sounds good. Apart from installing Bugzilla and a couple of other web-based apps, I haven't made any other major changes to the system (though I have the nagging feeling I installed updated kernels for some reason...).

I'll look into that.

Ten years running my own Linux servers and never had a hack like this...


If that is too difficult, then try booting the system with the
following as a kernel parameter:

init=/bin/bash

If that fails, try init=/bin/sash or indeed any other shell you know
you have. The system will boot directly to that shell.

I can run a rescue off the installer CD and have a look, but I'm confident that bash won't work.


Be suspicious of your web server document tree - if you have any
active scripts (PHP etc) this is a favourite way to break in.

Most of what I'm running at the moment is phpGedView (Family History) and Bugzilla.

As far as I know they're secure; I haven't seen any major security flaws being reported.

I'll try and do a rescue, see what's changed, copy everything off and try and restore (if I can just remember why I upgraded the kernel).



PS - I would keep an open mind on the bit about being cracked - you
may simply have a technical problem locally.

Such as a faulty disk? Possible.

Thanks for your advice though. Much appreciated.

I'll get this going tonight and let you know how I get on.

Cheers
Simon
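Tim's rescue-CD verification procedure, worked through as an added example (this is mine, not code from the thread, from Tim or from Fedora). The device names, the /mnt/sysimage mount point and the Fedora/RPMS directory on the install CD are assumptions; so is the sample rpm -V output, which is constructed to exercise the filter. The filter is the part a practitioner adds to Tim's `rpm -V` step: it separates the expected "config file was edited" noise from binaries and libraries whose contents changed, which is exactly what altered files in /bin would look like.

```sh
#!/bin/sh
# Added example, not from the thread: verifying an RPM-based system from a
# rescue CD, the way Tim describes.  The CD's own rpm binary is used, but the
# package database and the files under inspection are the ones on the suspect
# disk.  Device and mount point names below are assumptions for illustration.

MNT=${MNT:-/mnt/sysimage}   # where the suspect root filesystem is mounted (assumed)

# Mount a suspect filesystem read-only so nothing on it is altered, and with
# noexec,nosuid so nothing on it can be run by accident.  Call once per
# partition: / first, then /usr, /var, ... at their places under $MNT.
mount_suspect() {
    dev=$1          # e.g. /dev/VolGroup00/LogVol00 or /dev/sda2 (assumed)
    target=$2       # e.g. "$MNT" or "$MNT/var"
    mkdir -p "$target"
    mount -o ro,noexec,nosuid "$dev" "$target"
}

# Verify every installed package.  --root makes rpm take its database from
# $MNT/var/lib/rpm and check the files under $MNT, not the rescue system's own.
# Refuse to proceed if the rpm found in PATH lives on the suspect disk: a
# trojaned rpm would happily report everything as clean.
verify_suspect_disk() {
    case "$(command -v rpm)" in
        "$MNT"/*) echo "refusing: rpm binary comes from the suspect disk" >&2; return 1 ;;
    esac
    rpm --root "$MNT" -Va
}

# Filter rpm -V output down to what matters for a suspected rootkit.  The
# first field is the attribute string (S size, M mode, 5 digest, D device,
# L symlink, U user, G group, T mtime; "." means unchanged), an optional
# second field is the file type (c = config), then the path.  Config files
# with changed digests are normal; binaries or libraries with a changed
# digest, and files that are missing altogether, are not.
suspicious_changes() {
    awk '
        $1 == "missing"         { print; next }   # file gone: always report
        index($1, "5") == 0     { next }          # contents unchanged: ignore
        NF >= 3 && $2 == "c"    { next }          # edited config file: expected
                                { print }         # changed non-config content
    '
}

# Stronger check for anything the first pass flags: compare against the
# original package on the install media instead of the on-disk database,
# which an intruder with root could have edited.  Path is the FC6 CD layout
# (assumed).
verify_against_media() {
    pkgfile=$1      # e.g. /media/cdrom/Fedora/RPMS/bash-*.rpm (assumed)
    rpm --root "$MNT" -Vp "$pkgfile"
}

# Constructed sample of rpm -V output (not real results from the poster's
# box), so the filter can be exercised without a suspect disk present.
SAMPLE_VERIFY_OUTPUT='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/bash
.M.......    /usr/bin/passwd
missing     /usr/sbin/httpd
.......T.    /usr/lib/libz.so.1.2.3'

# Runs the filter over the sample; only /bin/bash and the missing httpd
# binary should come out.
demo_filter() {
    printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | suspicious_changes
}
```

Two caveats before trusting the result. First, Fedora Core 6 prelinks binaries by default, and a verifying rpm that cannot undo the prelinking can show a digest mismatch ("5") on perfectly good files, so a flagged file should be compared against the copy in the original package (the `-Vp` step) before it is called trojaned. Second, if the CD's rpm refuses to open the database on a read-only mount, take an image of the disk first and only then remount read-write. On the `init=/bin/bash` suggestion: when bash itself is the suspect, a shell from the rescue media (sash, or a static busybox) is the one to boot into, not anything under the disk's /bin.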