
Help Public server hacked....


engjohn

Senior Member
Joined
Dec 18, 2000
Location
SoCal
A public server that I now have to fix has been hacked.
login, bash, ps, and a few others have been replaced with newer, larger versions.
SSH is no longer running v2 on port 22; it is running v1 on port 19....

I just need to make this work again for a day or two (share internet access) until I can get there with a new server...

I can login remotely, but I cannot do a lot of things that I need to do to fix the problem...

Help
 

Attachments

  • bash.zip
    193 KB · Views: 111
If you don't have root access you're screwed :(

If you do have root access, change the password immediately.

What the heck is that thing you attached?
 
This is just a guess, but you could copy the known good shell to the server and reboot, passing init=/bin/sash (or whichever shell) to the kernel via your bootloader. This ought to bypass anything that the cracker may have installed. You should also use a known good kernel image.
You do have root access, right?
 
I do have root access, although it will not let me overwrite any of the hacked files. Even after playing around, and getting bash to overwrite the hacked version, as soon as I made it executable, it reverted back to the bad version.

I wish I had direct access to the system, I have to ssh, this makes it a little harder to work with... ( I cannot just put in my cd and go....)

I may just have to wait until I am there in 2 days...
 
Have you tried changing the default shell for root in /etc/passwd? You could change it to an arbitrary (i.e. non-cracked, self-contained, strangely named and strangely located) shell, log out and log back in again.
Have you run chkrootkit to see what you're up against? Once you find out, your google's as good as mine, but that would give you a starting point.

BTW, I pointed out sash because it contains internal versions of a few common tools, meaning that it won't care if ls or cp are infected. Check its man page for what all it has and how to use it. It's not perfect (i.e. an infected kernel can still mess with /proc), but it can provide you with a small set of guaranteed clean tools. I'll stop pimping it now. :rolleyes:
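The advice above (boot a known-good shell, then work out which binaries were swapped) comes down to comparing what is on disk with a trusted reference. Here is an added example of that check, not code from anyone in this thread: it builds a SHA-256 manifest from a clean copy of the critical binaries and then reports anything in the live tree that is modified or missing. The file names, contents and directory layout are constructed for the demo; on a real box the clean copy would come from install media or a known-good sibling machine, and the manifest would be kept off the host.

```shell
#!/bin/sh
# Added example: baseline-and-verify integrity check for system binaries.
# Paths and file contents below are constructed so the script runs offline.
set -u

# make_baseline DIR MANIFEST: record "sha256  ./relative/path" for every
# regular file under DIR (the trusted copy), sorted so output is stable.
make_baseline() {
    dir=$1; manifest=$2
    ( cd "$dir" && find . -type f | sort | while IFS= read -r f; do
        sha256sum "$f"
    done ) > "$manifest"
}

# verify_baseline DIR MANIFEST: print one line per file in the manifest that
# is missing from DIR (the live tree) or whose hash no longer matches.
verify_baseline() {
    dir=$1; manifest=$2
    while read -r want f; do
        if [ ! -f "$dir/$f" ]; then
            printf '%s MISSING\n' "$f"
        else
            have=$(sha256sum "$dir/$f" | cut -d' ' -f1)
            [ "$have" = "$want" ] || printf '%s MODIFIED\n' "$f"
        fi
    done < "$manifest"
}

# demo: a constructed "clean" tree and a constructed "live" tree in which
# ls has been replaced and login has been deleted.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/bin" "$tmp/live/bin"
    printf 'ELF-ps-clean\n'    > "$tmp/clean/bin/ps"
    printf 'ELF-ls-clean\n'    > "$tmp/clean/bin/ls"
    printf 'ELF-login-clean\n' > "$tmp/clean/bin/login"
    printf 'ELF-ps-clean\n'    > "$tmp/live/bin/ps"      # untouched
    printf 'ELF-ls-trojan\n'   > "$tmp/live/bin/ls"      # replaced binary
    make_baseline "$tmp/clean" "$tmp/manifest"
    verify_baseline "$tmp/live" "$tmp/manifest"
    rm -rf "$tmp"
}
```

Run `demo` and it prints `./bin/login MISSING` and `./bin/ls MODIFIED`. The result is only as trustworthy as the sha256sum, find and kernel doing the work, which is exactly why the post above suggests a self-contained shell such as sash or a rescue boot: run the check from tools you brought with you, not from the ones on the suspect disk. Distribution package managers keep vendor checksums for the same purpose (`rpm -V` and `debsums` compare installed files against package metadata), but on a box where the package database itself may have been edited, an off-host manifest is the stronger reference.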
 
Christoph said:
Have you tried changing the default shell for root in /etc/passwd? You could change it to an arbitrary (i.e. non-cracked, self-contained, strangely named and strangely located) shell, log out and log back in again.
Have you run chkrootkit to see what you're up against? Once you find out, your google's as good as mine, but that would give you a starting point.

BTW, I pointed out sash because it contains internal versions of a few common tools, meaning that it won't care if ls or cp are infected. Check its man page for what all it has and how to use it. It's not perfect (i.e. an infected kernel can still mess with /proc), but it can provide you with a small set of guaranteed clean tools. I'll stop pimping it now. :rolleyes:

Thanks for the info on sash, I will remember that for the future.
In the meantime, we took down that server and are getting it replaced
 
engjohn said:


Thanks for the info on sash, I will remember that for the future.
In the meantime, we took down that server and are getting it replaced

Hope you find an efficient way to clear it off and figure out what's been infected.
 
Christoph said:


Hope you find an efficient way to clear it off and figure out what's been infected.

Only fix for a compromised machine is a format and total rebuild, you can never be sure you got everything.
 
I was going to suggest you use chkrootkit, but since you don't have root access it's kind of a bust. It checks for any known root kits that could be installed on your system. But still, in the future running this could help in detecting any problems.

http://www.chkrootkit.org/

-DarkArctic
 
I ran chkrootkit and it came back really bad... It had mentioned three or four different root kits, and a truck load of infected files.
We took that system out of service and replaced it with a NEW system.
There were no traces left from the compromise. They were smart enough to clean up their tracks quite well...

Oh well, the client learned their lesson. They will now let us perform maintenance on their systems to keep them up to date. This will make it harder for this to happen again in the future...
 
Well, I really could not tell... ALL the log files were gone from that time frame, and I could not get a list of running services...

I know that they were running ssh, apache, nocc webmail, and postfix. It might have been from an old version of ssh (they didn't purchase a maintenance agreement, so I could not update their servers)
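The poster could not get a list of running services because ps and friends had been replaced. One thing a replaced ps cannot hide from is the kernel's own socket table, so here is an added example (not from anyone in this thread) that reads a file in /proc/net/tcp layout, lists the TCP ports in LISTEN state, and compares them against the ports the server is supposed to offer. The sample socket table is constructed to match the symptoms described at the top of the thread: something listening on 19, nothing on 22, and smtp and http where expected. The allowlist of ports is an assumption for the demo.

```shell
#!/bin/sh
# Added example: compare kernel-reported listening TCP ports with an allowlist.
# /proc/net/tcp prints addresses as hex "IP:PORT"; column 4 is the socket
# state, and 0A means TCP_LISTEN.

# listening_ports FILE: print every listening TCP port in FILE, one per line.
listening_ports() {
    tail -n +2 "$1" | while read -r _sl laddr _raddr st _rest; do
        [ "$st" = "0A" ] || continue        # skip anything not in LISTEN
        hexport=${laddr##*:}                # part after the colon is the port
        echo $((0x$hexport))                # hex -> decimal
    done | sort -n
}

# unexpected_listeners FILE "p1 p2 ...": listening ports not in the allowlist.
unexpected_listeners() {
    allow=" $2 "
    listening_ports "$1" | while read -r port; do
        case "$allow" in *" $port "*) ;; *) echo "$port" ;; esac
    done
}

# missing_listeners FILE "p1 p2 ...": allowlisted ports nothing is bound to.
missing_listeners() {
    have=" $(listening_ports "$1" | tr '\n' ' ')"
    for port in $2; do
        case "$have" in *" $port "*) ;; *) echo "$port" ;; esac
    done
}

# sample_proc_net_tcp: constructed socket table in /proc/net/tcp format.
# Listeners on 19 (0x0013), 25 (0x0019) and 80 (0x0050), nothing on 22, plus
# one ESTABLISHED connection (state 01) that the checks must ignore.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0013 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0200000A:0013 0500000A:C3F1 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 20 4 30 10 -1
EOF
}
```

With the constructed table and an allowlist of `22 25 80 443`, `unexpected_listeners` prints `19` and `missing_listeners` prints `22` and `443`; on a real host you would point it at /proc/net/tcp (and /proc/net/tcp6) itself. As Christoph notes above, a kernel-level rootkit can lie about /proc too, so the cross-check is a port scan of the host from a clean machine and, longer term, shipping logs to another box so that the "all the log files were gone" problem does not repeat.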
 