We've been hacked!

Posted on 2002-03-04
Last Modified: 2010-04-20
VA Linux 6.2.4, Internet Server running Sendmail, DNS, radius, and HTTP/FTP services.  Two identical servers have been hacked by the same people.

The command line used is not in the keystroke buffer, but from the PS command we get this:

"./s3 0 1 56650 1 800"

The intruder apparently created the following folders:

/dev/. /s3  (there is a space after the period)
/dev/. /OSDBO
/dev/. /OSDBO2

The s3 folder has several megs of files in it; we're not sure if it's a legitimate folder renamed, or if files have been copied to it.  The PS command shows only the line above with the intruder's IP address, and several lines of NFSIOD and OSDBO.  We rebooted one machine, and it's toast; it would not boot back up, and we're afraid to reboot the other just yet for the same reason.  When the intruder attaches, we can disconnect him and he'll reattach almost immediately.  While he's attached, our graphs show heavy data being transferred.

Does anybody recognize this hack process?  Can you tell me what it's doing, and most importantly how to reverse the effects before this system crashes?

I'm offering all the points I have!

Steve Prater

Also posted in Network Security for 300 points!
Question by:sprater378

Expert Comment

ID: 6840993
Simply get your stuff together in a backup and reinstall your system, because you can never be too sure about these things.
I've been hacked some time ago and I thought it was all clean, but after a while I noticed that I couldn't add IP aliases... Reinstall was the only solution.

Expert Comment

ID: 6843996

I think what the attacker has done is written a prog/script which will directly transfer data from your machine to his. From the command line you sent, the ./s3 is the program.

"./s3 0 1 56650 1 800"

The others are parameters passed. My guess is the port he is using is 56650.
To confirm this, when data is being transferred, use netstat -n to check.
Also use nmap to find out all other suspicious ports on your machine.

Once you get the port number, you can disable access to that particular port by using portsentry, which comes with almost all Linux distributions.

To be on the safe side, use a firewall such as ipchains and configure the ACLs so as to deny packets from and to port 56650.

Don't worry.

Accepted Solution

jlevie earned 75 total points
ID: 6848015
The various things you've found (s3, NFSIOD, OSDBO) aren't recognizable indicators of any particular attack. They are, however, indicators of malicious activity by the attacker (probably some file sharing scheme for nefarious purposes).

It is possible to restore the system to a sane state, but you'll have to decide if it would be easier to just backup your data and re-install. At this point nothing on the box can be trusted in any way. So the process of recovering the system goes like:

1) Immediately disconnect the box from the Internet.

2) Set up a small isolated network containing both of the cracked systems and one other box that you can load a clean copy of Linux onto. At this point I wouldn't change anything on the configuration (like IP or hostname) of the attacked system.

3) Set up the 'sane' box with the same OS as the cracked box. That allows you to do a checksum of all important system files and utilities and compare those against the cracked box. It's important to use a 'sane copy' of the sum program, preferably statically linked.

4) When you've identified all of the modified files you transfer those files from the sane system to the cracked box and repeat the checksum scan until no differences are found.

5) Apply vendor updates to close any vulnerabilities. I don't use VA Linux so I don't know what versions of various things that they use that are known to be vulnerable. I do know that just about all of the distro versions of SNMP & Radius have vulnerabilities that are eliminated by vendor supplied updates.
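A shell sketch of steps 3 and 4 above (manifest from the clean box, comparison on the cracked box), plus a check for the hidden "/dev/. " directories from the question. This is an added illustration, not part of jlevie's answer; the file list, the demo directory layout and the SUM variable are constructed for the example.

```shell
#!/bin/sh
# Added example: check a suspect box against a known-clean install of the same OS.
# The checksum binary must come from the clean host (ideally statically linked),
# since nothing on the cracked box can be trusted; point SUM at that copy.
SUM="${SUM:-sha256sum}"

# On the clean host: write "hash  path" lines for the files worth comparing.
make_manifest() {             # $1 = root of clean tree, $2.. = relative paths
    root="$1"; shift
    for f in "$@"; do (cd "$root" && "$SUM" "$f"); done
}

# On the suspect host: report files whose hash differs from, or are absent in, the manifest.
compare_manifest() {          # $1 = manifest file, $2 = root of suspect tree
    manifest="$1"; root="$2"
    while read -r sum path; do
        if [ ! -e "$root/$path" ]; then
            echo "MISSING $path"
        elif [ "$(cd "$root" && "$SUM" "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"
        fi
    done < "$manifest"
}

# Directories like "/dev/. /s3" hide in plain sight: list any directory under the
# given tree whose name contains whitespace, which no legitimate device node has.
find_odd_dirs() {             # $1 = directory to scan
    find "$1" -type d -name '* *' 2>/dev/null
}

# Constructed demo trees standing in for the clean and cracked hosts.
W=$(mktemp -d)
mkdir -p "$W/clean/bin" "$W/suspect/bin" "$W/suspect/dev/. /s3"
printf 'ps-original\n'      > "$W/clean/bin/ps"
printf 'ls-original\n'      > "$W/clean/bin/ls"
printf 'netstat-original\n' > "$W/clean/bin/netstat"
printf 'ps-trojaned\n'      > "$W/suspect/bin/ps"      # replaced binary
printf 'ls-original\n'      > "$W/suspect/bin/ls"      # untouched
                                                       # netstat is missing
make_manifest "$W/clean" bin/ps bin/ls bin/netstat > "$W/manifest"
compare_manifest "$W/manifest" "$W/suspect"
find_odd_dirs "$W/suspect/dev"
```

Only files listed in the manifest are checked, so a real run should cover every system binary, library and startup script, and the manifest itself must be kept on the clean box.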

Expert Comment

ID: 6879645
I would also recommend setting up a firewall on OpenBSD (those are the really paranoid guys. I think by now it's five years without a remote root hole in the default configuration, but I won't bet my life on that. Anyway, OpenBSD is one hell of a secure system.)

As for the hacked systems: Be sure to not only back up your data, but also any evidence - logfiles, the data in the "/dev/. "-directory etc. It will help you to find out how you've been hacked and avoid that stuff in the future, and it may help you identify the data that was stolen and who stole it.

Author Comment

ID: 6879962
We had to scrap the box and start over - then found out the backup was no good! I accept this answer because it sounds like the most logical approach to recovering the system if we had the time.  I will file this process away for future reference!  Thank you!
