We've been hacked!

Posted on 2002-03-04
Last Modified: 2010-04-20
VA Linux 6.2.4, Internet Server runing Sendmail, DNS, radius, and HTTP/FTTP services.  Two identical servers have been hacked by the same people.

  The command line used in not in the keystroke buffer, but from the PS command we get this:

"./s3 0 1 56650 1 800"

The intruder apparently created the following folders:

/dev/. /s3  (there is a space after the period)
/dev/. /OSDBO
/dev/. /OSDBO2

The s3 folder has several megs of files in to it, we're not sure if it's a legitimate folder renamed, or if files have been copied to it.  The PS command shows only the line above with the intruder's IP address, and several lines of NFSIOD and OSDBO.  We rebooted one machine, and it's toast, would not boot back up, and we're afraid to reboot the other just yet for the same reason.  When the intruder attaches, we can disconnect him and he'll reattach almost immediately.  While he's attached, our graphs shows heavy data being transfered.

Does anybody recognize this hack process?  Can you me tell what it's doing, and most importantly how to reverse the effects before this system crashes?

I'm offering all the points I have!  

Steve Prater

Also posted in Network Security for 300 points!
Question by:sprater378

Expert Comment

Comment Utility
Simply get your stuff together in a backup and reinstall your system, because you can never be too sure about these things.
I've been hacked some time ago and I thought it was all clean, but after a while I noticed that I couldn't add IP aliases... Reinstall was the only solution.

Expert Comment

Comment Utility

  i think what the attacker has done is written a prog/script which will directly transfer data from ur machine to his. From the command lines u sent the . /s3 is the program.

"./s3 0 1 56650 1 800"

The others are parameters passed. My guess is the port he is using is 56650.
To confirm this, when data is being transferred, use netstat -n to check.
Also use nmap to find out all other suspicious ports on ur machine.

Once u get the port no, u can disable access to that particular port by using portsentry, which comes with almost all linux distributions.

To be on the safe side, use a firewall such as ipchains and configure the acls so as to deny packets from and port 56650

Dont worry
LVL 40

Accepted Solution

jlevie earned 75 total points
Comment Utility
The various things you've found (s3, NFSIOD, OSDBO) aren't recognizable indicators of any particular attack. They are, however, indicators of malicious activity by the attacker (probably some file sharing scheme for nefarious purposes).

It is possible to restore the system to a sane state, but you'll have to decide if it would be easier to just backup your data and re-install. At this point nothing on the box can be trusted in any way. So the process of recovering the system goes like:

1) Immediately disconnect the box from the Internet.

2) Set up a small isolated network containing both of the cracked systems and one other box that you can load a clean copy of Linux onto. A this point I wouldn't change anything on the configuration (like IP or hostname) of the attacked system.

3) Set up the 'sane' box with the same os as the cracked box. That allows you to do a checksum of all important system files and utilities and compare those against the cracked box. It's important to use a 'sane copy' of the sum problem, preferrably statically linked.

4) When you've identified all of the modified files you transfer those files from the sane system to the cracked box and repeat the checksum scan until no differences are found.

5) Apply vendor updates to close any vulnerabilities. I don't use VA Linux so I don't know what versions of various things that they use that are known to be vulnerable. I do know that just about all of the distro versions of SNMP &  Radius have vulnerabilitis that are eliminated by vendor supplied updates.

Expert Comment

Comment Utility
I would also recommend to set up a firewall on OpenBSD (that's the really paranoid guys. I think by now it's five years without a remote root hole in the default configuration, but I won't bet my life on that. Anyway, OpenBSD is one hell of secure.)

As for the hacked systems: Be sure to not only back up your data, but also any evidence - logfiles, the data in the "/dev/. "-directory etc. It will help you to find out how you've been hacked and avoid that stuff in the future, and it may help you identify the data that was stolen and who stole it.

Author Comment

Comment Utility
We had to scrap the box and start over - then found out the backup was no good! I accept this answer because it sounds like the most logical approach to recovering the system if we had the time.  I will file this process away for future reference!  Thank you!

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Setting up Secure Ubuntu server on VMware 1.      Insert the Ubuntu Server distribution CD or attach the ISO of the CD which is in the “Datastore”. Note that it is important to install the x64 edition on servers, not the X86 editions. 2.      Power on th…
The purpose of this article is to fix the unknown display problem in Linux Mint operating system. After installing the OS if you see Display monitor is not recognized then we can install "MESA" utilities to fix this problem or we can install additio…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now