

We've been hacked!

Posted on 2002-03-04
Medium Priority
Last Modified: 2010-04-20
VA Linux 6.2.4, Internet server running Sendmail, DNS, RADIUS, and HTTP/FTP services. Two identical servers have been hacked by the same people.

The command line used is not in the keystroke buffer, but from the ps command we get this:

"./s3 0 1 56650 1 800"

The intruder apparently created the following folders:

/dev/. /s3  (there is a space after the period)
/dev/. /OSDBO
/dev/. /OSDBO2

The s3 folder has several megs of files in it; we're not sure if it's a legitimate folder renamed, or if files have been copied to it. The ps command shows only the line above with the intruder's IP address, and several lines of NFSIOD and OSDBO. We rebooted one machine, and it's toast: it would not boot back up, and we're afraid to reboot the other just yet for the same reason. When the intruder attaches, we can disconnect him and he'll reattach almost immediately. While he's attached, our graphs show heavy data being transferred.

Does anybody recognize this hack process? Can you tell me what it's doing, and most importantly how to reverse the effects before this system crashes?

I'm offering all the points I have!  

Steve Prater

Also posted in Network Security for 300 points!
Question by:sprater378

Expert Comment

ID: 6840993
Simply get your stuff together in a backup and reinstall your system, because you can never be too sure about these things.
I've been hacked some time ago and I thought it was all clean, but after a while I noticed that I couldn't add IP aliases... Reinstall was the only solution.

Expert Comment

ID: 6843996

I think what the attacker has done is written a prog/script which will directly transfer data from your machine to his. From the command line you sent, ./s3 is the program.

"./s3 0 1 56650 1 800"

The others are parameters passed. My guess is that the port he is using is 56650.
To confirm this, when data is being transferred, use netstat -n to check.
Also use nmap to find out all other suspicious ports on your machine.

Once you get the port number, you can disable access to that particular port by using portsentry, which comes with almost all Linux distributions.

To be on the safe side, use a firewall such as ipchains and configure the ACLs so as to deny packets from and to port 56650.

Don't worry.

Accepted Solution

jlevie earned 225 total points
ID: 6848015
The various things you've found (s3, NFSIOD, OSDBO) aren't recognizable indicators of any particular attack. They are, however, indicators of malicious activity by the attacker (probably some file sharing scheme for nefarious purposes).

It is possible to restore the system to a sane state, but you'll have to decide if it would be easier to just backup your data and re-install. At this point nothing on the box can be trusted in any way. So the process of recovering the system goes like:

1) Immediately disconnect the box from the Internet.

2) Set up a small isolated network containing both of the cracked systems and one other box that you can load a clean copy of Linux onto. At this point I wouldn't change anything in the configuration (like IP or hostname) of the attacked system.

3) Set up the 'sane' box with the same OS as the cracked box. That allows you to do a checksum of all important system files and utilities and compare those against the cracked box. It's important to use a 'sane copy' of the sum program, preferably statically linked.

4) When you've identified all of the modified files you transfer those files from the sane system to the cracked box and repeat the checksum scan until no differences are found.

5) Apply vendor updates to close any vulnerabilities. I don't use VA Linux, so I don't know what versions of various things they use that are known to be vulnerable. I do know that just about all of the distro versions of SNMP & RADIUS have vulnerabilities that are eliminated by vendor-supplied updates.
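Steps 3 and 4 above amount to a manifest comparison. The POSIX shell script below is an added example, not code from the thread: it assumes a checksum tool in sha256sum/md5sum output format ("hash  path"), a statically linked copy of it carried over from the clean box, and constructed sample manifests with made-up hashes so it can run offline. It also keeps the full path after the hash, so the "/dev/. " directory name with its embedded space is compared correctly.

```shell
# Added example: compare a checksum manifest from the known-clean install
# against one from the suspect box (same OS and package versions).
# Manifest lines are in sha256sum/md5sum output format: "<hash>  <path>".
# Run the checksum tool as a statically linked binary copied from the clean
# box: nothing on the cracked box, its own md5sum included, can be trusted.

# Produce a manifest for a list of paths using the given checksum binary.
# Run on both boxes with the same path list, e.g.
#   build_manifest /mnt/clean/sha256sum /bin/ls /bin/ps /bin/netstat > box.sum
build_manifest() {
    sumtool=$1; shift
    "$sumtool" "$@"
}

# Diff two manifests. Prints one sorted line per difference:
#   MODIFIED <path>   hash differs between clean and suspect
#   MISSING  <path>   on the clean box, gone from the suspect
#   EXTRA    <path>   on the suspect only (e.g. a dropped binary)
# The path is everything after the hash, so names containing spaces
# (such as the "/dev/. " directory) are handled as one path.
compare_manifests() {
    clean=$1; suspect=$2
    awk '
        { p = $0; sub(/^[^ ]+ [ *]?/, "", p) }   # path = text after the hash
        NR == FNR { clean[p] = $1; next }        # first file: clean hashes
        {
            seen[p] = 1
            if (!(p in clean))        print "EXTRA    " p
            else if (clean[p] != $1)  print "MODIFIED " p
        }
        END { for (p in clean) if (!(p in seen)) print "MISSING  " p }
    ' "$clean" "$suspect" | LC_ALL=C sort
}

# Constructed sample manifests for an offline run; the hashes are made-up
# placeholders, not real checksums of any file.
make_sample_manifests() {
    dir=$1
    printf '%s\n' 'aaaa1111  /bin/ls' 'bbbb2222  /bin/ps' \
        'cccc3333  /bin/netstat' 'dddd4444  /usr/sbin/sendmail' > "$dir/clean.sum"
    printf '%s\n' 'aaaa1111  /bin/ls' 'ffff9999  /bin/ps' \
        'eeee8888  /bin/netstat' 'ab12cd34  /dev/. /s3/s3' > "$dir/suspect.sum"
}
```

Any MODIFIED system binary is a candidate for replacement from the clean box; EXTRA entries under unusual locations are the evidence worth preserving before anything is overwritten.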

Expert Comment

ID: 6879645
I would also recommend setting up a firewall on OpenBSD (those are the really paranoid guys. I think by now it's five years without a remote root hole in the default configuration, but I won't bet my life on that. Anyway, OpenBSD is one hell of a secure OS.)

As for the hacked systems: be sure to back up not only your data, but also any evidence: log files, the data in the "/dev/. " directory, etc. It will help you to find out how you've been hacked and avoid that stuff in the future, and it may help you identify the data that was stolen and who stole it.

Author Comment

ID: 6879962
We had to scrap the box and start over, then found out the backup was no good! I accept this answer because it sounds like the most logical approach to recovering the system if we had the time. I will file this process away for future reference! Thank you!
