We've been hacked!

VA Linux 6.2.4, Internet Server running Sendmail, DNS, radius, and HTTP/FTP services.  Two identical servers have been hacked by the same people.

The command line used is not in the keystroke buffer, but from the PS command we get this:

"./s3 0 1 56650 1 800"

The intruder apparently created the following folders:

/dev/. /s3  (there is a space after the period)
/dev/. /OSDBO
/dev/. /OSDBO2

The s3 folder has several megs of files in it; we're not sure if it's a legitimate folder renamed, or if files have been copied to it.  The PS command shows only the line above with the intruder's IP address, and several lines of NFSIOD and OSDBO.  We rebooted one machine, and it's toast, would not boot back up, and we're afraid to reboot the other just yet for the same reason.  When the intruder attaches, we can disconnect him and he'll reattach almost immediately.  While he's attached, our graphs show heavy data being transferred.

Does anybody recognize this hack process?  Can you tell me what it's doing, and most importantly how to reverse the effects before this system crashes?

I'm offering all the points I have!  

Steve Prater

Also posted in Network Security for 300 points!
The various things you've found (s3, NFSIOD, OSDBO) aren't recognizable indicators of any particular attack. They are, however, indicators of malicious activity by the attacker (probably some file sharing scheme for nefarious purposes).

It is possible to restore the system to a sane state, but you'll have to decide if it would be easier to just backup your data and re-install. At this point nothing on the box can be trusted in any way. So the process of recovering the system goes like:

1) Immediately disconnect the box from the Internet.

2) Set up a small isolated network containing both of the cracked systems and one other box that you can load a clean copy of Linux onto. At this point I wouldn't change anything on the configuration (like IP or hostname) of the attacked system.

3) Set up the 'sane' box with the same OS as the cracked box. That allows you to do a checksum of all important system files and utilities and compare those against the cracked box. It's important to use a 'sane copy' of the sum program, preferably statically linked.

4) When you've identified all of the modified files you transfer those files from the sane system to the cracked box and repeat the checksum scan until no differences are found.

5) Apply vendor updates to close any vulnerabilities. I don't use VA Linux so I don't know what versions of various things they use that are known to be vulnerable. I do know that just about all of the distro versions of SNMP & Radius have vulnerabilities that are eliminated by vendor supplied updates.
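As an added illustration of steps 3 and 4 above (not the commenter's own tooling): a small POSIX shell script that builds a SHA-256 manifest of a file tree, builds the same for a second tree, and reports which files are added, missing or modified between them. The two trees it hashes are constructed samples; on a real recovery you would run the manifest step with a statically linked checksum tool from the clean box against the suspect's system directories.

```shell
#!/bin/sh
# Added example: build a checksum manifest of a file tree and diff two manifests.
# The sample trees below are constructed for illustration.

# Print the SHA-256 of one file (falls back to shasum on systems without sha256sum).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Emit "hash<TAB>path" for every regular file under $1, sorted for stable diffs.
# Tab-separated so paths containing spaces (like "/dev/. /s3") survive intact.
build_manifest() {
  (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
    printf '%s\t%s\n' "$(hash_file "$f")" "$f"
  done)
}

# Compare clean manifest ($1) against suspect manifest ($2):
# ADDED = only on suspect, MISSING = only on clean, MODIFIED = hash differs.
compare_manifests() {
  awk -F'\t' 'NR==FNR { clean[$2]=$1; next }
    { seen[$2]=1
      if (!($2 in clean)) print "ADDED " $2; else if (clean[$2] != $1) print "MODIFIED " $2 }
    END { for (p in clean) if (!(p in seen)) print "MISSING " p }' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample: a "clean" tree and a "suspect" tree with one trojaned binary,
# one removed tool, and one planted directory under the hidden "dev/. " path.
demo() {
  tmp=$(mktemp -d)
  for box in clean suspect; do
    mkdir -p "$tmp/$box/bin"
    printf 'ls binary v1\n' > "$tmp/$box/bin/ls"
    printf 'ps binary v1\n' > "$tmp/$box/bin/ps"
  done
  printf 'netstat binary v1\n' > "$tmp/clean/bin/netstat"      # missing on suspect
  printf 'ps binary trojaned\n' > "$tmp/suspect/bin/ps"         # modified on suspect
  mkdir -p "$tmp/suspect/dev/. /s3"
  printf 'unknown tool\n' > "$tmp/suspect/dev/. /s3/s3"         # added on suspect
  build_manifest "$tmp/clean" > "$tmp/clean.sums"
  build_manifest "$tmp/suspect" > "$tmp/suspect.sums"
  compare_manifests "$tmp/clean.sums" "$tmp/suspect.sums"
  rm -rf "$tmp"
}

demo
```

Running it prints one line per difference (ADDED, MISSING, MODIFIED); anything listed as MODIFIED in a system binary directory is a candidate for replacement from the clean box in step 4.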
Simply get your stuff together in a backup and reinstall your system, because you can never be too sure about these things.
I've been hacked some time ago and I thought it was all clean, but after a while I noticed that I couldn't add IP aliases... Reinstall was the only solution.

I think what the attacker has done is written a prog/script which will directly transfer data from your machine to his. From the command lines you sent, the . /s3 is the program.

"./s3 0 1 56650 1 800"

The others are parameters passed. My guess is the port he is using is 56650.
To confirm this, when data is being transferred, use netstat -n to check.
Also use nmap to find out all other suspicious ports on your machine.

Once you get the port number, you can disable access to that particular port by using portsentry, which comes with almost all Linux distributions.

To be on the safe side, use a firewall such as ipchains and configure the ACLs so as to deny packets from and port 56650.

Don't worry.
I would also recommend setting up a firewall on OpenBSD (those are the really paranoid guys. I think by now it's five years without a remote root hole in the default configuration, but I won't bet my life on that. Anyway, OpenBSD is one hell of a secure system.)

As for the hacked systems: Be sure to not only back up your data, but also any evidence - logfiles, the data in the "/dev/. "-directory etc. It will help you to find out how you've been hacked and avoid that stuff in the future, and it may help you identify the data that was stolen and who stole it.
sprater378Author Commented:
We had to scrap the box and start over - then found out the backup was no good! I accept this answer because it sounds like the most logical approach to recovering the system if we had the time.  I will file this process away for future reference!  Thank you!