Solved

We've been hacked!

Posted on 2002-03-04
Last Modified: 2010-04-20
VA Linux 6.2.4, Internet server running Sendmail, DNS, radius, and HTTP/FTP services.  Two identical servers have been hacked by the same people.

  The command line used is not in the keystroke buffer, but from the PS command we get this:

"./s3 0 200.255.64.103 1 56650 1 800"

The intruder apparently created the following folders:

/dev/. /s3  (there is a space after the period)
/dev/. /OSDBO
/dev/. /OSDBO2

The s3 folder has several megs of files in it; we're not sure if it's a legitimate folder renamed, or if files have been copied to it.  The PS command shows only the line above with the intruder's IP address, and several lines of NFSIOD and OSDBO.  We rebooted one machine, and it's toast: it would not boot back up, and we're afraid to reboot the other just yet for the same reason.  When the intruder attaches, we can disconnect him and he'll reattach almost immediately.  While he's attached, our graphs show heavy data being transferred.

Does anybody recognize this hack process?  Can you tell me what it's doing, and most importantly how to reverse the effects before this system crashes?

I'm offering all the points I have!  

Steve Prater

Also posted in Network Security for 300 points!
Question by:sprater378
5 Comments
 
LVL 3

Expert Comment

by:datibbaW
ID: 6840993
Simply get your stuff together in a backup and reinstall your system, because you can never be too sure about these things.
I've been hacked some time ago and I thought it was all clean, but after a while I noticed that I couldn't add IP aliases... Reinstall was the only solution.
LVL 1

Expert Comment

by:swapsthegreat
ID: 6843996
Hi,

  I think what the attacker has done is written a prog/script which will directly transfer data from your machine to his. From the command line you sent, ./s3 is the program.

"./s3 0 200.255.64.103 1 56650 1 800"

The others are parameters passed. My guess is the port he is using is 56650.
To confirm this, when data is being transferred, use netstat -n to check.
Also use nmap to find out all other suspicious ports on your machine.

Once you get the port number, you can disable access to that particular port by using portsentry, which comes with almost all Linux distributions.

To be on the safe side, use a firewall such as ipchains and configure the ACLs so as to deny packets from 200.255.64.103 and port 56650.


Don't worry.
Regards
Swapsthegreat
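The netstat check suggested above, worked through as an added example that is not part of the original thread or swapsthegreat's own code: an awk filter over constructed "netstat -n" output that picks out every session whose foreign address is the intruder's, followed by the ipchains rule the comment describes and its iptables equivalent. The sample netstat lines and the 10.0.0.x addresses are constructed; 200.255.64.103 and port 56650 are the values quoted in the question.

```shell
#!/bin/sh
# Added example (not from the original thread): find the intruder's sessions
# in "netstat -n" output and print the firewall rules that drop them.
set -u

# conns_to IP: read "netstat -n" output on stdin and print, for every
# connection whose foreign address is IP, one line of the form
#   proto local_port foreign_port state
# Addresses look like "a.b.c.d:port"; the port is the text after the last
# colon, so the same split also works for IPv6 lines.
conns_to() {
    ip=$1
    awk -v ip="$ip" '
        $1 ~ /^(tcp|udp)/ && NF >= 5 {
            n = split($5, f, ":")               # foreign address
            if (f[1] != ip) next
            m = split($4, l, ":")               # local address
            print $1, l[m], f[n], (NF >= 6 ? $6 : "-")   # UDP rows carry no state
        }'
}

# deny_rules IP PORT: print, but do not run, the ipchains rules for a 2.2
# kernel (the thread's suggestion) and the iptables equivalents for 2.4.
# Review them, then run as root; they are inserted at the head of the chain
# so nothing earlier can accept the packet first.
deny_rules() {
    ip=$1; port=$2
    cat <<EOF
ipchains -I input 1 -s $ip -j DENY
ipchains -I input 1 -p tcp -d 0.0.0.0/0 $port -j DENY
iptables -I INPUT 1 -s $ip -j DROP
iptables -I INPUT 1 -p tcp --dport $port -j DROP
EOF
}

# Constructed sample of what "netstat -n" printed on a kernel of that era.
# The first row is the intruder's transfer; the others are ordinary traffic.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0  48012 10.0.0.5:56650          200.255.64.103:4091     ESTABLISHED
tcp        0      0 10.0.0.5:22             10.0.0.20:1034          ESTABLISHED
udp        0      0 10.0.0.5:1812           10.0.0.30:1812'

# intruder_sessions: the sample filtered for the address from the question.
intruder_sessions() { printf '%s\n' "$SAMPLE" | conns_to 200.255.64.103; }

intruder_sessions                   # prints: tcp 56650 4091 ESTABLISHED
deny_rules 200.255.64.103 56650
```

On a live box, replace the sample with `netstat -n | conns_to 200.255.64.103`, but run a known-good, statically linked netstat carried in on read-only media: rootkits of that period routinely replaced netstat and ps with copies that hide the attacker's sockets and processes, so the box's own binaries may show nothing at all. Firewall rules on a machine the intruder already controls are a stopgap; he can remove them as easily as you added them, which is why the accepted answer starts by pulling the network cable.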
LVL 40

Accepted Solution

by:jlevie earned 225 total points
ID: 6848015
The various things you've found (s3, NFSIOD, OSDBO) aren't recognizable indicators of any particular attack. They are, however, indicators of malicious activity by the attacker (probably some file sharing scheme for nefarious purposes).

It is possible to restore the system to a sane state, but you'll have to decide if it would be easier to just backup your data and re-install. At this point nothing on the box can be trusted in any way. So the process of recovering the system goes like:

1) Immediately disconnect the box from the Internet.

2) Set up a small isolated network containing both of the cracked systems and one other box that you can load a clean copy of Linux onto. At this point I wouldn't change anything on the configuration (like IP or hostname) of the attacked system.

3) Set up the 'sane' box with the same OS as the cracked box. That allows you to do a checksum of all important system files and utilities and compare those against the cracked box. It's important to use a 'sane copy' of the sum program, preferably statically linked.

4) When you've identified all of the modified files you transfer those files from the sane system to the cracked box and repeat the checksum scan until no differences are found.

5) Apply vendor updates to close any vulnerabilities. I don't use VA Linux so I don't know what versions of various things that they use that are known to be vulnerable. I do know that just about all of the distro versions of SNMP & Radius have vulnerabilities that are eliminated by vendor supplied updates.
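Steps 3 and 4 of the procedure above, worked through as an added example that is jlevie's method but not jlevie's code: hash every regular file on the clean reference install and on the suspect box, then diff the two manifests, so that replaced binaries, files the intruder added and files he deleted each show up on their own line. A third function lists the kind of non-device entries under /dev that the question describes. The function names, the HASH variable and the two small trees built in demo() are this example's own constructions, not real system files.

```shell
#!/bin/sh
# Added example (not from the original thread): hash a clean install and a
# suspect install the same way, then compare. Run make_manifest on each box
# with a statically linked copy of the hash tool brought in from the clean
# system, copy the suspect manifest to the clean box, and diff them there.
set -u

# Hash tool. Point HASH at a static binary copied from the clean box: a
# trojaned /usr/bin/sha256sum on the suspect system would happily report
# whatever the intruder wants it to.
HASH=${HASH:-sha256sum}

# make_manifest DIR OUT: hash every regular file under DIR (paths relative
# to DIR, sorted) so manifests of two installs line up file for file.
make_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -print | LC_ALL=C sort |
      while IFS= read -r f; do "$HASH" "$f"; done ) > "$out"
}

# compare_manifests CLEAN SUSPECT: one line per difference:
#   MODIFIED path   hash differs (replaced binary, trojaned library, ...)
#   EXTRA path      only on the suspect box (toolkits, backdoors, loot)
#   MISSING path    only on the clean box (logs or tools the intruder removed)
# The hash is field 1; the path is everything after "hash  " (or "hash *"),
# so a path containing spaces, like the "/dev/. /s3" in this incident, is
# kept whole instead of being split on whitespace.
compare_manifests() {
    clean=$1; suspect=$2
    awk -v cleanf="$clean" '
        { h = $1; p = $0; sub(/^[^ ]+ [ *]/, "", p) }
        FILENAME == cleanf { want[p] = h; next }
        !(p in want)       { print "EXTRA " p; next }
        want[p] != h       { print "MODIFIED " p }
        { delete want[p] }
        END { for (p in want) print "MISSING " p }
    ' "$clean" "$suspect" | LC_ALL=C sort
}

# suspicious_in_dev DIR: /dev should contain device nodes and a few known
# directories (pts, shm). Regular files, and directories whose names begin
# with a dot or contain whitespace (such as "/dev/. "), are classic hiding
# places because "ls" glosses over them.
suspicious_in_dev() {
    dev=$1
    find "$dev" \( -type f -o -type d \( -name '.*' -o -name '* *' \) \) -print |
        LC_ALL=C sort
}

# demo: constructed clean and suspect trees (not real system files) with a
# swapped ps, an intruder toolkit under "dev/. /s3" and a wiped log file.
demo() {
    work=$(mktemp -d)
    for side in clean suspect; do
        mkdir -p "$work/$side/bin" "$work/$side/var/log" "$work/$side/dev"
        printf 'ps-original\n'      > "$work/$side/bin/ps"
        printf 'netstat-original\n' > "$work/$side/bin/netstat"
        printf 'login ok\n'         > "$work/$side/var/log/messages"
    done
    printf 'ps-trojaned\n' > "$work/suspect/bin/ps"        # rootkit replaced ps
    mkdir -p "$work/suspect/dev/. /s3"
    printf 'tool\n' > "$work/suspect/dev/. /s3/s3"          # intruder's program
    rm "$work/suspect/var/log/messages"                     # log wiped
    make_manifest "$work/clean"   "$work/clean.sums"
    make_manifest "$work/suspect" "$work/suspect.sums"
    compare_manifests "$work/clean.sums" "$work/suspect.sums"
    suspicious_in_dev "$work/suspect/dev"
    rm -rf "$work"
}

demo
```

Running the file prints `EXTRA ./dev/. /s3/s3`, `MISSING ./var/log/messages` and `MODIFIED ./bin/ps` (the untouched netstat produces no line), followed by the two suspicious entries under the constructed dev directory. On real machines expect noise in the MODIFIED and EXTRA lists from configuration files, spool directories and logs, so restrict the comparison to the trees that matter (/bin, /sbin, /lib, /usr) or filter those paths out before deciding what to copy back, and remember that step 5 still applies: a clean set of binaries does nothing about the hole the intruder came in through.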

Expert Comment

by:0xDEADBEEF
ID: 6879645
I would also recommend setting up a firewall on OpenBSD (those are the really paranoid guys. I think by now it's five years without a remote root hole in the default configuration, but I won't bet my life on that. Anyway, OpenBSD is one hell of a secure system.)

As for the hacked systems: Be sure to not only back up your data, but also any evidence - logfiles, the data in the "/dev/. "-directory etc. It will help you to find out how you've been hacked and avoid that stuff in the future, and it may help you identify the data that was stolen and who stole it.
Author Comment

by:sprater378
ID: 6879962
We had to scrap the box and start over - then found out the backup was no good! I accept this answer because it sounds like the most logical approach to recovering the system if we had the time.  I will file this process away for future reference!  Thank you!