RuletheNet
Server Hacked: To Reformat or Not?

Hello all,

  My server was broken into yesterday using the sendmail flaw. Around 7:30 in the morning I received emails designed to cause a buffer overflow (the address had a long string of <><><><>...). At the same time the traffic chart shows that there was a lot of traffic out of the server (possibly similar emails sent to other servers). Also later in the day I noticed some processes (groff, troff etc.) running which I have not seen before, nor do I believe any of my software should cause them to run. Conclusion: Highly likely that the server has been broken into. The OS is Redhat 7.1.

  Question is now what? Should I reformat the server or not? Can I detect and disable all rootkits that may have been installed by the hacker? Is it impossible to detect and get rid of any LKM trojans that may have been installed?

  I would appreciate replies detailing the pros and cons of the two strategies, and an informative answer on whether reformatting is the best solution.

  Thanks in advance,

RtN
ASKER CERTIFIED SOLUTION
yuzh

You might be able to find the hacker had installed something in /usr/lib as well.
A lot can be done, however if you are not better at Linux than your hacker.. I would suggest reinstall.

my 5 cents.

/LamerSmurf
I'm in complete agreement with yuzh. There is too much chance that you will miss something, as well as the exorbitant amount of work involved, that the reinstall->migrate "non-volatile" data is the only viable option.

In the future you would do well to implement tripwire, or some (full-fledged) IDS. They could help you reduce the amount of work involved in a "restoration" to manageable amounts, as well as drastically increase the accuracy thereof.

-- Glenn
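The file-integrity idea behind tripwire that Glenn recommends, as an added example (not code from the thread's posters or from the tripwire project): hash every regular file under a tree once on a freshly installed system, keep that baseline where the host cannot rewrite it, and later diff a fresh scan against it. Function names, the JSON baseline layout and the sample tree built in `demo()` are this example's own constructions.

```python
"""Minimal file-integrity baseline in the spirit of tripwire (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root) to its hash, mode and size.

    Mode bits are recorded too: a binary whose contents are unchanged but
    whose permissions suddenly differ is still a finding.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and device nodes are out of scope here
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": file_digest(full),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "size": st.st_size,
            }
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON; keep the file off-host or on read-only media."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(old, new):
    """Return the paths that were added, removed or changed since the baseline."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def _write(root, rel, text, mode):
    """Helper for the constructed sample tree."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)
    os.chmod(full, mode)


def demo():
    """Build a tiny constructed tree, baseline it, alter it, and diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/ls", "#!/bin/sh\necho ls\n", 0o755)
        _write(root, "etc/hosts", "127.0.0.1 localhost\n", 0o644)
        _write(root, "usr/lib/libc.so", "constructed stand-in for a library\n", 0o644)
        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        # Constructed changes: altered binary, new file under usr/lib,
        # deleted config, and a permissions-only change on an untouched library.
        _write(root, "bin/ls", "#!/bin/sh\n# altered\necho ls\n", 0o755)
        _write(root, "usr/lib/.hidden", "dropped file\n", 0o644)
        os.remove(os.path.join(root, "etc/hosts"))
        os.chmod(os.path.join(root, "usr/lib/libc.so"), 0o600)

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The point the thread makes still holds for this tool: a baseline is only trustworthy if it was taken before the compromise and stored where an intruder with root cannot edit it, so the scan that reads it should be run from known-good media rather than from the suspect system's own binaries.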
If you don't want to reinstall, I suggest monitoring your server very closely for the next few days.

You could also tighten the firewall for a while (month or so) ... If this is possible of course.

I suggest you install an IDS (intrusion detection system) to monitor the server.
I suggest snort as IDS. http://www.snort.org/about.html
It is a bitch to get installed, but it'll be worth it.

You could also scan your system for rootkits using a program like chkrootkit.  http://www.chkrootkit.org/


It seems the hacker that hit you was a script kiddie. He prob scanned from your machine, so he will have found more machines with the hole. This makes him no real threat for you again; you closed the hole, and he lost his access...

If he doesn't have a rootkit, and you check regularly for intrusions, you should be safe without reinstalling.

Stefaan
 
Reinstall, unquestionably.

Make sure that if you restore anything from the "old" system, it's non-executable stuff, e.g., configuration files (after you check them for correctness) and/or app data and so on, as others have suggested.
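A screening pass that applies the rule in the post above before anything is copied from the old disk, as an added example (not code from the thread's posters): take configuration and application data across, and leave behind anything that could carry code. A file is rejected if it has any execute bit set, begins with the ELF magic, or begins with a shebang; symlinks and special files are rejected for manual review; everything else is listed as data for a human to check. Function names and the sample files built in `demo()` are constructed for this example.

```python
"""Screen a set of files salvaged from a compromised host (added example)."""
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
ALLOWED = {"data"}  # only plain data files go across; everything else is held back


def classify(path):
    """Label one path by the cheapest signal that says 'this can run'."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "symlink"  # may point at a binary; resolve and review by hand
    if not stat.S_ISREG(st.st_mode):
        return "special"  # sockets, FIFOs, device nodes
    if st.st_mode & EXEC_BITS:
        return "executable-bit"
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(ELF_MAGIC):
        return "elf"  # a shared object or binary even without an exec bit
    if head.startswith(b"#!"):
        return "script"
    return "data"


def screen(root):
    """Walk root; return (keep, reject) lists of (relative path, label)."""
    keep, reject = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            label = classify(full)
            (keep if label in ALLOWED else reject).append((rel, label))
    return sorted(keep), sorted(reject)


def _write(root, rel, data, mode):
    """Helper for the constructed sample set."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    os.chmod(full, mode)


def demo():
    """Build a constructed salvage set and run the screen over it."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/httpd.conf", b"ServerName example\n", 0o644)
        _write(root, "var/www/index.html", b"<html></html>\n", 0o644)
        _write(root, "bin/cleaner", b"#!/bin/sh\necho hi\n", 0o755)
        _write(root, "lib/libfoo.so", ELF_MAGIC + b"\x02\x01\x01", 0o644)
        _write(root, "usr/local/bin/run.sh", b"#!/bin/sh\necho hi\n", 0o644)
        os.symlink("httpd.conf", os.path.join(root, "etc/link"))
        return screen(root)


if __name__ == "__main__":
    keep, reject = demo()
    for rel, label in reject:
        print("HOLD", label, rel)
    for rel, label in keep:
        print("keep", label, rel)
```

Two things a practitioner should keep in mind when using this: a rejected file is a prompt for review, not a verdict (a config file copied with mode 0755 is harmless once its permissions are fixed, but fix them and re-screen rather than special-casing it), and "data" only means the file cannot run by itself; a tampered config can still point the new system at something bad, which is why the post says to check each one for correctness.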
Funny thing.
Snort turned out to have a vulnerability, so ISS issued an alert last week.
Talk about a counterproductive IDS :-).
Fortunately fixed versions are already out (since monday), and workarounds for those who cannot upgrade (just comment out "# preprocessor rpc_decode" in snort.conf).
Oh well...

-- Glenn
RuletheNet (ASKER)

Thanks everybody for the very helpful information. I am giving the points to Yuzh as he or she answered first and in detail, but I appreciate everybody's help.

Regards,

Rtn