Alfred von Campe
2006-Dec-01 05:45 UTC
[CentOS] I've been hacked -- what should I do next?
My home system has been hacked. It's running CentOS 4.4, and I recently added an account to play around with Samba shares to back up PCs here at home. I had set a weak password for that account and forgot to disable it after my testing. I could hear the disk being accessed constantly, so I knew something was up. I disabled the port forwarding to my CentOS box on my Linksys router (only ports 22 and 80 were being forwarded). After some poking around, I found the following files in the directory "/var/tmp/ /.. ":

-rw-rw-r-- 1 backup backup   9468 Dec  1 00:20 azi2.seen
-rw-rw-r-- 1 backup backup   9513 Dec  1 00:20 azi3.seen
-rw-rw-r-- 1 backup backup   9513 Dec  1 00:20 azi4.seen
-rwxr-xr-x 1 backup backup 504464 Feb 10  2005 -bash
-rwx--x--x 1 backup backup  22936 Feb 10  2005 kswap.help
-rw-r--r-- 1 backup backup   1085 Dec  1 00:00 kswap.levels
-rw------- 1 backup backup      5 Nov 29 17:28 kswap.pid
-rw-r--r-- 1 backup backup   1480 Dec  1 00:00 kswap.session
-rw-r--r-- 1 backup backup   4731 Dec 25  2005 kswap.set
-rw-r--r-- 1 backup backup 165073 Dec  1 00:26 LinkEvents
-rw-r--r-- 1 backup backup    258 Dec  1 00:00 mech2.users
-rw-r--r-- 1 backup backup    258 Dec  1 00:00 mech3.users
-rw-r--r-- 1 backup backup    258 Dec  1 00:00 mech4.users
-rw-r--r-- 1 backup backup    258 Jun 28  1999 mech.users
-rwxr-xr-x 1 backup backup 174396 May 17  2004 pico

Anyone recognize this root kit (if that is what it is)? I've disabled the backup account, and re-enabled port forwarding on my router (so I can access the system from home). Other than deleting these files, is there anything else I should worry about? I'd rather not re-install the OS...

Alfred
Alfred von Campe wrote:
> My home system has been hacked. It's running CentOS 4.4, and I
> recently added an account to play around with Samba shares to back up
> PCs here at home. I had set a weak password for that account and
> forgot to disable it after my testing. I could hear the disk being
> accessed constantly, so I knew something was up. I disabled the port
> forwarding to my CentOS box on my Linksys router (only ports 22 and 80
> were being forwarded).

If for sure only 22 and 80 were forwarded, then it wasn't Samba. There's no default account I see here on my 4.4 boxes named backup; was that something you'd created? Some package you'd installed? What was on your website? Any canned PHP scripting or whatever?

Re: cleanup... look very carefully for directories in odd places with . names. I'd run rkhunter to see if there's any other well-known root kits on your system.
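A small scan for the kind of names the listing above shows (a directory called " " holding ".. ", a binary called "-bash"), as an added example for this thread and not a tool any of the posters ran. It assumes the suspect root is mounted from rescue media and that you pass that mount point (or a subtree such as its var/tmp) on the command line.

```python
#!/usr/bin/env python3
"""Flag file and directory names chosen to hide in `ls` output: names made
only of dots and whitespace, names with leading or trailing whitespace, names
containing control characters, and names starting with '-' (which a plain
`rm name` misreads as an option). Added example for the thread above."""
import os
import re

# One (reason, pattern) per check; the first match is the reason reported.
_CHECKS = [
    ("only dots/whitespace", re.compile(r"^[.\s]+$")),
    ("leading/trailing whitespace", re.compile(r"^\s|\s$")),
    ("control character", re.compile(r"[\x00-\x1f\x7f]")),
    ("leading dash", re.compile(r"^-")),
]


def suspicious_name(name):
    """Return the first matching reason for one path component, else None."""
    for reason, pattern in _CHECKS:
        if pattern.search(name):
            return reason
    return None


def scan(root):
    """Walk `root` without following symlinks and return a sorted list of
    (path, reason) for every entry whose own name looks hidden."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reason = suspicious_name(name)
            if reason:
                hits.append((os.path.join(dirpath, name), reason))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Default target is an assumed rescue-mode mount point; adjust to yours.
    target = sys.argv[1] if len(sys.argv) > 1 else "/mnt/sysimage/var/tmp"
    for path, reason in scan(target):
        print("%-28s %r" % (reason, path))
```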
Aleksandar Milivojevic
2006-Dec-01 13:12 UTC
[CentOS] I've been hacked -- what should I do next?
Alfred von Campe wrote:
> Anyone recognize this root kit (if that is what it is)? I've disabled
> the backup account, and re-enabled port forwarding on my router (so I
> can access the system from home). Other than deleting these files, is
> there anything else I should worry about? I'd rather not re-install the
> OS...

My advice is to reinstall too. Cleaning a compromised machine is an error-prone job, especially if that is something you have never done before.

Have you been running anything like Tripwire on that box? Without it (or something similar), and without its database stored off the machine or on read-only media (CD/DVD), I'd be very reluctant to even attempt cleaning the machine.

Anyhow, if you decide to proceed with a cleaning attempt (and not reinstall), boot into rescue mode from the installation CD. That way you'll be using a clean kernel and binaries to examine the system. Do not chroot into the compromised file systems, since this could simply trigger loading of the rootkit (and then you won't see anything).

If you haven't been running tools like Tripwire, you could make a fresh installation on some spare system, undo the prelink stuff on both machines (prelink changes your binary files), create the database on the clean system, copy it to the compromised system and run the check. This should find all changed, added and removed files (if you do it properly), as long as you run it from rescue mode.

rpm in verify mode will find changed files; however, it will not find changes in configuration files. It also won't be able to find added files (for example kernel modules that are supposed to hide files from you and tools such as rpm and/or tripwire). But it might be a good start. Again, run rpm from rescue mode, and do not chroot. You don't want to use the (potentially modified) rpm from the file system; you want to use the clean rpm binary from the installation media (it has a couple of options to point it to where the root file system is mounted).
You could also try to remove all kernels, then manually remove the kernel directories in /lib/modules, and reinstall the kernel (again from rescue mode, and avoid chrooting if possible). This should get rid of additional kernel modules that were part of the rootkit.

There's a plethora of other stuff to do or try. But even if I went along and made this posting 10 times longer than it already is, you wouldn't be 100% sure you cleaned the machine. Again, reinstall is really your best friend here. You'll probably spend way more time attempting to clean up than if you were simply to reinstall and restore data (and only data, not config files or anything else, and watch for config files that might be part of data) from backup.
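The clean-baseline comparison described above (build a database on a fresh install, carry it to the compromised box, check from rescue mode) as an added example; it is not code from this thread or from Tripwire. It assumes `prelink -ua` has been run on both systems so binaries hash identically, and that the suspect root is mounted read-only under the rescue environment at the path you pass in.

```python
#!/usr/bin/env python3
"""Build a file manifest on a clean install, then compare it against the
compromised root mounted from rescue media and list added, removed and
changed files, which covers the gaps `rpm -V` leaves (added files and
config edits). Added example; assumes prelink was undone on both sides."""
import hashlib
import json
import os
import stat


def build_manifest(root):
    """Map each file's path (relative to root) to its sha256, mode and owner.
    Symlinks are recorded by target, not followed; devices/fifos are skipped."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                digest = "link:" + os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                h = hashlib.sha256()
                with open(full, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 20), b""):
                        h.update(chunk)
                digest = h.hexdigest()
            else:
                continue
            manifest[os.path.relpath(full, root)] = {
                "sha256": digest, "mode": oct(st.st_mode & 0o7777),
                "uid": st.st_uid, "gid": st.st_gid}
    return manifest


def diff_manifests(clean, suspect):
    """Return (added, removed, changed) as sorted lists of relative paths;
    a mode or owner change counts as changed even if content matches."""
    added = sorted(set(suspect) - set(clean))
    removed = sorted(set(clean) - set(suspect))
    changed = sorted(p for p in set(clean) & set(suspect) if clean[p] != suspect[p])
    return added, removed, changed


if __name__ == "__main__":
    import sys
    # Usage: build <root> <out.json>  |  check <baseline.json> <mounted-root>
    if sys.argv[1] == "build":
        with open(sys.argv[3], "w") as out:
            json.dump(build_manifest(sys.argv[2]), out)
    else:
        with open(sys.argv[2]) as f:
            baseline = json.load(f)
        result = diff_manifests(baseline, build_manifest(sys.argv[3]))
        for label, paths in zip(("ADDED", "REMOVED", "CHANGED"), result):
            for p in paths:
                print(label, p)
```

Copy the JSON to the rescue environment on read-only media, not via the compromised system's own network stack or disk.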
On Dec 1, 2006, at 12:45 AM, Alfred von Campe wrote:
> enabled port forwarding on my router (so I can access the system
> from home). Other than deleting these files, is there anything
> else I should worry about? I'd rather not re-install the OS...

Let me add another suggestion to the flood: once you've rebuilt the box, install DenyHosts (http://denyhosts.sourceforge.net/). This tool is quite effective at blocking brute-force ssh attacks; not only will this make it much harder for an attacker even if you should happen to set a weak password on an account in the future, but it will also reduce the amount of CPU time and memory wasted on dealing with brute-force ssh attacks. RPMs are available at sourceforge; the python 2.3 RPM works great on CentOS 4.

I'm sorry you're having to deal with this. :(

-steve

--
If this were played upon a stage now, I could condemn it as an improbable fiction.
- Fabian, Twelfth Night, III,v
Mark Schoonover
2006-Dec-01 21:31 UTC
[CentOS] Re: I've been hacked -- what should I do next?
Scott Silva wrote:
> Aleksandar Milivojevic spake the following on 12/1/2006 12:43 PM:
>> Quoting Alfred von Campe <alfred at 110.net>:
>>
>>> FWIW, the IP addresses are 172.178.63.167 (acb23fa7.ipt.aol.com) and
>>> 61.43.153.30. There is no reverse entry for the latter, so I don't
>>> know who to contact. I'll fire off an email to AOL (not that I
>>> think anything will happen).
>>
>> You can use a whois database to find the info (for example, there's a
>> web interface on www.ripe.net). Info for 61.43.153.30 indicates
>> that this IP address is allocated to a provider in South Korea.
>> Contact addresses included:
>>
>> inetnum: 61.32.0.0 - 61.43.255.255
>> netname: BORANET-1
>> descr: DACOM Corp.
>> descr: Facility-based Telecommunication Service Provider
>> descr: providing Internet leased-ine, on-line service, BLL etc.
>> country: KR
>> admin-c: DB50-AP
>> tech-c: DB50-AP
>> status: ALLOCATED PORTABLE
>> mnt-by: APNIC-HM
>> mnt-lower: MNT-KRNIC-AP
>> changed: hostmaster at apnic.net 20000918
>> source: APNIC
>>
>> role: DACOM BORANET
>> address: DACOM Bldg., 706-1, Yoeksam-dong, Kangnam-ku, Seoul
>> country: KR
>> phone: +82-2-2089-7755
>> fax-no: +82-2-2089-0706
>> e-mail: ipadm at nic.bora.net
>> e-mail: abuse at bora.net
>> e-mail: security at bora.net
>> admin-c: EC115-AP
>> tech-c: SIJ1-AP
>> nic-hdl: DB50-AP
>> remarks: IP address administrator group of NIC team, DACOM Corp.
>> remarks: If related with spam, send mail to abuse at bora.net
>> remarks: If related with security, send mail to security at bora.net
>> remarks: Only for whois information correction, send mail to ipadm at nic.bora.net
>> mnt-by: MNT-KRNIC-AP
>> changed: jeonsi at bora.net 20041105
>> source: APNIC
>
> Hacked from Korea! There is a surprise!! ;-D

We're all assuming that the IP address wasn't spoofed...

Mark