Re: [seul-edu] Server hacked via FTP hack... need help...



Ryan Booz wrote:
> Hey gang...
> 
> I'm sorry to barge in again with a help question, but I'm stuck on this 
> one.  I've tried to look around, but I'm not exactly sure what to search 
> for... I'm obviously not searching for the right thing as I'm getting 
> nowhere.
> 
> I help a school (remotely) keep up servers I installed while I was a 
> teacher there.  One of those servers is the firewall/webserver.  I 
> didn't realize that at some point FTP was started (I was playing around 
> with it a long time ago, but thought it was shut down).  Last week I got 
> a call that they were having trouble with the system and couldn't get 
> out to the internet or SSH into the system.  We finally got some of it 
> back on-line, enough for me to get in via secure WebMin.  It appears 
> that someone got in via FTP and messed up SSH.  Although I'm functioning 
> as root in WebMin, I can't delete some files.  The permissions were 
> changed to "root" as owner and "ftp" as group on some of these files.  
> One of them being SSH.  I cannot see the ssh executable in some views, 
> nor can I delete it.  Then I found that there were files changed in 
> "/etc/rc.d/init.d" with the same problem. Although root appears to have 
> control of the file (with FTP as group now), I can't do anything with 
> it.  Any suggestions on how I can get this stuff corrected and get ssh 
> back up and running?
> 
> thank you for the time and help.  If there's a place anyone could direct 
> me instead, that's fine...
> 
> sincerely,
> Ryan Booz
> 
> 
> Ryan J. Booz
> Information Technology Associate
> Training Services, ITS@Penn State
> http://cac.psu.edu/training
> 224B Computer Building
> University Park, PA 16802-2101
> Office: 814-863-7491
> Fax: 814-863-7049
> 

Upload a known good copy of SSHD and fire it up on a custom port.  You 
may want to make that a statically linked executable if you have the time. 
Can you issue a kill command from webmin to take out the offending SSHD? 
Then you wouldn't need to specify a custom port.

If sshd has been replaced, netstat and other system commands probably 
are also.

In the future consider a CD or floppy based firewall that boots from 
read only media like Coyote.

A firewall is not a webserver is not a firewall.

- cameron

-- 
- cameron miller
- UNIX Systems Administrator
- cdmiller@adams.edu
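Cameron's point that a replaced sshd usually comes with replaced netstat and friends is something you can check rather than guess at, provided you have hashes taken from trusted media. The script below is an added example, not part of this thread and not code posted by Ryan or Cameron. It assumes a manifest in `sha256sum` output format ("hash  path", paths relative to the root being checked) taken from install media or a clean host of the same version; the demo tree, file names and contents it builds under a temp directory are constructed for illustration only.

```shell
#!/bin/sh
# Compare on-disk binaries against a manifest of known-good SHA-256 hashes.
# Manifest format is what `sha256sum` writes: "<hash>  <relative path>".
# Usage: verify_binaries MANIFEST ROOTDIR
# Prints "MODIFIED <path>" or "MISSING <path>" for each problem and returns 1;
# prints nothing and returns 0 when every listed file matches.
# Run the hashing tools from trusted media too: a trojaned host may ship a
# sha256sum or ls that lies about the very files you are checking.
verify_binaries() {
    manifest=$1
    root=$2
    status=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        target="$root/$path"
        if [ ! -f "$target" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        actual=$(sha256sum "$target" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Constructed demo (not real system files): build a clean tree, record its
# manifest, then copy it and tamper with the copy the way a compromised host
# differs from its install media: one binary replaced, one removed.
demo_tampered_tree() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/usr/sbin" "$work/clean/bin"
    printf 'good sshd\n'    > "$work/clean/usr/sbin/sshd"
    printf 'good netstat\n' > "$work/clean/bin/netstat"
    printf 'good ls\n'      > "$work/clean/bin/ls"
    # Manifest taken from the clean tree; in practice this comes from
    # install media or a trusted host running the same package versions.
    (cd "$work/clean" && sha256sum usr/sbin/sshd bin/netstat bin/ls) \
        > "$work/manifest"
    cp -R "$work/clean" "$work/suspect"
    printf 'not the real sshd\n' > "$work/suspect/usr/sbin/sshd"
    rm "$work/suspect/bin/netstat"
    # Report findings; "|| true" keeps the demo's exit status clean.
    verify_binaries "$work/manifest" "$work/suspect" || true
    rm -rf "$work"
}

demo_tampered_tree
```

Running it reports `MODIFIED usr/sbin/sshd` and `MISSING bin/netstat` while `bin/ls` passes silently. Against a real box, point `verify_binaries` at a mounted root from a rescue CD so that the kernel and tools doing the checking are not the ones under suspicion; this is the same reasoning behind Cameron's suggestion of a firewall that boots from read-only media.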