
Re: [seul-edu] Server hacked via FTP hack... need help...



Ryan Booz wrote:
>
> Hey gang...
>
> I'm sorry to barge in again with a help question, but I'm stuck on this
> one.  I've tried to look around, but I'm not exactly sure what to search
> for... I'm obviously not searching for the right thing as I'm getting
> nowhere.
>
> I help a school (remotely) keep up servers I installed while I was a
> teacher there.  One of those servers is the firewall/webserver.  I didn't
> realize that at some point FTP was started (I was playing around with it a
> long time ago, but thought it was shut down).  Last week I got a call that
> they were having trouble with the system and couldn't get out to the
> internet or SSH into the system.  We finally got some of it back on-line,
> enough for me to get in via secure WebMin.  It appears that someone got in
> via FTP and messed up SSH.  Although I'm functioning as root in WebMin, I
> can't delete some files.  The permissions were changed to "root" as owner
> and "ftp" as group on some of these files, one of them being SSH.  I
> cannot see the ssh executable in some views, nor can I delete it.  Then I
> found that there were files changed in "/etc/rc.d/init.d" with the same
> problem.  Although root appears to have control of the file (with FTP as
> group now), I can't do anything with it.  Any suggestions on how I can get
> this stuff corrected and get ssh back up and running?
>
> Thank you for the time and help.  If there's a place anyone could direct me
> instead, that's fine...

Was it wu-ftp?  "He who woos wu woos woe."

You're not going to like hearing this, but the only way to regain
and retain control of the machine is by reformatting the harddrive
and reinstalling the OS from clean media with all security updates.
When a machine gets rooted, the intruder usually alters many system
binaries such as ps, top, ls, etc... This is done to make it
difficult for you to notice that he's been there.

At this point you cannot trust ANY of the binaries on your system,
period.  You need to pull the plug on this machine ASAP, because
until you do, your machine is a menace to society.  It is almost
certainly being used to attack other machines.  If it attacks a bank
or a military site, you could get into some pretty hot water.

Read the comp.os.linux.security FAQ:
http://www.linuxsecurity.com/docs/colsfaq.html

Pay special attention to section 5.6:
http://www.linuxsecurity.com/docs/colsfaq.html#5.6

You may wish to make backups of your hd for forensic purposes, or to
restore your data.  When you restore your data, search for
executables - especially suid executables - and examine them VERY
carefully.

Once an intruder has access, he will almost certainly install a
backdoor so that he can regain access.

--
Jim Thomas              Principal Applications Engineer
Bittware, Inc
jthomas@bittware.com    http://www.bittware.com             (703) 779-7770
The sooner you get behind, the more time you'll have to catch up
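The review step Jim describes (go through a restored copy of the data and look at every executable, especially the setuid ones, before trusting anything) as an added example; this script is not from the thread or from either poster. It assumes the restored tree is mounted somewhere on a clean host and passed as the first argument; the group name "ftp" and the sample file names are taken from Ryan's symptoms, and the sample tree it builds when run without arguments is constructed, not real data.

```sh
#!/bin/sh
# Added example, not from the thread: inventory of setuid/setgid executables
# and of files carrying an unexpected group (the root:ftp symptom above) in a
# RESTORED copy of the data, run from a clean host before anything is reused.
# Assumption: $1 is the root of the restored tree; with no argument a small
# constructed sample tree is built in a temp directory and scanned instead.

# Print "mode owner group path" for every regular file with setuid or setgid
# set, sorted by path. Directories are skipped (setgid directories are normal).
list_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; \
      | awk '{ print $1, $3, $4, $NF }' | sort -k4
}

# Print every path under $1 whose group is $2 (e.g. "ftp"); on the compromised
# box that group marked files the intruder had reached through the FTP daemon.
list_group_owned() {
    find "$1" -group "$2" | sort
}

# Number of setuid/setgid regular files under $1.
count_suid_sgid() {
    list_suid_sgid "$1" | wc -l | tr -d ' '
}

# Checksum manifest of the flagged binaries, to compare against a clean install.
checksum_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec cksum {} \; | sort -k3
}

# Constructed sample tree (not real data): a fake "ssh" with setuid set, a fake
# init script with setgid set, and one ordinary file that must not be flagged.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/etc/rc.d/init.d"
    printf '#!/bin/sh\n' > "$d/usr/bin/ssh";             chmod 4755 "$d/usr/bin/ssh"
    printf '#!/bin/sh\n' > "$d/etc/rc.d/init.d/network"; chmod 2755 "$d/etc/rc.d/init.d/network"
    printf 'hello\n'     > "$d/etc/motd";                chmod 0644 "$d/etc/motd"
    printf '%s\n' "$d"
}

if [ "${1:-}" ]; then
    list_suid_sgid "$1"
else
    sample=$(make_sample_tree)
    list_suid_sgid "$sample"
    rm -rf "$sample"
fi
```

On a real restored tree, run `list_group_owned /mnt/restored ftp` as well; a group name that does not exist on the analysis host makes find fail, so add the group there first or use its numeric id.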