
Re: Server hacked - next...?



Okay... so supposing the whole system needs to be installed, we can make a
backup of the home directory now... but after we restore everything, what
is to stop the hacker immediately re-gaining access again?

The server is a fully updated "stable" debian system. In fact, it was
updated just yesterday.

I'm thinking that even if we do all the trouble of a complete
re-installation of the entire system, it won't fix this as it will get
re-hacked again, especially since we can't see what is going on anymore.

What do you think? :-(

This really, really sucks.



----- Original Message ----- 
From: "Dena Whitebirch" <shore@quasar.net>
To: "Jason Lim" <maillist@jasonlim.com>
Sent: Sunday, 29 June, 2003 2:16 PM
Subject: Re: Server hacked - next...?


>
> Hi Jason,
>
> My condolences!  We've been cracked twice, both times on RH boxes, (in 10
> years...so it's really not so bad) so we've got a bit of a system for
> cleaning up.  I applaud you for wanting to clean up correctly.  I've
> seen/heard too many horror stories out there where a user on someone
> else's system writes to me and shows me their cracked site and their
> host makes no apparent efforts to secure the box correctly.
>
> I'd like to offer any assistance I could give you.  This is the time of
> year it always happened to us.  School's out and people get bored ;)
>
> The first thing you can assume is the cracker probably has all the
> usernames and passwords on your system.  You can also suspect that your
> logs and everything else on your system *may not be* telling you the
> truth any longer.
>
> The likelihood that you'll need to rebuild from scratch is high.  It will
> probably, however be possible to maintain some/many user services while
> you do this after securing the box.  The first step to this is normally
> to lock all users out by changing their passwords until they all change
> them.
>
> You'll next want to consider the cracker's motives...there are a few types
> of crackers.  If you can figure that out it will help you decide what they
> may have done and the extent of the damage.  Sometimes they truly want to
> harm you, and sometimes they want to plant things on your server so they
> can play with people on IRC, etc.
>
> sans.org has a pretty good section on cleanup if I remember correctly.
>
> Let me know what else I can do to help.  (And don't berate yourself too
> badly if you're tempted to do so!  Most any server can be cracked.)  You
> may never know for sure how you got cracked as there are so many ways.
> Any system with users, usernames/passwords, clients uploading insecure
> scripts, etc. will always be somewhat vulnerable.
>
> -Dena
>
>           -=Dena Whitebirch=-
>     @quasar Internet Solutions, Inc.
>     "Internet Powered by Experience"
> --------------------------------------------
> Register .MART domains and more @quasar!
>           http://quasar.net/
>
> On Sun, 29 Jun 2003, Jason Lim wrote:
>
> > Hi all,
> >
> > Well... bad day for me.
> >
> > One of our servers was hacked (woody)... badly, from what I can see. A
> > whole bunch of binaries have been modified, and strange processes are
> > running on the server. The hack date appears to be jun 6.
> >
> > Is there a document somewhere, or procedure, to recover after this? This
> > is a working and running system, so somehow need to be able to recover
> > from this with minimal impact to end-users.
> >
> > Some things like:
> >
> > www-data 17451  0.0  0.0  2164  928 ?        S    02:31   0:00 /bin/sh
> > www-data 21550  0.0  0.0  1232  236 ?        S    05:02   0:00 ./x
> > www-data 21551  0.0  0.0     0    0 ?        Z    05:02   0:00 [x <defunct>]
> > root     21552  0.0  0.0     0    0 ?        Z    05:02   0:00 [modprobe <defunc
> > root     21554  0.0  0.0  2148  912 ?        S    05:02   0:00 /bin/sh
> > root     21755  0.0  0.0  2164  948 ?        S    05:02   0:00 /bin/sh
> > root     21801  0.0  0.0  2180  964 ?        S    05:03   0:00 /bin/bash ./troja
> > root     22010  0.0  0.0  1244  204 ?        S    05:03   0:00 ./siz ifconfigx /
> > root     12267  0.0  0.0     0    0 ?        Z    07:15   0:00 [date <defunct>]
> > root     12266  0.0  0.0  1264  252 ?        T    07:15   0:00 date +%d
> >
> > Anyone seen anything like this? Could this be the kernel hack ppl were
> > talking about affecting 2.4.17?
> >
> > Guess you guys would know a lot about this stuff...
> >
> > Any help and suggestions greatly appreciated.
> >
> > Sincerely,
> > Jas
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> >
>
>
>
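The process listing Jason quoted is the kind of evidence an admin triages first, so here is an added example (not code from anyone in this thread) that parses `ps aux`-style lines and flags the indicators the thread points at: shells owned by the web server user, executables launched from relative paths such as `./x` and `./troja`, and defunct children. The sample listing is constructed from the lines quoted above (with a normal `init` line added for contrast); the field order of `ps aux` and the set of service users are assumptions.

```python
"""Triage helper for a suspected-compromise process listing.

Added example for this thread, not code from the original posts.
Caveat grounded in the thread itself: once binaries have been modified,
the ps on the box may lie, so feed this a listing taken with a known-good
ps (e.g. from rescue media) or from an offline image.
"""
import re
from typing import List, NamedTuple, Tuple


class Proc(NamedTuple):
    user: str
    pid: int
    state: str     # STAT column: Z = defunct, T = stopped, S = sleeping ...
    command: str


# Constructed sample, rebuilt from the `ps` lines quoted in the thread.
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  1412  520 ?        S    Jun06   0:04 init [2]
www-data 17451  0.0  0.0  2164  928 ?        S    02:31   0:00 /bin/sh
www-data 21550  0.0  0.0  1232  236 ?        S    05:02   0:00 ./x
www-data 21551  0.0  0.0     0    0 ?        Z    05:02   0:00 [x <defunct>]
root     21552  0.0  0.0     0    0 ?        Z    05:02   0:00 [modprobe <defunct>]
root     21554  0.0  0.0  2148  912 ?        S    05:02   0:00 /bin/sh
root     21801  0.0  0.0  2180  964 ?        S    05:03   0:00 /bin/bash ./troja
root     22010  0.0  0.0  1244  204 ?        S    05:03   0:00 ./siz ifconfigx /
root     12267  0.0  0.0     0    0 ?        Z    07:15   0:00 [date <defunct>]
root     12266  0.0  0.0  1264  252 ?        T    07:15   0:00 date +%d
"""

# Assumption: accounts that serve web content should never own an interactive shell.
SERVICE_USERS = {"www-data", "nobody"}
SHELLS = {"/bin/sh", "/bin/bash", "sh", "bash"}
RELATIVE_EXEC = re.compile(r"(^|\s)\./\S+")   # ./x, ./troja, ./siz ...


def parse_ps(text: str) -> List[Proc]:
    """Parse `ps aux` output (11 columns, COMMAND last) into Proc tuples."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 10)          # COMMAND may contain spaces
        if len(fields) < 11 or fields[0] == "USER":
            continue                           # header or malformed line
        procs.append(Proc(fields[0], int(fields[1]), fields[7], fields[10]))
    return procs


def triage(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs for processes matching the thread's indicators."""
    findings = []
    for p in procs:
        argv0 = p.command.split()[0]
        if p.user in SERVICE_USERS and argv0 in SHELLS:
            findings.append((p.pid, "shell running as service user %s" % p.user))
        if RELATIVE_EXEC.search(p.command):
            findings.append((p.pid, "executable launched from relative path"))
        # Zombies are not proof of anything on their own; they are listed so the
        # analyst can pair each one with the parent that spawned it.
        if p.state.startswith("Z") and p.command.startswith("["):
            findings.append((p.pid, "defunct child: %s" % p.command))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(parse_ps(SAMPLE_PS)):
        print("%6d  %s" % (pid, reason))
```

Run it against `ps aux` output saved from the box and it prints one line per suspicious process; the root `/bin/sh` processes are deliberately not flagged, since root shells are normal on their own and only the timing next to `./x` makes them interesting.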


