[WBEL-users] Permissions (Was Problems after updates)

Jean Lee jean.lee at free.fr
Mon Jun 13 04:58:35 CDT 2005


Larry Apolonio wrote:

>
> I have to agree with Jeremy.  You probably got rooted (hacked).  There
> are a host of ways this could have happened, but in the case of a
> rootkit, someone downloads some "special" tools on to your box to take
> it over.  Then they change /bin/ps, delete logs, change libraries, and a
> lot of bad stuff to hide their tracks.
>
> One way to check is to boot off CD 1 of the whitebox set and go into
> emergency mode.

What is the purpose of doing this ?

>
>
> Finally, one of the tricks crackers use is the chattr command.  Files on
> an ext3 system have hidden attributes.  Do an lsattr /bin/ps and if you see
> ----i-------- /bin/ps

I see it

> odds are someone got you.

Great

> you can also run file /bin/ps, to see if it is a shell script rather than an
> executable.

/bin/ps returns missing library libproc.so.2.0.13

> Then you should be able to cat /bin/ps and see what
> processes these guys are trying to hide.

Can you explain this more in detail ?

>
>
> Larry

Well,

first of all, thank you for your help.
Now I'm sure I have been hacked. I think the only thing I have to do is
to back up personal data (already done) and to reinstall WBEL. Is that
right?

Behind the server, I have a LAN composed of WinXP machines. Is
there a way for the hackers to install something on these machines and
then reopen a hole in my new server installation?

These first two questions are the most important ones, but it would be
interesting to know what I have done wrong to get hacked. I will keep the
hard drive for further analysis and install a new hard drive for the new
installation.

When I installed this server 1 year ago, I read the "Security Quick
Start HOWTO" by Hal Burgiss.
Things I did that are big errors (after one year of learning the
Linux system, I realise it):

- No updates for 6 months.
- Ran an OpenSSH server on the server (no DMZ):
        - incoming connections are chrooted with Jail
- Before installing the official OpenSSH server, I installed a patched
version with chrootssh. Someone on this list did it for me and packaged
this version as an rpm. When I discovered Jail, I removed the patched
package to install the official OpenSSH. The packager was bishop. I
think he can be a trusted packager, but I don't have the skills to
verify it. If someone is interested in studying it, I still have the package.
- No installation of chkrootkit and tripwire.

Things that I respected :

- I always logged in as a normal user and used su in a shell.
- Iptables policy
- tcpwrappers
- no unused services


Is it possible to know where I was hacked from?

The first thing that I will try is chkrootkit.
What is the DAG's RHEL repo?
Can I use the tar.gz available on www.chkrootkit.org ?

Are there other things that I can try? (Trying to reinstall ps to find
out what the real running processes are, for example.)
Does anybody know a list which is better suited to ask all these questions on?


Jean LEE
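Editor's note: the checks Larry suggests above (a /bin/ps that is really a shell script, and the immutable flag set with chattr +i) are easy to script. The following is an added example written for this page, not code posted by either correspondent. It classifies each file in a directory by its first four bytes (a real ELF executable begins with the magic bytes 7f 45 4c 46, "\177ELF"; a wrapper script begins with "#!") and, when lsattr is available and the file sits on an ext2/ext3 filesystem, reports whether the lowercase "i" attribute is set. The demo files at the bottom are constructed for the example and are not real system binaries; the path /usr/lib/.x/ps.real in the fake wrapper is invented.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits a directory of
# supposed binaries for two rootkit tells discussed on the list:
#   1. a binary replaced by a shell script  (first bytes "#!" instead of "\177ELF")
#   2. the ext2/ext3 immutable attribute    (lowercase "i" in lsattr output)
# All demo paths and files below are constructed for illustration.

# Classify one file by its first four bytes: ELF, SCRIPT, OTHER or MISSING.
classify_binary() {
    f="$1"
    [ -f "$f" ] || { echo "MISSING"; return; }
    magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo "ELF" ;;      # \177 E L F
        2321*)    echo "SCRIPT" ;;   # "#!"
        *)        echo "OTHER" ;;
    esac
}

# Report the immutable attribute: immutable, mutable, or unknown when lsattr
# is absent or the file is not on a filesystem that supports the attribute.
immutable_flag() {
    f="$1"
    command -v lsattr >/dev/null 2>&1 || { echo "unknown"; return; }
    attrs=$(lsattr -d "$f" 2>/dev/null | awk '{print $1}')
    [ -n "$attrs" ] || { echo "unknown"; return; }
    case "$attrs" in
        *i*) echo "immutable" ;;     # lowercase i only; uppercase I is another flag
        *)   echo "mutable" ;;
    esac
}

# Audit every regular file in a directory: "<type> <immutable?> <path>" per line.
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\t%s\n' "$(classify_binary "$f")" "$(immutable_flag "$f")" "$f"
    done
}

# Number of files in the directory that are scripts where binaries are expected.
count_scripts() {
    audit_dir "$1" | grep -c '^SCRIPT' || true
}

# Demo on constructed files: a fake ELF header, and a fake trojaned ps wrapper
# that hides one process name from the listing (the hidden path is invented).
demo=$(mktemp -d)
printf '\177ELF\002\001\001' > "$demo/ls"
printf '#!/bin/sh\nexec /usr/lib/.x/ps.real "$@" | grep -v xhide\n' > "$demo/ps"
chmod 755 "$demo/ls" "$demo/ps"
audit_dir "$demo"
echo "scripts posing as binaries: $(count_scripts "$demo")"
rm -rf "$demo"
```

Run it against the directories that matter (/bin, /sbin, /usr/bin, /usr/sbin, /lib) after mounting the suspect disk from the rescue CD rather than from the running system: on a rooted box the shell, dd, od and lsattr you would be calling may themselves have been replaced, which is the point of Larry's advice to boot from CD 1. A SCRIPT result or an immutable flag on a stock binary is strong evidence, but a clean result proves nothing, since a rootkit that replaces ps with a recompiled ELF binary passes the first check; compare against the package database (rpm -V on the mounted root) as well.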