[WBEL-users] Permissions (Was Problems after updates)
Jean Lee
jean.lee at free.fr
Mon Jun 13 04:58:35 CDT 2005
Larry Apolonio wrote:
>
> I have to agree with Jeremy. You probably got rooted (hacked). There
> are a host of ways this could have happened but in the case of a
> rootkit, someone downloads some "special" tools on to your box to take
> it over. Then they change /bin/ps delete logs, change libraries, and a
> lot of bad stuff to hide their tracks.
>
> One way to check is to boot off CD 1 of the whitebox set and go into
> emergency mode.
What is the purpose of doing this?
>
>
> Finally, one of the tricks crackers use is the chattr command. Files on
> an ext3 system have hidden attributes. Do a lsattr /bin/ps and if you see
> ----i-------- /bin/ps
I see it
> odds are someone got you.
Great
> you can also run file /bin/ps, if it is a shell script rather than an
> executable.
/bin/ps returns missing library libproc.so.2.0.13
> Then you should be able to cat /bin/ps and see what
> processes these guys are trying to hide.
Can you explain this in more detail?
>
>
> Larry
Well,
first of all, thank you for your help.
Now, I'm sure I have been hacked. I think the only thing I have to do is
to back up personal data (already done), and to reinstall WBEL. Is it
right?
Behind the server, I have a LAN network composed of WINXP machines. Is
there a way for the hackers to install something on these machines and
then to re-open a hole in my new server installation?
These first two questions are the most important ones but it would be
interesting to know what I have done wrong to be hacked. I will keep the
Hard drive for further analysis and install a new hard drive for the new
installation.
When I installed this server 1 year ago, I read the "Security quick
start howto" from HAL-Burgiss :
Things that I did which are big errors (after one year learning the
Linux system, I realise it) :
- No updates for 6 months.
- Run an OpenSSH server on the server (no DMZ) :
- incoming connections are chrooted with Jail
- Before installing the official OpenSSH server, I installed a patched
version with chrootssh. Someone on this list did it for me and packaged
this version in an rpm. When I discovered Jail, I removed the patched
package to install the official OpenSSH. The packager was bishop. I
think this can be a trusted packager but I don't have the skills to
verify it. If someone is interested in studying it, I still have the package.
- No installation of chkrootkit and tripwire.
Things that I respected :
- I always logged in as a normal user and then su in a shell.
- Iptables policy
- tcpwrappers
- no unused services
Is it possible to know where I was hacked from?
The first thing that I will try is chkrootkit.
What is the DAG's RHEL repo?
Can I use the tar.gz available on www.chkrootkit.org ?
Are there other things that I can try? (trying to reinstall ps to find
out what the real running processes are, for example) ....
Does anybody know a list which is best suited to ask all these questions?
Jean LEE
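The two checks Larry describes (the immutable attribute from lsattr, and file reporting a shell script where an ELF binary should be) can be scripted so a whole set of system binaries is audited at once. The following is an added example, not code from this thread or from the chkrootkit project; it parses lsattr-style output and inspects file headers itself (Python is used here for the parsing), and the lsattr lines and file contents are constructed samples, not data from a real compromised host.

```python
"""Audit binaries for two rootkit signals discussed on the list:
(a) the ext3 immutable attribute ('i') reported by lsattr, and
(b) the file being a shell script instead of an ELF executable.
Added example; sample data below is constructed, not from a real host."""
import re

# One line of `lsattr` output looks like "----i-------- /bin/ps":
# an attribute field of letters/dashes, whitespace, then the path.
LSATTR_LINE = re.compile(r"^\s*([A-Za-z-]+)\s+(\S+)\s*$")


def parse_lsattr(output):
    """Return {path: set of attribute letters} for each lsattr line."""
    attrs = {}
    for line in output.splitlines():
        m = LSATTR_LINE.match(line)
        if m:
            attrs[m.group(2)] = set(m.group(1).replace("-", ""))
    return attrs


def classify(content):
    """Rough equivalent of `file`: 'elf', 'script' (#! header) or 'other'."""
    if content.startswith(b"\x7fELF"):
        return "elf"
    if content.startswith(b"#!"):
        return "script"
    return "other"


def audit(lsattr_output, contents):
    """Map path -> list of reasons it looks suspicious.
    contents maps path -> leading bytes of the file (e.g. open(p, 'rb').read(16))."""
    findings = {}
    attrs = parse_lsattr(lsattr_output)
    for path, data in contents.items():
        reasons = []
        if "i" in attrs.get(path, set()):
            reasons.append("immutable attribute set (see lsattr)")
        kind = classify(data)
        if kind != "elf":
            reasons.append("not an ELF executable (%s)" % kind)
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample: /bin/ps replaced by an immutable script, /bin/ls intact.
SAMPLE_LSATTR = "----i-------- /bin/ps\n------------- /bin/ls\n"
SAMPLE_CONTENTS = {
    "/bin/ps": b"#!/bin/sh\n# constructed stand-in for a replaced ps\n",
    "/bin/ls": b"\x7fELF\x01\x01\x01" + b"\x00" * 9,
}

if __name__ == "__main__":
    for path, reasons in sorted(audit(SAMPLE_LSATTR, SAMPLE_CONTENTS).items()):
        print(path, "->", "; ".join(reasons))
```

An immutable bit on its own is only a signal, since administrators also set chattr +i deliberately on hardened hosts; compare the hits with what you know you set, and with rpm -V output from a clean package database.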