was i hacked

Robert Oldham pluglist at plug.org
Sat May 3 10:10:42 MDT 2003


> I had a system crash recently which had put me in all sorts of problems on
> my RH7.1 box running sendmail and httpd.  Now it is restored but not to
> original and need some help.
> 
> What happened exactly was like this: On the 1st of May when I connected to
> the box through SSH from my home it gave me the bash prompt instead of my usual
> hostname prompt.  Second there were no files in /var/log.  Next I rebooted the
> comp and even my sshd on the server did not start and I had to rush to
> location physically.
> 
> On the comp also I could not get the usual prompt.  Eventually I found out
> that the .bash_profile, .bashrc, .bash_logout for root were missing, and
> none of the /var/log was there, ALL DELETED!!
> 
> The points I do not know are:
> 1. WAS I HACKED? IF YES HOW DO I KNOW WHICH WAY THE HACKER GOT IN?
> 2. After restoring, sendmail does not write logs to /var/log/maillog
> (though it is functioning) and similarly many log files (boot.log, cron,
> messages, secure, spooler) are 0 bytes.  The system is not writing logs to
> these files.  HOW? WHY?
> 3. Before restoring, the /etc/rc files had all broken links because at that
> time echo $PATH used to give me nothing.  No path was defined.  Now I've put
> a fresh rc.sysinit but all the other rc files are still marked red (they are
> not blinking) so IS THE LINK RESTORED OR NOT?  And how do I remove the red
> marked link files and restore all the linked files to normal??

Though the information you have offered is not conclusive that your host
has been compromised, it is very likely.  Having the shell history and
logs removed is fairly indicative of that.

If you have not been regularly applying the security patches from Red
Hat, it is likely that your host was compromised.  Red Hat 7.1 has a
number of known and well published root vulnerabilities, including
through sendmail, apache, and openssl just to name a few.  One of the
most important responsibilities of a system administrator today is to
keep up with the security patches which are made available.  Having a
host compromised is not only a terrible thing to have happen to you,
your compromised host can be used to launch anonymous attacks against
others and provide the cracker with a platform from which to operate
other illegal activities which may hurt others.

One thing that you must be very careful of is that a compromised host is
very likely to have information gathering applications installed.  This
would include password sniffers, tty recorders, patched ssh servers, and
data crawlers.  What this means is that your machine has probably been
extensively searched for any useful information which may aid in
attacking any existing or future hosts.  For example they may copy your
passwd or shadow file and use a passwd cracker to get all of the
passwords in it.  Further, they may use your host and its computing
resources to crack your password file.  Besides, as mentioned, they may
have already recorded the names and passwords you use to connect to any
other host from the compromised host.

On a brighter note, anyone who would erase your logs or bash config
files is not a very good cracker, demonstrating that they are not very
informed.  It is likely that your host was simply cracked by a script
kiddy.  What that means is that it is less likely, though still
possible, that you lost a great deal of very harmful information.  Or
that the information will be used against you in further attacks in the
future.

Regardless, I would suggest you remedy the problem as quickly as
possible.  Depending on what type of information you have on the
compromised host, you may need to perform forensic research to determine
how the cracker entered and what information they obtained.  However,
this can take a considerable amount of time.  Explaining it in email
would make my long email (for which I hope everyone will excuse me) much
longer.  The much shorter route is to simply backup your data and wipe
the machine clean with a new install.  Make sure to apply any security
patches before copying your data back onto the host.  You should also
change your passwords on any host which you connected to from the
compromised host and review each of their current states of security.
If you have used the same passwords used on the compromised host on
other hosts, they will obviously need to be changed, and the security on
those hosts must also be reviewed.

My condolences if your host has been compromised.  It is a horrible
thing to have happen to you.

Robert
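The indicators discussed in this thread (log files emptied or zero bytes, root's shell dotfiles gone, rc symlinks whose targets have disappeared) can be turned into a quick offline triage check. The script below is an added example, not part of the original thread or of any tool the posters mention. It builds a constructed throwaway directory tree that reproduces the poster's symptoms and audits it; the log names, dotfile names and rc directories it looks at are assumptions modelled on the Red Hat 7.1 layout described above.

```python
import os
import tempfile
from pathlib import Path

# Paths modelled on the Red Hat 7.1 layout described in the thread (assumption).
LOG_FILES = ["boot.log", "cron", "maillog", "messages", "secure", "spooler"]
ROOT_DOTFILES = [".bash_profile", ".bashrc", ".bash_logout", ".bash_history"]
RC_DIRS = ["etc/rc.d/rc3.d", "etc/rc.d/rc5.d"]


def audit_host(root):
    """Audit a filesystem tree rooted at `root` for the indicators in the thread.

    Returns a dict with three lists of paths relative to `root`:
      empty_logs       - expected log files that are missing or 0 bytes
      missing_dotfiles - root's shell dotfiles that are absent
      dangling_links   - rc symlinks whose target no longer exists
    """
    root = Path(root)
    findings = {"empty_logs": [], "missing_dotfiles": [], "dangling_links": []}

    log_dir = root / "var" / "log"
    for name in LOG_FILES:
        p = log_dir / name
        # A log the daemon should be writing that stays at 0 bytes (or is gone)
        # is the symptom the poster describes for sendmail's maillog.
        if not p.exists() or p.stat().st_size == 0:
            findings["empty_logs"].append(str(p.relative_to(root)))

    for name in ROOT_DOTFILES:
        p = root / "root" / name
        if not p.exists():
            findings["missing_dotfiles"].append(str(p.relative_to(root)))

    for rc in RC_DIRS:
        d = root / rc
        if not d.is_dir():
            continue
        for entry in sorted(d.iterdir()):
            # is_symlink() inspects the link itself; exists() follows it, so a
            # link whose target has vanished is reported as dangling.
            if entry.is_symlink() and not entry.exists():
                findings["dangling_links"].append(str(entry.relative_to(root)))
    return findings


def build_mock_tree():
    """Construct a throwaway tree reproducing the poster's symptoms (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    (root / "var" / "log").mkdir(parents=True)
    (root / "root").mkdir()
    (root / "etc" / "rc.d" / "init.d").mkdir(parents=True)
    (root / "etc" / "rc.d" / "rc3.d").mkdir()

    # Healthy: messages has content (constructed syslog line).
    (root / "var" / "log" / "messages").write_text(
        "May  1 00:00:01 host syslogd 1.4.1: restart.\n")
    # Symptom: maillog exists but is 0 bytes; the other logs are absent entirely.
    (root / "var" / "log" / "maillog").touch()

    # Symptom: only .bash_history survives in /root.
    (root / "root" / ".bash_history").write_text("ls\n")

    # One rc link to an existing init script, one to a script that was deleted.
    init = root / "etc" / "rc.d" / "init.d"
    (init / "sshd").write_text("#!/bin/sh\n")
    os.symlink("../init.d/sshd", root / "etc" / "rc.d" / "rc3.d" / "S55sshd")
    os.symlink("../init.d/sendmail", root / "etc" / "rc.d" / "rc3.d" / "S80sendmail")
    return root


if __name__ == "__main__":
    mock = build_mock_tree()
    for category, items in audit_host(mock).items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

Point `audit_host()` at a mount of the affected disk (or a copy of it) rather than at `/` on the live host: as the reply notes, a compromised machine may be running patched binaries, so anything run on it is only as trustworthy as those binaries. The "red but not blinking" rc entries in the question are consistent with symlinks whose targets are gone, which is exactly what the `dangling_links` check reports.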