Hello, I have some strange problems on my server, starting last night. Every minute root gets this mail:

Code:
Cron <root@www> chown root:root /tmp/w00tt && chmod 4755 /tmp/w00tt && rm -rf /etc/cron.d/core && kill -USR1 2584

which says:

Code:
/bin/sh: line 0: kill: (2584) - No such process

I run SSH on a non-standard port. But suddenly SSH is back on port 22. I checked my /etc/ssh/sshd_config and it is configured with the port I want. I use ISPConfig, and I have opened the firewall for the non-standard SSH port.

Edit: I also see that a root login was performed:

Code:
ALERT - Root Shell Access on: Mon Apr 14 05:02:13 CEST 2008

This usually logs the IP address or says tty1. It is after this login that the messages for root begin to come. Strange, I use a non-standard SSH port, and a very secure password for root. Any tips here?
Ok, this is not good. I found a folder in /temp/ that is named .dat. It seems to contain an exploit, for installing eggdrop. I removed a file in /etc/cron.d called core.2585. Then the messages from cron stopped. The file seems unreadable in text editors, but some is readable. What should I do next...
You need to check the system from good read-only media, because right now all your binaries must have been changed. My best bet is trash the system and rebuild a new system, restoring configurations from known good backups.
Thank you. How can I check what binaries have been changed? Trashing the system is not a good option for me right now.
You need to know the md5sums of these binaries. Usually you would use the rpm database to verify this:

Code:
rpm -Va

but if the guy that broke in were good, I guess they have already messed up the db. In most cases exploited binaries will also have their attributes changed such that you cannot replace them, so check using:

Code:
lsatt /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin

Any with the immutable and append flag set should be suspect.
Thank you again topdog. chkrootkit and rkhunter do not find anything (I deleted the one I found manually). What should I look for running rpm -Va? lsatt returns:

Code:
-bash: lsat: command not found
With rpm -Va you should be looking for binaries whose md5 / ownership has changed. I guess the person has removed lsattr because he has changed the attributes of your files, so you need to get your own one anyway, as the installed one could be altered.
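An added example (my own, not code posted by anyone in this thread) that applies the two checks topdog describes, rpm -Va for changed digests/ownership and lsattr for the immutable/append-only flags, to sample output constructed inline, so it runs without rpm or lsattr on the box. On a real system you would pipe in the output of those commands run from trusted read-only media, since the installed copies cannot be trusted on a compromised host.

```shell
#!/bin/sh
# Added example, not from the original thread. The two SAMPLE variables below
# are constructed stand-ins for `rpm -Va` and `lsattr -R` output.

# rpm -Va prints one line per file that differs from the package database.
# Flag field letters: S size, M mode, 5 MD5 digest, D device, L link path,
# U user, G group, T mtime; a "c" after the flags marks a config file.
# A digest, mode, user or group change on a binary is what topdog tells us
# to look for; a size/mtime-only change on a config file is a normal edit.
rpm_suspects() {
    # $1: text of rpm -Va output. Prints "path flags" for each suspect file.
    printf '%s\n' "$1" | awk '
        /^missing/ { print $NF " missing"; next }
        NF >= 2 {
            flags = $1; path = $NF
            if (index(flags, "5") || index(flags, "M") ||
                index(flags, "U") || index(flags, "G"))
                print path " " flags
        }'
}

# lsattr prints the attribute string, then the path. "i" (immutable) and
# "a" (append-only) are the two flags topdog says should be suspect; note
# that append-only on a log file can be a legitimate admin choice, so the
# list is a starting point for review, not proof of tampering.
lsattr_suspects() {
    # $1: text of lsattr output. Prints "path attrs" for each flagged file.
    printf '%s\n' "$1" | awk '
        NF >= 2 {
            attrs = $1; path = $2
            if (index(attrs, "i") || index(attrs, "a"))
                print path " " attrs
        }'
}

# Constructed sample output (not from any real system).
RPM_SAMPLE='S.5....T.    /bin/ls
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/crontab
missing     /usr/bin/lsattr
.M.......    /usr/bin/sudo'

LSATTR_SAMPLE='----i--------    /bin/ps
-------------    /bin/ls
-----a-------    /var/log/messages
-------------    /usr/bin/sudo'

# The case from later in the thread: every file shows only dashes.
LSATTR_CLEAN='-------------    /bin/ps
-------------    /bin/ls'

echo "rpm -Va suspects:"
rpm_suspects "$RPM_SAMPLE"
echo "lsattr suspects:"
lsattr_suspects "$LSATTR_SAMPLE"
echo "lsattr suspects (clean sample):"
lsattr_suspects "$LSATTR_CLEAN"
```

With the real commands you would run something like `rpm -Va > /root/rpm-verify.txt` and `lsattr -R /bin /sbin /usr/bin /usr/sbin > /root/lsattr.txt` from a rescue boot, then feed those files to the two functions; anything listed is a candidate for comparison against a clean install rather than something to repair in place.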
lsattr returns ---------- on all. I ran lsatt the first time, sorry. I have shut down ssh for now. Changed root password. And everything is back to normal (seems). What can I do to make ssh safe to use again? I guess, delete all files which have to do with ssh, and reinstall it? Which folders to delete? Have ssh and ssh2 on fedora c4. I have many e-mail accounts on the server, but only one user has access to shell (root). Must I take any action regarding the e-mail users/addresses?
I actually think you are focusing on the wrong place. I think the server was exploited via something else, not ssh; the person just configured ssh back on port 22 for them to connect to the machine. You need to focus on finding which software was vulnerable and was exploited for the attacker to get in.
You are right, I think. It's easy to get blind. The files were located in the temp folder and in /etc/cron.d/. I guess the temp folder is the source, and this came from an insecure website on my server. This seems to be the exploit, attached as w00tt.zip. But I can't understand how they got to run it, and how they got the cron job. The file core.zip contains the file which was located in /etc/cron.d/. The w00tt file exploit seems to be for an older core, so I should have updated, and maybe this wouldn't have happened. But is that enough, or do you think there are other weaknesses?
You need to audit what is running. Running selinux in most cases would mitigate some of these attacks; it's a pity control panel designers don't seem to consider such security mechanisms when designing their software. If apache was running secured by selinux there would be no way it could be allowed to write to the cron directories.
http://www.milw0rm.com/exploits/2005 This is the exploit you were hit with, so if you had updated your system you would not be a victim.
Ok, so it's time to update my server. Can I use selinux and run ISPConfig? In the guide TPS FC4 it's recommended to disable selinux.
Why you insist on keeping an out-of-support machine on the internet beats me. You should be creating an upgrade plan now, not salvaging a system that will be cracked the next day.
You are right. I just need some time. Will be upgrading to Fedora 8. So it's just buying myself the time.