Forum Moderators: bakedjake
The reason I came here was that my Linux machine running FC2 was hacked yesterday. This machine does not run any commercial stuff, just my personal homepage, and serves as a way for me to learn to use Linux.
I run Fedora Core 2 with Apache 2.0.4x, PHP, mySQL, mySQL_auth, ssh and samba.
Anyway, all incoming traffic was redirected to a Russian truck parts vendor or something. Also, all of my other services (ssh, samba) were not responding. I usually only connect to this box via ssh, so I had to restart the server.
After I restarted, everything seemed to work fine. I inspected my web content, and everything was intact. I also checked httpd.conf and couldn't find any changes there. After a couple of hours or so the same thing happened: all http traffic was redirected and ssh died. By this time I had cut off access to port 80 via my router. No other port is open to that computer.
How can I find the hackers'/scriptkiddies' point of entry? I'm also concerned about rootkits. How can you detect them? Has anyone got any tips or resources where to read up on "recovering" a system? I'm not a total newbie but far from an expert...
Grateful for any help!
//Johan
Before the real security experts on the forum answer (I'm not one of them!), I thought I'd throw in a few ideas. Was the box fully patched? There have been patched vulnerabilities for the Linux kernel and for Apache 2 in the last two weeks. Also, you say you're running MySQL: are you using a CMS such as PHPNuke? Could the hacker have got in via a scripting bug in your website?
You mentioned the firewall: does it only let through traffic to port 80, or does it also allow connections to sshd?
Here are a couple of useful articles covering the basics of forensics on a Linux system that I was reading myself a few days back:
[securityfocus.com...]
[securityfocus.com...]
Also, you might want to check out bakedjake's (the forum moderator) UNIX security checklist in this thread to reduce the risks in the future:
[webmasterworld.com...]
<added>I believe the only real way to clean up after a hacking incident is a total format and reinstall after backing-up your data</added>
No, sadly I haven't applied any patches since I installed the operating system. Guess I've learned why you should do that now...
No, I'm not running Nuke or any other CMS, though I was developing my own CMS that very well could have had security flaws. As for sshd, I shut those ports off at my router (but they were still open in shorewall; isn't that what the Red Hat firewall is called?).
Cheers!
//Johan
How can I find the hackers'/scriptkiddies' point of entry?
LOGS. Go through EVERYTHING. Unplug the machine from the network - now.
I’m also concerned about rootkits. How can you detect them?
[chkrootkit.org...]
Has anyone got any tips or resources where to read up on “recovering” a system?
Find the point of entry, confirm the point of entry (by testing it yourself), retrace the steps of the intruder.
Then, making sure you note the problem, reformat the hard drive and start over, restoring from a recent backup.
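As an added illustration of the "go through the logs" and "retrace the steps of the intruder" advice in the reply above (this is example code, not something posted in the thread), here is a first-pass triage of an Apache combined-format access log. The log lines, addresses, paths and timestamps are constructed for the example; the indicators it greps for are generic ones (path traversal, encoded traversal, NUL bytes, POSTs to PHP scripts, PHP files appearing under image or upload directories) and are a starting point, not a complete list.

```shell
#!/bin/sh
# Added example, not from the thread: a first pass over an Apache
# combined-format access log, the "go through everything" step above.
# The log below is constructed for illustration; the addresses, paths
# and timestamps are made up.
set -u

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [14/Jun/2004:10:01:02 +0200] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
10.0.0.5 - - [14/Jun/2004:10:01:05 +0200] "GET /about.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
192.0.2.77 - - [14/Jun/2004:23:14:01 +0200] "GET /index.php?page=../../../../etc/passwd HTTP/1.0" 200 2104 "-" "Wget/1.8"
192.0.2.77 - - [14/Jun/2004:23:14:09 +0200] "POST /cms/upload.php HTTP/1.0" 200 55 "-" "Wget/1.8"
192.0.2.77 - - [14/Jun/2004:23:15:30 +0200] "GET /cms/images/x.php HTTP/1.0" 200 310 "-" "Wget/1.8"
10.0.0.9 - - [15/Jun/2004:08:00:00 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
EOF

# Requests per client address, busiest first.
requests_by_client() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn
}

# The single address with the most requests.
top_client() {
    requests_by_client "$1" | head -n 1 | awk '{ print $2 }'
}

# Lines carrying generic web-attack indicators: path traversal (plain or
# URL-encoded), embedded NUL bytes, POSTs to PHP scripts, and PHP files
# served from directories that should only hold static content.
suspicious_requests() {
    grep -Ei '\.\./|%2e%2e|%00|"POST [^"]*\.php|/(images|uploads)/[^" ]*\.php' "$1"
}

# Number of such lines (prints 0 rather than nothing when there are none).
suspicious_count() {
    suspicious_requests "$1" | grep -c .
}

# First timestamp at which an address appears: the start of that actor's
# timeline, which is what "retrace the steps of the intruder" needs.
first_seen() {
    awk -v ip="$2" '$1 == ip { ts = $4 " " $5; gsub(/[][]/, "", ts); print ts; exit }' "$1"
}

echo "== requests per client =="
requests_by_client "$SAMPLE_LOG"
echo "== suspicious requests =="
suspicious_requests "$SAMPLE_LOG"
busiest="$(top_client "$SAMPLE_LOG")"
echo "== busiest client $busiest first seen at $(first_seen "$SAMPLE_LOG" "$busiest") =="
```

On a real box the same functions run against /var/log/httpd/access_log (and the rotated copies); the point of first_seen is to get a timestamp you can then line up against /var/log/messages, /var/log/secure and the sshd and samba logs, which is how you confirm an entry point rather than guess it. Anything in the PHP tree that the CMS did not ship with and that appears in the log after that timestamp deserves a look.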
After this I decided to make a fresh install of FC2. I did not, however, format the drive that contains the /var data (I had my reasons for this). This time around I applied all safety updates.
After initial installation everything seemed fine, but after a while the same "hack" appeared.
All requests were redirected to a server outside (via a Google search page). One thing I noticed, though, was that I was only redirected when requesting the hostname (http://hostname/). If I request via IP or via localhost, everything works fine. Can this give anyone any idea what has really happened, and how to fix it?
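As an added example (not something posted in the thread), two checks that fit the symptom just described. Apache evaluates name-based VirtualHost blocks and %{HTTP_HOST} rewrite conditions against the Host header, so a redirect that only fires when the site is requested by hostname, and not by IP or localhost, is the behaviour such a directive produces. The script scans .htaccess files and Apache config for redirect/rewrite directives, and lists files under the web root modified after a reference date. The web root, config directory, .htaccess contents and timestamps are all constructed here as stand-ins for /var/www and /etc/httpd; the reference date stands in for the reinstall date, which matters because the post says the /var volume was kept.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for the symptom above
# (redirect only when the site is requested by hostname, not by IP or
# localhost). Apache evaluates name-based <VirtualHost> blocks and
# %{HTTP_HOST} rewrite conditions against the Host header, so a request by
# IP bypasses them. The web root, config directory and timestamps below
# are constructed stand-ins for /var/www and /etc/httpd; the post says
# /var was kept across the reinstall, so a change there would survive it.
set -u

WEBROOT="$(mktemp -d)"
CONFDIR="$(mktemp -d)"
mkdir -p "$WEBROOT/html"
printf '<html>hello</html>\n' > "$WEBROOT/html/index.html"
touch -t 200405010000 "$WEBROOT/html/index.html"   # constructed: predates the reinstall

# Constructed: a per-directory config that only fires for one Host header.
cat > "$WEBROOT/html/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.test$ [NC]
RewriteRule ^(.*)$ http://203.0.113.9/ [R=302,L]
EOF
printf 'Listen 80\nDocumentRoot /var/www/html\n' > "$CONFDIR/httpd.conf"

# Constructed reference timestamp standing in for the reinstall date.
REF="$(mktemp)"
touch -t 200406150000 "$REF"

# Every directive in .htaccess files and Apache config that can redirect or
# rewrite a request, with file name and line number.
find_redirect_directives() {
    find "$1" "$2" -type f \( -name '.htaccess' -o -name '*.conf' \) -exec grep -HnEi \
        'RewriteCond.*HTTP_HOST|RewriteRule|Redirect(Match|Permanent|Temp)?[[:space:]]|ErrorDocument[[:space:]]+[0-9]+[[:space:]]+http' {} +
}

# Number of such directives (prints 0 when there are none).
count_redirect_directives() {
    find_redirect_directives "$1" "$2" | grep -c .
}

# Files under the web root modified after the reference timestamp: on a
# volume that was not wiped, this is the shortlist of what changed.
files_changed_since() {
    find "$2" -type f -newer "$1"
}

echo "== redirect/rewrite directives =="
find_redirect_directives "$WEBROOT" "$CONFDIR"
echo "== web root files changed since reference date =="
files_changed_since "$REF" "$WEBROOT"
```

Run against the real paths, the first function should be pointed at /var/www and /etc/httpd, and the reference file for the second can be any file whose mtime is known to be the reinstall (for instance one created by the installer). A RewriteCond on HTTP_HOST is exactly the kind of directive that distinguishes a hostname request from an IP request; if nothing turns up in .htaccess or the config, the remaining places to check for the same symptom are name-based VirtualHost blocks and the PHP code of the homepage itself, since a script can also redirect based on the Host header.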