Linux security issue:


Arijit

Guest
A few days back someone hacked our server. I changed all the passwords for all users. But still someone is accessing our server. How can I prevent it? How can I solve this problem?
 


Hi Arijit,
How have you detected the intrusion?
Have you searched for "planted" scripts on your server? Or have you reconstructed the whole server?
 
Do you have a firewall (software or hardware)? What if you closed all unneeded ports?
 
Hi Virneto,
Thanks for your reply
Actually, when I ran the "history" command in the terminal I saw lots of commands which were not run by me.
Then I changed the password for the user,
but still the same thing is going on.
 
Do you have a firewall (software or hardware)? What if you closed all unneeded ports?

Thanks a lot
I think no firewall software is installed. A default firewall may be present.
Can you tell me how to check whether firewall software is present or not,
and some information about ports?
 

Run this command (you may need root privileges), which will list the firewall rules if the software firewall is active:

Code:
iptables -L

The rules will list the ports with denied in-traffic and/or out-traffic. Here is a link about ports (http://en.wikipedia.org/wiki/Port_(computer_networking)).
 
Thanks again
My firewall software is running properly.
I think when someone got access to my server they were getting information about my server.
I am attaching a file of suspicious connections.

How can I solve this issue?
 

Hey again Arijit,
here are some thoughts (not a comprehensive "what to do"):
Do you have any cron jobs that are run by root?
Maybe it is your system that is running those commands, or some software.
# check who has been logged in (man last for full options)
last
# (not sure if this one will work for you) who has tried to log in as root and failed?
faillog -u root
# who is logged in right now?
who
# see your log files in real time for suspicious activity (the -f option is for follow, so you get to see your logs the second they are written)
tail -f /var/log/auth.log
# or
tail -f /var/log/secure
# or, even if you don't already do it, keep a prompt open in a terminal and just keep an eye on your access logs... just to see who stops by
tail -f /var/log/access.log
If you find some IP hammering your server you can use DenyHosts to ban that IP.
please keep us updated ;)
 
  1. Is the server directly on the internet no router/firewall in place?
  2. How are you authenticating to the server?
  3. When was the last time that you patched the server?
  4. As root run ss -tlna and post the output (Output on the forum won't be pretty so a pastebin or something similar would be best.)
  5. Look through your /etc/passwd for accounts that should not belong there.
  6. Using iptables block access to the ports that are for the offending application.
  7. Let's start there and we can proceed after some basics have been done.
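Steps 4 and 5 above (review the ss -tlna output and look through /etc/passwd for accounts that should not be there) can be turned into a repeatable check. The script below is an added example, not something any poster in this thread wrote; the passwd lines, the ss output, the "sysupd" account and the addresses in them are constructed samples, not data from the affected server.

```shell
#!/bin/sh
# Constructed sample standing in for /etc/passwd on a compromised host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
arijit:x:1000:1000:Arijit:/home/arijit:/bin/bash
sysupd:x:0:0::/tmp:/bin/sh'

# Constructed sample standing in for "ss -tlna" output.
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    127.0.0.1:3306      *:*
LISTEN  0      128    *:22                *:*
LISTEN  0      100    0.0.0.0:25          *:*
LISTEN  0      128    :::80               :::*
ESTAB   0      0      10.0.0.5:22         198.51.100.7:51234'

# Accounts with UID 0 other than root: a second root-equivalent account
# is a classic sign of a planted backdoor (step 5).
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts that can log in interactively (shell is neither nologin nor
# false); compare this list with the people who should really have access.
login_shells() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Listening TCP ports bound to something other than loopback, i.e. the
# ports reachable from outside (step 4). Each is a candidate for iptables.
exposed_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        if ($4 !~ /^127\./ && $4 !~ /^::1:/) print port
    }' | sort -n | uniq
}

# Run against the samples; on a real box feed it "$(cat /etc/passwd)"
# and "$(ss -tlna)" instead (ss needs root to show owning processes).
echo "UID-0 accounts besides root:"; extra_uid0 "$SAMPLE_PASSWD"
echo "Accounts with a login shell:"; login_shells "$SAMPLE_PASSWD"
echo "Externally reachable listening ports:"; exposed_ports "$SAMPLE_SS"
```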
 
Thanks again
I ran the ss -tlna command. I want to show you the output. If you give me your email id or suggest anything.
The hacker is also sending mails from our server.
 
Can you put it out on pastebin or something similar so that we can all look at it? The more eyes we have looking at this the better.

If they are sending mails then you might try blocking the access to port 25 so that they can't send out more emails. What I am having you do here will not survive a reboot, but it should get you some temporary relief.

As root run:

Code:
iptables -A OUTPUT -p tcp --dport 25 -m comment --comment "Rule to block outbound smtp" -j DROP

This will not be effective if the attacker has root level access to the box. They can remove the rule if they have that level of access. In the event that the attacker has root level access you will want to start from scratch on the machine. There is no telling what else has been done.

You are going to want to seriously rethink your security posture. You are going to need to harden your passwords, use SSH keys, patch regularly, and several other steps to keep this from happening again.
 

quite informative
 
