Linux security issue:

Discussion in 'General Linux' started by Arijit, Jan 16, 2014.

  1. Arijit
    A few days back someone hacked our server. I changed all the passwords for all users. But still someone is accessing our server. How can I prevent it? How can I solve this problem?

  2. Virneto
    Hi Arijit,
    how have you detected the intrusion?
    Have you searched for "planted" scripts on your server? Or have you reconstructed the whole server?
  3. DevynCJohnson
    Do you have a firewall (software or hardware)? What if you closed all unneeded ports?
  4. Arijit
    Hi Virneto,
    Thanks for your reply.
    Actually, when I ran the "history" command in a terminal I saw lots of commands which were not run by me.
    Then I changed the password for the user.
    But still the same thing is going on.
  5. Arijit
    Thanks a lot.
    I think no firewall software is installed. A default firewall may be present.
    Can you tell me how to check whether firewall software is present or not,
    and give me some information about ports?
  6. DevynCJohnson
    Run this command (you may need root privileges); it will list the firewall rules if the software firewall is active:

    Code:
    iptables -L

    The rules will list the ports with denied in-traffic and/or out-traffic. Here is a link about ports (http://en.wikipedia.org/wiki/Port_(computer_networking)).
  7. Arijit
    Thanks again.
    My firewall software is running properly.
    I think when someone got access to my server they started getting information from my server.
    I am attaching a file of suspicious connections.

    How can I solve this issue?

  8. Virneto
    Hey again Arijit,
    here are some thoughts (not a comprehensive "what to do"):
    Do you have any cron jobs that are run by root?
    Maybe it is your system that is running those commands, or some software.

    Code:
    # check who has been logged in (man last for full options)
    last
    # (not sure if this one will work for you) who has tried to log in as root and failed?
    faillog -u root
    # Who is logged in right now?
    who
    # see your log files in real time for suspicious activity (the -f option is for follow, so you get to see your logs the second they are written)
    tail -f /var/log/auth.log
    # or
    tail -f /var/log/secure
    # or, even if you don't already do it, keep a prompt open in a terminal and just keep an eye on your access logs... just to see who stops by
    tail -f /var/log/access.log

    If you find some IP hammering your server you can use DenyHosts to ban that IP.
    Please keep us updated ;)
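An added example, not part of the thread and not Virneto's code: a small POSIX shell script that does offline what the "tail -f /var/log/auth.log" suggestion does by eye. It summarises failed SSH logins per source address, lists the accepted logins, and flags any address that failed repeatedly and then got in, which is the pattern behind a guessed password. The log lines are constructed sample data in Debian/Ubuntu auth.log format (sshd on a host named "web1", addresses from the documentation ranges); the function names are my own.

```shell
#!/bin/sh
# Added example: one-pass triage of an sshd auth log. Not from the thread.
# SAMPLE_AUTH_LOG is CONSTRUCTED test data in /var/log/auth.log format
# (Debian/Ubuntu; RHEL-style hosts write the same sshd lines to /var/log/secure).
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Jan 15 02:11:03 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 15 02:11:05 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 15 02:11:09 web1 sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Jan 15 02:11:14 web1 sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51041 ssh2
Jan 15 02:11:20 web1 sshd[2217]: Accepted password for root from 203.0.113.7 port 51050 ssh2
Jan 15 02:11:20 web1 sshd[2217]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 15 09:30:41 web1 sshd[2301]: Accepted publickey for arijit from 198.51.100.20 port 40022 ssh2
Jan 15 09:31:02 web1 sudo:   arijit : TTY=pts/0 ; PWD=/home/arijit ; USER=root ; COMMAND=/bin/bash
Jan 16 03:02:17 web1 sshd[2402]: Failed password for root from 198.51.100.55 port 33011 ssh2
Jan 16 03:05:44 web1 sshd[2410]: Accepted password for root from 203.0.113.7 port 52010 ssh2
EOF
)

# Failed password attempts per source address, busiest first: "IP COUNT".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Every successful login: "Mon DD HH:MM:SS USER METHOD IP".
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            print $1, $2, $3, user, $7, ip
         }'
}

# Addresses that failed at least once and later got an "Accepted": a password
# guess that worked, which is the case to chase first.
suspect_sources() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)]++
         }
         /sshd\[[0-9]+\]: Accepted / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "" && failed[ip] > 0 && !(ip in flagged)) { flagged[ip] = 1; print ip }
         }'
}

# How many times root logged in over SSH with a password. On a hardened box
# this should be zero: root over SSH disabled or key-only.
root_password_logins() {
    awk '/sshd\[[0-9]+\]: Accepted password for root from/ { n++ } END { print n + 0 }'
}

# Read one log from stdin and print all four reports.
run_triage() {
    log=$(cat)
    echo "== failed attempts per source =="
    printf '%s\n' "$log" | failed_by_source
    echo "== accepted logins =="
    printf '%s\n' "$log" | accepted_logins
    echo "== sources that failed, then succeeded =="
    printf '%s\n' "$log" | suspect_sources
    echo "== root password logins: $(printf '%s\n' "$log" | root_password_logins) =="
}

# Demo on the constructed sample. On a real host, as root:
#   run_triage < /var/log/auth.log      (or /var/log/secure)
printf '%s\n' "$SAMPLE_AUTH_LOG" | run_triage
```

On the sample this reports 203.0.113.7 with four failures followed by an accepted root password login, which is exactly the address to block and the account to treat as compromised. The same caveat applies here as to last and who: these logs live on the box, so if the intruder already has root they may have been edited, and the absence of evidence is not evidence of absence.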
  9. grim76
    1. Is the server directly on the internet no router/firewall in place?
    2. How are you authenticating to the server?
    3. When was the last time that you patched the server?
    4. As root run ss -tlna and post the output (Output on the forum won't be pretty so a pastebin or something similar would be best.)
    5. Look through your /etc/passwd for accounts that should not belong there.
    6. Using iptables block access to the ports that are for the offending application.
    7. Let's start there and we can proceed after some basics have been done.
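An added example, not part of the thread and not grim76's code, covering steps 4 to 6 of the list above: it audits /etc/passwd for a second UID 0 account and for service accounts that have been given a login shell, parses "ss -tlna" output for listening ports that are not on an allow list, and prints (does not run) an iptables INPUT rule for each unexpected port. Both inputs are constructed sample data; the account names, the port 4444 listener and the function names are my own.

```shell
#!/bin/sh
# Added example: the account and listener checks from grim76's list, run
# against CONSTRUCTED sample data. Nothing here touches the live system; on a
# real host feed it /etc/passwd and the output of "ss -tlna" instead.

# Constructed /etc/passwd: "toor" is a second UID 0 account, www-data has been
# given a real shell, "support" is an unknown account homed in /tmp.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
arijit:x:1000:1000:Arijit:/home/arijit:/bin/bash
toor:x:0:0::/root:/bin/bash
support:x:1001:1001::/tmp:/bin/sh
EOF
)

# Constructed "ss -tlna" output. Older ss prints "*:port", newer prints
# "0.0.0.0:port" and "[::]:port"; the parser takes the port after the last
# ":" so both forms work.
SAMPLE_SS=$(cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128          *:22                       *:*
LISTEN     0      128    127.0.0.1:25                     *:*
LISTEN     0      50           *:4444                     *:*
LISTEN     0      128         :::80                       :::*
EOF
)

# Any UID 0 account other than root. There should be none.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Service accounts (UID below 1000, not root) that have a login shell; a
# classic way to keep a foothold on a box.
system_accounts_with_shell() {
    awk -F: '$3 != 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Human accounts (UID 1000 and up) with a shell: compare against the people
# who are supposed to have access.
login_accounts() {
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Every LISTEN line as "ADDRESS PORT".
listening_ports() {
    awk '$1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            print addr, port
         }'
}

# Listeners whose port is not in the space-separated allow list given as $1.
unexpected_listeners() {
    listening_ports | awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print $2, "on", $1 }'
}

# One INPUT DROP rule per unexpected port, in "iptables -A ... -j DROP" form.
# Printed, not executed: identify the owning process first ("ss -tlnp" as
# root), then decide. Like any iptables -A rule it does not survive a reboot.
suggest_block_rules() {
    unexpected_listeners "$1" | awk '{ print "iptables -A INPUT -p tcp --dport " $1 " -j DROP" }'
}

# Demo on the constructed data. On a real host:
#   extra_uid0_accounts < /etc/passwd ; ss -tlna | unexpected_listeners "22 80"
echo "== extra UID 0 accounts ==";         printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts
echo "== system accounts with a shell =="; printf '%s\n' "$SAMPLE_PASSWD" | system_accounts_with_shell
echo "== login accounts ==";               printf '%s\n' "$SAMPLE_PASSWD" | login_accounts
echo "== listeners not in allow list ==";  printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 25 80"
echo "== suggested rules ==";              printf '%s\n' "$SAMPLE_SS" | suggest_block_rules "22 25 80"
```

The allow list is the set of ports the server is meant to serve; anything else on the LISTEN list is either a service nobody remembers or something the intruder started. A blocked port is a stop-gap only: the process behind it still runs, and if the intruder has root they can delete the rule, which is why a rebuild is the real fix.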
  10. Arijit
    Thanks again.
    I ran the ss -tlna command. I want to show you the output, if you give me your email id or suggest anything.
    The hacker is also sending mails from our server.
  11. grim76
    Can you put it out on pastebin or something similar so that we can all look at it? The more eyes we have looking at this the better.

    If they are sending mails then you might try blocking the access to port 25 so that they can't send out more emails. What I am having you do here will not survive a reboot, but it should get you some temporary relief.

    As root run:

    Code:
    iptables -A OUTPUT -p tcp --dport 25 -m comment --comment "Rule to block outbound smtp" -j DROP
    This will not be effective if the attacker has root level access to the box. They can remove the rule if they have that level of access. In the event that the attacker has root level access you will want to start from scratch on the machine. There is no telling what else has been done.

    You are going to want to seriously rethink your security posture. You are going to need to harden your passwords, use SSH keys, patch regularly, and several other steps to keep this from happening again.
  12. JohnSerrano
    Quite informative.
