# My box has been hacked, help me!

## Thunderbird

I use Red Hat 7.2 Linux. Yesterday, I found that someone had used ftp to connect and get into my system. I typed "netstat -ap" and found that port 51501 was open, and it was opened by sshd. I tried to modify the sshd_config file, but I can't find it: when I use "locate" to search for it, it is displayed, but "ls" can't display it. I used "vi" to modify it, but it was no use; it isn't permitted. I used root, and still can't modify it. So the hacker is very special. Please help me! Thx

----------

## rac

Probably the safest thing to do is to immediately disconnect the network connection of the affected machine.  The lsof command can help you associate specific processes with open ports; it is likely that a rogue copy of sshd is running on port 51501.
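As an added example (not rac's own commands), the following script pulls the listening sockets and their owning PID/program out of `netstat -ap`-style output, which is what the first post ran, and separates out listeners on unprivileged ports. The sample listing is constructed here to mirror the symptom described in the thread (an `sshd` on 51501 next to the normal one on 22); the PIDs and addresses in it are made up.

```shell
#!/bin/sh
# Added example: list TCP LISTEN sockets with their PID/program from
# "netstat -ap" output, and flag those on ports above 1023.
# SAMPLE_NETSTAT is constructed input; PIDs and addresses are invented.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:51501           0.0.0.0:*               LISTEN      1893/sshd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      598/xinetd
tcp        0      0 192.0.2.10:51501        198.51.100.7:3341       ESTABLISHED 1893/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           540/syslogd'

# list_listeners: read netstat -ap output on stdin, print "port pid program"
# for every TCP socket in LISTEN state. The port is the last ":"-separated
# part of the local address; PID and program are split on "/".
list_listeners() {
    awk '$1 == "tcp" && $6 == "LISTEN" {
        n = split($4, addr, ":"); port = addr[n]
        split($7, prog, "/")
        print port, prog[1], prog[2]
    }'
}

# odd_listeners: only listeners outside the 0-1023 privileged range. A
# program that normally binds a low port (sshd on 22) showing up here with
# a second PID is exactly the pattern from the first post.
odd_listeners() {
    list_listeners | awk '$1 > 1023'
}

# sample_odd: run the filter over the constructed listing
sample_odd() {
    printf '%s\n' "$SAMPLE_NETSTAT" | odd_listeners
}
```

On the real machine the same filters take `netstat -anp | list_listeners`, and the PID column then goes to `lsof -p PID` or `ls -l /proc/PID/exe` to see which binary is really behind the port. Since `netstat`, `lsof` and `ls` are among the first binaries a rootkit replaces, the output is only trustworthy when those tools come from a trusted boot medium, as the rest of the thread goes on to recommend.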

----------

## delta407

*rac wrote:*

> Probably the safest thing to do is to immediately disconnect the network connection of the affected machine.

To clarify: immediately. Also, there's no telling what was changed on your system -- probably lots of system binaries, possibly some shared libraries, and probably a few 'extra' programs. Generally, unless you have a really freakin' good reason not to, the best course of action is to unplug, boot from trusted media (boot floppy/boot CD), copy off anything you might want to, wipe everything, and reload from scratch.

----------

## rac

While I agree with everything that delta407 said, if you have free space of some sort available, it might be useful to keep a copy of the system in its compromised state on spare media, so that you can examine it in more detail at leisure later, with an eye to evaluating how security was broken so that you can take steps to prevent against further attacks in the future.

----------

## pjp

Does anyone know of a 'standard' checklist for where to begin 'evaluating how security was broken'?  Just thought I'd ask.  Seems relevant.

----------

## Thunderbird

I know. I tried to copy a new "sshd_config" in place of the rogue copy, but it is not permitted. I logged in as root and wanted to modify the rogue copy, and that is not permitted either. How did he do that?

----------

## rac

*Thunderbird wrote:*

> I logged in as root and wanted to modify the rogue copy, and that is not permitted either. How did he do that?

Perhaps by means of a trojaned /bin/sh or /bin/login, so that you are not actually root.  In this case, it is very likely that your root password was captured and may have been sent to the attacker, so you should change it in all places that you use that password.

Try booting from a CD or boot floppy.

----------

## rac

*kanuslupus wrote:*

> Does anyone know of a 'standard' checklist for where to begin 'evaluating how security was broken'?

The best situation is where you have syslogs that are reliable.  This is a good argument for maintaining a dedicated syslog server, instead of keeping system logs locally on each machine.  The syslog server should not be running any daemons that allow remote logins; the only way to get shell access on it should be from the console.

I found many of the feature articles at LinuxSecurity.com to be enlightening reading.

----------

## dioxmat

also check out lsattr and chattr.

most rootkits add stealth modules, change binaries and libs, startup scripts, and configuration files.

/me always logs everything that happens and keeps a statically built system on cd just in case.
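As an added example (not from dioxmat's post), the following script picks out entries in `lsattr` output that carry the immutable (`i`) or append-only (`a`) attribute. Either attribute makes a file refuse writes even from root until `chattr` clears it, which matches the sshd_config symptom the thread describes. The listing is constructed sample input: `/etc/ssh/sshd_config` is the file from the thread, but the attribute flags shown on it are assumed for illustration.

```shell
#!/bin/sh
# Added example: find files that lsattr reports as immutable (i) or
# append-only (a). SAMPLE_LSATTR is constructed input; the flags on
# /etc/ssh/sshd_config are assumed, not taken from the thread.
SAMPLE_LSATTR='----i--------e-- /etc/ssh/sshd_config
-------------e-- /etc/ssh/ssh_config
-----a-------e-- /var/log/messages
-------------e-- /etc/passwd'

# locked_attrs: read lsattr output on stdin, print "<reason> <path>" for
# every entry whose attribute field contains i or a. The path is taken as
# everything after the first field so names with spaces survive.
locked_attrs() {
    awk '{
        flags = $1
        path = $0; sub(/^[^ ]+ +/, "", path)
        if (index(flags, "i") > 0)      print "immutable", path
        else if (index(flags, "a") > 0) print "append-only", path
    }'
}

# count_locked: number of such entries in the constructed sample
count_locked() {
    printf '%s\n' "$SAMPLE_LSATTR" | locked_attrs | wc -l | tr -d ' '
}

# first_locked: the first flagged entry in the constructed sample
first_locked() {
    printf '%s\n' "$SAMPLE_LSATTR" | locked_attrs | head -n1
}
```

On a live system the same filter runs as `lsattr -R /etc /bin /sbin /usr/bin 2>/dev/null | locked_attrs`; `chattr -i FILE` removes the immutable bit once you have decided the file is yours to change. Note that an attacker who set the bit can equally have replaced `lsattr` and `chattr`, so the check is only meaningful with tools from a trusted boot medium, and a flagged file is a finding to record, not something to quietly "fix" before the reinstall the thread recommends.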

----------

## Thunderbird

I don't really understand what you mean; I am a beginner. Can you help me repair the box step by step? If I can repair the box successfully, I will learn the hacking technique too, and learn more and more knowledge.

----------

## rac

1. Unplug the network connection.

2. Boot from a trusted medium, like the install CD.

3. Mount your compromised filesystems somewhere not in your PATH, like /mnt/something.

4. If you have enough free space available somewhere, make a copy of your entire compromised filesystem using tar or cpio for later analysis - mark it with a big skull and crossbones or something.

5. In any case, copy all important data files (don't copy any executable programs at this stage, unless you absolutely have to have them, and if you do, make sure you vet them carefully to make sure they have not been modified) somewhere to a backup medium.

6. Use mkfs to completely wipe the filesystems on the affected disk partitions.

7. Reinstall the system from scratch.

8. Change all passwords.

9. Check each server process running on that machine for security updates and make sure that each is really necessary and configured properly.  Look at the machine from the point of view of a remote attacker.
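As an added example (these are not rac's own commands), here is one way to do the "copy the compromised filesystem for later analysis" step from a trusted boot medium. It assumes the compromised partition has already been mounted read-only somewhere like `/mnt/compromised` (for instance `mount -o ro,noexec,nosuid,nodev /dev/hda2 /mnt/compromised`, where the device name is a placeholder). Besides the tar archive the thread asks for, it records a per-file MD5 manifest, so individual files can later be compared against a clean install or the vendor's package database, and hashes the archive itself so the copy can be shown to be unaltered when it is examined later.

```shell
#!/bin/sh
# Added example: preserve a mounted, read-only copy of a compromised tree.
# Only reads from SRC; nothing on it is executed.
#   usage: preserve_tree /mnt/compromised /mnt/backup/evidence   (paths assumed)

# preserve_tree SRC OUTDIR
#   1. archive the whole tree into OUTDIR/compromised.tar (paths relative to SRC)
#   2. write OUTDIR/manifest.md5 with one md5sum line per regular file
#   3. hash the archive into OUTDIR/compromised.tar.md5
# Prints the archive path on success.
preserve_tree() {
    src=$1
    out=$2
    mkdir -p "$out"
    tar -C "$src" -cf "$out/compromised.tar" .
    # -exec ... + is POSIX and never runs md5sum with an empty argument list
    ( cd "$src" && find . -type f -exec md5sum {} + ) > "$out/manifest.md5"
    # hash the archive by its relative name so md5sum -c works from OUTDIR
    ( cd "$out" && md5sum compromised.tar > compromised.tar.md5 )
    echo "$out/compromised.tar"
}

# manifest_entries OUTDIR : number of files recorded in the manifest
manifest_entries() {
    wc -l < "$1/manifest.md5" | tr -d ' '
}

# archive_intact OUTDIR : succeeds if the archive still matches its recorded hash
archive_intact() {
    ( cd "$1" && md5sum -c compromised.tar.md5 >/dev/null 2>&1 )
}
```

The manifest is the part that pays off later: after the reinstall, `md5sum -c manifest.md5` run against a clean tree (or `rpm -V` on the original packages) shows exactly which binaries, libraries and configuration files the intruder touched, which is the information rac's earlier post says is worth keeping the copy for.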

----------

## Thunderbird

Thank you for your advice, I will do that. I was very pleased to be hacked by a special man, because I learned more knowledge from this case.

----------

## delta407

*Thunderbird wrote:*

> I was very pleased to be hacked by a special man, because I learned more knowledge from this case.

Most people prefer learning about compromised systems at a distance rather than dealing with them up close, but whatever floats your boat, I guess. ;)

May the Force be with you.

----------

## Thunderbird

Now I have found the source of the problem: it is the SSH trojan. I used version 3.4p1, which is in the list of trojaned versions below:

OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned

Aug, 01 2002 - 17:21

contributed by: hx

OpenSSH Security Advisory (adv.trojan)

1. Systems affected:

OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the OpenBSD ftp server and potentially propagated via the normal mirroring process to other ftp servers. The code was inserted some time between the 30th and 31st of July. We replaced the trojaned files with their originals at 7AM MDT, August 1st.

2. Impact:

Anyone who has installed OpenSSH from the OpenBSD ftp server or any mirror within that time frame should consider his system compromised. The trojan allows the attacker to gain control of the system as the user compiling the binary. Arbitrary commands can be executed.

3. Solution:

Verify that you did not build a trojaned version of the sources. The portable SSH tar balls contain PGP signatures that should be verified before installation. You can also use the following MD5 checksums for verification.

MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c

MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2

MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01

MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a

4. Details

When building the OpenSSH binaries, the trojan resides in bf-test.c and causes code to execute which connects to a specified IP address. The destination port is normally used by the IRC protocol. A connection attempt is made once an hour. If the connection is successful, arbitrary commands may be executed.

Three commands are understood by the backdoor:

Command A: Kill the exploit.

Command D: Execute a command.

Command M: Go to sleep.

5. Notice:

Because of the urgency of this issue, the advisory may not be complete. Updates will be posted to the OpenSSH web pages if necessary.

And another question: how can I use the MD5?

----------

## dioxmat

mmm, are you sure this is the openssh trojan ?

emerge does check the md5sum automatically. you can do it by hand with "md5sum".

----------

## trolley

*dioxmat wrote:*

> mmm, are you sure this is the openssh trojan ?
> 
> emerge does check the md5sum automatically. you can do it by hand with "md5sum".

I'm seeing Redhat 7.2 in the initial post, but maybe I'm misunderstanding.

----------

## Thunderbird

*dioxmat wrote:*

> mmm, are you sure this is the openssh trojan ?
> 
> emerge does check the md5sum automatically. you can do it by hand with "md5sum".

I am sure it was broken into by the ssh trojan; I saw some summary about the ssh trojan, and it is very like mine. I don't know the command to check md5, or which file to check.
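As an added example answering the "how do I use the MD5" question (it is not from any post in the thread), the script below checks a downloaded tarball against the checksums quoted from the advisory above. The advisory prints them in BSD `MD5 (file) = hash` form, while GNU `md5sum -c` wants `hash  file`, so it also converts between the two. The expected values are the ones from the advisory; the file hashed in the test is constructed so the script runs offline, and the source directory name is a placeholder.

```shell
#!/bin/sh
# Added example: verify downloaded OpenSSH source tarballs against the
# MD5 checksums published in the advisory quoted in the thread.
# The three checksums below are copied from that advisory.
ADVISORY_SUMS='MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01'

EXPECTED_3_4P1=459c1d0262e939d6432f193c7a4ba8a8   # advisory value for openssh-3.4p1.tar.gz

# verify_md5 FILE EXPECTED : hash FILE with md5sum and compare to EXPECTED.
# Returns 0 on a match, 1 on a mismatch, and prints which it was.
verify_md5() {
    actual=$(md5sum "$1" | awk '{print $1}')
    if [ "$actual" = "$2" ]; then
        echo "OK   $1 $actual"
        return 0
    else
        echo "FAIL $1 got $actual want $2"
        return 1
    fi
}

# bsd_to_gnu : convert "MD5 (file) = hash" lines on stdin to "hash  file",
# the format md5sum -c reads. Lines that do not match are dropped.
bsd_to_gnu() {
    sed -n 's/^MD5 (\(.*\)) = \([0-9a-f]\{32\}\)$/\2  \1/p'
}

# check_against_advisory DIR : run md5sum -c over every tarball listed in the
# advisory that is present in DIR. A missing tarball is reported as a failure
# by md5sum, so only run this against a directory holding the downloads.
# DIR is a placeholder path supplied by the caller.
check_against_advisory() {
    printf '%s\n' "$ADVISORY_SUMS" | bsd_to_gnu | ( cd "$1" && md5sum -c - )
}
```

A matching MD5 only tells you the tarball equals the one the OpenSSH project re-published; the advisory's stronger advice is to verify the PGP signature (`.sig`) on the tarball, since a mirror that can serve a trojaned archive can serve a matching checksum file just as easily. Checking an already-built `/usr/sbin/sshd` this way needs a known-good reference hash from the distribution's package, for example via `rpm -V openssh-server` on Red Hat.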

----------

## dioxmat

ooops :)

but then why is this post in gentoo's networking & security uh ? :)

----------

## Oizoken

*dioxmat wrote:*

> ooops 
> 
> but then why is this post in gentoo's networking & security uh ? 

Because maybe Gentoo people know more about Linux in general, and the Red Hat forums are flooded with newbies only asking questions and not answering any?

(just ranting ;) )

----------

## Thunderbird

I am so sorry, I will do something by myself. And I really appreciate your help.

----------

## sanity

You mentioned that Gentoo people know more about Linux?  Probably because we have to.  Gentoo installation requires more knowledge of Linux and Unix in general than most RedHat desktop users will ever know.

Maybe you should switch to Gentoo, as long as you're installing from scratch.  It would be a good exercise in basic Linux concepts.

Plus, I would guess that emerge is harder to trojan than rpm.

----------

## Xor

just my 2c

good checklists are available at securityfocus or sans.org...

the command is md5sum

did redhat ever release an rpm of current openssh? last time I checked I could find one... but hey UTSL....

I would suggest something like aide, snort, argus or whatever you like... and oh, iptables wouldn't bat too...

btw - RH is not really a secure Linux distro, if I remember right it is the no 1 Linux distro hacked.

*Last edited by Xor on Sat Aug 10, 2002 11:46 am; edited 1 time in total*

----------

## pjp

Just in case others don't catch the typo, it is securitYfocus.  Thanks for the links.

----------

## Xor

ok.... after this _-dilemma... I guess I deserve it....

a quick guide is available here

the book overview is here (haven't read it) and can be ordered here (I hate linking on amazon, cos they have patented this stupid 1click-feature... )

----------

## rajiv

*Xor wrote:*

> did redhat ever release an rpm of current openssh? last time I checked I could find one... but hey UTSL....

not for rh 7.3. check out http://seifried.org/security/os/linux/redhat/20020701-rh7x-openssh-34.html. they do have a source rpm at ftp://ftp.redhat.com/pub/redhat/linux/rawhide/SRPMS/SRPMS/openssh-3.4p1-1.src.rpm.

----------

## des

[chkrootkit](http://www.chkrootkit.org/) is a simple utility, and the site has some great suggestions on how not to become a statistic :)

----------

## RagManX

*Xor wrote:*

> ok.... after this _-dilemma... I guess I deserve it....
> 
> a quick guide is available here
> 
> the book overview is here (haven't read it) and can be ordered here (I hate linking on amazon, cos they have patented this stupid 1click-feature... )

I might suggest buying from bookpool instead, then.  Check http://www.bookpool.com/.x/kxga92zv96/ss/1?qs=incident, and note particularly the 3rd and 4th books on the list.  Both are excellent books for helping deal with incidents.

RagManX

----------

## nellat2002

http://www.giac.org/GCUX.php

I have been going to this site when I need to find documentation to harden all my linux boxes. 

Tell me what you think.

----------

