# Hacked Gentoo Server: Apache needs to be completely removed

## aajpotter

A Gentoo box was rooted - the password was obtained through a compromised OSX iMac with a keylogger (I have become aware that the iMac has a rootkit) - which I had been using for ssh - and it was noted the next day that the Gentoo server's root filesystem had been remounted as read-only by someone else!! This was the huge giveaway!!

After the next reboot apache stopped functioning completely with the following error:

*Quote:*

> apache2: apr_sockaddr_info_get() failed for mozart
> apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
> no listening sockets available, shutting down
> ...

Apache worked fine before the server was rooted. Therefore it appears to have been sabotaged - or nuked in some kind of way - Apache needs to be completely removed from the system and reinstalled. 

Running...

*Quote:*

> emerge --unmerge apache
> emerge apache

Has not solved the problem. So presumably this is to do with configuration and/or permissions which may have been tampered with - correct me if I am wrong.

Everything else works absolutely fine - as before - including the CCTV system (using video4linux2). However, Apache is useful and needed for certain other tasks and I need to get it working again at some point - it isn't vitally important, but useful.

Any tips would be appreciated.

Andy James Potter

----------

## platojones

If you've truly been rooted, your only real option to secure that machine again is to wipe the drives clean and re-install from scratch in a locked down environment.

----------

## XQYZ

*platojones wrote:*

> If you've truly been rooted, your only real option to secure that machine again is to wipe the drives clean and re-install from scratch in a locked down environment.

I agree, there's no telling what somebody with root access can do. At the very least do an emerge -e world.

----------

## phajdan.jr

*XQYZ wrote:*

> At the very least do an emerge -e world.

If you can emerge -e world, you can re-install just as well. And it's not too hard for an attacker to protect his tools from emerge -e world.

----------

## aajpotter

Thank you. I will rebuild the system!

----------

## dE_logics

*aajpotter wrote:*

> Thank you. I will rebuild the system!

And this time you might try hardened.

----------

## Anarcho

*dE_logics wrote:*

> *aajpotter wrote:*
> > Thank you. I will rebuild the system!
>
> And this time you might try hardened.

Good idea, though it wouldn't prevent the attack described here, as someone has stolen the password on the client machine.

----------

## phajdan.jr

*Anarcho wrote:*

> Good idea, though it wouldn't prevent the attack described here, as someone has stolen the password on the client machine.

Well, switching to key-based authentication in ssh seems to give the biggest gains here. A keylogger can still sniff the passphrase, but now it also has to steal the private key.

By the way, it's probably worth investigating how the Mac got infected with this keylogger. Try to patch the hole there: did you download untrusted software, did someone have unauthorized access, was it a browser exploit? etc.
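As an added example (not from this thread or any of its posters), here is a small POSIX shell audit of an sshd_config for the key-only login policy recommended above. The sample configs are constructed for the demonstration; the checks assume plain top-level "Keyword value" lines and treat any absent keyword as its permissive value.

```shell
#!/bin/sh
# Audit an sshd_config for key-only logins (added example, not from the thread).
# Assumes top-level "Keyword value" lines; directives under a "Match" block are
# conditional and are deliberately ignored here.

# Print the effective value of keyword $2 in file $1 (lowercased), or the
# fallback $3 if the keyword is absent. sshd compares keywords case-insensitively
# and uses the FIRST occurrence of a keyword, so stop at the first match.
sshd_option() {
    val=$(awk -v k="$2" '
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }   # stop at Match blocks
        tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Return 0 when only public-key logins are possible, 1 otherwise, printing each
# finding. An absent keyword is treated as the permissive value (fail closed).
audit_sshd_config() {
    cfg=$1; rc=0
    pw=$(sshd_option "$cfg" PasswordAuthentication yes)
    cr=$(sshd_option "$cfg" ChallengeResponseAuthentication yes)
    pk=$(sshd_option "$cfg" PubkeyAuthentication yes)
    rl=$(sshd_option "$cfg" PermitRootLogin yes)
    [ "$pw" = no ]   || { echo "PasswordAuthentication=$pw (want no)"; rc=1; }
    # Keyboard-interactive (PAM) authentication can still prompt for a password.
    [ "$cr" = no ]   || { echo "ChallengeResponseAuthentication=$cr (want no)"; rc=1; }
    [ "$pk" = yes ]  || { echo "PubkeyAuthentication=$pk (want yes)"; rc=1; }
    [ "$rl" != yes ] || { echo "PermitRootLogin=yes (want no or prohibit-password)"; rc=1; }
    return $rc
}

# Constructed sample configs: the "weak" one looks locked down, but the
# decisive line is commented out, so sshd still accepts passwords.
write_weak_config() {
    printf '%s\n' 'Port 22' '#PasswordAuthentication no' 'PubkeyAuthentication yes' > "$1"
}
write_hardened_config() {
    printf '%s\n' 'Port 22' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' 'PermitRootLogin without-password' > "$1"
}

demo() {
    d=$(mktemp -d)
    write_weak_config "$d/weak"; write_hardened_config "$d/hard"
    for f in weak hard; do
        if audit_sshd_config "$d/$f"; then echo "$f: key-only OK"; else echo "$f: NOT key-only"; fi
    done
    rm -rf "$d"
}
demo
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config` after the rebuild, and remember that a passphrase typed on an infected client is still exposed; the private key file is what the keylogger alone cannot capture.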

----------

## Anarcho

*phajdan.jr wrote:*

> *Anarcho wrote:*
> > Good idea, though it wouldn't prevent the attack described here, as someone has stolen the password on the client machine.
>
> Well, switching to key-based authentication in ssh seems to give the biggest gains here. A keylogger can still sniff the passphrase, but now it also has to steal the private key.

That's the reason why I only use key-based auth on all of my linux systems, even on the Nokia N810. And I really recommend everyone to do so. I have a USB-Stick with the encrypted key with me, so I can use it on foreign computers if I must.

----------

## dE_logics

*Anarcho wrote:*

> *phajdan.jr wrote:*
> > *Anarcho wrote:*
> > > Good idea, though it wouldn't prevent the attack described here, as someone has stolen the password on the client machine.
> >
> > Well, switching to key-based authentication in ssh seems to give the biggest gains here. A keylogger can still sniff the passphrase, but now it also has to steal the private key.
>
> That's the reason why I only use key-based auth on all of my linux systems, even on the Nokia N810. And I really recommend everyone to do so. I have a USB-Stick with the encrypted key with me, so I can use it on foreign computers if I must.

+1 same policy here.

----------

## aajpotter

*phajdan.jr wrote:*

> By the way, it's probably worth investigating how the Mac got infected with this keylogger. Try to patch the hole there: did you download untrusted software, did someone have unauthorized access, was it a browser exploit? etc.

I have no idea what method was used. The problem with OSX is that I am certain there are numerous backdoors which cannot be patched by the average person but could be exploited by sophisticated organisations.

----------