Hacker Activity. Help Needed :(
matrosov
04-21-03, 08:27 PM
Over the past couple of days we experienced hacker activity on our servers. It appears they are using a root kit described here http://www.hackinthebox.org/article.php?sid=5724.
We reinstalled the OS on the affected servers from scratch and changed the passwords, but they found their way back in. Needless to say this is costing us a lot of money and, more importantly, could compromise our users' data; thankfully the latter has not happened yet. Do any of you know of an effective and quick way to combat this type of hack, and secondarily how to track down who is causing this problem?
Thank you for your help.
interactive
04-21-03, 08:31 PM
Run chkrootkit that should correct it, or maybe I'm wrong?
matrosov
04-21-03, 08:48 PM
Actually, as they point out in the description of this thing, chkrootkit fails to detect it. All of our boxes are patched up with the latest patches, so it must be something new.
Do you have multiple servers, or just the one, and did you format and reinstall the OS, or just reinstall it?
If you did not format, make sure you format prior to reinstalling the OS, so you don't have to worry about things being missed.
Most likely the attacker is entering through a poorly secured script, but just to be sure, make sure all unnecessary services are disabled. Then use nmap to run a port scan against your server to make sure you didn't miss anything (make sure your data center provider knows you will be running a port scan in case they monitor for things like that).
One other thing: I assume you have telnet disabled. In addition, if at all possible disable FTP and force users to use SCP to transfer files. Make WinSCP available on your website for them to use.
I would also check the permissions on your server to make sure that users do not have write access to folders they should not. Be as restrictive as possible with your permissions.
Next install a log analysis tool, like LogDog (http://caspian.dotconf.net/menu/Software/LogDog/default.php) to parse your logs and alert you when something that should not happen does happen. Track the information sent to you by your log parser program closely, and make sure nothing out of the ordinary is happening. If you note something extraordinary use IPTables to prevent that IP from continuing to access the server -- and do it quickly.
If you have multiple servers, set your syslog config on the compromised server so it logs everything to another server -- this will make it more difficult for an attacker to cover his tracks.
These steps are a good start, but not complete, there are many good ::ahem:: books you can buy that will help you in much more detail.
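The checks in the post above (restrictive permissions, a log parser that flags abnormal activity, blocking the offending IP with iptables, and forwarding syslog to another host) as one small shell script. This is an added example, not code from the thread or from LogDog: the log lines are constructed samples in a syslog-like shape, the directory tree is built in a temp dir, the iptables rules are printed rather than executed, and the `*.* @loghost` line is the classic syslogd forwarding syntax (assumed to match the syslog daemon in use).

```shell
#!/bin/sh
# Defensive checks in the spirit of the advice above. Constructed sample data only.

# Build a small constructed directory tree: one dir is world-writable (bad),
# one is world-writable with the sticky bit (like /tmp, acceptable).
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/home/alice" "$d/upload" "$d/tmp"
  chmod 755 "$d/home" "$d/home/alice"
  chmod 777 "$d/upload"      # world-writable, no sticky bit: should be flagged
  chmod 1777 "$d/tmp"        # world-writable but sticky: not flagged
  printf '%s\n' "$d"
}

# List directories under $1 that any user can write to and that lack the sticky bit.
world_writable_dirs() {
  find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Write constructed syslog-style lines (FTP and SSH login failures) to file $1.
# Addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
write_sample_log() {
  cat > "$1" <<'EOF'
Apr 22 03:14:07 web1 proftpd[2231]: web1 (203.0.113.7[203.0.113.7]) - USER anonymous: Login failed.
Apr 22 03:14:09 web1 proftpd[2233]: web1 (203.0.113.7[203.0.113.7]) - USER admin: Login failed.
Apr 22 03:14:11 web1 proftpd[2235]: web1 (203.0.113.7[203.0.113.7]) - USER root: Login failed.
Apr 22 03:14:12 web1 proftpd[2237]: web1 (203.0.113.7[203.0.113.7]) - USER ftp: Login failed.
Apr 22 03:20:40 web1 sshd[2300]: Failed password for bob from 198.51.100.22 port 40122 ssh2
Apr 22 03:21:02 web1 sshd[2302]: Accepted publickey for bob from 198.51.100.22 port 40130 ssh2
EOF
}

# Count login failures per source IP in log $1; print "ip count" for IPs at or
# above threshold $2. The first IPv4 address on a matching line is taken as the source.
suspicious_ips() {
  awk -v thr="$2" '
    /Login failed|Failed password|authentication failure/ {
      if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
        ip = substr($0, RSTART, RLENGTH); n[ip]++
      }
    }
    END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }
  ' "$1" | sort
}

# Turn "ip count" lines on stdin into iptables DROP rules. They are printed so an
# admin can review them before applying; nothing is changed on the host.
block_rules() {
  while read -r ip _; do
    printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
  done
}

# The traditional syslog.conf line that forwards every facility/priority to a
# central log host $1, so a local intruder cannot quietly edit the only copy.
syslog_forward_line() {
  printf '*.*\t@%s\n' "$1"
}

demo() {
  root=$(make_sample_tree)
  echo "World-writable dirs without sticky bit:"; world_writable_dirs "$root"
  log=$(mktemp); write_sample_log "$log"
  echo "Sources with 3+ login failures:"; suspicious_ips "$log" 3
  echo "Proposed firewall rules:"; suspicious_ips "$log" 3 | block_rules
  echo "syslog.conf forwarding line:"; syslog_forward_line loghost
  rm -rf "$root" "$log"
}

# Run as: DEMO=1 sh hardening_checks.sh
if [ "${DEMO:-0}" = 1 ]; then demo; fi
```

The threshold and patterns are deliberately simple; in practice the match list should be tuned to the daemons actually running, and the printed rules should be reviewed so a legitimate user who mistyped a password a few times is not locked out.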
matrosov
04-22-03, 06:53 AM
Allan thanks a lot for all the info. Based on what we know as of now access was gained through buffer overflow in ftp. We are using proftpd and were not aware of the security issues with it. Is there a Mac version of the SCP software?
Thanks.
I don't know about the Mac version of SCP. But, just a little side note, what you're experiencing is not hacker activity but cracker activity. Just a distinction people fail to make.
kunal
matrosov
04-22-03, 07:53 AM
Yeap you are right. It was a long couple of sleepless nights :)
Originally posted by matrosov:
Allan thanks a lot for all the info. Based on what we know as of now access was gained through buffer overflow in ftp. We are using proftpd and were not aware of the security issues with it. Is there a Mac version of the SCP software?
http://www.cs.jhu.edu/csg/cstools/scp/nifty.html
KualoJo
04-27-03, 04:46 AM
Originally posted by matrosov:
Yeap you are right. It was a long couple of sleepless nights :)
Know the feeling only too well. :(
matrosov
04-27-03, 05:03 AM
Just wanted to thank all of you for the helpful tips. They really helped us in dealing with this issue. As a follow-up question, are there any good hands-on seminars that teach Linux security as well as the protocol for dealing with these kinds of problems?
Thanks again :).
I really like "Red Hat Linux Security and Optimization"
http://www.amazon.com/exec/obidos/ASIN/0764547542/
A lot of practical tips, and good examples.