Koozali.org: home of the SME Server

5.6 Hacked/Rooted, Trying to recover

Brian L

5.6 Hacked/Rooted, Trying to recover
« Reply #15 on: April 02, 2004, 04:57:37 AM »
Interesting that you have had this happen to you so frequently.

Do you think it is something with the SME distribution? like an exploit or hack that is easy?

Brian

MSmith
Isn't this a BIG DEAL?
« Reply #16 on: April 02, 2004, 08:56:09 AM »
I mean, if these 5.6 boxes have actually been rooted ... (where's the documentation on the successful attack, BTW?) then this is a big problem for those of us who haven't "taken the plunge" and upgraded from 5.6 on production machines!!!

So, gentlemen ... how about some DETAILS on these hacked boxes?

FWIW I installed and ran the following:

http://www.rootkit.nl/projects/rootkit_hunter.html

It said my 5.6u6 box is clean.

fredd0

5.6 Hacked/Rooted, Trying to recover
« Reply #17 on: April 02, 2004, 01:02:54 PM »
The machines I have had messed up are 5.1.2 and 5.5.

They were not necessarily fully patched with the patches that were available, and I had left command-line access open from the Internet.

i.e. it was my own stupid fault.

MSmith
5.6 Hacked/Rooted, Trying to recover
« Reply #18 on: April 02, 2004, 09:40:06 PM »
Understood, Freddo, but what about you, Brian?  You said your 5.6 box had been hacked; it would definitely be a service to the community if you could show how it was done.

5.1.2 and 5.5 have been deprecated for awhile due to security concerns, but I thought 5.6u6 and 6.0 were OK.

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #19 on: April 03, 2004, 02:11:39 AM »
Quote from: "MSmith"
Understood, Freddo, but what about you, Brian?  You said your 5.6 box had been hacked; it would definitely be a service to the community if you could show how it was done.


Sorry - I don't agree.

If it was hacked - then it should be reported to the contrib guys. I and my customers don't want to see a 5.6 hacking howto posted on this site.

MSmith
You raise a good point there
« Reply #20 on: April 04, 2004, 07:47:17 AM »
Hacking howto not wanted, just SOME information as to how the blackhat got in.  I.e. a specific service, that should be turned off, or a PHP vulnerability in a certain version, or what?  Just saying "I've been hacked" is nothing more than alarmist, in my view.

mark
5.6 Hacked/Rooted, Trying to recover
« Reply #21 on: April 04, 2004, 08:07:18 AM »
Quote from: "Anonymous"
Sorry - I don't agree.

If it was hacked - then it should be reported to the contrib guys. I and my customers don't want to see a 5.6 hacking howto posted on this site.

- and I disagree with you - I would rather know about the hack NOW so I can protect my clients NOW - not when some other special group decides that I should know. It would appear that the hacker community already knows ....

cheers

Mark

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #22 on: April 04, 2004, 02:07:39 PM »
Quote from: "mark"
-and I disagree with you - I would rather know about the hack NOW so I can protect my clients NOW - not when some other special group decides that I should know. It would appear that the hacker community already knows ....


and I disagree with you - What I want is a fix for the alleged hack before someone goes blabbing about it on a public forum.

It would appear that the hacker community already knows what

del
5.6 Hacked/Rooted, Trying to recover
« Reply #23 on: April 04, 2004, 04:48:34 PM »
Hi Brian,
I am not a Linux guru, but this site may help: http://ebcd.pcministry.com/ It is aimed at messed-up Windows systems but allows copying of files etc. to and from any system that can use "long file names". It also includes a password reset tool. I hope this helps.
Regards,
Del

Brian L.

5.6 Hacked/Rooted, Trying to recover
« Reply #24 on: April 04, 2004, 11:40:27 PM »
Hey everyone,

Sorry for the delay, I haven't had time to post in the last day or two.

The system WAS hacked/rooted -- there is no doubt about that. It was defaced and one of the domains running had an index.php that was from a hacker group called ihrdex or something. I saw this before I shut down the box.

I am in the process of getting my files out of mysql, some images, etc onto another test server, and then to my new production server.

I do not know how they exploited the box -- I use very strong passwords and am not lax on security. Any advice on how to find where the exploit originated on the box is much appreciated -- I'm not going to format it for a while. I have full access via knoppix.

Brian

guest

5.6 Hacked/Rooted, Trying to recover
« Reply #25 on: April 05, 2004, 06:27:49 PM »
Brian -
1) Were you running a standard 5.6 install or did you install additional contribs?
2) What were the contribs?
3) Did you make your distro non-standard in any way (rpm update, etc.)?
4) How was the machine configured (server/gateway/etc.)?
5) Were you running any web sites in primary / ibays?

Just wondering as many are probably now concerned about how vulnerable they are.  Thanks for the info. :-o

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #26 on: April 05, 2004, 11:27:26 PM »
Guest,

I was running a 5.6 box with most recent updates (I think update 6, is this correct?)

I had contribs installed, but they were nothing out of the ordinary -- including AWStats, Backup2WS, Damien Curtains Email SSL Contrib, Disk Utilization, CLAMD AV and thats it I think.

I did not many any non-standard changes in any way other than contribs above. Machine was configured as server+gateway. No VPN, SSH was on for public but nothing else (FTP etc closed). I was using strong passwords.

I was running 3 sites that included an installation of Mambo Open Source (a CMS), Gallery on another IBAY (pictures), and the third website was just plain HTML.

Again, this is nothing strange here -- I am generally a stickler for security and always make sure files are correct ownership and permissions, etc.

Brian L

5.6 Hacked/Rooted, Trying to recover
« Reply #27 on: April 05, 2004, 11:28:43 PM »
Sorry, above line should read:

"I did not have any non-standard changes in any way other than contribs above"

Brian

stancol
What are the three dots for at the end of my signature file and why can't I get rid of them?These three dots right here >...

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #29 on: April 06, 2004, 05:41:05 PM »
Quote from: "Brian L."

The system WAS hacked/rooted -- there is no doubt about that. It was defaced and one of the domains running had an index.php that was from a hacker group called ihrdex or something. I saw this before I shutdown the box.


What you've said so far only indicates that an account which has access to your web content (perhaps www) was compromised. It doesn't indicate that your system was rooted.

Please notify security@contribs.org.
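An added example, not code from this thread or from SME Server, of the two things the discussion above turns on: the offline look-around Brian asked for earlier (disk mounted from a Knoppix CD, no trust in the installed binaries), and the distinction this reply draws between a compromised web-content account and a rooted box. It assumes the victim root filesystem is mounted at the path given as the first argument (e.g. /mnt/hda1) and that the second argument is a file whose mtime marks the last moment you trust, such as a file written by the last update you applied. The ibay layout under /home/e-smith/files is SME's real one; the fixture tree, the "legit" binary and the dropped index.php are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from SME Server. Offline triage of a
# compromised disk mounted (read-only) under a live CD such as Knoppix.
# Assumptions: $1 is the mount point of the victim root filesystem
# (e.g. /mnt/hda1); $2 is a file whose mtime is the last moment you trust.

# Regular files modified after the reference file, skipping logs and /proc,
# which churn on their own. Note: an intruder can reset mtimes with touch.
changed_since() {
    root=$1; ref=$2
    find "$root" -type f -newer "$ref" \
        ! -path "$root/var/log/*" ! -path "$root/proc/*" 2>/dev/null | sort
}

# PHP files using the constructs defacement kits and web shells lean on.
suspicious_php() {
    root=$1
    find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -lE 'base64_decode|eval\(|passthru|shell_exec|system\(' {} + \
        2>/dev/null | sort
}

# Setuid/setgid files anywhere on the disk: compare against a clean install.
setuid_files() {
    root=$1
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Root-level indicators: system binaries, account files or boot scripts newer
# than the reference, plus any setuid/setgid file newer than the reference.
# A defaced ibay alone touches none of these; a real root compromise usually does.
system_changes() {
    root=$1; ref=$2
    {
        for d in bin sbin usr/bin usr/sbin lib etc/passwd etc/shadow etc/rc.d; do
            [ -e "$root/$d" ] && find "$root/$d" -type f -newer "$ref" 2>/dev/null
        done
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) -newer "$ref" 2>/dev/null
    } | sort -u
}

# Verdict: "clean", "web-only" (changes confined to SME web content under
# /home/e-smith/files and to /var) or "root-suspect".
classify() {
    root=$1; ref=$2
    [ -n "$(system_changes "$root" "$ref")" ] && { echo root-suspect; return 0; }
    all=$(changed_since "$root" "$ref")
    [ -z "$all" ] && { echo clean; return 0; }
    outside=$(printf '%s\n' "$all" | while IFS= read -r f; do
        case $f in
            "$root"/home/e-smith/files/*|"$root"/var/*) ;;
            *) echo "$f"; break ;;
        esac
    done)
    [ -n "$outside" ] && echo root-suspect || echo web-only
}

# Constructed fixture standing in for a mounted SME disk: one ibay with a
# dropped index.php (the defacement), older legitimate files, and a marker
# file whose mtime is the last trusted point. Prints the fixture path.
make_fixture() {
    fx=$(mktemp -d)
    web=$fx/home/e-smith/files/ibays/mambo/html
    mkdir -p "$web" "$fx/usr/bin" "$fx/etc" "$fx/var/log"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$fx/etc/passwd"
    printf '#!/bin/sh\necho legit\n' > "$fx/usr/bin/legit"   # hypothetical binary
    printf '<?php echo "hello"; ?>\n' > "$web/ok.php"
    touch -t 200403010000 "$fx/etc/passwd" "$fx/usr/bin/legit" "$web/ok.php"
    touch -t 200403150000 "$fx/.last-known-good"
    # the defacement lands after the trusted point (mtime = now)
    printf '<?php eval(base64_decode("aGVsbG8=")); ?>\n' > "$web/index.php"
    echo "$fx"
}

# Stand-alone run: triage the fixture, then simulate a replaced setuid binary.
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    echo "verdict: $(classify "$fx" "$fx/.last-known-good")"
    suspicious_php "$fx"
    touch "$fx/usr/bin/legit"; chmod 4755 "$fx/usr/bin/legit"
    echo "verdict after setuid drop: $(classify "$fx" "$fx/.last-known-good")"
    rm -rf "$fx"
fi
```

Run it as `sh triage.sh --demo` to see the fixture classified as web-only and then as root-suspect once a setuid binary appears. Two caveats: mtimes are trivially faked, so on a real disk also look at ctime (GNU find's `-cnewer`), which `touch` cannot set; and where the live CD's rpm can read the victim's package database, `rpm -Va --root /mnt/hda1` checks every packaged file's size, mode and checksum against what SME installed, which catches a replaced binary regardless of timestamps. A verdict of web-only is still not proof the box was not rooted; it only means nothing outside the web tree was found.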