HowtoForge Forums > Server Operation
#1
14th April 2008, 09:58 - Hagforce (Senior Member)

SSH Problems, TPS FC4, messages from cron

Hello

I have some strange problems on my server, starting last night.

Every minute root gets this mail
Code:
Cron <root@www>  chown root:root /tmp/w00tt && chmod 4755 /tmp/w00tt && rm -rf /etc/cron.d/core && kill -USR1 2584
Which says
Code:
/bin/sh: line 0: kill: (2584) - No such process
I run SSH on a non-standard port.
But suddenly SSH is back on port 22.
I checked my /etc/ssh/sshd_config and it is configured with the port I want.

I use ISPConfig, and I have opened the firewall for the non standard SSH port.

Edit:
I also see that a root login was performed
Code:
ALERT - Root Shell Access on: Mon Apr 14 05:02:13 CEST 2008
This usually logs the IP address or says tty1.

It is after this login the messages begin to come for root.
Strange, I use a non-standard SSH port, and a very secure password for root.

Any tips here?

Last edited by Hagforce; 14th April 2008 at 10:22.
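Two quick triage checks for the two symptoms in the post above, added here as an example (not code from the thread or from ISPConfig): a cron job that makes a file under /tmp setuid root and then deletes its own cron file, and sshd answering on port 22 even though sshd_config sets a non-standard Port. The function names `cron_iocs` and `sshd_port_check` are mine, and the cron lines and `ss -ltnp` lines in `demo()` are constructed for illustration, modelled on the post, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread. Two triage checks for the two
# symptoms in the post above: a cron job that makes a file in /tmp setuid
# root and then deletes its own cron file, and sshd answering on port 22
# although sshd_config sets a non-standard Port. POSIX sh only. The cron
# lines and the `ss -ltnp` lines in demo() are constructed for illustration
# (modelled on the post), not captured from a real host.

# cron_iocs: read crontab / cron.d lines on stdin and print those that
# (a) chmod something setuid (4xxx, 04xxx or +s) under /tmp, /var/tmp or
# /dev/shm, or (b) rm something under /etc/cron*. No legitimate job does either.
cron_iocs() {
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        setuid=0; tmp=0; hit=""
        case "$line" in
            *"chmod "4[0-7][0-7][0-7]*|*"chmod "[0-7]4[0-7][0-7][0-7]*|*"chmod "*+s*) setuid=1 ;;
        esac
        case "$line" in */tmp/*|*/dev/shm/*) tmp=1 ;; esac   # */tmp/* also covers /var/tmp
        if [ "$setuid" = 1 ] && [ "$tmp" = 1 ]; then hit="setuid-in-tmp"; fi
        case "$line" in *"rm "*"/etc/cron"*) hit="${hit:+$hit,}cron-self-delete" ;; esac
        if [ -n "$hit" ]; then printf '%s\t%s\n' "$hit" "$line"; fi
    done
}

# sshd_port_check CONFIG LISTING: CONFIG is an sshd_config file, LISTING a
# file holding `ss -ltnp` (or `netstat -ltnp`) output. Prints every port on
# which a process named sshd is listening that no Port directive configures,
# and returns 1 if there is any. Such a port means the running sshd is not
# reading that config, or is not your sshd at all.
sshd_port_check() {
    cfg=$1; listing=$2
    configured=$(awk 'tolower($1)=="port" {print $2}' "$cfg" | tr '\n' ' ')
    [ -n "$configured" ] || configured="22 "    # sshd's default when no Port line
    unexpected=$(
        grep -i 'sshd' "$listing" |
        # first column that ends in :<digits> is the local address; keep the port
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) { sub(/.*:/, "", $i); print $i; break } }' |
        sort -un |
        while read -r p; do
            case " $configured" in
                *" $p "*) ;;
                *) printf 'sshd listening on unconfigured port %s\n' "$p" ;;
            esac
        done
    )
    [ -z "$unexpected" ] || { printf '%s\n' "$unexpected"; return 1; }
}

# On the live host (with tools you trust):
#   cat /etc/crontab /etc/cron.d/* /var/spool/cron/* 2>/dev/null | cron_iocs
#   ss -ltnp > listening.txt      # or: netstat -ltnp > listening.txt
#   sshd_port_check /etc/ssh/sshd_config listening.txt

demo() {
    d=$(mktemp -d)
    # constructed cron lines: the first is built from the command in the post
    printf '%s\n' \
      '* * * * * root chown root:root /tmp/w00tt && chmod 4755 /tmp/w00tt && rm -rf /etc/cron.d/core && kill -USR1 2584' \
      '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf' | cron_iocs
    printf 'Port 2222\nPermitRootLogin no\n' > "$d/sshd_config"
    # constructed `ss -ltnp` lines: sshd on the configured port and on 22
    printf '%s\n' \
      'LISTEN 0 128 0.0.0.0:2222 0.0.0.0:* users:(("sshd",pid=4242,fd=3))' \
      'LISTEN 0 128 [::]:22      [::]:*    users:(("sshd",pid=4242,fd=4))' > "$d/ss.txt"
    sshd_port_check "$d/sshd_config" "$d/ss.txt" || echo "port check FAILED (see above)"
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

When `sshd_port_check` reports a port, follow the pid that `ss -p` / `netstat -p` shows: `readlink /proc/PID/exe` tells you which binary is really listening and `rpm -qf` on that path tells you whether it belongs to the openssh-server package. Both checks parse output only, so they are only as honest as the `ss`, `netstat` and `cat` you run them with; on a box with a suspected kernel rootkit, the listing should come from a rescue boot.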
#2
14th April 2008, 11:13 - topdog (Senior Member)

You have been rooted.
__________________
----
http://www.topdog.za.net - Got Linux problems ? - I can help.
http://www.baruwa.org - Try it.
#3
14th April 2008, 11:26 - Hagforce (Senior Member)

OK, this is not good.

I found a folder in /temp/ that is named .dat
It seems to contain an exploit, for installing eggdrop.

I removed a file in /etc/cron.d called core.2585
Then the messages from cron stopped.

The file seems unreadable in text editors, but some of it is readable.

What should I do next...
#4
14th April 2008, 11:31 - topdog (Senior Member)

You need to check the system from good read only media, because right now all your binaries must have been changed.

My best bet is trash the system and rebuild a new system restoring configurations from known good backups.
#5
14th April 2008, 11:43 - Hagforce (Senior Member)

Thank you.

How can I check which binaries have been changed?
Trashing the system is not a good option for me right now.
#6
14th April 2008, 11:48 - topdog (Senior Member)

You need to know the md5sums of these binaries; usually you would use the rpm database to verify this:
Code:
rpm -Va
but if the guy that broke in was good, I guess they have already messed up the db.

In most cases exploited binaries will also have their attributes changed so that you cannot replace them, so check using
Code:
lsattr /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
Any with the immutable or append flag set should be suspect.
#7
14th April 2008, 11:49 - topdog (Senior Member)

You also need to run a rootkit hunter; rkhunter and chkrootkit should help.
#8
14th April 2008, 12:54 - Hagforce (Senior Member)

Thank you again topdog.

chkrootkit and rkhunter do not find anything (I deleted the one I found manually).

What should I look for running rpm -Va?
lsatt returns -bash: lsat: command not found
#9
14th April 2008, 13:20 - topdog (Senior Member)

With rpm -Va you should be looking for binaries whose md5 / ownership has changed.

I guess the person has removed lsattr because he has changed the attributes of your files, so you need to get your own one anyway, as the installed one could be altered.
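The rpm -Va and lsattr checks from posts #6 and #9, as an added example (my code, not topdog's or anything from the thread): two small filters that read the tools' output and print only what matters, so the tools themselves can be run from trusted media as post #4 advises, rather than trusting the rpm and lsattr installed on the compromised box. The function names `rpm_suspects` and `immutable_suspects`, the rescue mount point `/mnt/rescue` in the comments, and every sample line in `demo()` are my assumptions and constructed data, not output captured from the poster's server.

```shell
#!/bin/sh
# Added example, not code from the thread: filters for the two checks
# suggested above (rpm -Va for changed binaries, lsattr for immutable or
# append-only flags). They only parse the tools' output, so you can run the
# tools from trusted media (a rescue CD or a mounted known-good tree) and
# pipe the result in; the rpm and lsattr on the box may be the attacker's.
# All sample output in demo() is constructed, not captured from a real host.

# rpm_suspects: read `rpm -Va` output on stdin. Each line is an attribute
# string of 8 or 9 characters (S size, M mode, 5 MD5 digest, D device,
# L link, U user, G group, T mtime, P capabilities; '.' = unchanged), an
# optional file-type letter (c config, d doc, g ghost, l license, r readme)
# and the path; the word "missing" replaces the attributes for absent files.
# Print files whose digest, owner or group changed, or that are missing,
# skipping config files because those change legitimately.
rpm_suspects() {
    while read -r attrs rest; do
        [ -n "$attrs" ] || continue
        first=${rest%% *}
        case "$first" in
            c|d|g|l|r) type=$first; path=${rest#* } ;;
            *)         type="";     path=$rest ;;
        esac
        if [ "$type" = c ]; then continue; fi
        case "$attrs" in
            missing)                printf 'MISSING %s\n' "$path" ;;
            ??5*|?????U*|??????G*)  printf 'CHANGED %s %s\n' "$attrs" "$path" ;;
        esac
    done
}

# immutable_suspects: read `lsattr -R DIR...` (or `lsattr FILE...`) output on
# stdin and print entries with the immutable (i) or append-only (a) attribute.
# The "DIR:" headers and blank lines that -R emits carry no path and are skipped;
# only the attribute column is inspected, so letters in the path do not count.
immutable_suspects() {
    while read -r attrs path; do
        [ -n "$path" ] || continue
        case "$attrs" in
            *i*|*a*) printf 'FLAGGED %s %s\n' "$attrs" "$path" ;;
        esac
    done
}

# On the suspect host, with a trusted tree mounted at /mnt/rescue (assumed path):
#   /mnt/rescue/bin/rpm -Va 2>/dev/null | rpm_suspects
#   /mnt/rescue/usr/bin/lsattr -R /bin /sbin /usr/bin /usr/sbin \
#       /usr/local/bin /usr/local/sbin 2>/dev/null | immutable_suspects

demo() {
    echo "== rpm -Va (constructed sample) =="
    printf '%s\n' \
      'S.5....T.  /usr/bin/ssh' \
      'S.5....T.  c /etc/ssh/sshd_config' \
      '.......T.  /usr/sbin/sshd' \
      '.....U...  /bin/ls' \
      'missing    /usr/bin/lsattr' | rpm_suspects
    echo "== lsattr -R (constructed sample) =="
    printf '%s\n' \
      '/bin:' \
      '----i--------e-- /bin/ps' \
      '-------------e-- /bin/cat' \
      '' \
      '/usr/bin:' \
      '-----a-------e-- /usr/bin/top' | immutable_suspects
}

case "${1:-}" in demo) demo ;; esac
```

Two caveats when reading the results. Fedora Core of that era prelinked binaries, so if the digest column lights up for almost every executable, rule out prelink before concluding that everything was replaced. And rpm -Va compares against the rpm database on the box; if you suspect the database was touched, verify individual packages against a clean copy of the package file with `rpm -Vp package.rpm` fetched from a known-good mirror. Neither filter helps against a kernel-level rootkit that lies to every userland tool, which is why post #4's advice to inspect the disk from read-only media still stands.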
#10
14th April 2008, 21:55 - Hagforce (Senior Member)

lsattr returns ---------- on all.
I ran lsatt the first time, sorry.

I have shut down ssh for now.
Changed the root password.
And everything is back to normal (it seems).

What can I do to make ssh safe to use again?
I guess, delete all files which have to do with ssh, and reinstall it?
Which folders do I delete? I have ssh and ssh2 on Fedora Core 4.

I have many e-mail accounts on the server, but only one user has shell access (root); must I take any action regarding the e-mail users/addresses?
All times are GMT +2.