Web Hosting Talk
HACKED! Need Help


LCHwebHost
12-19-2003, 06:04 PM
Hi,
I was hacked. When I run chkrootkit it says this:

Warning: `//root/.bash_history' is linked to another file

I've never dealt with this before what should I do?

Naes
12-19-2003, 06:20 PM
What does it link to?

cd /root
ls -la


post the output.

LCHwebHost
12-19-2003, 06:35 PM
lrwxrwxrwx 1 root root 9 Jul 14 00:37 .bash_history -> /dev/null

Security Group
12-19-2003, 06:59 PM
It's been CHMOD'd to 777. In other words, anyone can read it.

LCHwebHost
12-19-2003, 07:01 PM
How do i find out how the hacker got in?

hiryuu
12-19-2003, 07:10 PM
They can only read it if they can reach it -- /root is usually mode 700. Pretty much all of the symlinks I've seen are 777. I don't think you can modify them short of removing and remaking them, in which case the directory's permissions kick in.

IOW, this is just dumping your shell's history into the bit bucket. That's curious (especially if you don't remember doing it), but not a cause for alarm unless something else is out of place.

LCHwebHost
12-19-2003, 07:15 PM
Hi,
I have definitely been hacked; all of the index pages have been replaced. However, how do I find out how he got in and fix it? I think it was through one of my resellers that has SSH access (as one of them was logged in when it was hacked), but how do I verify this? How can I find out how it was hacked?

WinApp
12-19-2003, 07:20 PM
I'm not capable of telling you how to fix this. However, if you don't have any mission-critical sites running on the server, it might be a good idea to disconnect it from the network, or at least monitor it extremely closely while working on it.

They may come back...

LCHwebHost
12-19-2003, 07:30 PM
Anyone know how I can find out how they got in?

LCHwebHost
12-19-2003, 07:33 PM
When I run the rootkit checker this is what it says:

Warning: `//root/.bash_history' is linked to another file

Checking `wted'... not tested: can't exec ./chkwtmp
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `z2'... not tested: can't exec ./chklastlog

Everything else is normal... Anyone know how they got in and how i can fix it?

chuckt101
12-19-2003, 07:50 PM
First of all, delete that link (in /root):

cd /root
rm -f .bash_history
(I think it will auto-create if you don't have one, but if not:)
touch .bash_history
chmod 600 .bash_history

Second, check /var/log/securetty for logins.
Also check /var/log/messages for anything out of the ordinary.

Third, you might want to do a fresh install.

eBoundary
12-19-2003, 08:17 PM
Well,

1st, what software do you have installed?
what OS are you running?
what kernel version are you running?
do you allow people to have shell access to your server?

What did the defaced page say?

If they compromised your server and installed any decent rootkit it will be extremely difficult to detect and/or remove while the machine is online. I hope you have backups, because the fastest way to get your machine back to a trusted state is to reinstall.

I'd suggest you inform your clients of the situation as they could potentially have had personal/sensitive data compromised.

When the machine comes back up make sure ALL software including the kernel is up to date. Use completely different passwords than you currently use and suggest that your clients all change their passwords also. Chances are they took a copy of your password/shadow file and will happily crack it for weak passwords and thus have a nice little account to walk straight back into your server with.

hiryuu
12-20-2003, 12:09 AM
Yeah, this is sounding bad. It's time to get a clean install going. If you can get this drive going as secondary, you can have a security expert sift through to hopefully see what happened.

You can pretty much assume the passwords have been compromised, and sessions have probably been keylogged as well.

sehe
12-20-2003, 08:03 AM
Originally posted by LCHwebHost
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `z2'... not tested: can't exec ./chklastlog


since you forgot to "make" the chkrootkit binaries, enter that dir
and type "make" then rerun chkrootkit and it will do the missing checks

Techark
12-20-2003, 08:43 AM
You can bet they got root if they have this:
lrwxrwxrwx 1 root root 9 Jul 14 00:37 .bash_history -> /dev/null

They are dumping the bash history to the bit bucket to cover their tracks. Nothing you can do now but reinstall the OS.

Make sure all your users know once you get back online to change all passwords or better yet do it for them and give them the new passwords. Make sure they change passwords for everything, mail accounts to forum software. At this point they own your server and probably have a back door.

ub3r
12-20-2003, 08:55 AM
You don't need to rm -rf .bash_history; just type "unlink .bash_history" and it will unlink itself from /dev/null.

Next, for each of your clients who has SSH access, run "grep .bash_history /home/*/.bash_history" and it will show you every command that has been used by your users where the command included the term .bash_history. If that doesn't turn up anything, change the first ".bash_history" to "ln", or if that doesn't work, change it to "link".

Good luck... i guess, heh.

NexDog
12-20-2003, 09:41 AM
Originally posted by LCHwebHost
..... how i can fix it?
Yea, hire someone who actually knows what they are doing. Don't you understand the responsibility you have? :mad:

eBoundary
12-20-2003, 10:30 AM
Originally posted by ub3r
You don't need to rm -rf .bash_history; just type "unlink .bash_history" and it will unlink itself from /dev/null.

Next, for each of your clients who has SSH access, run "grep .bash_history /home/*/.bash_history" and it will show you every command that has been used by your users where the command included the term .bash_history. If that doesn't turn up anything, change the first ".bash_history" to "ln", or if that doesn't work, change it to "link".

Good luck... i guess, heh.

.bash_history only works for bash, obviously; there are any number of other shells on the box. Also, I doubt it will help very much: if they symlinked root's bash history, I'm pretty sure they'd do it to the accounts they used to elevate privs. You may get lucky and find another account that has a /dev/null link in the home dir, though :)
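The checks chuckt101, ub3r and eBoundary describe above (look for history files pointing at /dev/null, confirm the home directory itself is not world-readable, then grep the surviving history files for the commands that created the links) fit into one small script. This is an added example, not code posted in the thread; the list of history file names, the command pattern and the use of GNU `stat -c` (with a BSD fallback) are my assumptions, and it covers the other shells eBoundary mentions rather than bash alone. As hiryuu and eBoundary point out, on a rooted box `ls`, `grep` and `stat` may themselves be trojaned, so run this against the drive mounted as a secondary disk from a clean system (pointing it at the mounted copies of /root and /home/*) rather than on the live machine.

```shell
#!/bin/sh
# Audit shell history files under a set of home directories.
# Usage:  sh audit_history.sh /root /home/*
# Output: one finding per line, "<home> <TAG> <detail>".
#
# Assumption: these are the history files worth checking. Extend the list for
# whatever shells your users actually run.
HISTORY_FILES=".bash_history .zsh_history .sh_history .ksh_history .history"

# For every home directory: report history files that are symlinks (and their
# target) and the directory's own mode. A symlink showing lrwxrwxrwx is normal;
# a home directory readable by everyone (e.g. 755 on /root) is what actually
# exposes the history to other users.
audit_history() {
    for home in "$@"; do
        [ -d "$home" ] || continue
        # GNU coreutils first, BSD/macOS stat as the fallback.
        mode=$(stat -c %a "$home" 2>/dev/null || stat -f %Lp "$home")
        for f in $HISTORY_FILES; do
            p="$home/$f"
            if [ -L "$p" ]; then
                target=$(readlink "$p")
                case "$target" in
                    /dev/null) echo "$home SYMLINK_TO_DEV_NULL $f -> $target" ;;
                    *)         echo "$home SYMLINK $f -> $target" ;;
                esac
            fi
        done
        echo "$home HOME_MODE $mode"
    done
}

# In the history files that are still real files, find commands that would have
# created such a link or wiped history (ub3r's grep, widened to ln/link/unlink,
# anything sending history to /dev/null, and "history -c").
# Output: "<file>:<line number>:<command>".
find_link_commands() {
    for home in "$@"; do
        for f in $HISTORY_FILES; do
            p="$home/$f"
            [ -f "$p" ] && [ ! -L "$p" ] || continue
            grep -nE '(^|[;&| ])(ln|link|unlink) .*history|/dev/null.*history|history -c' "$p" 2>/dev/null \
                | sed "s|^|$p:|"
        done
    done
}

# Run both checks when invoked with directories on the command line.
if [ "$#" -gt 0 ]; then
    audit_history "$@"
    find_link_commands "$@"
fi
```

Run it with the mounted copies of the home directories as arguments; a `SYMLINK_TO_DEV_NULL` line under a reseller account, or a `find_link_commands` hit naming /root/.bash_history from a user's own history, is the kind of evidence the original poster was asking for.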

demonmoo
12-20-2003, 02:48 PM
Do a fresh install and hire someone to administer the server.

WinApp
12-20-2003, 03:18 PM
Although I do agree that he should seek professional help in finding out the entry point, I must admit I was once in his shoes (never got hacked... but knowledge-wise...). Unfortunately, where I am from, network and server admins are hard to come by, so I never had an opportunity to work somewhere with other people and learn the ropes. I only wish I had been able to… In fact, I still wish I could, as there is still plenty for me to learn. We all gotta start somewhere… Perhaps he’s in a similar situation…