RedHat 6.1 hacked
Eddie Bishop 03-01-2002, 03:22 PM
I seem to have been hacked; chkrootkit reports that ps, tcpd and rexedcs are infected, .bash_history has been linked to another file and there might be an LKM.
If this sounds familiar to anyone I'd be grateful for more info. The most important effect of it seems to be that ftp (wuftp) is broken - no user can log in, it rejects their passwords.
If I could get a quick fix for this to last a couple of weeks until I upgrade to 7.2 I'd be OK. All suggestions gratefully received. I am thinking along the lines of trying to replace the suspect binaries; does anyone have a 6.1 box working?
Thanks
ckpeter 03-01-2002, 03:34 PM
I am by no means a linux pro. But my server also got hacked recently. My suggestion is that you do a full reinstallation (or full installation of RH7.1). Trying to replace modified binaries is just too risky, since you can't be sure how far the attacker had gone.
wu-ftpd is also not very secure, try proftpd.
Peter
jstout 03-01-2002, 03:41 PM
Well... have you been keeping the server patched? A quick search shows multiple vulnerabilities in wuftpd since Redhat 6.1.
A quick search on google came up with a little on the different rootkits, though the information you provided doesn't seem enough to make a conclusion.
You can do an rpm update of the infected binaries but I wouldn't bother. You need to rebuild it.
Eddie Bishop 03-01-2002, 03:54 PM
Thank you for the replies. I am planning to rebuild and install 7.2 soon (or rather I am paying my colo to do it) but need to try some quick fixes in the meantime.
Could you please enlarge on the rpm replace idea - ie where I can get the rpms and hints on how to go about it?
zupanm 03-01-2002, 03:58 PM
If ps and such have been infected there is nothing you can do. Your system has been trojaned. They probably have login trojaned, which means they can telnet to your box and login with say root and any password and get access. They can do this many different ways; that is just one. Reformat right away.
If you ever want some help IM me at hijinks7 or mike@zcentric.com. I do a lot of security work and might be of some help if you are ever in need.
ckpeter 03-01-2002, 04:06 PM
I suggest you reinstall the OS as soon as possible. The attacker may return at any time, and use your server to do other tasks, e.g. DDoS attacker, stage for hacking other servers, etc. The longer you wait, the more risk you incur.
In the meantime, if you can afford it, at least shut down the server so the attacker won't have access to it.
Peter
Eddie Bishop 03-01-2002, 04:24 PM
I really appreciate all your replies and I know this is good advice. The last thing I want is to give help to some hacker to scan for other servers/send spam etc.
But is there really no way I can try to get a temporary fix? As I said, I only need a few days. How about installing ProFTP and using that instead of WUFTP? And if I replace the infected binaries with clean copies from another 6.1 box, then run chkrootkit every hour as a cron job to alert me if they get infected again, shouldn't that hold the swine at bay for the short time I need?
Failing that, another question: Given that I can't FTP, how can I get users' sites off the server to relocate elsewhere? I've just installed webmin to use its file manager module and was amazed to see it can upload but not download!
bobcares 03-01-2002, 07:26 PM
Hi!
From my guess you may be hacked. In which case all binaries would be hacked. So there is not much you can do in a situation like this but reinstall everything from scratch.
You can upload files to a temporary server using ftp. Here you must use the ftp client of your server and the ftp server of the temporary server. This would work. Or try scp. However, the best would be to ask the datacenter to take a backup and reinstall everything. Your clients' information is important, which you do not want to be misused... It may cost a bit more with the datacenter but it sure would be worth the amount.
Have a great day :)
regards
amar
Pingu 03-01-2002, 07:39 PM
Well, the problem is that you don't know which files have been hacked and which haven't.
What's worse, those files reported as having hidden processes don't need to be hacked at all. What could be hacked is your kernel, and processes are hidden from there. You can replace all the binaries you want, but with a hacked kernel it wouldn't do much good, would it?! That also implies that checksums would still report the files as being genuine, since they weren't hacked. So, what can you trust? Very little.
Replacing WUFTP is a bit late now. IF it was misused to gain entrance, then most likely a backdoor has already been installed.
Unless you're an Ace (capital intended), there's only one option, and it's mentioned already.
If not convinced, work your way through this page and weep:
http://www.pimmel.com/articles/lkm-hacking.html
Eddie Bishop 03-01-2002, 08:14 PM
All your points are well taken, thank you.
Bob, could you possibly enlarge on "using the FTP client of my server"? Where might I find that? If it works and I can move the sites sideways to my other server I can get the hacked one shut down.
Asking the datacentre is a no-go I'm afraid. They won't help at any price - too busy making money from more important clients than I.
driverdave 03-01-2002, 08:26 PM
You should have an FTP client on your server.
Just type at the command line ftp {IP address or URL of the FTP server}. Or better yet, type man ftp.
Something to consider though, is a keystroke logger. You can't really consider ANYTHING on the hacked server to be secure. The hacker may be monitoring your keystrokes. So when you type in the log/pass for the FTP server you are FTPing to from the hacked server, you've given FTP access to the server you are FTPing to.
So I wouldn't recommend FTPing your files from the hacked server to your new server.
Just scrap the whole thing and re-upload your sites from an older backup to the new server. Using files from the hacked server is about as good as a blood transfusion from someone with hepatitis.
DigitalXWeb 03-01-2002, 08:34 PM
Just tarball or gzip your clients' data and offload them to your second server and do a complete reinstall of the hacked O/S. If you are using the same control panel on both servers and you have the space you may just want to export the clients on the exploited server over to your second one permanently. Of course this depends if you actually have the space on the second server and how many clients this would entail.
As for your question, as I have mentioned tarball or gzip the client data and store this file in your domains webpage directory. From the second server do a wget yourdomainname.com/filename and it will transfer the file over to the second server. You could do this via ftp but I thought I saw that you mentioned you no longer are running this.
Good luck
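An added example, not code posted by anyone in this thread, for the receiving (clean) server: it lists the members of an archive pulled over from the hacked box that deserve a look before anything is extracted, which is the point driverdave and DigitalXWeb raise above. It assumes GNU or BSD tar, member names without spaces, and a hypothetical archive name `clients.tar.gz`.

```shell
#!/bin/sh
# Added example (not from the thread): flag the risky members of a tarball
# that came from a compromised host so they can be reviewed before extraction
# on the clean server. Assumes GNU or BSD tar and member names without spaces.
# Usage: audit_archive clients.tar.gz
set -u

audit_archive() {
    # -tv prints one member per line. The mode string is always field 1 and
    # the member name is the last field (or the field before "->" for
    # symlinks), so the parsing does not depend on the date format that
    # different tar versions print. -P keeps stored names as they are.
    tar -tzvPf "$1" | awk '
        {
            mode = $1
            if ($(NF-1) == "->") name = $(NF-2); else name = $NF
        }
        name ~ /^\//              { print "ABSOLUTE  " name; next }
        name ~ /(^|\/)\.\.(\/|$)/ { print "TRAVERSAL " name; next }
        mode ~ /^[lh]/            { print "LINK      " name; next }
        substr(mode,4,1) ~ /[sS]/ || substr(mode,7,1) ~ /[sS]/ { print "SETUID    " name; next }
        mode ~ /^-..x/            { print "EXEC      " name }
    '
}

# Number of flagged members; anything other than 0 means: review first.
risky_member_count() {
    audit_archive "$1" | wc -l | tr -d ' '
}
```

Entries tagged EXEC (such as legitimate cgi-bin scripts) are listed for review rather than rejected; the absolute-path, traversal, link and setuid tags are the ones that should not reach the new server unexamined.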
Pingu 03-01-2002, 08:54 PM
Was going to suggest that: gzip the stuff to a webdirectory and download it from the second server :)
As driverdave said: under no circumstance make a connection from the hacked server to another one. Your commands may (or will) be logged. Even more paranoid thought: the hacker may be logged into your server already, watching your every move without you being able to see any trace of him/her.
Also something to consider: if the second server is configured the same as the hacked one, it might be just as vulnerable...
But whatever you do, do it fast. And in the mean time, shut down every service not absolutely necessary, starting with ftp...
Eddie Bishop 03-01-2002, 09:13 PM
I'm having a go at doing it with WinSCP to a PC - so far so good. Then I can just go from there to the other server (but I will have to test and fix all the sites - they are using .htaccess, cgi scripts, php etc, and probably contain some absolute links).
The other one is a RaQ4 and fully patched. I think the vulnerability of the hacked one came from it being RH6.1; I have been trying to get the colo to upgrade it to 7 for months.
Apart from FTP, what services can I shut down to try to thwart the hacker, and how? If possible I must keep SSH (obviously), HTTPD and Sendmail (at least for receiving mail) up until I can get the rebuild started.
Pingu 03-01-2002, 09:55 PM
Not easy, stuff like this. I'm very tired right now, so this is all I can think about:
* Turn off ALL unneeded network services.
* Don't use programs that send passwords in clear text (FTP, Telnet, POP3)
* Run a portscanner to see what ports you have open, and maybe use ipchains to block access to any "unknown" ports you have open?
Not sure if this would work actually. With all the experts here maybe there'll be more tips and tricks...
* Configure tcp-wrappers to deny all but yourself
I have been considering setting up a secondary mailserver somewhere. I guess in times like this you see the value of such a thing...
Pingu 03-02-2002, 08:42 AM
Thought of this when I went to bed last night:
One of the things that seems affected is tcpd, which IS the tcp-wrapper, so I'm not sure if it would do the task it should do in this case....
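An added example, not posted by anyone in the thread, that turns Pingu's first two points into a check: give it `netstat -tln` output and the ports that must stay up (22, 25 and 80 from Eddie's list) and it prints every other listening port as a candidate for shutdown. The sample netstat output is constructed; on the box in question netstat and tcpd are themselves suspect, so a port scan from another machine, as Pingu suggests, is the more trustworthy input to feed it.

```shell
#!/bin/sh
# Added example (not from the thread): compare the TCP ports a box listens on
# against the short list of services its owner still needs, and print the rest.
# Assumes the "netstat -tln" layout, with Local Address in column 4.
set -u

# Read netstat -tln output on stdin; arguments are the allowed ports.
# Prints the listening ports that are not in the allowed list, ascending.
unexpected_listeners() {
    allowed=" $* "
    awk '$1 ~ /^tcp/ { n = split($4, a, ":"); print a[n] }' |
    sort -un |
    while read -r port; do
        case "$allowed" in
            *" $port "*) ;;          # a wanted service, keep quiet
            *) echo "$port" ;;
        esac
    done
}

# Constructed sample of what netstat -tln might print on a box like the one in
# the thread (ftp, ssh, telnet, smtp, http, pop3, webmin); not real output.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN'

# Run the check over the constructed sample, keeping only ssh, smtp and http.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners 22 25 80
}

# On a live box the same check is:  netstat -tln | unexpected_listeners 22 25 80
```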