
01-24-2005, 11:59 PM
Web Hosting Master
Join Date: Oct 2003
Location: Georgetown, Ontario
Posts: 1,761
So Their Server got hacked...
I'm talking to a fellow hosting company on AIM and they're asking me to fix their server. I know these guys, so I agree.
Anyways, their server got hacked, the shadow file got messed up, ssh just closes connections right away, and telnet refuses a connection.
Any way to "hack" back in without getting the datacenter involved?
__________________
·· Repeat after me... ProSupport is the best... Prosupport is... ··
ProSupport Host Support System - OUT NOW! Grab a copy yourself and see what the hype is about!
VertiHost Inc. - We run a quality business. Do you?

01-25-2005, 01:24 AM
Retired Moderator
Join Date: Mar 2004
Location: Singapore/Melbourne
Posts: 6,832
I won't recommend doing that, best to contact the datacenter and get the necessary access.

01-25-2005, 02:02 AM
Web Hosting Master
Join Date: Apr 2003
Location: NC
Posts: 2,911
Well if you have secured your server there should not be
If the server is that far gone a restore/reimage is probably a very good idea. Without an IDS you don't have any clue what is screwed up.

01-25-2005, 04:48 AM
Retired Moderator
Join Date: Sep 2004
Location: Flint, Michigan
Posts: 5,768
Somebody correct me if I am wrong but if the shadow file is messed up you are not going to be able to log in period. Format, re-image, start from scratch. Be sure to ask them where their remote backups are.

01-25-2005, 05:07 AM
Web Hosting Master
Join Date: Nov 2003
Location: Canada
Posts: 881
I agree, get them to re-install the entire OS. I also suggest getting it installed on a new drive, then mount the old drive and you can access data off that. This will let you examine what went wrong and it will also give you quick access to files. And make sure you aren't missing anything from the remote backups.
Another possibility is to get the DC to put a new shadow file on the server. It's easy enough, just make sure they have a root entry. Although if you were hacked other things could have been left behind, so a re-install might still be a better method.
Last edited by Captian_Spike; 01-25-2005 at 05:13 AM.
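The rebuild-then-mount approach described in this post, and the "make sure there is a root entry" shadow check, as an added set of shell helpers that are not from the thread. Assumed, not from the page: the old disk is /dev/sdb1, it is mounted at /mnt/old, and the four mounted functions are run as root on the freshly installed host.

```sh
#!/bin/sh
# Triage helpers for an old, compromised disk mounted on a freshly
# installed host. /dev/sdb1 and /mnt/old are hypothetical placeholders.
set -eu

OLD_DISK="${OLD_DISK:-/dev/sdb1}"      # hypothetical device name
OLD_ROOT="${OLD_ROOT:-/mnt/old}"       # hypothetical mount point

# Mount read-only with nodev,nosuid,noexec so nothing on the compromised
# disk can be executed, used as a device node, or honoured as setuid.
mount_old_disk() {
    mkdir -p "$OLD_ROOT"
    mount -o ro,nodev,nosuid,noexec "$OLD_DISK" "$OLD_ROOT"
}

# Sanity-check a shadow file: every line needs 9 colon-separated fields
# and a root entry must be present. Returns 0 when sane, 1 otherwise.
check_shadow() {
    [ -r "$1" ] || { echo "shadow file missing or unreadable: $1"; return 1; }
    awk -F: '
        NF != 9      { bad++; print "malformed line " NR ": " $0 }
        $1 == "root" { root++ }
        END { if (!root) print "no root entry"; exit (bad || !root) }
    ' "$1"
}

# Setuid/setgid files under the old root: a replaced /bin/login or a
# planted root shell usually shows up here.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# System binaries modified more recently than a reference file
# (e.g. a known-good binary from the same distribution release).
recently_changed() {
    find "$1/bin" "$1/sbin" "$1/usr/bin" "$1/usr/sbin" -xdev -type f \
        -newer "$2" 2>/dev/null | sort
}

# Copy only non-executable data (sites, mail, databases), permissions
# intact; nothing under bin/, lib/ or etc/ from the old disk is reused.
copy_data() {
    src="$1"; dst="$2"
    for d in home var/mail var/lib/mysql var/www; do
        [ -d "$src/$d" ] || continue
        mkdir -p "$dst/$(dirname "$d")"
        cp -a "$src/$d" "$dst/$d"
    done
}
```

Run `check_shadow "$OLD_ROOT/etc/shadow"`, `find_setuid "$OLD_ROOT"` and `recently_changed "$OLD_ROOT" /bin/ls` after mounting, and keep the rebuilt host off the network until the copied data has been reviewed.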

01-25-2005, 09:22 AM
Web Hosting Master
Join Date: Apr 2003
Location: NC
Posts: 2,911
Quote:
Originally posted by justadollarhostin
Somebody correct me if I am wrong but if the shadow file is messed up you are not going to be able to log in period. Format, re-image, start from scratch. Be sure to ask them where their remote backups are.
You can log in as single user on the physical computer and reset the password if you had a KVM or something. Over the internet you would have to exploit the server, but if you had physical access it would be easy.

01-25-2005, 11:06 AM
Newbie
Join Date: Jun 2004
Posts: 20
If there's no IDS installed that will block IPs then you could try port scanning the machine to see if the hacker has left SSH running on a different port and then try and login through that port.
There may however be a root kit installed that will spawn after each login is completed (eg a trojan attached to /bin/login) but you may still get some access to the box and at least get some data off it before a rebuild.
Just an idea.
Chris

01-25-2005, 03:41 PM
Web Hosting Master
Join Date: Oct 2003
Location: Georgetown, Ontario
Posts: 1,761
Some of you are hinting towards this being our server. It's not. Our servers are secure. This was another company's server, and I don't have anything to do with how it was secured or kept secure.
Their server is tomsyer, and their response times are VERY slow. That's why I was wondering if there was any way I could get back into the server without logging in. Seems not.
Looks like they'll have to get an OS reinstall on a new drive in that case.

01-25-2005, 05:07 PM
WHT Addict
Join Date: Nov 2003
Posts: 136
Quote:
Originally posted by belowzero
If there's no IDS installed that will block IPs then you could try port scanning the machine to see if the hacker has left SSH running on a different port and then try and login through that port.
There may however be a root kit installed that will spawn after each login is completed (eg a trojan attached to /bin/login) but you may still get some access to the box and at least get some data off it before a rebuild.
Just an idea.
Chris
Sorry, but this just irks me.  IDS is detection, not prevention. Granted, there are some IDS solutions that come with minimal blocking capabilities, but these are minimal at best. If they had access to destroy the shadow file, that means it was a root compromise, and no telling what happened. I would go with the above suggestion to get the OS reinstalled from scratch and mount the old HD so that they can try to get some data back.
Pheaton: looks like you replied as I hit post reply. Good luck. I've had some issues with Savvis, as well as with Tomsyer.

01-25-2005, 05:42 PM
Newbie
Join Date: Jun 2004
Posts: 20
Fair enough. IDS is a generic term but I meant if the box isn't going to ban your IP for scanning it (eg running something like portsentry) then there may be a telnet or SSH daemon listening on a port that you can still get a login through. The hacks I've seen don't usually trash the shadow file but mess up the commonly used daemons used to gain a shell with.
Then at least you could recover some valuable (non-executable) data before rebuilding the box.
Chris

01-25-2005, 06:40 PM
WHT Addict
Join Date: Nov 2003
Posts: 136
Quote:
Originally posted by belowzero
Fair enough. IDS is a generic term but I meant if the box isn't going to ban your IP for scanning it (eg running something like portsentry) then there may be a telnet or SSH daemon listening on a port that you can still get a login through. The hacks I've seen don't usually trash the shadow file but mess up the commonly used daemons used to gain a shell with.
Then at least you could recover some valuable (non-executable) data before rebuilding the box.
Chris
Yeah, I knew what you meant, but it still bothers me. At any rate. Yeah, I can't say I have ever heard of an attack trashing the shadow file either. Emphasis on non-executable, text-file type data.

01-25-2005, 09:41 PM
Web Hosting Master
Join Date: Oct 2001
Posts: 1,244
Try scanning the box for any open ports - maybe the hackers have left a way for them to get back in...
Otherwise, just reboot in single user mode and restore the shadow file from the backups (.... you do have backups right??)
PS - if you can, don't hook the server back to the internet because there may be software on there that records any new root passwords you set.... after a compromise, do a fresh install.
Best of luck!
__________________
Avi Brender
Reliable Web Hosting by Elite Hosts, Inc
CPANEL Reseller Hosting - Fantastico - Rvskins - ClientExec

01-25-2005, 09:44 PM
I like ice cream
Join Date: Mar 2003
Location: California USA
Posts: 11,785
Quote:
Originally posted by Pheaton
Some of you are hinting towards this being our server. It's not. Our servers are secure. This was another companies server, and I don't have anything to do with how it was secured or kept secure.
Their server is tomsyer, and their response times are VERY slow. That's why I was wondering if there was any way I could get back into the server without logining in. Seems not.
Looks like they'll have to get an OS reinstall on a new drive in that case.
well,
if you got access to ftp, and they have an old vuln kernel, you can try to exploit using php or perl. But I think that's stupid. Just get an OS reload.