I've been hacked with a r00tkit!!??!!
- studioeng
- Experienced
- Posts: 454
- Joined: Mon Oct 23, 2006 11:59 pm
- Location: Dorset, England
- Contact:
Help guys
I've been sorting some stuff out on my server today, and I noticed something very odd. My email server has been acting weird the last couple of days, and my last successful log in was from some random host which I have never heard of; and on further investigation I have discovered someone has broken into my server and used a r00tkit.
Upset is a given, worried is an understatement, revengeful; you bet your a%$!!
Can anyone give me some top tips on how I can locate and destroy the r00tkit (and the m*ther F%&*ING a%&h$ole which broke in)?
I've got the feeling that I will need to reinstall the whole server. I've looked around for some information on r00tkits, but I'm far too annoyed to take any of it in. How paranoid do I need to be? Password changing of EVERYTHING? IP address changing??
....
- studioeng
eMuNiX wrote: AVG antirootkit is what I used to resurrect a friend's PC.
Ahh, thanks eMu; I should have been a little clearer. My server is Linux based. As I am still getting to grips with the way it works, I'm completely in the dark as to what to look for and check for possible damage or compromise.
Thank you anyway.
Not much help, but amusing story about rootkits I came across recently
dickm is the author of smoothwall etc..
http://blog.dickmorrell.org/?p=437
bet you wish you could do the same to your attacker!
- studioeng
mstombs wrote: Not much help, but amusing story about rootkits I came across recently
dickm is the author of smoothwall etc..
http://blog.dickmorrell.org/?p=437
bet you wish you could do the same to your attacker!
That is very funny! Sweet sweet revenge.
Although I will say one thing about this, by the end of it, I'll know a lot more about the inner workings of linux
- studioeng
Thanks for your tips guys. After reading through the relevant texts and readmes I have decided to shut the server down until I get home tonight.
I think a complete full network overhaul is in order. Password changes, IP range change, security changes etc.
I have no idea what they did, looked at, tried to do; so I think best to be 110% paranoid.
... It seems I am unable to shut the server down remotely ... what gives!? Now I'm even more concerned to what's been done to it... Had to disconnect the router to kill the net connection.
Livid is also another word I could use!!
And now the Routertech banners in your sig are broken, which means your attacker may have been attracted to your website that you run off your enta DSL connection - from here!
Last edited by mstombs on Mon Oct 15, 2007 3:50 pm, edited 1 time in total.
- studioeng
Yeah, my sigs are hosted on my server which has just had its connection cut.
I know exactly how they got in and you are very correct; it was from this site! Reading through the 'Uptime Displays' thread, they were able to locate and access my server using a non-obscured username and password and were able to run a r00tkit on the server.
Through something as trivial as an account to upload a single timestamp file from my router, they were able to access the server, all because it did not have Shell Access disabled.
I apologise in advance for the following:
[rant]
I suppose in a way it's a good thing this was brought to my attention, obviously they did not get the Ethical Hacking Course!? Obviously had something to prove; like most scriptkiddies or people with small enough brains to think that they have to make themselves feel better by destroying and disrupting others. Most people in that position just buy a BMW or other form of enlargement.
I mean what the hell have they gained? They couldn't have sent any spam mail, as for one the spam filter was still running, and it appears the SMTP server had already died 24hrs earlier. DDOS couldn't have been done, as most outgoing ports from the server are blocked, only those needed for email, web server and other needed programs are allowed through.
Now most people on here will know what's happened and double check their own machines/systems if they haven't already, and I will just re-install my machine not only bringing it back bigger and harder than before, but will get me back into the Linux frame of mind again. So again, not completely a bad thing.
So at the end of the day, the only person who loses out is them! Round of applause to you! Studioeng 1 - F&*kwit 0!!
For the record I hope they are reading this! Flame me, try and attack me again! I dare you!
PS Your girlfriend is a Pig!!
[/rant]
So, I think this is a better time than any to try a different distro. I need a LAMP server; email (SMTP POP3/IMAP with secure protocol); an FTP etc etc. Any suggestions? xD
- studioeng
Most important thing I'm concerned about is if the attacker could have found out what my passwords are from the server. Is it possible to reveal passwords from Linux? I suppose I would have to worry about packet sniffers as well ... All depends on how keen they were on learning something.
I also found out that nmap was installed onto the server. Is that only a network analysing tool, or can it be used for attacks?
studioeng wrote: So, I think this is a better time than any to try a different distro. I need a LAMP server; email (SMTP POP3/IMAP with secure protocol); an FTP etc etc. Any suggestions? xD
Just a few hundred to try
http://distrowatch.com/stats.php?section=popularity
You could test this claim out!
In around 15 minutes, the time it takes to install Ubuntu Server Edition, you can have a LAMP (Linux, Apache, MySQL and PHP) server up and ready to go. This feature, exclusive to Ubuntu Server Edition, is available at the time of installation.
- studioeng
I'm sure I tried Ubuntu Server before; I could never get it past the initial shell login. Couldn't find out how to get the server configured or running, or even access it from WinSCP, Putty or a web interface.
Shall have to have another go.
I've just stuck to ClarkConnect 3.2 (4.0 turned out to be complete trash) 'cause it just had everything there in one place. Hopefully I can find something equally quick and easy to set up and tweak.
studioeng wrote: ... I also found out that nmap was installed onto the server. Is that only a network analysing tool, or can it be used for attacks?
Given that its own webpage says:
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.
They were looking for:
- what hosts you have
- what ports they have open
- which firewalls protect them
and if nmap is a packet sniffer then they may have been looking for other passwords of yours crossing the LAN.
Also if your router has the default password, this would be a good time to change it AND check what DNS, etc. it is configured to use.
PS: Did you mean that your signature bitmap had a username & password visible, or something else?
- studioeng
I have heard of nmap, but I have never used it or read into it. Thank you for explaining it in simpleton terms
There would have only been used ports open; such as email, web server etc. There are actually two firewalls on my network; the router, and then the server. The router did not use the default password, nor the default username. So as I say, it was pretty much a walled garden.
Stupidly, in the thread 'Uptime Displays' on here I neglected to obscure a trivial username and password which I used to upload a single timestamp file to my server via FTP from my router; which I did not even realise had shell access.
I am still in the process of re-building my server and the whole network, I'm being paranoid and changing everything.
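The weak point in this thread was an FTP upload account that still had a login shell, so a leaked FTP password became shell access. The audit script below is an added example, not code from the thread or any of its posters: it reads /etc/passwd (a constructed sample is embedded) and lists every account that can still get an interactive shell, so upload-only accounts can be moved to a non-login shell. The set of non-login shells and the sample account names are assumptions.

```python
"""Audit /etc/passwd for accounts that can still get a shell.

Added example, not from the thread. Lists every account whose shell
is interactive so that accounts which only need to upload files via
FTP can be switched to a non-login shell before they are abused.
"""
import sys
from typing import List, Tuple

# Shells that refuse an interactive login. Anything else is treated as
# a real shell (an assumption; extend this for your distribution).
NON_LOGIN_SHELLS = {
    "/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false",
}

# Constructed sample in /etc/passwd format: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:108:65534::/srv/ftp:/usr/sbin/nologin
uptime:x:1001:1001:router timestamp upload:/home/uptime:
admin:x:1000:1000:admin:/home/admin:/bin/bash
"""


def interactive_accounts(passwd_text: str) -> List[Tuple[str, int, str]]:
    """Return (user, uid, shell) for every account with a login shell."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: report nothing rather than guess
        user, _, uid, _, _, _, shell = fields
        shell = shell or "/bin/sh"  # an empty shell field means /bin/sh
        if shell not in NON_LOGIN_SHELLS:
            found.append((user, int(uid), shell))
    return found


def remediation(user: str) -> str:
    """Command that turns an upload-only account into a non-login one."""
    return f"usermod -s /usr/sbin/nologin {user}"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for user, uid, shell in interactive_accounts(text):
        print(f"{user:<10} uid={uid:<6} shell={shell}")
        print("    if this account only uploads files:", remediation(user))
```

Run it as `python3 audit_shells.py /etc/passwd` on the rebuilt server; the sample run flags the `uptime` upload account because its empty shell field still grants /bin/sh.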