I've been hacked with a r00tkit!!??!!

studioeng
Experienced
Posts: 454
Joined: Mon Oct 23, 2006 11:59 pm
Location: Dorset, England

Post by studioeng » Mon Oct 15, 2007 12:42 pm

Help guys :(

I've been sorting some stuff out on my server today, and I noticed something very odd. My email server has been acting weird the last couple of days, and my last successful log in was from some random host which I have never heard of; and on further investigation I have discovered someone has broken into my server and used a r00tkit.

Upset is a given, worried is an understatement, revengeful; you bet your a%$!!

Can anyone give me some top tips on how I can locate and destroy the r00tkit (and the m*ther F%&*ING a%&h$ole which broke in)?

I've got the feeling that I will need to reinstall the whole server. I've looked around for some information on r00tkits, but I'm far too annoyed to take any of it in. How paranoid do I need to be? Password changing of EVERYTHING? IP address changing??

.... :(
eMuNiX
Ex RouterTech Team
Posts: 901
Joined: Sat Jan 28, 2006 9:02 am

Post by eMuNiX » Mon Oct 15, 2007 1:17 pm

AVG antirootkit is what I used to resurrect a friend's PC.
studioeng
Experienced
Posts: 454
Joined: Mon Oct 23, 2006 11:59 pm
Location: Dorset, England

Post by studioeng » Mon Oct 15, 2007 1:19 pm

eMuNiX wrote: AVG antirootkit is what I used to resurrect a friend's PC.
Ahh, thanks eMu; I should have been a little clearer. My server is Linux based. As I am still getting to grips with the way it works, I'm completely in the dark about what to look for and check for possible damage or compromise.

Thank you anyway.
eMuNiX
Ex RouterTech Team
Posts: 901
Joined: Sat Jan 28, 2006 9:02 am

Post by eMuNiX » Mon Oct 15, 2007 1:40 pm

TripWire or Rootkit hunter?
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Post by mstombs » Mon Oct 15, 2007 1:42 pm

Not much help, but an amusing story about rootkits I came across recently.

dickm is the author of smoothwall etc..

http://blog.dickmorrell.org/?p=437

bet you wish you could do the same to your attacker!
studioeng
Experienced
Posts: 454
Joined: Mon Oct 23, 2006 11:59 pm
Location: Dorset, England

Post by studioeng » Mon Oct 15, 2007 1:58 pm

mstombs wrote: Not much help, but an amusing story about rootkits I came across recently.

dickm is the author of smoothwall etc..

http://blog.dickmorrell.org/?p=437

bet you wish you could do the same to your attacker!
That is very funny! Sweet sweet revenge.

Although I will say one thing about this, by the end of it, I'll know a lot more about the inner workings of linux :D
eMuNiX
Ex RouterTech Team
Posts: 901
Joined: Sat Jan 28, 2006 9:02 am

Post by eMuNiX » Mon Oct 15, 2007 2:23 pm

Have a look at OSSEC too.
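The tools suggested in the two posts above (Tripwire, rkhunter, OSSEC) all rest on the same idea: fingerprint the system binaries while they are known good, then compare later. The script below is an added example of that idea written for this thread; it is not code from any of those projects. It hashes every regular file under a directory, stores the baseline as JSON, and reports what was added, removed or changed. The tampered bin/ directory it builds is constructed for the demo.

```python
"""File-integrity baseline in the spirit of Tripwire/AIDE (added example, not
the code of those tools). Records a SHA-256, size and mode for every regular
file under a root and reports files that were added, removed or modified."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk `root` and fingerprint every regular file and symlink.
    Symlinks are recorded by target rather than followed, so a binary
    replaced by a link to something else shows up as a modification."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            st = p.lstat()
            rel = p.relative_to(root_path).as_posix()
            if stat.S_ISLNK(st.st_mode):
                baseline[rel] = {"type": "symlink", "target": os.readlink(p)}
            elif stat.S_ISREG(st.st_mode):
                baseline[rel] = {
                    "type": "file",
                    "sha256": _sha256(p),
                    "size": st.st_size,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines: paths added, removed, or whose fingerprint changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save_baseline(baseline: dict, path: str) -> None:
    # Keep the saved baseline off the monitored host (or on read-only media):
    # an intruder with root can simply rewrite one stored alongside the files.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo() -> dict:
    """Constructed scenario: baseline a fake bin/ directory, then tamper with it
    the way a rootkit install typically does (trojaned ps, new binary dropped,
    a tool removed)."""
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as store:
        bindir = Path(tree) / "bin"
        bindir.mkdir()
        (bindir / "ls").write_bytes(b"original ls binary")
        (bindir / "ps").write_bytes(b"original ps binary")
        (bindir / "netstat").write_bytes(b"original netstat binary")
        db = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(tree), db)

        (bindir / "ps").write_bytes(b"trojaned ps that hides processes")  # modified
        (bindir / "sshd2").write_bytes(b"dropped backdoor")               # added
        (bindir / "netstat").unlink()                                     # removed
        return compare(load_baseline(db), build_baseline(tree))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The important caveat is the one in the comment: a baseline kept on the compromised box is only as trustworthy as the box, and a kernel-level rootkit can lie to the hashing code about file contents, which is why a comparison from a clean boot medium, or a full reinstall as planned here, is the safer answer once a rootkit is confirmed.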
studioeng
Experienced
Posts: 454
Joined: Mon Oct 23, 2006 11:59 pm
Location: Dorset, England

Post by studioeng » Mon Oct 15, 2007 2:29 pm

Thanks for your tips guys. After reading through the relevant texts and readmes I have decided to shut the server down until I get home tonight.

I think a complete full network overhaul is in order. Password changes, IP range change, security changes etc.

I have no idea what they did, looked at, tried to do; so I think best to be 110% paranoid.

... It seems I am unable to shut the server down remotely ... what gives!? Now I'm even more concerned about what's been done to it... Had to disconnect the router to kill the net connection.

Livid is also another word I could use!!
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Post by mstombs » Mon Oct 15, 2007 2:38 pm

And now the Routertech banners in your sig are broken, which means your attacker may have been attracted to your website that you run off your enta DSL connection - from here!
Last edited by mstombs on Mon Oct 15, 2007 3:50 pm, edited 1 time in total.
studioeng
Experienced
Posts: 454
Joined: Mon Oct 23, 2006 11:59 pm
Location: Dorset, England

Post by studioeng » Mon Oct 15, 2007 3:17 pm

Yeah, my sigs are hosted on my server which has just had its connection cut.

I know exactly how they got in and you are very correct; it was from this site! Reading through the 'Uptime Displays' thread, they were able to locate and access my server using a non-obscured username and password and were able to run a r00tkit on the server.

Through something as trivial as an account to upload a single timestamp file from my router, they were able to access the server, all because it did not have Shell Access disabled.

I apologise in advance for the following:

[rant]
I suppose in a way it's a good thing this was brought to my attention, obviously they did not get the Ethical Hacking Course!? Obviously had something to prove; like most scriptkiddies or people with small enough brains to think that they have to make themselves feel better by destroying and disrupting others. Most people in that position just buy a BMW or other form of enlargement.

I mean what the hell have they gained? They couldn't have sent any spam mail, as for one the spam filter was still running, and it appears the SMTP server had already died 24hrs earlier. DDOS couldn't have been done, as most outgoing ports from the server are blocked, only those needed for email, web server and other needed programs are allowed through.

Now most people on here will know what's happened and double check their own machines/systems if they haven't already, and I will just re-install my machine not only bringing it back bigger and harder than before, but will get me back into the Linux frame of mind again. So again, not completely a bad thing.

So at the end of the day, the only person who loses out is them! Round of applause to you! Studioeng 1 - F&*kwit 0!!

For the record I hope they are reading this! Flame me, try and attack me again! I dare you!

PS Your girlfriend is a Pig!!
[/rant]

So, I think this is a better time than any to try a different distro. I need a LAMP server; email (SMTP POP3/IMAP with secure protocol); an FTP etc etc. Any suggestions? xD
studioeng
Experienced
Posts: 454
Joined: Mon Oct 23, 2006 11:59 pm
Location: Dorset, England

Post by studioeng » Mon Oct 15, 2007 3:39 pm

Most important thing I'm concerned about is if the attacker could have found out what my passwords are from the server. Is it possible to reveal passwords from Linux? I suppose I would have to worry about packet sniffers as well ... All depends on how keen they were on learning something.

I also found out that nmap was installed onto the server. Is that only a network analysing tool, or can it be used for attacks?
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Post by mstombs » Mon Oct 15, 2007 4:06 pm

studioeng wrote: So, I think this is a better time than any to try a different distro. I need a LAMP server; email (SMTP POP3/IMAP with secure protocol); an FTP etc etc. Any suggestions? xD
Just a few hundred to try

http://distrowatch.com/stats.php?section=popularity

You could test this claim out!
In around 15 minutes, the time it takes to install Ubuntu Server Edition, you can have a LAMP (Linux, Apache, MySQL and PHP) server up and ready to go. This feature, exclusive to Ubuntu Server Edition, is available at the time of installation.
studioeng
Experienced
Posts: 454
Joined: Mon Oct 23, 2006 11:59 pm
Location: Dorset, England

Post by studioeng » Mon Oct 15, 2007 4:13 pm

I'm sure I tried Ubuntu Server before, I could never get it past the initial shell login. Couldn't find out how to get the server configured or running, or even access from WinSCP, Putty or web interface.

Shall have to have another go.

I've just stuck to ClarkConnect 3.2 (4.0 turned out to be complete trash) 'cause it just had everything there in one place. Hopefully I can find something equally quick and easy to set up and tweak.
KevinR
Regular
Posts: 95
Joined: Sat Jul 14, 2007 8:51 pm

Post by KevinR » Mon Oct 15, 2007 7:21 pm

studioeng wrote: ... I also found out that nmap was installed onto the server. Is that only a network analysing tool, or can it be used for attacks?
Given that its own webpage says:
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.
They were looking for:
what hosts you have
what ports they have open
which firewalls protect them
and if nmap is a packet sniffer then they may have been looking for other passwords of yours crossing the LAN.

Also if your router has the default password - this would be a good time to change it AND check what DNS, etc it is configured to use.

PS: Did you mean that your signature bitmap had a username & password visible - or something else?
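The defender's side of what KevinR describes is spotting that kind of host-and-port discovery in your own firewall logs. The script below is an added example written for this thread (not from nmap or any firewall project): it parses iptables-style kernel log lines and reports a source address once it has touched many distinct destination ports inside a short window. The log lines are constructed, using RFC 5737 documentation addresses; the field layout (SRC=, DST=, DPT=) is the one the iptables LOG target writes.

```python
"""Detect port-scan-like behaviour in iptables-style kernel log lines (added
example; the log lines are constructed, with RFC 5737 documentation
addresses). A source that hits many distinct destination ports within a short
window is reported once."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str):
    """Return (timestamp, src, dport), or None for lines that are not firewall hits."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
    return ts, m.group("src"), int(m.group("dpt"))


def detect_scans(lines, threshold=10, window_seconds=60):
    """Per source, slide a time window over its hits and alert once when the
    number of distinct destination ports inside the window reaches `threshold`."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            ts, src, dport = ev
            hits[src].append((ts, dport))

    alerts = []
    for src, evs in hits.items():
        evs.sort()
        in_window = defaultdict(int)  # port -> hits currently inside the window
        left = 0
        for t, port in evs:
            in_window[port] += 1
            # Drop hits that have fallen out of the window.
            while (t - evs[left][0]).total_seconds() > window_seconds:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            if len(in_window) >= threshold:
                alerts.append({
                    "src": src,
                    "distinct_ports": len(in_window),
                    "first": evs[left][0].strftime("%b %d %H:%M:%S"),
                    "last": t.strftime("%b %d %H:%M:%S"),
                })
                break  # one alert per source is enough
    return alerts


def _line(ts: str, src: str, dport: int) -> str:
    # Constructed line in the shape of an iptables LOG target entry.
    return (f"{ts} server kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 LEN=60 "
            f"TTL=52 PROTO=TCP SPT=51000 DPT={dport} WINDOW=1024 SYN")


SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443]
SAMPLE_LOG = (
    [_line(f"Oct 15 12:40:{i:02d}", "203.0.113.5", p) for i, p in enumerate(SCAN_PORTS)]
    + [
        _line("Oct 15 12:41:00", "198.51.100.7", 80),   # ordinary web visitor
        _line("Oct 15 12:41:30", "198.51.100.7", 443),
        _line("Oct 15 12:42:00", "198.51.100.7", 80),
        # Non-firewall line: parse_line() skips it.
        "Oct 15 12:42:05 server sshd[812]: Accepted password for admin from 198.51.100.7",
    ]
)


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"possible scan from {a['src']}: {a['distinct_ports']} ports "
              f"between {a['first']} and {a['last']}")
```

Feed it `detect_scans(open("/var/log/kern.log"))` on a box whose INPUT chain has a LOG rule and it will run over real lines; the threshold and window are the knobs to tune so that a busy web client with two or three ports never trips it while a sweep of a dozen ports in ten seconds does.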
studioeng
Experienced
Posts: 454
Joined: Mon Oct 23, 2006 11:59 pm
Location: Dorset, England

Post by studioeng » Tue Oct 16, 2007 11:32 am

I have heard of nmap, but I have never used it or read into it. Thank you for explaining it in simpleton terms :)

There would have only been used ports open; such as email, web server etc. There are actually two firewalls on my network; the router, and then the server. The router did not use the default password, nor the default username. So as I say, it was pretty much a walled garden.

Stupidly in the thread 'Uptime Displays' on here I neglected to obscure a trivial username and password which I used to upload a single timestamp file to my server via FTP from my router; which I did not even realise had shell access.

I am still in the process of re-building my server and the whole network, I'm being paranoid and changing everything.
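The root cause described in this thread, an FTP upload account that also had a login shell, is something a short audit of /etc/passwd catches before an attacker does. The script below is an added example written for this thread, not a tool from any distribution: it parses passwd(5) lines, lists every account that is not on a nologin shell and not on your expected-users list, and also flags any second UID-0 account, a common backdoor left behind with a rootkit. The sample passwd content is constructed; the `routerup` account in it stands in for the timestamp-upload account.

```python
"""Audit a passwd file for accounts that can get an interactive shell (added
example; the sample passwd content is constructed). An upload-only account
should have a nologin shell, and any second UID-0 account is a classic sign
of a backdoor."""
NOLOGIN_SHELLS = {
    "/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false",
    "/bin/sync", "/sbin/shutdown", "/sbin/halt",
}

# Constructed sample: a LAMP/mail box with one upload-only account that was
# given a real shell and one extra UID-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:108:115:MySQL Server:/var/lib/mysql:/bin/false
routerup:x:1002:1002:router uptime upload:/home/routerup:/bin/bash
toor:x:0:0::/root:/bin/bash
admin:x:1000:1000:Admin:/home/admin:/bin/bash
"""


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines into dicts; reject malformed lines instead of
    silently skipping them, since a damaged passwd file is itself a finding."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "gecos": gecos, "home": home, "shell": shell})
    return accounts


def audit(accounts: list, allowed_shell_users: set) -> list:
    """Return (account, reason) pairs for anything that needs a look."""
    findings = []
    for a in accounts:
        if a["uid"] == 0 and a["name"] != "root":
            findings.append((a["name"], "second UID-0 account"))
        if a["shell"] not in NOLOGIN_SHELLS and a["name"] not in allowed_shell_users:
            findings.append((a["name"],
                             f"has login shell {a['shell']} but is not on the allowed list"))
    return findings


def audit_file(allowed_shell_users: set, path: str = "/etc/passwd") -> list:
    """Run the audit against a real passwd file (default: this host's)."""
    with open(path) as f:
        return audit(parse_passwd(f.read()), allowed_shell_users)


if __name__ == "__main__":
    for name, reason in audit(parse_passwd(SAMPLE_PASSWD), {"root", "admin"}):
        print(f"{name}: {reason}")
```

Run `audit_file({"root", "yourname"})` on the rebuilt server and the expected output is nothing at all; the fix for an account that does show up is to give it a nologin shell (or, for an FTP-only user, to create it without a shell in the first place), and the FTP daemon will still accept the upload.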