Urgent!!! My computer seems to be hacked, pls HELP!!! - SSH


  1. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    On Fri, 15 Sep 2006 02:13:50 GMT, Randy Yates wrote:

    >Grant writes:
    >
    >> On Thu, 14 Sep 2006 23:20:22 GMT, Randy Yates wrote:

    ....
    >> tar cvzf .../backup-config.tar.gz /etc /boot/config-*

    >
    >Ha! And you think that's all there is to it? What about
    >all the libraries and sym links strung all over heck?
    >
    >> Wipe OS partition (6Ps)

    >
    >6Ps?

    Prior Planning Prevents Piss Poor Performance
    >
    >> re-install OS, unpack backup-config to /tmp
    >> and cherry pick custom .conf files

    >
    >Oh yeah - that's going to be a picnic. I just
    >did a count in my /etc and I have 405 configuration
    >files.


    The most recent dozen or so matter, the rest don't. I don't run an MTA
    here, but got samba, nfs, sshd, etc.

    >And I think you're being optimistic.


    Well I took a config backup and updated to slack-current 'live', prepared
    to reinstall if it fell over, it didn't fall over, renamed some .new configs
    to replace old ones, checked and kept custom configs, rebooted to get all
    new files into memory: pppoe, web, ftp, sshd servers all fine.

    Offline time 1 or 2 minutes. Box is Internet facing router / server.
    >
    >> If you have separate
    >> /home and /usr/local partitions, replacing the OS is a snap...

    >
    >Although I couldn't name a specific one, I bet there are more than a
    >few local apps that install themselves in /usr/bin and whatever other
    >non-standard locations, and they don't ask the installers permission
    >for it.


    That should be under admin control -- I expect non-distro apps to go
    into /usr/local area, I don't know why so many extras are shoved into
    the OS 'space'.

    Again, a logbook (or text file) of changes made helps a lot.

    >I've been wondering lately if there's some God-send utility that would
    >track installs for the purpose of alleviating the pain of such
    >reinstalls.


    There is one called 'checkinstall', dunno if it is generic, never used
    it. Takes place of the 'make install' step and records all the damage
    and insults to the OS for later unwind?

    Grant.
    --
    http://bugsplatter.mine.nu/

  2. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    Randy Yates wrote:

    > If the OP's like me, they are loath to do this not for the basic OS
    > install, but for the dozens or perhaps hundreds of other
    > upgrades/applications/tweaks that they've performed since they first
    > installed their OS. If I had to re-install, it would probably chew
    > up a week of my time to reconfigure everything back just the way it
    > was.


    I recommend making a disk image of the clean, completely installed
    system and burn the image to CDs.
    Repeat this after each major install.
    Restoring the 15GB of files on my system HD takes about 1 hour.


    --
    email me: change "nospam" to "w.hennings"
    Wilfried Hennings c./o.
    Forschungszentrum (Research Center) Juelich GmbH, MUT

    All opinions mentioned are strictly my own, not my employer's.

  3. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    René Berber wrote:
    > Darren Dunham wrote:
    >
    >>
    >>Unless the CD nukes any unknown (read non-OS) executable on the drive or
    >>you have some known state to compare against (a la tripwire), I don't
    >>see how you can effectively check a drive. It's certainly possible, but
    >>requires you've done work before the attack. Afterward is too late.

    >
    >
    > Not true, and it really makes no sense continuing to discuss this.


    Yes, true. Once a hacker gains root access to your box, you cannot
    trust *any* program or library on it again. I thought this would've
    been almost self-evident, but I guess it isn't to some people.

    --
    Christopher Mattern

    "Which one you figure tracked us?"
    "The ugly one, sir."
    "...Could you be more specific?"

  4. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    Chris Mattern writes:

    > René Berber wrote:
    >> Darren Dunham wrote:
    >>
    >>>
    >>>Unless the CD nukes any unknown (read non-OS) executable on the drive or
    >>>you have some known state to compare against (a la tripwire), I don't
    >>>see how you can effectively check a drive. It's certainly possible, but
    >>>requires you've done work before the attack. Afterward is too late.

    >> Not true, and it really makes no sense continuing to discuss this.

    >
    > Yes, true. Once a hacker gains root access to your box, you cannot
    > trust *any* program or library on it again. I thought this would've
    > been almost self-evident, but I guess it isn't to some people.


    Instead of both sides making empty claims, why not back the claims up
    with some specific, concrete examples or possibilities? I for one
    would love to see how these "rootkits" accomplish their nasty tricks,
    and would like to try my mind at defeating them.
    --
    % Randy Yates % "Though you ride on the wheels of tomorrow,
    %% Fuquay-Varina, NC % you still wander the fields of your
    %%% 919-577-9882 % sorrow."
    %%%% % '21st Century Man', *Time*, ELO
    http://home.earthlink.net/~yatescr

  5. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    Randy Yates writes:
    > [...]


    > I for one would love to see how these "rootkits" accomplish their
    > nasty tricks, and would like to try my mind at defeating them.


    Never mind - I just found www.rootkit.com. ... Unless they're sneaky
    enough to use this site to spread false information...
    --
    % Randy Yates % "Remember the good old 1980's, when
    %% Fuquay-Varina, NC % things were so uncomplicated?"
    %%% 919-577-9882 % 'Ticket To The Moon'
    %%%% % *Time*, Electric Light Orchestra
    http://home.earthlink.net/~yatescr

  6. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    Randy Yates wrote:
    > Chris Mattern writes:
    >
    >
    >>René Berber wrote:
    >>
    >>>Darren Dunham wrote:
    >>>
    >>>
    >>>>Unless the CD nukes any unknown (read non-OS) executable on the drive or
    >>>>you have some known state to compare against (a la tripwire), I don't
    >>>>see how you can effectively check a drive. It's certainly possible, but
    >>>>requires you've done work before the attack. Afterward is too late.
    >>>
    >>>Not true, and it really makes no sense continuing to discuss this.

    >>
    >>Yes, true. Once a hacker gains root access to your box, you cannot
    >>trust *any* program or library on it again. I thought this would've
    >>been almost self-evident, but I guess it isn't to some people.

    >
    >
    > Instead of both sides making empty claims, why not back the claims up
    > with some specific, concrete examples or possibilities? I for one
    > would love to see how these "rootkits" accomplish their nasty tricks,
    > and would like to try my mind at defeating them.


    Specific concrete examples are easy to see. You use lsof and ps
    to see what's running on your box and what processes are running.
    But lsof and ps are program files writable by anyone who has root;
    the rootkit can rewrite them to its own specification. You use
    ls to look at the files--the rootkit can rewrite this as well.
    Every OS program on your system uses libc, which, once again, the
    rootkit can rewrite so that you see only what it wants you to see.
    In short, every bit of program code on your box can be rewritten
    by the hacker so that it shows you only what he wants you to see.
    If he reboots your box, he can even subvert the kernel itself. In
    fact, he can subvert the kernel even *without* rebooting the box by
    careful manipulation of memory. How can any of it be trusted?

    --
    Christopher Mattern

    "Which one you figure tracked us?"
    "The ugly one, sir."
    "...Could you be more specific?"
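    The hiding Chris Mattern describes (trojaned ps/lsof, or a patched libc
    underneath them) can be checked for with a cross-view comparison. What
    follows is an added example, not code from any poster in this thread: it
    takes two independent views of the PID space on a Linux box, the /proc
    directory listing that ps and lsof ultimately rely on, and a brute-force
    kill(pid, 0) probe that asks the kernel directly whether each PID exists,
    and reports PIDs present in the second view but missing from the first.
    It assumes a Linux /proc; the function names are made up here.

```python
"""Cross-view check for processes hidden from a trojaned ps/libc.

Added example, not from the thread. A userland rootkit that patches ps or
hooks readdir() in libc can filter the /proc listing, but it cannot change
the kernel's answer to kill(pid, 0). A PID the probe finds and the listing
lacks is therefore suspicious. Limitation, as Chris says about kernel-mode
kits: a rootkit hooking the syscalls themselves can lie to both views, so
this only catches application-level kits.
"""
import os


def listed_pids(proc="/proc"):
    """PIDs as shown by the /proc directory listing (view 1)."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def listed_thread_ids(pids, proc="/proc"):
    """TIDs of the threads of every visible process.

    kill(tid, 0) also succeeds for thread IDs, and threads never appear as
    top-level /proc entries, so without this filter every multithreaded
    process would be reported as hidden.
    """
    tids = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"{proc}/{pid}/task") if t.isdigit())
        except OSError:
            pass  # the process exited between the two reads
    return tids


def probed_pids(max_pid):
    """PIDs the kernel admits exist, found by probing with signal 0 (view 2)."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue          # ESRCH: no such process
        except PermissionError:
            found.add(pid)    # EPERM: exists, just not owned by us
    return found


def hidden_pids(listed, probed, threads=frozenset()):
    """Pure comparison: PIDs the kernel admits to but the listing omits."""
    return sorted(set(probed) - set(listed) - set(threads))


def read_pid_max(path="/proc/sys/kernel/pid_max"):
    with open(path) as f:
        return int(f.read())


def scan(proc="/proc"):
    """Two passes, intersected, so a process that merely started or exited
    between the listing and the probe is not reported as hidden."""
    max_pid = read_pid_max(f"{proc}/sys/kernel/pid_max")
    passes = []
    for _ in range(2):
        listed = listed_pids(proc)
        threads = listed_thread_ids(listed, proc)
        passes.append(set(hidden_pids(listed, probed_pids(max_pid), threads)))
    return sorted(passes[0] & passes[1])


if __name__ == "__main__":
    hidden = scan()
    print("hidden PIDs:", hidden or "none")
```

    Probing every PID up to pid_max (4194304 on recent kernels) takes a few
    seconds from Python; run it as root so EPERM is not the normal case, and
    treat a non-empty result as a reason to take the box offline and image
    it, not as a cleanup list.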

  7. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    A useful trick could be to copy common binaries like ps, lsof etc, to
    files with unrecognizable names, in hopes that rootkits will not
    modify the binaries that they do not know. That would need to be done
    prior to virus infestation.

    I recently saw some linux virus attacks on my server, trying to
    exploit vulnerability in some commercial PHP software (which I do not
    have installed). A hacked linux server is a very valuable thing for
    hackers, as it often has a lot more power and bandwidth, since it is
    more likely to be a dedicated/colocated server.

    i

    On Fri, 15 Sep 2006 12:24:37 -0400, Chris Mattern wrote:
    > Randy Yates wrote:
    >> Chris Mattern writes:
    >>
    >>
    >>>René Berber wrote:
    >>>
    >>>>Darren Dunham wrote:
    >>>>
    >>>>
    >>>>>Unless the CD nukes any unknown (read non-OS) executable on the drive or
    >>>>>you have some known state to compare against (a la tripwire), I don't
    >>>>>see how you can effectively check a drive. It's certainly possible, but
    >>>>>requires you've done work before the attack. Afterward is too late.
    >>>>
    >>>>Not true, and it really makes no sense continuing to discuss this.
    >>>
    >>>Yes, true. Once a hacker gains root access to your box, you cannot
    >>>trust *any* program or library on it again. I thought this would've
    >>>been almost self-evident, but I guess it isn't to some people.

    >>
    >>
    >> Instead of both sides making empty claims, why not back the claims up
    >> with some specific, concrete examples or possibilities? I for one
    >> would love to see how these "rootkits" accomplish their nasty tricks,
    >> and would like to try my mind at defeating them.

    >
    > Specific concrete examples are easy to see. You use lsof and ps
    > to see what's running on your box and what processes are running.
    > But lsof and ps are program files writable by anyone who has root;
    > the rootkit can rewrite them to its own specification. You use
    > ls to look at the files--the rootkit can rewrite this as well.
    > Every OS program on your system uses libc, which, once again, the
    > rootkit can rewrite so that you see only what it wants you to see.
    > In short, every bit of program code on your box can be rewritten
    > by the hacker so that it shows you only what he wants you to see.
    > If he reboots your box, he can even subvert the kernel itself. In
    > fact, he can subvert the kernel even *without* rebooting the box by
    > careful manipulation of memory. How can any of it be trusted?
    >



  8. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    Randy Yates writes:

    > Chris Mattern writes:
    >
    > > René Berber wrote:
    > >> Darren Dunham wrote:
    > >>
    > >>>
    > >>>Unless the CD nukes any unknown (read non-OS) executable on the drive or
    > >>>you have some known state to compare against (a la tripwire), I don't
    > >>>see how you can effectively check a drive. It's certainly possible, but
    > >>>requires you've done work before the attack. Afterward is too late.
    > >> Not true, and it really makes no sense continuing to discuss this.

    > >
    > > Yes, true. Once a hacker gains root access to your box, you cannot
    > > trust *any* program or library on it again. I thought this would've
    > > been almost self-evident, but I guess it isn't to some people.

    >
    > Instead of both sides making empty claims, why not back the claims up
    > with some specific, concrete examples or possibilities? I for one
    > would love to see how these "rootkits" accomplish their nasty tricks,
    > and would like to try my mind at defeating them.


    There's not really two sides to this debate.

    Rene would find him or herself in a _very_ stark minority of
    security professionals (or perhaps is not a security professional but
    rather a system administrator) in debating the wisdom of flattening
    and rebuilding once an administrator account has been breached on a
    system.

    Rootkits in general, install backdoors into a system. They can be as
    simple as replacing your real sshd, for example, with one that has a
    coded backdoor account into it with a fixed name account and a
    password known to the attacker. More proper rootkits will replace
    utilities like ls, ps, netstat, and lsof with versions that hide files
    and connections the attacker wants to use, and do everything possible
    to hide the presence. These sorts of application level kits can be
    detected with root kit detection run on the system and potentially
    cleaned up. They rely on file signatures to compare against to detect
    the changes. Tripwire is a good complementary tool for file integrity
    checking, provided you run it first on a known-good system
    configuration and have knowledge of what files are normal to change.

    Kernel mode rootkits are nastier still. They get in at the kernel
    level and intercept calls and modify results at their bidding. Since
    they're interacting with the OS at the most intimate level, they can
    evade detection easily since any program running on top of a corrupted
    kernel has a hard time doing anything with reliable results. So, even
    if the ls binary is stock and clean, the calls ls makes get
    intercepted, and your file hiding is done that way for instance. Same
    with process hiding from ps. Or open file hiding from lsof. The only
    conceptual way to detect that is with an offline scan booting into an
    alternate OS or kernel (e.g. a live CD). In a custom compiled kernel,
    though, a scanner has a tough job scanning for tell-tale signatures of
    such a rootkit unless it's a very well known one. A kernel mode
    rootkit that's been hand modified or customized, based on the
    limitations of signature based detection technologies, is damned
    difficult to detect. As said previously, detectors can only detect
    things they know about, and given that the more sophisticated
    attackers always customize their attacks, you can see the problem.

    So, the possibilities for being 0wn3d are pretty broad, and given that
    you can't detect everything that's out there is why the "flatten and
    rebuild from original media" recommendation is the one to go with
    unless you can withstand the risk of thinking you're clean, when in fact
    you're still owned.

    For more info and links, http://en.wikipedia.org/wiki/Rootkits isn't
    too bad.

    Of particular note is the Removal section:
    http://en.wikipedia.org/wiki/Rootkits#Removing



    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
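    Todd's point that Tripwire only helps if you baseline a known-good system
    first, and Grant's cherry-picking of custom .conf files from a tarball of
    /etc (post 1), both come down to recording one file tree and comparing a
    later one against it. The following is an added example, not code from
    the thread and not Tripwire itself: it records SHA-256, size, mode and
    owner of every regular file under a root into a JSON baseline, then
    reports added, removed and modified paths. For the Tripwire use, take the
    baseline on the clean system, keep it on read-only media, and after a
    suspected compromise boot a live CD, mount the disk read-only and run the
    comparison from there; hashing from the possibly-compromised running
    system proves nothing, since its kernel or libc may lie about file
    contents. For Grant's use, snapshot the backed-up /etc and the freshly
    installed /etc; "modified" and "removed" are the configs to carry over.
    Function names and the sample tree are made up here.

```python
"""Minimal Tripwire-style file-integrity baseline and comparison.

Added example, not from the thread. snapshot() walks a tree; compare()
diffs two snapshots. demo() builds a constructed /etc in a temp directory
so the whole thing runs offline.
"""
import hashlib
import json
import os
import stat

CHUNK = 1 << 16


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map of root-relative path -> attributes, for every regular file."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices are not hashed here
            entries[os.path.relpath(full, root)] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),  # a new setuid bit is a change
                "uid": st.st_uid,
            }
    return entries


def compare(baseline, current):
    """Paths added, removed, or whose recorded attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(entries, path):
    with open(path, "w") as f:
        json.dump(entries, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed tree: baseline it, then tamper the way an intruder or a
    reinstall would, and return the comparison."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(os.path.join(etc, "ssh"))
        with open(os.path.join(etc, "ssh", "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        base = snapshot(etc)
        # tampering (constructed): edit a config, drop in a preload file
        # pointing at a made-up library, delete a file
        with open(os.path.join(etc, "ssh", "sshd_config"), "a") as f:
            f.write("PermitRootLogin yes\n")
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/lib/libhidden.so\n")  # hypothetical path, not a real file
        os.remove(os.path.join(etc, "hosts"))
        return compare(base, snapshot(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

    Real use is save_baseline(snapshot("/mnt/disk/etc"), "/media/cdrom/etc.json")
    on the clean box and compare(load_baseline(...), snapshot(...)) from the
    live CD; the "what files are normal to change" knowledge Todd mentions is
    still on you, since logs, caches and package-manager state will always
    show up as modified.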

  9. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    Interesting. Vely interesting. (As Art Carnie used to say,
    but you'd have to be >45 years old to know that...) Thanks
    for the dump of knowledge, Todd.

    These discussions bring to mind a practical question: other
    than ssh, what is the most likely way a linux system would
    be owned/hacked?
    --
    % Randy Yates % "I met someone who looks a lot like you,
    %% Fuquay-Varina, NC % she does the things you do,
    %%% 919-577-9882 % but she is an IBM."
    %%%% % 'Yours Truly, 2095', *Time*, ELO
    http://home.earthlink.net/~yatescr

  10. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    Randy Yates wrote:
    > Interesting. Vely interesting. (As Art Carnie used to say,
    > but you'd have to be >45 years old to know that...) Thanks
    > for the dump of knowledge, Todd.
    >


    Uh, Art Carney was Ed Norton in the Honeymooners. You're
    thinking of Artie Johnson.

    --
    Christopher Mattern

    "Which one you figure tracked us?"
    "The ugly one, sir."
    "...Could you be more specific?"

  11. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    Randy Yates writes:

    > Interesting. Vely interesting. (As Art Carnie used to say,
    > but you'd have to be >45 years old to know that...) Thanks
    > for the dump of knowledge, Todd.
    >
    > These discussions bring to mind a practical question: other
    > than ssh, what is the most likely way a linux system would
    > be owned/hacked?


    Practically these days, it running Apache with a backlevel version of
    PHP installed would be a great way to invite trouble for a server box,
    depending on what web pages or any custom code it were serving.

    For a workstation box, an old level of Firefox and a user stumbling
    upon a website that has exploit code built in would be a great way to
    get owned by this vulnerability:
    http://www.securityfocus.com/bid/19181/discuss

    Or by running any network service open to the internet that hasn't
    been patched by the user in a long time.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  12. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    Chris Mattern writes:

    > Randy Yates wrote:
    >> Interesting. Vely interesting. (As Art Carnie used to say,
    >> but you'd have to be >45 years old to know that...) Thanks
    >> for the dump of knowledge, Todd.
    >>

    >
    > Uh, Art Carney was Ed Norton in the Honeymooners. You're
    > thinking of Artie Johnson.


    I sit (with rather bad posture) corrected.
    --
    % Randy Yates % "Bird, on the wing,
    %% Fuquay-Varina, NC % goes floating by
    %%% 919-577-9882 % but there's a teardrop in his eye..."
    %%%% % 'One Summer Dream', *Face The Music*, ELO
    http://home.earthlink.net/~yatescr

  13. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    On Fri, 15 Sep 2006 16:36:47 GMT, Ignoramus17640 wrote:

    >I recently saw some linux virus attacks on my server, trying to
    >exploit vulnerability in some commercial PHP software (which I do not
    >have installed).


    Too many install LAMPs (Linux Apache MySQL PHP) boxen and run non-secure
    PHP crapware

    > A hacked linux server is a very valuable thing for
    >hackers, as it often has a lot more power and bandwidth, since it is
    >more likely to be a dedicated/colocated server.


    Too true. I see those attacks and am impervious since I don't run PHP,
    easy enough to run a secure public access system.

    As far as compromised systems go, wiping the OS partition and starting
    over seems safest, and run /usr read-only?

    Grant.
    --
    http://bugsplatter.mine.nu/

  14. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    On Fri, 15 Sep 2006 16:09:34 GMT, Randy Yates wrote:

    >Instead of both sides making empty claims, why not back the claims up
    >with some specific, concrete examples or possibilities? I for one
    >would love to see how these "rootkits" accomplish their nasty tricks,
    >and would like to try my mind at defeating them.


    Security deals in possibilities, not probabilities.

    Many who argue probable outcomes are shocked when the improbable
    happens.

    Simple precaution: Do not offer public login services. If you must,
    then take great care.

    The other common entry point these days is PHP: people using other's
    scripts --> microsoft-think, letting the data be executable, it is
    inherently non-secure.

    Defeating attacks before or after being compromised? I've been on ADSL
    24/7 well over two years without a problem. My firewall rules are:



    Grant.
    --
    http://bugsplatter.mine.nu/

  15. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    On Sat, 16 Sep 2006 07:01:56 +1000, Grant wrote:
    > On Fri, 15 Sep 2006 16:36:47 GMT, Ignoramus17640 wrote:
    >
    >>I recently saw some linux virus attacks on my server, trying to
    >>exploit vulnerability in some commercial PHP software (which I do not
    >>have installed).

    >
    > Too many install LAMPs (Linux Apache MySQL PHP) boxen and run non-secure
    > PHP crapware


    yes, it seems that a few php features make it easy to make bad
    security mistakes.

    I am running some php software, but very little and mostly use
    mod_perl.

    >> A hacked linux server is a very valuable thing for
    >>hackers, as it often has a lot more power and bandwidth, since it is
    >>more likely to be a dedicated/colocated server.

    >
    > Too true. I see those attacks and am impervious since I don't run PHP,
    > easy enough to run a secure public access system.


    I would not make such far reaching statements, though I share your
    sentiments broadly.

    > As far as compromised systems go, wiping the OS partition and starting
    > over seems safest, and run /usr read-only?


    I would do no less.

    i

