You probably still have ftp or ssh access from that machine, so you can copy your data off of it onto another server. But I'd say your best bet is unplug it from the internet, copy off all your data (not programs!), wipe clean, and reinstall. You never know what kinds of rootkits were installed, and you can't rely on any system info to be accurate since some rootkits are rather advanced.

Did you have SSL running without the recent (as in past month or so) patches?

-Marc

-----Original Message-----
From: Richard Goodman [mailto:dick@goodman1.net]
Sent: Wednesday, October 23, 2002 9:31 AM
To: wlug@mail.wlug.org
Subject: [Wlug] RH7.0 Hacked

I have two RH7.0 and two RH7.3 servers ... it appears that between 5-6am Tuesday both the 7.0 servers were hacked - identically. They are on the same ISP and often their firewalls pick up the same scans and probes.

I'm no expert, but this is what I think happened. The first clue was that I couldn't log in through ssh - got the message "The program does not understand the servers's version of the protocol"

Looking at /var/log/secure I saw:

10/22 5:34 xinetd fail ftp libwrap from 195.157.17.177
then two fails from 127.0.0.1

I'm running an unpatched wu-ftpd (which I'm sure didn't help me) but the host.allow/deny were set to only allow ftp from the internal network and one specified outside IP#

10/22 5:48 (twice) xinetd start pop3 pid=10804 from 127.0.0.1 [not me-sleeping]

10/22 6:09 Listener created on port 22
Daemon is running

Some poking around showed in /etc/ssh sshd (which should have been approx 200K) was 2,621,812 and dated 10/22, so probably a trojan? ssh_host_key, ssh_host_key_pub, ssh_random_seed, sshd_config all had 10/22 modified dates.

My web server also was not running (or at least serving local pages). I accidentally rebooted, the web server came back, but ssh did not.

Later I attempted to delete and reinstall sshd. rpm said it couldn't uninstall because it wasn't there, and couldn't install because it was there. I think it finally installed with --force, and sshd was about 186K, but the symptoms were the same.

It turns out that ftp is also now not operational from the internal network. There is a message about xinetd/ftp in the startup, but it's probably not important at this point.

After the reboot, ps -ax listed:

1811 D /sbin/modprobe -s -k block-major 7 [which I could not kill]

Obviously, I'm going to have to wipe the server (plan to offload a few .conf and mail config files, firewall script and leave /var/www - should that be safe?) and will probably load RH7.3 and patches. Any comments on what happened, or on rebuilding?

The hard drive is partitioned (a) / (b) /home (c) /var - and /home has only mail files. If I format (a) and delete some (which?) directories on /var, should I be ok? Would prefer not to rebuild the /var/www directories if possible.

With ftp and ssh both down, my only way to offload is to floppies? Boy, I miss not having ssh access!

Dick
_______________________________________________
Wlug mailing list
Wlug@mail.wlug.org
http://mail.wlug.org/mailman/listinfo/wlug
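As an added example (not part of the thread or of any WLUG member's code), a small Python triage script that applies the pattern Dick worked through by hand: scan a /var/log/secure excerpt for tcp_wrappers denials or xinetd service starts that originate from 127.0.0.1, and for an sshd listener appearing during hours when no admin should be active. The log lines are constructed in syslog/xinetd format from the events described above; the hostname web1, the quiet-hours window and the severity labels are assumptions.

```python
"""Triage a /var/log/secure excerpt for the indicators discussed in the thread."""
import re
from ipaddress import ip_address

# Syslog line, e.g. "Oct 22 05:34:02 web1 xinetd[812]: FAIL: ftp libwrap from=195.157.17.177"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# xinetd message body: "START: pop3 pid=10804 from=127.0.0.1" or "FAIL: ftp libwrap from=..."
XINETD_RE = re.compile(r"^(?P<event>START|FAIL): (?P<svc>\S+)(?: libwrap)?(?: pid=\d+)? from=(?P<src>\S+)")
QUIET_HOURS = range(0, 7)  # assumption: nobody administers the box before 07:00

# Constructed sample, modelled on the 10/22 entries quoted in the thread (hostname web1 assumed).
SAMPLE_SECURE_LOG = """\
Oct 22 05:34:02 web1 xinetd[812]: FAIL: ftp libwrap from=195.157.17.177
Oct 22 05:34:40 web1 xinetd[812]: FAIL: ftp libwrap from=127.0.0.1
Oct 22 05:34:41 web1 xinetd[812]: FAIL: ftp libwrap from=127.0.0.1
Oct 22 05:48:10 web1 xinetd[812]: START: pop3 pid=10804 from=127.0.0.1
Oct 22 05:48:12 web1 xinetd[812]: START: pop3 pid=10805 from=127.0.0.1
Oct 22 06:09:33 web1 sshd[10911]: Listener created on port 22.
Oct 22 09:31:05 web1 xinetd[812]: START: ftp pid=11002 from=192.168.1.20"""

def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def _is_loopback(src):
    try:
        return ip_address(src).is_loopback
    except ValueError:  # hostname rather than address
        return src == "localhost"

def triage(lines, quiet_hours=QUIET_HOURS):
    """Return (severity, reason, line) findings in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        quiet = int(rec["time"][:2]) in quiet_hours
        if rec["prog"] == "xinetd" and (xm := XINETD_RE.match(rec["msg"])):
            if xm["event"] == "FAIL" and _is_loopback(xm["src"]):
                findings.append(("high", "tcp_wrappers denial from loopback: a local process is probing services", line))
            elif xm["event"] == "START" and _is_loopback(xm["src"]) and quiet:
                findings.append(("high", f"{xm['svc']} started from loopback during quiet hours", line))
            elif xm["event"] == "FAIL":
                findings.append(("low", f"external {xm['svc']} probe blocked by tcp_wrappers", line))
        elif rec["prog"] == "sshd" and "Listener created" in rec["msg"] and quiet:
            findings.append(("high", "sshd (re)started in quiet hours: compare binary size/date with install media", line))
    return findings

if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_SECURE_LOG.splitlines()):
        print(f"[{sev}] {why}\n    {line}")
```

Run against the real file with `triage(open("/var/log/secure").read().splitlines())`, bearing in mind Marc's caveat that logs read on a rooted host may themselves have been edited.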