I have two RH7.0 and two RH7.3 servers ... it appears that between 5-6am Tuesday both the 7.0 servers were hacked - identically. They are on the same ISP and often their firewalls pick up the same scans and probes.

I'm no expert, but this is what I think happened.

The first clue was that I couldn't log in through ssh - got the message "The program does not understand the servers's version of the protocol"

Looking at /var/log/secure I saw:

10/22 5:34 xinetd fail ftp libwrap from 195.157.17.177, then two fails from 127.0.0.1. I'm running an unpatched wu-ftpd (which I'm sure didn't help me) but the hosts.allow/deny were set to only allow ftp from the internal network and one specified outside IP#.

10/22 5:48 (twice) xinetd start pop3 pid=10804 from 127.0.0.1 [not me - sleeping]

10/22 6:09 Listener created on port 22, Daemon is running

Some poking around showed in /etc/ssh sshd (which should have been approx 200K) was 2,621,812 and dated 10/22, so probably a trojan? ssh_host_key, ssh_host_key_pub, ssh_random_seed, sshd_config all had 10/22 modified dates.

My web server also was not running (or at least serving local pages).

I accidentally rebooted, the web server came back, but ssh did not. Later I attempted to delete and reinstall sshd. rpm said it couldn't uninstall because it wasn't there, and couldn't install because it was there. I think it finally installed with --force, and sshd was about 186K, but the symptoms were the same.

It turns out that ftp is also now not operational from the internal network. There is a message about xinetd/ftp in the startup, but it's probably not important at this point.

After the reboot, ps -ax listed: 1811 D /sbin/modprobe -s -k block-major 7 [which I could not kill]

Obviously, I'm going to have to wipe the server (plan to offload a few .conf and mail config files, firewall script and leave /var/www - should that be safe?) and will probably load RH7.3 and patches.

Any comments on what happened, or on rebuilding?

The hard drive is partitioned (a) / (b) /home (c) /var - and /home has only mail files. If I format (a) and delete some (which?) directories on /var, should I be ok? Would prefer not to rebuild the /var/www directories if possible. With ftp and ssh both down, my only way to offload is to floppies?

Boy, I miss not having ssh access!

Dick
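The sequence Dick describes in /var/log/secure (a tcp_wrappers refusal from an outside address, then refusals and service starts from 127.0.0.1 while nobody was logged in) is the kind of pattern worth pulling out of xinetd logs mechanically rather than by eye. The script below is an added example for readers of this thread, not code from the thread or from Red Hat. It assumes xinetd's standard "START: svc pid=N from=IP" and "FAIL: svc libwrap from=IP" line shapes; the sample lines are constructed to mirror the post's timeline and are not the poster's real log. It flags outside refusals, anything refused or started from the loopback address, and marks loopback activity that follows an outside probe within a configurable window.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Dict, List, Optional

# Assumed xinetd log line shapes (standard xinetd format, not copied from the post):
#   <mon> <day> <hh:mm:ss> <host> xinetd[<pid>]: FAIL: <svc> libwrap from=<ip>
#   <mon> <day> <hh:mm:ss> <host> xinetd[<pid>]: START: <svc> pid=<n> from=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ xinetd\[\d+\]: "
    r"(?P<kind>START|FAIL|EXIT): (?P<svc>\S+)"
    r"(?: (?P<reason>libwrap|address|service_limit))?"
    r"(?: pid=(?P<pid>\d+))?"
    r"(?: from=(?P<src>[0-9.]+))?"
)

# Constructed sample, shaped after the timeline in the post (host name and pids invented).
SAMPLE_LOG = [
    "Oct 22 05:34:10 web1 xinetd[611]: FAIL: ftp libwrap from=195.157.17.177",
    "Oct 22 05:34:31 web1 xinetd[611]: FAIL: ftp libwrap from=127.0.0.1",
    "Oct 22 05:34:35 web1 xinetd[611]: FAIL: ftp libwrap from=127.0.0.1",
    "Oct 22 05:48:01 web1 xinetd[611]: START: pop3 pid=10804 from=127.0.0.1",
    "Oct 22 05:48:03 web1 xinetd[611]: START: pop3 pid=10806 from=127.0.0.1",
    "Oct 22 06:09:12 web1 xinetd[611]: START: pop3 pid=10900 from=192.168.1.20",
    "Oct 22 08:00:00 web1 sshd[700]: Accepted password for dick from 192.168.1.20",
]


@dataclass
class Event:
    ts: datetime
    kind: str
    service: str
    src: Optional[str]
    reason: Optional[str]


def parse_line(line: str, year: int = 2002) -> Optional[Event]:
    """Parse one xinetd line; returns None for lines written by other daemons."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["kind"], m["svc"], m["src"], m["reason"])


def _is_loopback(src: Optional[str]) -> bool:
    return src is not None and ip_address(src).is_loopback


def triage(lines: List[str], window: timedelta = timedelta(hours=1),
           expected_local=frozenset()) -> List[Dict]:
    """Return findings for refusals from outside, and for any loopback-originated
    refusal or service start. `expected_local` names services that legitimately
    get connections from 127.0.0.1 (e.g. a local webmail talking to pop3)."""
    findings: List[Dict] = []
    last_external_refusal: Dict[str, datetime] = {}
    for ev in filter(None, map(parse_line, lines)):
        rule = None
        if ev.kind == "FAIL" and ev.src:
            if _is_loopback(ev.src):
                rule = "loopback_refused"      # something on the box itself tried the service
            else:
                rule = "external_refused"      # tcp_wrappers turned away an outside host
                last_external_refusal[ev.service] = ev.ts
        elif ev.kind == "START" and _is_loopback(ev.src) and ev.service not in expected_local:
            rule = "loopback_start"            # a service started for a local client
        if rule is None:
            continue
        # Loopback activity shortly after an outside probe is the sequence to escalate.
        follows_probe = rule != "external_refused" and any(
            timedelta(0) <= ev.ts - t <= window for t in last_external_refusal.values())
        findings.append({"ts": ev.ts, "rule": rule, "service": ev.service,
                         "src": ev.src, "follows_probe": follows_probe})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "  <-- follows outside probe" if f["follows_probe"] else ""
        print(f"{f['ts']:%b %d %H:%M:%S} {f['rule']:<17} {f['service']:<5} from {f['src']}{flag}")
```

Run it against the real file with `triage(open("/var/log/secure").readlines())`; on a box where pop3 is only ever reached from the internal network, pass `expected_local=frozenset()` as above so that loopback starts are reported, and widen `window` if the probes on your ISP arrive hours apart from the follow-up.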
Did you not run Red Hat's up2date program? I agree with Marc that you should have ftp client access to ftp from that machine to another.

On Wed, 23 Oct 2002, Richard Goodman wrote:
_______________________________________________
Wlug mailing list
Wlug@mail.wlug.org
http://mail.wlug.org/mailman/listinfo/wlug

--
Karl Hiramoto <karl@hiramoto.org>
Work: 978-425-2090 ext 25
Cell: 508-517-4819
Personal web page: http://karl.hiramoto.org/
Zoop Productions: http://www.zoop.org/
KTEQ Rapid City: http://www.kteq.org/
AOL IM ID = KarlH420
Yahoo_IM = karl_hiramoto
You have an ambitious nature and may make a name for yourself.