| View previous topic :: View next topic |
| Author |
Message |
aajpotter
n00b
Joined: 13 Feb 2011
Posts: 3
|
 Posted: Sun Feb 13, 2011 5:51 am Post subject: Hacked Gentoo Server: Apache needs to be completely removed |
 |
|
A gentoo box was rooted - the password was obtained through a compromised OSX iMac with a keylogger (I have become aware that the iMac has a root kit) - where I had been using ssh - and it was noted the next day that the gentoo server's root filesystem had been remounted as read-only by someone else!! This was the huge giveaway!!
After the next reboot apache stopped functioning completely with the following error:
| Quote: | apache2: apr_sockaddr_info_get() failed for mozart
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
no listening sockets available, shutting down
Unable to open logs |
Apache worked fine before the server was rooted. Therefore it appears to have been sabotaged - or nuked in some kind of way - Apache needs to be completely removed from the system and reinstalled.
Running...
| Quote: | emerge --unmerge apache
emerge apache
|
Has not solved the problem. So presumably this is to do with configuration and/or permissions which may have been tampered with - correct me if I am wrong.
Everything else works absolutely fine - as before - including the CCTV system (using video4linux2). However, Apache is useful and needed for certain other tasks and I need to get it working again at some point - it isn't vitally important, but useful.
Any tips would be appreciated.
Andy James Potter |
|
| Back to top |
|
 |
platojones
Veteran
Joined: 23 Oct 2002
Posts: 1602
Location: Just over the horizon
|
| Posted: Sun Feb 13, 2011 6:32 am Post subject: |
|
|
| If you've truly been rooted, your only real option to secure that machine again is to wipe to drives clean and re-install from scratch in a locked down environment. |
|
| Back to top |
|
|
XQYZ
Apprentice
Joined: 19 Jul 2009
Posts: 231
Location: Europe
|
| Posted: Sun Feb 13, 2011 9:52 am Post subject: |
|
|
| platojones wrote: | | If you've truly been rooted, your only real option to secure that machine again is to wipe to drives clean and re-install from scratch in a locked down environment. |
I agree, there's no telling what somebody with root access can do. At the very least do an emerge -e world. |
|
| Back to top |
|
|
phajdan.jr
Retired Dev
Joined: 23 Mar 2006
Posts: 1777
Location: Poland
|
| Posted: Sun Feb 13, 2011 10:09 am Post subject: |
|
|
| XQYZ wrote: | | At the very least do an emerge -e world. |
If you can emerge -e world, you can re-install just as well. And it's not too hard for an attacker to protect his tools from emerge -e world.
_________________
http://phajdan-jr.blogspot.com/ |
|
| Back to top |
|
|
aajpotter
n00b
Joined: 13 Feb 2011
Posts: 3
|
| Posted: Mon Feb 14, 2011 1:48 am Post subject: Thanks |
|
|
| Thank you. I will rebuild the system! |
|
| Back to top |
|
|
dE_logics
Advocate
Joined: 02 Jan 2009
Posts: 2289
Location: $TERM
|
| Posted: Tue Feb 15, 2011 10:00 am Post subject: Re: Thanks |
|
|
| aajpotter wrote: | | Thank you. I will rebuild the system! |
And this time you might try hardened.
_________________
My blog |
|
| Back to top |
|
|
Anarcho
Advocate
Joined: 06 Jun 2004
Posts: 2970
Location: Germany
|
| Posted: Tue Feb 15, 2011 10:49 am Post subject: Re: Thanks |
|
|
| dE_logics wrote: | | aajpotter wrote: | | Thank you. I will rebuild the system! |
And this time you might try hardened. |
Good idea, though it wouldn't prevent the attack described here, as someone has stolen the password on the client machine.
_________________
...it's only Rock'n'Roll, but I like it! |
|
| Back to top |
|
|
phajdan.jr
Retired Dev
Joined: 23 Mar 2006
Posts: 1777
Location: Poland
|
| Posted: Tue Feb 15, 2011 11:22 am Post subject: Re: Thanks |
|
|
| Anarcho wrote: | | Good idea, though it wouldn't prevent the attack described here, as someone has stolen the password on the client machine. |
Well, switching to key-based authentication in ssh seems to give the biggest gains here. A keylogger can still sniff the passphrase, but now it also has to steal the private key.
By the way, it's probably worth investigating how the Mac got infected with this keylogger. Try to patch the hole there: did you download untrusted software, did someone have unauthorized access, was it a browser exploit? etc.
_________________
http://phajdan-jr.blogspot.com/ |
|
| Back to top |
|
|
Anarcho
Advocate
Joined: 06 Jun 2004
Posts: 2970
Location: Germany
|
| Posted: Tue Feb 15, 2011 12:17 pm Post subject: Re: Thanks |
|
|
| phajdan.jr wrote: | | Anarcho wrote: | | Good idea, though it wouldn't prevent the attack described here, as someone has stolen the password on the client machine. |
Well, switching to key-based authentication in ssh seems to give the biggest gains here. A keylogger can still sniff the passphrase, but now it also has to steal the private key. |
That's the reason why I only use key-based auth on all of my linux systems, even on the Nokia N810. And I really recommend everyone to do so. I have a USB-Stick with the encrypted key with me, so I can use it on foreign computers if I must.
_________________
...it's only Rock'n'Roll, but I like it! |
|
| Back to top |
|
|
dE_logics
Advocate
Joined: 02 Jan 2009
Posts: 2289
Location: $TERM
|
| Posted: Tue Feb 15, 2011 1:05 pm Post subject: Re: Thanks |
|
|
| Anarcho wrote: | | phajdan.jr wrote: | | Anarcho wrote: | | Good idea, though it wouldn't prevent the attack described here, as someone has stolen the password on the client machine. |
Well, switching to key-based authentication in ssh seems to give the biggest gains here. A keylogger can still sniff the passphrase, but now it also has to steal the private key. |
That's the reason why I only use key-based auth on all of my linux systems, even on the Nokia N810. And I really recommend everyone to do so. I have a USB-Stick with the encrypted key with me, so I can use it on foreign computers if I must. |
+1 same policy here.
_________________
My blog |
|
| Back to top |
|
|
aajpotter
n00b
Joined: 13 Feb 2011
Posts: 3
|
| Posted: Tue Feb 15, 2011 6:46 pm Post subject: Re: Thanks |
|
|
| phajdan.jr wrote: |
By the way, it's probably worth investigating how the Mac got infected with this keylogger. Try to patch the hole there: did you download untrusted software, did someone have unauthorized access, was it a browser exploit? etc. |
I have no idea what method was used. The problem with OSX is that I am certain there are numerous backdoors which cannot be patched by the average person but could be exploited by sophisticated organisations. |
|
| Back to top |
|
|
|
Networking & Security
