olman n00b
Joined: 02 Mar 2005 Posts: 7
Posted: Wed Mar 02, 2005 4:58 pm Post subject: Got hacked, "HASCH"
Today I noticed that I got hacked by a group or something named "(H)ackers (A)gainst (S)wedish (C)omputer (H)omos".
The funny thing is that I ran an update yesterday night (23:30 GMT+1), and today around 10:30 (GMT+1) it was hacked.
It's some kind of script that runs instead of bash when I log on. But only two users are hacked, my standard user and the root user. All other users can log in normally. I've set SSH to only give access to root via the user that got hacked. root can't log in via ftp either (my settings).
Now that I've read some log files I can't find anything. Something that made me think was that the whole apache2 log directory was empty (/var/log/apache2/); the SSH directory is also empty (/var/log/sshd/). I found one file in root's home named "sorryy", but it didn't contain anything. I'm just interested in what you people think this hacker did, and how they got in.
Sorry for my bad English.
BitJam Advocate
Joined: 12 Aug 2003 Posts: 2513 Location: Silver City, NM
Posted: Wed Mar 02, 2005 5:35 pm
First, I think a re-install is in order. Any data or files you created yourself should be safe. But it is possible (if not likely) that the crackers still have control of your box.
Second, the easiest thing to do to find out what they've done is to emerge chkrootkit and run it. But for safety's sake, you should probably boot from the LiveCD and do the chroot trick from the install instructions to access your machine until you've determined for sure that it is clean.
olman n00b
Joined: 02 Mar 2005 Posts: 7
Posted: Wed Mar 02, 2005 5:39 pm
Yeah, that's what I've done. No network connection, and I booted up from the LiveCD just to get access to the log files. Nothing strange in the .bashrc and so on. A reinstall is going to be made, but I wanted to check the log files and so on first.
BitJam Advocate
Joined: 12 Aug 2003 Posts: 2513 Location: Silver City, NM
Posted: Wed Mar 02, 2005 5:56 pm
chkrootkit?
olman n00b
Joined: 02 Mar 2005 Posts: 7
Posted: Wed Mar 02, 2005 6:06 pm
I booted up the LiveCD, mounted the system and then chrooted into the partition that I mounted. That's all.
Jayso n00b
Joined: 02 Jul 2003 Posts: 21
Posted: Wed Mar 02, 2005 10:51 pm
Out of curiosity, were you running PHP, or any website running PHP?
What are the top few lines of `last`?
There could be a number of ways they got in; usually PHP websites, phpBB, PHP-Nuke and those kinds of things have holes,
and if they aren't patched then you might as well tell someone your root password.
What commands did they run, if any? (.bash_history)
If they seem to have cleaned up very well, then most likely they had a script run to do it for them.
Also, check /tmp or /var/tmp;
sometimes you find some funny things in there... lots of times it's nothing though.
But emerge chkrootkit would probably be a good idea if you want to check anything else out;
however, a fresh install is probably good.
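The checks Jayso lists above, and the symptoms olman reports in the opening post (login shell replaced for root and one user, emptied log directories, odd files in /root and /tmp), as an added example that is not part of the thread: a POSIX sh triage script run against the root filesystem mounted from the LiveCD, as BitJam suggests, for example `sh triage.sh /mnt/gentoo` with the partition mounted read-only so nothing on it is altered. It reports accounts whose login shell is not listed in /etc/shells, empty directories under /var/log, hidden entries under /tmp and /var/tmp, and prints root's .bash_history for reading. With no argument it builds and examines a constructed sample root that mirrors those symptoms; the shell path /usr/local/bin/.sh and the portage log in that sample are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline triage of a suspect root
# filesystem mounted under ROOT (e.g. /mnt/gentoo from the LiveCD). Usage:
#   sh triage.sh /mnt/gentoo
# With no argument a constructed sample root is built under mktemp and examined.

# odd_shells ROOT: print "user shell" for every account whose login shell is
# not listed in ROOT/etc/shells. nologin/false style accounts are skipped.
odd_shells() {
  root=$1
  while IFS=: read -r user pw uid gid gecos home shell; do
    case "$shell" in
      ''|*/nologin|*/false) continue ;;
    esac
    grep -qxF "$shell" "$root/etc/shells" 2>/dev/null || printf '%s %s\n' "$user" "$shell"
  done < "$root/etc/passwd"
}

# empty_logdirs ROOT: name each directory under ROOT/var/log that holds nothing.
# An empty apache2/ or sshd/ on a host that serves traffic means the logs were wiped.
empty_logdirs() {
  root=$1
  for d in "$root"/var/log/*/; do
    [ -d "$d" ] || continue
    [ -n "$(ls -A "$d")" ] || basename "$d"
  done
}

# hidden_tmp ROOT: dot-files and dot-directories under tmp and var/tmp, the
# usual drop location for a cleaner script or a rootkit installer.
hidden_tmp() {
  root=$1
  find "$root/tmp" "$root/var/tmp" -name '.*' 2>/dev/null
}

# make_sample_root DIR: constructed sample (hypothetical names and paths) that
# mirrors the thread: root and olman given a replaced shell, apache2/ and sshd/
# log directories emptied, an empty "sorryy" in /root, a hidden file in /tmp.
make_sample_root() {
  r=$1
  mkdir -p "$r/etc" "$r/var/log/apache2" "$r/var/log/sshd" "$r/var/log/portage" \
           "$r/root" "$r/tmp" "$r/var/tmp" "$r/home/olman"
  printf '/bin/bash\n/bin/sh\n' > "$r/etc/shells"
  cat > "$r/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/usr/local/bin/.sh
olman:x:1000:1000::/home/olman:/usr/local/bin/.sh
guest:x:1001:1001::/home/guest:/bin/bash
nobody:x:65534:65534::/:/sbin/nologin
EOF
  printf 'emerge --sync\n' > "$r/var/log/portage/elog"   # a non-empty log dir, not reported
  : > "$r/root/sorryy"
  : > "$r/tmp/.x"
}

if [ -n "${1:-}" ]; then
  ROOT=$1; cleanup=
else
  ROOT=$(mktemp -d); make_sample_root "$ROOT"; cleanup=$ROOT
fi

echo "== accounts whose login shell is not in /etc/shells"; odd_shells "$ROOT"
echo "== empty directories under /var/log";              empty_logdirs "$ROOT"
echo "== hidden entries under /tmp and /var/tmp";        hidden_tmp "$ROOT"
echo "== root's shell history (read it, never execute it)"
if [ -f "$ROOT/root/.bash_history" ]; then cat "$ROOT/root/.bash_history"; fi
if [ -n "$cleanup" ]; then rm -rf "$cleanup"; fi
```

For the top lines of `last` that Jayso asks about, run `last -f "$ROOT/var/log/wtmp"` against the mounted copy rather than the LiveCD's own wtmp, keeping in mind that an attacker who emptied the log directories may have cleaned wtmp too. chkrootkit complements these checks: run it from the LiveCD with `-r` pointed at the mount point so it inspects the suspect tree using the LiveCD's own, trusted binaries rather than the possibly trojaned ones on the disk.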
Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Wed Mar 02, 2005 11:03 pm
But he said he updated on Tuesday night, and was hacked after that. If he was using phpBB then he would have the patched version, sans security holes. I think it was put into portage on Monday.
olman n00b
Joined: 02 Mar 2005 Posts: 7
Posted: Thu Mar 03, 2005 8:06 am
Yeah, like Sith_Happens said, I updated the night before. I didn't run any kind of forum. I had PHP 5.0.3, Apache 2 and MySQL. Nothing strange is displayed in .bash_history. Now I've started a reinstall and will be thinking more about security. Maybe they were getting in through my MySQL queries. I will make them more secure next time.
F.Ultra Apprentice
Joined: 17 Mar 2004 Posts: 169 Location: Sweden
Posted: Thu Mar 03, 2005 9:33 am
Or do you accept SSH connections from anywhere and have a root password that is easy to guess/crack?
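The exposure F.Ultra asks about, root reachable over SSH from anywhere with a guessable password, as an added example that is not part of the thread: a POSIX sh audit of an sshd_config that reports the weak settings, alongside a constructed weak configuration and the hardened one the thread's advice amounts to (no root login over SSH, keys instead of passwords, and only the admin account from a known address). The assumed defaults for an absent directive are those of the OpenSSH releases of the time, PermitRootLogin yes and PasswordAuthentication yes; the user name olman and the address 192.0.2.10 in the hardened sample are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Audit an sshd_config for the three
# settings that let a remote password guesser reach root directly.
# Usage: sh sshd_audit.sh /etc/ssh/sshd_config   (no argument: audits two
# constructed sample configs, a weak and a hardened one).

# sshd_audit FILE: print one line per weak setting; return 0 only if none.
# Like sshd, the first occurrence of a directive wins. Absent directives fall
# back to the assumed era defaults: PermitRootLogin yes, PasswordAuthentication
# yes, no AllowUsers restriction. Match blocks are not interpreted.
sshd_audit() {
  cfg=$1
  permit_root=yes; password_auth=yes; allow_users=
  seen_root=; seen_pw=; seen_allow=
  while read -r key val rest; do
    case "$key" in ''|'#'*) continue ;; esac      # blank lines and comments
    case "$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')" in
      permitrootlogin)        [ -n "$seen_root" ]  || { permit_root=$val;        seen_root=1; } ;;
      passwordauthentication) [ -n "$seen_pw" ]    || { password_auth=$val;      seen_pw=1; } ;;
      allowusers)             [ -n "$seen_allow" ] || { allow_users="$val $rest"; seen_allow=1; } ;;
    esac
  done < "$cfg"
  findings=0
  case "$permit_root" in
    no|prohibit-password|without-password) ;;
    *) printf 'PermitRootLogin %s: root can be brute-forced directly\n' "$permit_root"; findings=1 ;;
  esac
  if [ "$password_auth" != no ]; then
    printf 'PasswordAuthentication %s: password guessing possible, use keys\n' "$password_auth"; findings=1
  fi
  if [ -z "$allow_users" ]; then
    printf 'AllowUsers unset: any account can be tried from any address\n'; findings=1
  fi
  return $findings
}

# Constructed sample configs (not from the thread).
write_weak_config() {
  cat > "$1" <<'EOF'
# sshd_config (weak): root and passwords accepted from anywhere
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

write_hardened_config() {
  cat > "$1" <<'EOF'
# sshd_config (hardened): become root with su/sudo after a key login
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers olman@192.0.2.10
MaxAuthTries 3
EOF
}

if [ -n "${1:-}" ]; then
  sshd_audit "$1"
else
  W=$(mktemp); H=$(mktemp)
  write_weak_config "$W"; write_hardened_config "$H"
  echo "== weak config";     sshd_audit "$W" || true
  echo "== hardened config"; sshd_audit "$H" && echo "no findings"
  rm -f "$W" "$H"
fi
```

On a live system the authoritative view is `sshd -T`, which prints the effective configuration after defaults and Match blocks are applied; the parser above is for reading a config copied off a suspect disk where sshd cannot be trusted to run.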
schiotz Apprentice
Joined: 20 Jan 2004 Posts: 206 Location: Denmark
Posted: Thu Mar 03, 2005 11:02 am
olman wrote: "I booted up the LiveCD, mounted the system and then chrooted into the partition that I mounted. That's all."
Try running chkrootkit (not chroot!) to check if somebody installed a rootkit.
Do you use the same password on another machine (work, university, ...)? In that case, perhaps that machine got hacked and your password was cracked. Then the hacker can see in the logs that you often log in from your own machine, and try the same password there.