Our system was hacked


Login or Register for Dates, Times and to Reply

 
Thread Tools Search this Thread
# 1  
Our system was hacked

Someone made a mistake, and left our router wide open, pointing all ports to a SCO 6.0.0 system.
Within 24 hours, the following happened.
The contents of all the files (except tar files) in three directories, one directory on each of three different file systems, were replaced with nulls. None of the inode data was changed, meaning that the output of 'ls -l' was the same before and after. In two of the directories the file permissions were 0664, and in the last, the permissions were 0644 and files owned by root.
I have not been able to find anything in any of the log files to indicate who or when this happened.
Since we had adequate backups there was no long term damage.
Any thoughts would be appreciated.
This User Gave Thanks to jgt For This Post:
# 2  
Turn on logging including router logging and closely monitor the logs.

Create a honeypot to lure the hackers into your logging traps, if you are interested to discover who is responsible.

Good job on keeping your backups up to date!
This User Gave Thanks to Neo For This Post:
# 3  
Look in root's homedir for .history .bash_history or similar files.
Run the history command in the respective shell(s).

Ordinary system logins are listed with the last command.

Consult the system logs, for system access and unusual events.
Is there a su or sudo log in /var/log/ or /var/adm/?
Do you happen to have system accounting (sa) running?

Run netstat -a and look for LISTEN; what services are running that use the ports?
Do these services have extra logs?

How good is your root pw? The longer the better.
Did you switch from the 13byte Unix crypt to another crypt that allows longer pws?

Are you sure your system was hacked at all?
Maybe there was a fatal human error like
Code:
tar cf - dir | tar xf -

where the read files are already opened for writing, and such data corruptions can occur.
This User Gave Thanks to MadeInGermany For This Post:
# 4  
Here is a high level overview:

When you think you are hacked, you should make sure that all your logfiles are preserved.

It's often best to image the disk and make a full copy of the "hacked" disk before you recover from backup.

Then, you can do your analysis on a mounted "hacked" disk images, since you will lose that information (more than likely) when you recover from backup.

However, if you think you have been hacked; you need to also focus on detection. The triad to think about is:
  • Detection
  • Recovery
  • Prevention

If you just casually recover from backup, you will likely lose a lot of valuable forensic information, so as mentioned, you should make a copy of the hacked disk before you recover from backup.

Then, you should move toward hardening the system to insure your log files are logging on the "maybe hacked" computer and any network devices in the path.

You should not start making changes that would lock out the "hacker" (if there actually was one) without considering if you want to try to trap and trace them. If you block them quickly, the "hacker" will know you are on to them and stop, generally speaking. It's a game of cat and mouse.

So, it's good to set up "honeypots" or any simple way to fool an intruder to thinking they have access, while you log their activities.

A simple example is to write a wrapper around various system commands which logs before it executes. I recently did this with curl on a system I manage. Hackers often use commands like curl or even sh or bash (all os dependent of course) to download and install malicious code, etc.

Or maybe you are not interested in (future) detection?

Then of course you can work on logfile and file system analysis (so you can do a better job at prevention).

One of the cool things I do these days is to use github to backup critical logs and configuration files as well as critical filesystems.

Then, if there is some suspicious activity, I use the private github files to check for changes (file system integrity).

A lot of people do not realize how useful git and github can be for file system analysis, related to "hack analysis". git is not only useful for tracking code changes when developing code. git can be a great filesystem integrity tool in the toolkit of IT security.

Recently, I used github to check the entire filesystem after a suspicious incident and could easily see what file system changes had occurred (in this case, it was none, as I caught the attempted malware injection before it could write to the filesystem ...)

So, whatever you use, you need some way to manage and check the integrity of your filesystem(s) on critical systems.

I don't want to distract you with too much IT security mumbo-jumbo, so let me sign-off before I start another chapter on basic IT security in this post.

Cheers.
Login or Register for Dates, Times and to Reply

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

3 More Discussions You Might Find Interesting

1. Cybersecurity

Server hacked on known port

Hi, There is a recent case whereby it was reported that one of the production servers was hacked on port 1521. However, I am not sure how this was possible, as I checked that the OS firewall (iptables) is on : # /etc/init.d/iptables status Table: nat Chain PREROUTING (policy ACCEPT) num ... (7 Replies)
Discussion started by: anaigini45
7 Replies

2. Cybersecurity

How to know when you've been hacked

One of the most important ways to keep tou machine secure is to know when it has been broken into. The less time hackers have on your system, the less they can do to it, and the greater you chancens of kicking them off and repairing the damage. The more sophisticated the hacker, the less likely... (8 Replies)
Discussion started by: binhnx2000
8 Replies

3. Linux

pc hacked

Hi, i think someone has hacked my server, the following rules used to come which i haven't put. Please help me i couldnt find out how this rules are apply, i think someone has put an script which generates enables the rules. But after restarting the iptables everything seems to be working... (0 Replies)
Discussion started by: naik_mit
0 Replies

Featured Tech Videos