securing a remote box
# 1  
Old 05-07-2002
securing a remote box

someone has access to my server...

I've got a Solaris 7 box with remote access only.
Many of the services don't have passwords,
and someone recently messed with the shadow file.
The root: line was changed:
. password field was changed to NP
. the number after that was changed too

The intruders seem to be using us to relay spam mainly,
but I'm concerned they may have made other doors.
(I stopped sendmail once and someone else restarted
it later that night.)

I changed the root password

I'm a newbie, so I ordered:
"Practical Unix and Internet Security"
O'Reilly's Essential System Admin

Books aren't here yet, but anyways...

Where should I begin?

Any other books I should get?

Last edited by sphiengollie; 05-07-2002 at 10:08 PM..
# 2  
Old 05-08-2002
First, you have already been hacked, whether it was from an inside source or outside. You need to build a new server (if possible) and replace the old one, keeping the old for investigation into who did what.

If you can't do that, then disconnect the server, rebuild it, shut off all services after rebuilding but add ssh to the server. Ensure your version of Sendmail is set up to not allow relays. Make sure your group is the only one with root. Don't allow root remote logins. Put it back online.

Check out the following links:

To check if you are an open relay:
Network Abuse Clearinghouse

If you are using Sendmail:
Sendmail


Solaris 7 may have the SunScreen Lite product for free; use it and
read up on securing your Solaris server.


If you are running more than Sendmail on the server, remove the other apps and put them on their own box. The more a hacker has to use against you, the worse off you are.
Search Sunsolve BigAdmin
thehoghunter
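The checks behind the list in this reply (no remote root login, nothing listening that the box is not for, no mail relaying), written up as an added example; this is not code from the thread or from any Solaris tool. It is POSIX sh plus awk and grep (on Solaris 7 that means the /usr/xpg4/bin versions) and runs against copies of /etc/default/login, sshd_config, inetd.conf and the sendmail .mc file pulled off the box. The file names, function names, allow-list argument and the sample files it writes are this example's own, and the samples are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: offline check of the settings thehoghunter
# lists, run against copies of the config files. Each check prints FINDING lines
# and returns 1 when the setting is unsafe, 0 when it is as it should be.
# Paths are arguments, so the demo below runs anywhere with a POSIX sh.

# /etc/default/login: an uncommented CONSOLE=/dev/console makes login(1) refuse
# root logins from anything but the console; you log in as a user and su, which
# also leaves a line in /var/adm/sulog. Commented out, root can telnet in.
check_root_console() {
    grep '^CONSOLE=/dev/console' "$1" >/dev/null 2>&1 && return 0
    echo "FINDING: $1: root login is not restricted to the console"
    return 1
}

# sshd_config: same rule for ssh, PermitRootLogin must be "no".
check_sshd_root() {
    grep -i '^[[:space:]]*PermitRootLogin[[:space:]][[:space:]]*no[[:space:]]*$' "$1" \
        >/dev/null 2>&1 && return 0
    echo "FINDING: $1: PermitRootLogin is not set to no"
    return 1
}

# inetd.conf: every uncommented line is a listening service. Report any that is
# not named in the allow list given as further arguments (none at all on a mail
# relay whose sshd runs standalone).
check_inetd() {
    file=$1; shift
    allowed=" $* "; rc=0
    for svc in $(awk '$1 !~ /^#/ && NF > 0 { print $1 }' "$file"); do
        case "$allowed" in
            *" $svc "*) ;;
            *) echo "FINDING: $file: $svc is enabled in inetd"; rc=1 ;;
        esac
    done
    return $rc
}

# sendmail.mc: sendmail 8.9 and later refuses to relay unless told to; the
# FEATURE(`promiscuous_relay') line turns that off and makes an open relay.
# Lines starting with dnl are m4 comments and do not count.
check_sendmail_relay() {
    if grep 'promiscuous_relay' "$1" 2>/dev/null | grep -v '^[[:space:]]*dnl' >/dev/null; then
        echo "FINDING: $1: promiscuous_relay is enabled (open relay)"
        return 1
    fi
    return 0
}

# Constructed samples: *.weak is the state the thread describes, *.hard the same
# files after the changes above.
write_samples() {
    printf '#CONSOLE=/dev/console\nPASSREQ=YES\n'       > "$1/login.weak"
    printf 'CONSOLE=/dev/console\nPASSREQ=YES\n'        > "$1/login.hard"
    printf 'Port 22\nPermitRootLogin yes\n'             > "$1/sshd.weak"
    printf 'Port 22\nProtocol 2\nPermitRootLogin no\n'  > "$1/sshd.hard"
    cat > "$1/inetd.weak" <<'EOF'
# inetd.conf excerpt (constructed)
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
EOF
    sed 's/^[a-z]/#&/' "$1/inetd.weak" > "$1/inetd.hard"   # every service off
    cat > "$1/sendmail.weak" <<'EOF'
OSTYPE(solaris2)dnl
FEATURE(`promiscuous_relay')dnl
MAILER(smtp)dnl
EOF
    cat > "$1/sendmail.hard" <<'EOF'
OSTYPE(solaris2)dnl
dnl FEATURE(`promiscuous_relay')dnl
FEATURE(`access_db')dnl
MAILER(smtp)dnl
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    echo "== as found =="
    check_root_console "$d/login.weak" || true
    check_sshd_root "$d/sshd.weak" || true
    check_inetd "$d/inetd.weak" || true
    check_sendmail_relay "$d/sendmail.weak" || true
    echo "== after hardening =="
    check_root_console "$d/login.hard" && check_sshd_root "$d/sshd.hard" &&
        check_inetd "$d/inetd.hard" && check_sendmail_relay "$d/sendmail.hard" &&
        echo "no findings"
    rm -rf "$d"
}

demo
```

Pass the services you actually need to keep as extra arguments to check_inetd; on a box that only relays mail for its own users the right answer is none, with sshd started from an rc script rather than inetd. The relay check only looks at the .mc source; the generated sendmail.cf is what runs, so regenerate it and test from outside as well.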
# 3  
Old 05-08-2002
limited access blues

The server is located over 1000 miles away...

I have remote access only. (via a windows machine)

It's a Solaris 7 box with many of the system files safe on NFS,
and I've got a backup of everything I had access to from a
week prior to the hack.

Can I just restore from my archive, change all passwords, and
build/install ssh (should I use ssh2 version 3.1.0 or should I
stick to something like v2.0.13)

When setting passwords for things like daemon, bin, sys, adm...
Do I have to make changes to other files (configs) to allow
proper access for services, etc.

Also, thoughts on software like cops or satan?
# 4  
Old 05-08-2002
Quote:
The server is located over 1000 miles away...
It is great that we can telecommute, but once in a while you just have to be there. Our company laid off the only guy we had to do our servers 1300 miles away. The next time one needs an upgrade or service, one of us may have to go there. We have remote access to the console, which still allows us to change things all the way down to the boot PROM. If you don't have this type of access, you might want to get the equipment and software together and take a road trip.

Quote:
It's a Solaris 7 box with many of the system files safe on nfs
I don't remember who said it in these forums, but I'm sure they will respond with horror at this statement. NFS is not considered secure; it is probably the easiest way to get access into your server.

Quote:
I've got a backup of everything I had access to from a week prior to the hack
You better be sure that is prior to the hack or you may miss the files the hacker changed to backdoor you. That is why it should be built from scratch.
thehoghunter
# 5  
Old 05-08-2002
I don't think I said it before, but I'll say it now! Secure on NFS? Is that an oxymoron?

Seriously, bring the box down. Rebuild. Changing passwords won't help a thing if the attacker was decent, or even used a good rootkit (they are very, very easy to find)... He probably replaced a few of your binaries in order to hide himself from ps, netstat, fuser, etc... There's no way to know. I've even seen a few that will not respond to a port scan, but are "activated" when a specially constructed packet hits it.

Reinstall from read-only media (CDROM works well), and use the backup tapes to move over only the old files. Leave the binaries behind.

And if you don't do it because it's a hassle, think about all of the people that are being attacked and spammed from your box. On top of that, since you are aware that you have been compromised, you are 100% liable for every attack / spam from that box.
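The point in this reply that ps, netstat and friends can no longer be trusted, as an added example that is not from the thread: a checksum comparison of the suspect system's binaries against the read-only copy (the CD image the NFS tree was built from, in this case). It is POSIX sh; the function names, the directory arguments and the two sample trees are this example's own, and the trees are constructed. Run it with find and cksum taken from the read-only media rather than from the suspect /usr/bin, since a rootkit that replaced ps can have replaced those just as easily.

```sh
#!/bin/sh
# Added example, not from the thread: compare the binaries on a suspect box
# against known-good copies from read-only media. Directory paths are
# arguments; the demo trees below are constructed.

# compare_tree GOOD SUSPECT: for each regular file under GOOD print
#   MISSING path   - not present on the suspect system
#   CHANGED path   - CRC or size differs from the known-good copy
# Returns 0 when every file matches, 1 otherwise. (Paths with spaces are not
# handled; there are none under /usr/bin, /usr/sbin or /sbin.)
compare_tree() {
    good=$1; suspect=$2; rc=0
    for f in $(cd "$good" && find . -type f | sort); do
        rel=${f#./}
        if [ ! -f "$suspect/$rel" ]; then
            echo "MISSING $rel"; rc=1; continue
        fi
        g=$(cksum < "$good/$rel");  s=$(cksum < "$suspect/$rel")
        [ "$g" = "$s" ] || { echo "CHANGED $rel"; rc=1; }
    done
    return $rc
}

# extra_files GOOD SUSPECT: files on the suspect system with no counterpart on
# the media. Dropped tools (sniffers, backdoored shells) live here, often in a
# dot-directory. Returns 1 if any are found.
extra_files() {
    good=$1; suspect=$2; rc=0
    for f in $(cd "$suspect" && find . -type f | sort); do
        rel=${f#./}
        [ -f "$good/$rel" ] || { echo "EXTRA $rel"; rc=1; }
    done
    return $rc
}

# Constructed trees: "good" stands in for the CD, "suspect" for the live box
# after an intruder replaced ps, removed ls and dropped a sniffer.
write_trees() {
    mkdir -p "$1/good/bin" "$1/suspect/bin/.x"
    echo "ps 5.7"       > "$1/good/bin/ps"
    echo "netstat 5.7"  > "$1/good/bin/netstat"
    echo "ls 5.7"       > "$1/good/bin/ls"
    echo "ps (trojan)"  > "$1/suspect/bin/ps"        # hides the spam processes
    echo "netstat 5.7"  > "$1/suspect/bin/netstat"   # untouched
    echo "sniffer"      > "$1/suspect/bin/.x/sniff"  # dropped tool
}

demo() {
    d=$(mktemp -d) || return 1
    write_trees "$d"
    echo "== binaries vs. read-only media =="
    compare_tree "$d/good" "$d/suspect" || true
    echo "== files not on the media =="
    extra_files "$d/good" "$d/suspect" || true
    rm -rf "$d"
}

demo
```

Solaris's own pkgchk(1M) makes a similar comparison against /var/sadm/install/contents, but that database sits on the suspect disk and can be edited along with the binaries; a copy on media nobody could write to is the only baseline worth trusting, which is the real argument for rebuilding from the CD rather than patching the running system.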
# 6  
Old 05-08-2002
under-budget security and NO time...

If you are trying to help... Forget it!

If I had the time and money, I'd go...
But, I don't! (until mid-summer)

As for the NFS-mounted system files that are a CD image,
the other box might be a hole, but that's not my concern.
I've informed that box's admin; now it's his...

Isn't the CD safe up on the shelf? No one can write to it
without putting it in some sort of device, not even me.
(If you know the trick, please let me know...)

The backup program the admin of the NFS system uses logs files
that have changed. There were a few unknown changes
that couldn't be blamed on anyone who was supposed
to have access about three days ago. The archive is
from prior to that and really seems to be my only option
until more time can be... (like I said, "mid-summer")

How should I go about securing this box from here?

Which log files from the hacked box should I be looking
at to discover how they got in? (I think I need to plug
that hole first while keeping an eye out for their next
attempt/hack)

Anything about passwords for things like bin, sys, adm...?

What about cops?

Last edited by sphiengollie; 05-08-2002 at 06:15 PM..
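The two questions in this post (which logs, and what to do about the passwords of bin, sys, adm and the rest), as an added example that is not from the thread: a POSIX sh script with two awk checks over copies of /etc/shadow and /etc/passwd, and a summary of /var/adm/sulog. The account names, last-change day numbers and su lines are constructed; the cut-off day argument, the function names and the SYSTEM_ACCOUNTS list (the accounts a stock Solaris 7 install ships with NP) are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread: triage of account data and su history on
# a Solaris 7 box whose shadow file was edited. Run it against copies of
# /etc/shadow, /etc/passwd and /var/adm/sulog; the demo data is constructed.
#
# Solaris shadow(4) password field: a crypt(3) hash means a password is set;
# "NP" is a value no password hashes to, so password login is refused (the
# normal state for daemon, bin, sys, adm and the other system accounts, and
# what to leave them at rather than giving them passwords); "*LK*" is locked;
# an EMPTY field means the account logs in with no password at all. The third
# field is the day of the last change, in days since 1970-01-01.

SYSTEM_ACCOUNTS="daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4"

# audit_shadow SHADOW SINCE_DAY: one FINDING line per problem; entries whose
# last-change day is SINCE_DAY or later are reported as recently modified.
# Returns 1 if anything was found.
audit_shadow() {
    awk -F: -v since="$2" -v sys="$SYSTEM_ACCOUNTS" '
    BEGIN { rc = 0; n = split(sys, a, " "); for (i = 1; i <= n; i++) issys[a[i]] = 1 }
    function found(msg) { print "FINDING: " msg; rc = 1 }
    NF == 0 || $1 ~ /^#/ { next }
    {
        user = $1; pw = $2; last = $3
        if (pw == "")
            found("no password required for " user)
        else if (user == "root" && (pw == "NP" || pw == "*LK*"))
            found("root cannot log in with a password (field is " pw ")")
        else if ((user in issys) && pw != "NP" && pw != "*LK*")
            found("system account " user " has a password set")
        if (last != "" && last + 0 >= since + 0)
            found("entry for " user " last changed on day " last)
    }
    END { exit rc }' "$1"
}

# extra_uid0 PASSWD: any account other than root with UID 0 is root by another
# name, a common thing for an intruder to leave behind. Returns 1 if found.
extra_uid0() {
    awk -F: 'BEGIN { rc = 0 }
             $3 == 0 && $1 != "root" { print "FINDING: uid 0 account " $1; rc = 1 }
             END { exit rc }' "$1"
}

# su_to_root SULOG: successful switches to root. sulog lines look like
#   SU 05/07 22:08 + pts/3 joe-root      ("+" succeeded, "-" failed)
# Prints date, time, tty and who-to-whom; look for odd hours, odd ttys and
# system accounts on the "from" side.
su_to_root() {
    awk '$1 == "SU" && $4 == "+" && $6 ~ /-root$/ { print $2, $3, $5, $6 }' "$1"
}

# Constructed samples. Day 11814 is 2002-05-07; sys has been given a password
# and then used to become root at night, backup needs no password, toor is a
# second uid 0 account.
write_samples() {
    cat > "$1/shadow" <<'EOF'
root:NP:11814::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:Zq3pLmN0OpQrS:11812::::::
adm:NP:6445::::::
joe:9XaBcDeFgHiJk:11800::::::
backup::11812::::::
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
joe:x:1001:10:Joe User:/export/home/joe:/bin/ksh
backup:x:1002:10::/export/home/backup:/bin/sh
toor:x:0:1::/:/bin/sh
EOF
    cat > "$1/sulog" <<'EOF'
SU 05/01 09:12 + pts/1 joe-root
SU 05/04 23:41 - pts/3 sys-root
SU 05/04 23:42 + pts/3 sys-root
SU 05/07 22:01 + pts/2 joe-root
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    echo "== shadow (entries changed on or after day 11810 = 2002-05-03) =="
    audit_shadow "$d/shadow" 11810 || true
    echo "== uid 0 accounts =="
    extra_uid0 "$d/passwd" || true
    echo "== successful su to root =="
    su_to_root "$d/sulog"
    rm -rf "$d"
}

demo
```

Beyond sulog, the files to copy off a Solaris 7 box before touching anything are /var/adm/messages, /var/adm/wtmpx (read it with last), /var/adm/loginlog if it had been created, /var/log/syslog for sendmail's record of what was relayed, and /var/cron/log. All of them live on the compromised disk and can have been trimmed, which is why the change log kept by the NFS admin on the other machine is worth more than any of them.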
# 7  
Old 05-08-2002
Thanks LivinFree

The NFS system is backed up to CD after any changes to bins...

When I said the NFS system was safe, I meant I can have my
buddy stick the CD back in and...

I've shut down my sendmail and no one has restarted it. (yet?)

I think I was the leak... About a week ago while away I needed
to access the box. I was just going to add a user, set his pass,
and got out. I had to connect via telnet. (only option)

I telnetted in as a standard user, then used ssh root?

Guess someone was watching the stream...