Help!! Hacked by a .gov server!
Posted by LinuxLinuxLinux, 08-10-2014, 03:16 AM |
I was hacked from a .gov IP!!
RKhunter hasn't found anything and I don't see any unusual files.
That IP has logged in several times.
What should I look for in this case?
|
Posted by S-Jack, 08-10-2014, 03:40 AM |
Where/how did they hack you / get access from?
I don't think the government would hack you though.
|
Posted by LinuxLinuxLinux, 08-10-2014, 03:55 AM |
I'm still investigating, they logged in as a user which had a really complicated password, and without any failed login attempts, and then somehow added an SSH key for root.
|
Posted by Server Management, 08-10-2014, 04:13 AM |
Some government related servers are actually in worse condition than one would like to think. Recently the NHS came under fire for having hundreds of insecure WordPress installations across a multitude of servers.
|
Posted by LinuxLinuxLinux, 08-10-2014, 04:20 AM |
[Site removed] as it may still be vulnerable.
|
Posted by LinuxLinuxLinux, 08-10-2014, 04:46 AM |
What's weird is every time I log in it says:
Last login: Sun Aug 10 03:44:19 2014 from 207.14.xx.xx
Even if I log back out, then back in quickly, the last login will be from 207.14.xx.xx
|
Posted by EthernetServers, 08-10-2014, 05:09 AM |
You really do need a qualified system administrator to investigate this for you. Running anti-virus/malware scans won't achieve much. It's all very well removing malware, but the key thing is finding out how the unauthorized access was gained.
|
Posted by LinuxLinuxLinux, 08-10-2014, 05:20 AM |
There's definitely a rootkit on here, funny that rkhunter didn't detect it.
|
Posted by Infinitnet, 08-10-2014, 05:22 AM |
They probably did that to hide their logins. Check the attributes (lsattr) of /var/log/wtmp to see if it has been changed to read-only or something. In any case I would strongly recommend booting your server in recovery mode, making a full disk backup with dd and downloading it for further investigation (do that locally or on a server without a public IP), and then reinstalling your server.
|
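The frozen "Last login" banner described above and Infinitnet's advice to look at /var/log/wtmp can be checked directly from the raw log files. The following is an added example, not code from the thread: it parses the x86_64 glibc record layouts of utmp/wtmp and lastlog (an assumed platform) and flags a user whose lastlog entry lags behind the newest wtmp login, using constructed sample records with documentation-range addresses.

```python
import struct
# Record layouts as glibc packs them on x86_64 Linux (assumed platform):
# struct utmp is 384 bytes per record, struct lastlog is 292 bytes indexed by UID.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
LASTLOG_FMT = "<i32s256s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # 384
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)  # 292
USER_PROCESS = 7  # ut_type of a completed interactive login

def _cstr(b):
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")

def wtmp_logins(wtmp, user):
    """Return (epoch, tty, host) for every successful login of `user` in wtmp bytes."""
    found = []
    for off in range(0, len(wtmp) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = struct.unpack_from(UTMP_FMT, wtmp, off)
        if rec[0] == USER_PROCESS and _cstr(rec[4]) == user:
            found.append((rec[9], _cstr(rec[2]), _cstr(rec[5])))
    return found

def lastlog_entry(lastlog, uid):
    """Return (epoch, tty, host) that the 'Last login:' banner prints for this UID."""
    t, line, host = struct.unpack_from(LASTLOG_FMT, lastlog, uid * LASTLOG_SIZE)
    return t, _cstr(line), _cstr(host)

def lastlog_mismatch(wtmp, lastlog, user, uid):
    """True when lastlog disagrees with the newest wtmp login for the user: one of
    the two files was skipped or rewritten, which is how a frozen banner arises."""
    logins = wtmp_logins(wtmp, user)
    if not logins:
        return False
    newest = max(logins)
    ll = lastlog_entry(lastlog, uid)
    return (ll[0], ll[2]) != (newest[0], newest[2])

def _utmp(ut_type, line, user, host, epoch):
    return struct.pack(UTMP_FMT, ut_type, 4242, line.encode(), b"ts/0", user.encode(),
                       host.encode(), 0, 0, 0, epoch, 0, 0, 0, 0, 0)

def _lastlog(uid, epoch, line, host):
    pad = b"\0" * (uid * LASTLOG_SIZE)  # entries for lower UIDs left empty
    return pad + struct.pack(LASTLOG_FMT, epoch, line.encode(), host.encode())

# Constructed sample: wtmp holds two logins, but lastlog was never advanced past
# the first one. Addresses are from documentation ranges, not from the thread.
WTMP = (_utmp(USER_PROCESS, "pts/0", "admin", "203.0.113.7", 1407642259)
        + _utmp(USER_PROCESS, "pts/1", "admin", "198.51.100.9", 1407649000))
STALE_LASTLOG = _lastlog(1000, 1407642259, "pts/0", "203.0.113.7")
FRESH_LASTLOG = _lastlog(1000, 1407649000, "pts/1", "198.51.100.9")
```

On a mounted disk image, feed it the bytes of /var/log/wtmp and /var/log/lastlog plus the user's UID; a mismatch means one of the two files was not written (or was altered) for that login.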
Posted by Infinitnet, 08-10-2014, 05:23 AM |
PS: It could be the Ebury SSH Rootkit by the way (too few details to tell for sure), read: https://www.cert-bund.de/ebury-faq
|
Posted by Server Management, 08-10-2014, 05:37 AM |
They could have gained entry through an insecure script, plugin or anything else using a privilege escalation, so reinstalling the server would be moot...
|
Posted by Infinitnet, 08-10-2014, 05:39 AM |
I didn't think it was necessary to mention that of course the disk image should be audited first to find and close the vulnerability - I thought that would go without saying, because it's kinda obvious.
|
Posted by Server Management, 08-10-2014, 05:46 AM |
That was different to what you said:
In the above you never said anything about doing a server audit, locating and fixing the issue, then looking to see if any backdoors have been left behind. Instead you just used the knee-jerk reaction most use round here and simply reinstall, just to find in 2 weeks' time the problem is back because your desktop is infected or that custom WHM plugin you're using is crap, insecure and lets any user access the root user on your server.
|
Posted by Infinitnet, 08-10-2014, 06:02 AM |
Who just reinstalls a server after it was compromised and then doesn't close the security hole that led to it getting compromised? That would be utterly stupid and not even a half-decent sysadmin would do that or even think about it. The correct sentence would have been:
"In any case I would strongly recommend to boot your server in recovery mode, make a full disk backup with dd and download it for further investigation (do that locally or on a server without a public IP) and then reinstall your server and close the vulnerability that you found during the audit of the image you created, before you make your services publicly accessible again."
|
Posted by LinuxLinuxLinux, 08-10-2014, 12:01 PM |
It appears the .gov IP was part of the root kit, and that IP didn't actually hack the server.
I found a vulnerable user application, but I'm not sure how they got root access.
The kernel was 3-6 months old (CentOS 6) and it had a standard LAMP stack on it, PHP 5.4.x, MariaDB, Apache 2.2.x, as well as email: Postfix, Postgrey, Amavisd, Dovecot, SpamAssassin.
I'm not sure on the exact versions, I actually noticed it was compromised after I ran a yum -y update, so all the versions are new now.
Any ideas how they got root?
|
Posted by LinuxLinuxLinux, 08-10-2014, 01:37 PM |
The kernel it has was:
2.6.32-431.11.2.el6.x86_64
Is that one vulnerable?
|
Posted by Steven, 08-10-2014, 10:40 PM |
You can fake syslog entries by calling logger directly fwiw.
|
Posted by LinuxLinuxLinux, 08-10-2014, 11:13 PM |
Yep, those logs are definitely spoofed.
Is that kernel secure?
2.6.32-431.11.2.el6.x86_64
It might have had 2.6.32-431.5, if it wasn't rebooted when .11 was installed.
|
Posted by Srv24x7, 08-11-2014, 09:38 AM |
Hi,
First of all, restrict root SSH access to your IP and then perform the following things to get to the root cause.
1. Get a full scan of your server.
2. Search for symlinks to root if any.
3. Check the /tmp directory.
4. Check the secure, audit logs of the server.
|
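Steps 2 to 4 of that checklist as shell functions, added here as an example and not code from the thread. Each function takes the root of a mounted disk image (a path such as /mnt/image is an assumed placeholder) so the checks run against the offline copy rather than the possibly rootkitted live host; the log-line format assumed is the usual OpenSSH "Accepted ... for root from" entry in /var/log/secure.

```sh
#!/bin/sh

# 2. Symlinks under home and temp directories that point into root-owned
#    configuration (the classic "symlink to root" web-hosting trick).
find_suspicious_symlinks() {
    root="$1"
    find "$root/home" "$root/tmp" "$root/var/tmp" -type l 2>/dev/null | while read -r link; do
        target=$(readlink "$link")
        case "$target" in
            /etc/*|/root/*) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# 3. Executable regular files in /tmp and /var/tmp; dropped binaries and
#    scripts usually land here first.
find_tmp_executables() {
    root="$1"
    find "$root/tmp" "$root/var/tmp" -type f -perm -u+x 2>/dev/null
}

# 4. Successful root logins from the secure log, counted per auth method and
#    source address, so a key-based root login from an unknown host stands out.
root_logins_from_secure() {
    grep -E 'sshd\[[0-9]+\]: Accepted (password|publickey) for root from' "$1" |
        sed -E 's/.*Accepted ([a-z]+) for root from ([0-9a-fA-F.:]+).*/\1 \2/' |
        sort | uniq -c
}
```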