Re: Compromised Machine

On Sep 22, 2004, at 2:31 PM, Brian D. McGrew wrote:

It would appear that one of our machines was compromised last night via ssh. It turns out that one of our accounts called 'operator' didn't have a password on it (Hey, it's not 'my' machine) and someone came in via ssh. This was made obvious when we discovered the root password had been changed and the 'last' showed two logins from overseas. The machine was shut down immediately and they called me.

My questions are:

1) As an unprivileged user, how can someone change the root password? Our operator account is the lowest privileged account on the system, they can't shutdown, su or do anything. But the root password is changed.

Rootkit.

2) While bringing the machine back up, it hung while starting the network on device eth0 with the error that said "Error loading module ppp.o". We don't use ppp or anything even close. This machine is on a LAN and it's even very rarely logged into. Is it feasible to think that some sort of malicious software was installed or run on the system and if so, how can I tell?

It's likely that core utilities (modprobe, netstat, ls, etc) have been replaced. Don't trust anything.


3) Short of reinstalling the system, how can I tell what was done and go about fixing it? I know a reinstall would of course do it; and in the case of this machine we've only changed one line of one file otherwise it's a stock install.

Reinstall. Chalk it up to a learning experience. If you have the extra hardware, and you're so inclined, unplug the box and reinstall on a new system. Use the non-networked machine as an opportunity to practice your forensics skills.



--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
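A check for the root cause described in this thread, an account that can be logged into over ssh without any password: this is an added example, not code from the thread, the list or Red Hat, and the passwd/shadow records below are constructed samples rather than data from the compromised machine.

```python
"""Flag accounts that can log in without any password (passwd(5)/shadow(5) layout)."""
# Shells that refuse interactive logins; an empty password on such an account is less urgent
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_colon_file(text):
    """Parse colon-separated records into {account name: list of fields}."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            records[fields[0]] = fields
    return records

def find_passwordless_logins(passwd_text, shadow_text):
    """Return account names whose password field is empty (in shadow, or in passwd
    when the account is not shadowed) and whose shell still allows a login."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, pfields in passwd.items():
        if len(pfields) < 7:
            continue  # malformed record: skip rather than guess
        pw_field = pfields[1]
        if pw_field == "x" and name in shadow and len(shadow[name]) >= 2:
            pw_field = shadow[name][1]  # 'x' means the hash lives in /etc/shadow
        # '!' or '*' prefixes mean locked; any real hash is non-empty
        if pw_field == "" and pfields[6] not in NOLOGIN_SHELLS:
            findings.append(name)
    return sorted(findings)

# Constructed sample records (not taken from the machine in the thread)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
backup:x:34:34:backup:/var/backups:/sbin/nologin
guest::500:500::/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$constructedsalt$constructedhash:12500:0:99999:7:::
operator::12500:0:99999:7:::
daemon:*:12500:0:99999:7:::
backup::12500:0:99999:7:::
"""

if __name__ == "__main__":
    # On a live system pass the contents of /etc/passwd and /etc/shadow (root needed for shadow)
    for acct in find_passwordless_logins(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"WARNING: '{acct}' has an empty password and a login shell")
```

Run it from trusted media against the suspect disk's /etc files rather than on the compromised system itself, since its own utilities may have been replaced.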



--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
