Hacked

B

bitingenius

One of our servers was hacked last night. I got an email from the server with subject "isdnd: unknown incoming telephone call" which tipped me off. They had replaced the /etc/pam.d files with BT phone related stuff, weird. I could login to my account but there was no root access from anywhere, not even the console. That's fixed, and I think I've secured the original entry point, but I don't know much about back doors and such, does anyone know of a good source for info on this sort of thing? I'd like to make sure they don't still have access to the server....

We've only been hacked a couple times in the past 15 years, at least so far as we know...
 
If they were able to modify files in /etc/ that would mean they had root access. Best thing to do is to take the server offline and reinstall everything from scratch. Don't forget to update everything while you're doing that to prevent them from doing it again.
 
If I were you,

a) Create disk image and save to some where to trace cracking activity and how they gained back access.
b) As above poster said, format everything, apply all patches including firewall. Secure your apps and go online.
 
I would take it off line copy the drive and perform forensics, if you are not going to take it to the police.

If you want to take this to the next level I would also see if your local constabulary has a cyber crime unit I know a few of them are taking this kind of crime very seriously, I believe Liverpool (Merseyside) has one as part of it's fraud department.But do not under any circumstances perform any forensics of your own as this will invalidate any evidence you or the police collect.
 
saxon3049 said:
I would take it off line copy the drive and perform forensics, if you really want to take this to the next level I would also see if your local constabulary has a cyber crime unit I know a few of them are taking this kind of crime very seriously, I believe Liverpool (Merseyside) has one as part of it's fraud department.
Click to expand...

If you really want to take it the next level, don't do the forensics yourself. Don't do anything to the system until law enforcement can take a look.

If you do meddle with it yourself you're bound to destroy evidence, not to mention the all important chain of evidence.
 
J65nko said:
Before going online I would recommend to install a file integrity checker like tripwire or aide. That way you you can check whether you have been hacked or not.
Click to expand...
I can not believe that that advice came out of your mouth. I have very high opinion of you and your knowledge. Can you honestly trust tripwire or some crap like that. Actually, Sir Dice have given the best advice so far. If he believes that his server is rooted he should call law enforcement which in turn should preform competent forensic analysis. If the content of the server is not that important he should do fresh installation possibly even flushing BIOS first and using completely new HDD.
 
SirDice said:
If you really want to take it the next level, don't do the forensics yourself. Don't do anything to the system until law enforcement can take a look.

If you do meddle with it yourself you're bound to destroy evidence, not to mention the all important chain of evidence.
Click to expand...

Sorry I forgot to add that, i will edit my post thanks SirDice.
 
Well I won't tell you what to do with the server since the obvious thing is to let the police handle it (assuming you are in a country with a serious police force, otherwise reply here).

For future reference, if you are concerned about security issues try using freebsd jails and applying patches more often. man security for more info
 
Thanks people. I'm going to rebuild the server, which will be no easy task. A local liquor store was hacked last week for 1000's of credit card numbers, so I did call the constable, but they aren't interested unless there's some glory in it, like cc numbers... I had to fetch a new card from my bank twice, they thought they had the liquor store problem fixed, but they didn't... This is all mine to fix...
 
Actually, I think the HIDS (I recommend aide) advice is very apt. But you need to have created a HIDS db before the system was (supposedly) cracked, or it does you absolutely no good. ;)
 
Pretty sure j65nko was recommending to install tripwire/aide on the freshly installed system before it's brought online.
 
bitingenius said:
Thanks people. I'm going to rebuild the server, which will be no easy task. A local liquor store was hacked last week for 1000's of credit card numbers, so I did call the constable, but they aren't interested unless there's some glory in it, like cc numbers... I had to fetch a new card from my bank twice, they thought they had the liquor store problem fixed, but they didn't... This is all mine to fix...
Click to expand...

If the site uses a home mode web application have a long hard look at it. Or have someone else audit the code. Even if you would rebuild the server, apply all the patches etc. if the web app itself is vulnerable you'll be hacked again in no time at all.

Also verify your local laws regarding storage of CC numbers, AFAIK according to US law you're not allow to store those.

Note that even though tripwire and all are quite helpful, they will only aid in detection of modified files after the fact. The best thing to do is to prevent people from getting in in the first place.
 
SirDice said:
Also verify your local laws regarding storage of CC numbers, AFAIK according to US law you're not allow to store those.
Click to expand...

That can't be true or just about every reoccurring business charge would be impossible.
 
gordon@ said:
That can't be true or just about every reoccurring business charge would be impossible.
Click to expand...

I think internet business's have to pass a certification/security level before they can hold the card numbers. I dont remember the names of anything or specifics, but someone I knew awhile back was dealing with getting this set up, and the regulations.
 
I think internet business's have to pass a certification/security level before they can hold the card numbers. I dont remember the names of anything or specifics, but someone I knew awhile back was dealing with getting this set up, and the regulations.
Click to expand...


yep, it's PCI/DSS your referring to. they are allowed to store them as long as they are encrypted.i deal with this crap all the time. PCI is really a joke...
 
You must log in or register to reply here.
Back
Top