Hola! Sorry to hear of your hacker incidents.
Some things you need to do right now:
nmap your server from another clean box:
Such as: nmap -p 1-65535 yourServersIPhere
This will produce results showing which port-based backdoors, if any,
are listening for the hacker to return. Look for ports that are not supposed
to be running. Ones that really stand out are ones that spell things with numbers, such as 31337, which in the hacker world spells "elite" (yeah, they spell wrong).
Also look for hidden files and processes. When your server is hacked, the intruder
runs a rootkit which runs hidden processes on your system which you cannot see
because they replace your normal ps binary with a rooted/hacked ps binary that hides any process they wish to hide.
You can get a Linux binary here:
http://www.splitinfinity.com/resources/cp
that you can run on your server.
Right click on that and choose save-as, then put it on the hacked box and type:
chmod 0755 cp
then:
./cp
The results will show you any hidden processes running in your process tables.
It's a nice utility I use constantly to security audit machines here at SplitInfinity.
If your system has socklist installed, also run it: socklist
and study the results as they may point to hidden processes and ports running
as well.
Another great thing is: lsof
You use this to find where the hacker hid the files that are running as hidden processes, because sometimes they can be hard to locate. lsof will show you the
source of the programs running and keeping files and ports open in the system.
Before you kill any hidden processes, it's always good to run lsof and take a look so you can actually FIND the crap they installed on your box so they can't remotely trigger it again. (Sometimes they install things in the public_html directories, or even startup items that restart their hack kits when you reboot.)
Normally when your server is hacked, they replace all of the following binaries:
ls
lsof
md5sum
dir
ps
top
w
who
dirtree
socklist
ifconfig
/bin/login
sshd
ssh
proftpd
wuftpd
xinetd
inetd
etc. It is imperative that you start by installing a NEW md5sum package
and checking ALL your binaries against a known clean system and make sure the md5sums match. Basically the md5sums are like fingerprints, and if the file is at all different from what it is supposed to be, those fingerprints won't match what the real file should be.
Example:
md5sum /bin/ls
typing that produces this result:
49da757b7b5ba585836ceb00086b6d98 /bin/ls
Now if my /bin/ls was hacked, and a known true md5sum is the one above,
it would show completely different:
117c50271e390ba65561bce063301e7d /bin/ls
Now I know that 49da757b7b5ba585836ceb00086b6d98 is the REAL md5sum,
so if I get 117c50271e390ba65561bce063301e7d it must have been altered.
Also, using the find command can find files that have been recently modified.
This only works if the hacker is sloppy as they normally replace find as well
and alter the dates so you cannot tell they modified anything....
Hidden files....
A simple:
locate ...
locate ".. "
might reveal some hidden directories they planted on your system
however keep in mind that locate was most likely hacked as well.
Anytime your system is compromised, you can replace all the binaries.
It's a good idea to make a backup of your system prior to putting it online
so you can simply restore a full set of binaries like /bin or /sbin in one fell swoop.
Once you know the binaries are ok, you can start to clean things up because you have the proper VIEW of your system.
A lot of people get hacked and then think they got the hacker out, but they only
think this because of the VIEW the hacker is giving them of their system.
They make things look normal when in fact they are far from it.
A hacker will sit and watch you and laugh about it the entire time.
If you need anything, security work, etc, feel free to call on us.
SplitInfinity Networks - Web Hosting, Co-location and Dedicated Servers
Managed - or Not. But always secure.
:-)
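As an added example (not part of the post above, nor a SplitInfinity tool), here is a small POSIX shell script that does the md5sum baseline check the post calls imperative: record fingerprints of a binary directory on a known-clean system, then compare a later snapshot and report anything altered or missing. It assumes the md5sum used for the check is itself trusted (freshly installed or run from clean media), and the demo works on constructed sample files in a temp directory rather than a real /bin.

```shell
#!/bin/sh
# Baseline fingerprinting of binaries, as described in the post.
# Assumption: md5sum on the checking box is trusted, not the rootkit's copy.

# make_baseline DIR MANIFEST
#   Writes "<md5>  <relative path>" for every regular file under DIR,
#   in sorted order so two manifests can also be diffed directly.
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          md5sum "$f"
      done ) > "$2"
}

# check_baseline DIR MANIFEST
#   Recomputes each fingerprint from the manifest and prints
#   "ALTERED <path>" or "MISSING <path>" for anything that no longer matches.
#   Returns 0 when every file matches, 1 otherwise.
check_baseline() {
    dir=$1; manifest=$2; bad=0
    while read -r sum path; do
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING $path"; bad=1
        elif [ "$(md5sum "$dir/$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "ALTERED $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Constructed demo: a fake bin/ with two "binaries", fingerprinted while
# clean, then one is replaced and one deleted to simulate a rootkit install.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    printf 'original ls\n' > "$tmp/bin/ls"
    printf 'original ps\n' > "$tmp/bin/ps"
    make_baseline "$tmp/bin" "$tmp/baseline.md5"   # taken on the clean system
    printf 'trojaned ps\n' > "$tmp/bin/ps"          # replaced binary
    rm "$tmp/bin/ls"                                # deleted binary
    check_baseline "$tmp/bin" "$tmp/baseline.md5"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "baseline mismatches found (expected in this demo)"
```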