WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: hacked - need advice  (Read 6062 times)

Offline alu

  • Sr. Member
  • ****
  • Posts: 429
hacked - need advice
« on: December 30, 2009, 12:34:43 PM »
one of my wlan servers has been attacked recently; i am running mc 2.7 without firewall on it, and i control it by ssh; i have vsftpd on and 3 users in ~ added to tc; i just wanted to share some pictures and video of familly with relatives and friends; i have a fixed ip (from provider) and i have forwarded 21 and 22 ports.

the att-hack: a hacker has hacked a user account in ~ on the server, and he has installed a rtpd daemon; i have no damage on anything, but my connection was obviously very low. It tooks me a couple of hours in order to find the problem.

first reflex: i have restarted the server and installed the tinycore-2.6.29 firewall; but i want to prevent such attacks in the future and want to know your mind about possible solutions in order to secure my server at best.

Offline robc

  • Sr. Member
  • ****
  • Posts: 447
Re: hacked - need advice
« Reply #1 on: December 30, 2009, 01:11:56 PM »
I always disable external uptime detection and icmp ping responses. Makes it harder to find. Just put this in bootlocal.sh:
Code: [Select]
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

With vsftpd you can change the ftp port number, I would change this to a unique number (http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers). I would also utilize the chroot ftp features in vsftpd. The ssl version can also be used, depending on who the attacker is and the strength of your cert this can either improve your security or make it worse. There are many options with this, I would recommend reviewing the configuration options here: http://vsftpd.beasts.org/vsftpd_conf.html
"Never give up! Never surrender!" - Commander Peter Quincy Taggart

"Make it so." - Captain Picard

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 10668
Re: hacked - need advice
« Reply #2 on: December 30, 2009, 01:50:49 PM »
If you haven't already, enable syslog. And just to be sure, change all passwords.
The only barriers that can stop you are the ones you create yourself.

Offline gerald_clark

  • TinyCore Moderator
  • Hero Member
  • *****
  • Posts: 4254
Re: hacked - need advice
« Reply #3 on: December 30, 2009, 02:10:19 PM »
Get rid of ftp and use scp.

Offline althalus

  • Sr. Member
  • ****
  • Posts: 351
Re: hacked - need advice
« Reply #4 on: December 30, 2009, 02:58:17 PM »
Get rid of ftp and use scp.
And disable ssh access via passwords and only allow access via keys. Show your friends and family how to use winSCP to access the files.

Offline bmarkus

  • Administrator
  • Hero Member
  • *****
  • Posts: 7166
    • My Community Forum
Re: hacked - need advice
« Reply #5 on: December 30, 2009, 03:17:53 PM »

the att-hack: a hacker has hacked a user account in ~ on the server, and he has installed a rtpd daemon; i have no damage on anything, but my connection was obviously very low. It tooks me a couple of hours in order to find the problem.


My first question is not how to prevent but to understand how it happened?
Béla
Ham Radio callsign: HA5DI

"Amateur Radio: The First Technology-Based Social Network."

Offline gerald_clark

  • TinyCore Moderator
  • Hero Member
  • *****
  • Posts: 4254
Re: hacked - need advice
« Reply #6 on: December 30, 2009, 03:27:44 PM »
If he was any good, you will never know.

Offline philip

  • Full Member
  • ***
  • Posts: 125
Re: hacked - need advice
« Reply #7 on: December 30, 2009, 11:11:13 PM »
I got hacked once too, at work. It made our sysadmin's usual paranoia seem wise. He pointed out that everything on a system that has been compromised is tainted and cannot be trusted. It's imperative to verify that all your files and extensions are exact copies of the official versions in the repository, and to replace any that are not. jpeters provides a script that automates this process. Also mc's self-cleaning architecture is a real asset at times like this: just reboot! But then find a way to safeguard the integrity of your extensions: mine is to store them all on a USB key that I physically unplug from the machine soon after booting it. [This suggestions comes in addition to your own wise countermeasures and the good advice of others in this thread.]

Offline alu

  • Sr. Member
  • ****
  • Posts: 429
Re: hacked - need advice
« Reply #8 on: December 31, 2009, 01:22:10 AM »
thanks to all for your answers; frankly, i don't know how the attacker did it (i hadn't a syslog daemon on); i had disabled the ping detection on my router, and i had chrooted the users in vsftpd; what had happened is the following:

1. the attacker has found a possibility to log in as one of the users on my server; i assume that he had detected my public IP and found the password of this user in order to log in, and that he probably did it through the port 21;
2. he had copied files within the directory of this user in order to start a chat program (the rtpd daemon);
3. he had started a rtpd daemon as user, what i have seen with netstat -a; but it was impossible to stop or delete the daemon (i have tried to kill the PID of the rtpd daemon as root, without success).

you should be right saying that i should only use ssh and scp; also, i am using mc from a cf-card with only a few extensions (the wireless extensions, openssh), and i keep my files on a separate usb disk; i then mount only a few directories in the userland of each users; i was thinking about the possibility to encrypt the mountpoints or the users' accounts - do you think that this is possible and that it would reinforce the security on my server? 

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 10668
Re: hacked - need advice
« Reply #9 on: December 31, 2009, 01:56:00 AM »
If you keep them mounted, it doesn't matter if they are encrypted or not.
The only barriers that can stop you are the ones you create yourself.

Offline Pats

  • Sr. Member
  • ****
  • Posts: 322
Re: hacked - need advice
« Reply #10 on: January 01, 2010, 05:49:55 AM »
Hi I am just a learner and naive in Linux.
But would like to share my experience here:
My previous employers office network used to get hacked many-a-times.
The experienced admin of the system used to take all the possible security care as per the Security RedBook. But still the attacks were going on for a while , and ultimately the culprit was the negligence of one of the employees psword which he used to writedown just below his mousepad. I read somewhere that most of the time the problem is found somewhere in the users pwword habits rather than outside threats !

Somebody on this forum had suggested abt the custom remastering of the
TCL along with custom security needs ! Is that meaningful ?

Off-cource nobody can stop the determined hacker - they say !
~ Pats

aus9

  • Guest
Re: hacked - need advice
« Reply #11 on: April 20, 2010, 04:24:21 PM »
hi

all the advice above on hardening is good...I could suggest more but re-look at this intention pls?

Quote
i just wanted to share some pictures and video of familly with relatives and friends

Why not upload to a file sharing site?

I am aware I can not advertise such sites here but a google will show them. I am talking free only below.

Some allow private viewing and some need to be public viewing.
Some need to show ads
Some are time based....if nothing downloaded they close
Some are time based before a download starts......and you get cute ads to watch in the meantime

good luck