On Tue, 27 Mar 2001, Chris Janicki wrote:

> Hi, I'm brand new to Linux, although I know Solaris. I was working on my
> brand new Red Hat 6.2 Linux machine (soon to be my web server, email
> server, etc.) when I noticed an email returned to root. It was from

If you're going to use a Linux machine for those purposes, the absolute first thing you must do (immediately after installing RH on it) is download all the updates from Red Hat's FTP site or a mirror, and upgrade what you have installed.

The absolute second thing that you must do is learn how to configure your system to be a firewall, and do it. Only then should you even think about running services from this machine.

After you do those things, the third thing that you absolutely must do is turn off all services that you do not absolutely need.

The fourth thing you must do is spend time on configuring the services that you NEED to run, so that you have made them as safe and secure as you possibly can. Limit access to those services as much as possible, through both configuration of the services, and configuration of your firewall and other mechanisms (like TCP wrappers), where appropriate.

Finally, you must keep up-to-date on security announcements and patches for your software. The system security mantra is "Security is a process, not a product." You are NEVER DONE!

> Yahoo, saying that the destination's email box was full. The subject of
> the email was my IP address! Knowing that I hadn't sent any email, I did
> 'grep yahoo /bin/*' and found that email address in login, ps, ls, and
> netstat. I've been hacked, right?!

Yup, sounds like you were probably the victim of the Lion Worm. Time to re-install. THERE IS NO OTHER WAY! Once your system has been compromised, the only sure way to recover is to wipe it clean and install fresh. Since this was a new machine, this probably won't be too big a deal for you, as you probably don't have much there that you can't live without.

> 1) What can I do to replace those files? I spent many hours configuring
> box, so I don't want to start from scratch.

If you want to be a responsible Netizen, you MUST start from scratch. Otherwise, you cannot guarantee that you have completely cleaned the box and not left behind back doors that were installed by the worm. Intrusion Detection Systems such as tripwire (www.tripwire.com) can HELP identify what has been damaged, but a talented and determined attacker can defeat virtually any security measure, given enough time.

> 3) Is there any particular hole in RedHat 6.2 that I need to address.
> (It was preconfigured on the machine I bought from Penguin, in December.)

Several. The two most commonly exploited holes at the moment are the statd buffer overflow and various named exploits. You MUST get the security updates from Red Hat for these problems. But there are others too. See the support area of Red Hat's website and look at the security updates. Install them all.

For more information on the Lion Worm, see this link to an announcement from the good people at GIAC, on the SANS website:

http://www.sans.org/y2k/lion.htm

--
Derek Martin
Senior System Administrator
Mission Critical Linux
martin at MissionCriticalLinux.com
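Derek's reply mentions tripwire as the kind of tool that can help show which files an intruder touched, and Chris found the worm by grepping for a string in /bin. The script below is an added example, not code from the post, from tripwire or from BLU: it records a SHA-256 hash of every file under a directory on a clean, patched system and later reports what was MODIFIED, MISSING or ADDED. It assumes sha256sum, awk, find, sort and mktemp are available (Red Hat 6.2 predates sha256sum, but the idea is the same) and that paths contain no whitespace; the directory it demonstrates on is a constructed stand-in for /bin, not real system binaries.

```shell
#!/bin/sh
# Added example (not from the post or BLU): a minimal file-integrity baseline
# of the kind Derek describes tripwire providing. It records a SHA-256 hash for
# every regular file under a directory, then reports files that were MODIFIED,
# MISSING or ADDED relative to that record. Assumes sha256sum, awk, find, sort
# and mktemp are available; paths are assumed not to contain whitespace.

# Hash every regular file under $1, sorted by path so output is reproducible.
_hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# integrity_baseline DIR BASELINE_FILE: write the trusted record.
# Take it from a freshly installed, fully patched system and keep a copy
# somewhere the machine cannot rewrite it (read-only media, another host).
integrity_baseline() {
    _hash_tree "$1" > "$2"
}

# integrity_verify DIR BASELINE_FILE: print one finding per line and return 1
# if anything differs from the record; return 0 and print nothing otherwise.
integrity_verify() {
    current=$(mktemp)
    _hash_tree "$1" > "$current"
    findings=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # baseline: path -> hash
        {
            seen[$2] = 1
            if (!($2 in base))       print "ADDED " $2
            else if (base[$2] != $1) print "MODIFIED " $2
        }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$2" "$current")
    rm -f "$current"
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Demonstration on a constructed stand-in for /bin (not real system binaries).
demo_run() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    printf 'stand-in for ls\n' > "$tmp/bin/ls"
    printf 'stand-in for ps\n' > "$tmp/bin/ps"
    integrity_baseline "$tmp/bin" "$tmp/baseline.sha256"
    echo "clean tree:"
    integrity_verify "$tmp/bin" "$tmp/baseline.sha256" && echo "  matches baseline"
    # Simulate what the post describes: a replaced ps, a removed file, an extra file.
    printf 'replaced ps\n' > "$tmp/bin/ps"
    rm "$tmp/bin/ls"
    printf 'dropped by intruder\n' > "$tmp/bin/.hidden"
    echo "after tampering:"
    integrity_verify "$tmp/bin" "$tmp/baseline.sha256" || echo "  differs from baseline"
    rm -rf "$tmp"
}

demo_run
```

On a Red Hat box the package-level equivalent is `rpm -Va`, which checks installed files against the RPM database. Either check has the same limitation Derek points out: on a compromised machine, sha256sum, find, awk and rpm may themselves have been replaced, so run the comparison from trusted boot media, keep the baseline off the machine, and treat a clean report as "nothing found", not as proof that the box is clean. That is why the advice to reinstall stands.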