
Thread: Is anything unauthorized running at startup

  1. #1
    Join Date
    Apr 2008
    Location
    Kansas City
    Beans
    509

    Finding out why a server was compromised / hacked

    I powered up some old hardware that was running Ubuntu 10.04, plugged it in and forgot about it for a few months because I got busy doing other things. Then one day it started sending out a bunch of DoS attacks, so many that it ate all my bandwidth and I couldn't get to the internet.

    Internet is back now that I shut the server down. ^phew^

    But how can I see what was going on with it?

    When I boot it up without a network connection I can't log in; it must be constantly running a process that makes it too busy to respond to my login request. So I signed on in single user mode and got access to the system.

    I checked sshd_config and root logins were permitted, but root should never have had a password configured for it, and root hadn't logged in according to /var/log/auth.log.

    I'd like to know what it was running, what account was compromised, and whether or not it was out of date on security patches.

  2. #2
    Join Date
    Apr 2008
    Location
    Kansas City
    Beans
    509

    Is anything unauthorized running at startup

    A Ubuntu 10.04 box was hacked.

    The network cable was pulled because it was eating all the bandwidth on the network.

    I wasn't able to log in anymore, so I started single user mode and changed the root password, and I still can't log in normally.

    I suspect something is running that shouldn't be.

    How can I find this rogue process and remove it from starting up?

    Nothing unusual is in cron or /etc/rc.local.

  3. #3
    Join Date
    Jul 2007
    Location
    Magic City of the Plains
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Is anything unauthorized running at startup

    Moved to Security Discussions.

  4. #4
    Join Date
    Oct 2005
    Location
    Wabasha MN
    Beans
    2,206
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: Is anything unauthorized running at startup

    If you run
    Code:
    top
    in a terminal, it will tell you what is running and what is using CPU, memory, and swap.
    Last edited by CharlesA; September 21st, 2012 at 10:14 PM. Reason: fixed case sensitive top ;-)

  5. #5
    Join Date
    May 2010
    Beans
    462
    Distro
    Ubuntu Development Release

    Re: Is anything unauthorized running at startup

    If nothing important is on there, formatting it is a quick way to your solution; otherwise it will consume a lot of your time doing forensics and troubleshooting.

  6. #6
    Join Date
    Feb 2006
    Beans
    457

    Re: Is anything unauthorized running at startup

    Slash and burn, slash and burn.
    Install a clean operating system, then add in backups, and you are ready to go. That may well be the fastest, surest way to get up and running.

  7. #7
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Is anything unauthorized running at startup

    Quote Originally Posted by Kissell View Post
    How can I find this rogue process and remove it from starting up?
    If the attacker has root, you can't do anything. There could be a rootkit, etc. It will take *far* more time to forensically analyze it than it's worth.

    Is this a desktop box or a server? You should attempt to figure out *how* you got hacked so you will learn a lesson for next time. But regardless, you need to format and reinstall fresh.

  8. #8
    Join Date
    Apr 2008
    Location
    Kansas City
    Beans
    509

    Re: Is anything unauthorized running at startup

    "top" won't work, because I can't get into the server except in single user mode, and it's clean at that point.

    I already copied the data off to another disk and built a new server, just messing with this old one to try to find out how it was compromised.

    I'd like to be able to prove that either an account had a weak password that was brute forced or a security exploit was taken advantage of: some solid evidence other than "I don't know, it just got owned".

  9. #9
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Is anything unauthorized running at startup

    Quote Originally Posted by rookcifer View Post
    If the attacker has root, you can't do anything. There could be a rootkit, etc. It will take *far* more time to forensically analyze it than it's worth.

    Is this a desktop box or a server? You should attempt to figure out *how* you got hacked so you will learn a lesson for next time. But regardless, you need to format and reinstall fresh.
    Agreed. Just wipe the box and go on with your life.

    Quote Originally Posted by Kissell View Post
    "top" won't work, because I can't get into the server except in single user mode, and it's clean at that point.

    I already copied the data off to another disk and built a new server, just messing with this old one to try to find out how it was compromised.

    I'd like to be able to prove that either an account had a weak password that was brute forced or a security exploit was taken advantage of: some solid evidence other than "I don't know, it just got owned".
    top should run fine even in single user mode. As for seeing what happened, check here https://wiki.ubuntu.com/BasicSecurity/DidIJustGetOwned
    Last edited by CharlesA; September 21st, 2012 at 10:17 PM. Reason: spaces make all the difference

  10. #10
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Is anything unauthorized running at startup

    Quote Originally Posted by Kissell View Post
    I'd like to be able to prove that either an account had a weak password that was brute forced or a security exploit was taken advantage of: some solid evidence other than "I don't know, it just got owned".
    Can you answer some of those questions right now? Someone knows the usernames & passwords existing on the server, right? And someone knows if and how it got patched regularly, right? You know what services were running & on what ports, right? Who had access? What were they allowed to run? You'll probably uncover several security holes if you answer all those questions. That's what you present as the reason.

    If you can't answer these questions based on the existing documentation of the server, then that was your problem. Lesson = document everything, set policies & enforce them.

    IMO that will be a far quicker way to find out what went wrong than analyzing the box forensically.
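The evidence the original poster is after (which account was guessed, from where, and whether the box was patched) can be pulled from the old disk's logs without booting it at all. The script below is an added example, not something posted in the thread or part of Ubuntu: it parses the sshd lines of an auth.log and the upgrade lines of a dpkg.log, both copied off the compromised disk or read from a read-only mount of it. The log excerpts embedded here are constructed sample data with documentation-range IP addresses, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): offline triage of a compromised
# Ubuntu 10.04 disk. Point the functions at /var/log/auth.log and
# /var/log/dpkg.log copied from the old disk; the sample files below are
# constructed so the script runs stand-alone.

WORK="${TMPDIR:-/tmp}/triage.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed auth.log excerpt (IPs from the 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 documentation ranges).
SAMPLE_AUTH="$WORK/auth.log"
cat > "$SAMPLE_AUTH" <<'EOF'
Sep 20 03:12:01 oldbox sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep 20 03:12:04 oldbox sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Sep 20 03:12:09 oldbox sshd[1205]: Failed password for backup from 203.0.113.7 port 51244 ssh2
Sep 20 03:12:15 oldbox sshd[1207]: Accepted password for backup from 203.0.113.7 port 51250 ssh2
Sep 20 09:40:22 oldbox sshd[1401]: Failed password for root from 198.51.100.23 port 40122 ssh2
Sep 21 18:02:11 oldbox sshd[2210]: Accepted publickey for kissell from 192.0.2.10 port 50011 ssh2
EOF

# Constructed dpkg.log excerpt: the last recorded upgrade is months old.
SAMPLE_DPKG="$WORK/dpkg.log"
cat > "$SAMPLE_DPKG" <<'EOF'
2012-03-02 11:05:41 upgrade some-pkg 1.0-1 1.0-2
2012-03-02 11:05:43 status installed some-pkg 1.0-2
2012-05-14 08:20:10 install other-pkg 0.1 0.1
EOF

# "count ip" for every source IP with Failed password events, busiest first.
failed_logins_by_ip() {
    grep 'Failed password' "$1" \
      | sed -n 's/.* from \([0-9.][0-9.]*\) port.*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# "count user" for the accounts that were guessed at, including "invalid user" ones.
failed_logins_by_user() {
    grep 'Failed password' "$1" \
      | sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from.*/\2/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Successful logins as "user method ip" (method is password or publickey).
accepted_logins() {
    grep 'Accepted ' "$1" \
      | sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.][0-9.]*\) port.*/\2 \1 \3/p'
}

# "user ip" for every success that came from an IP which also produced
# failures: the strongest log evidence of a guessed (brute-forced) password.
brute_force_successes() {
    failed_ips=$(failed_logins_by_ip "$1" | awk '{print $2}')
    accepted_logins "$1" | while read -r user method ip; do
        for f in $failed_ips; do
            if [ "$f" = "$ip" ]; then echo "$user $ip"; fi
        done
    done
}

# Date of the last package upgrade recorded in dpkg.log (empty if none), to
# answer "was it out of date on security patches".
last_upgrade_date() {
    grep ' upgrade ' "$1" | tail -n 1 | cut -d' ' -f1
}

echo "== failed logins by source IP";   failed_logins_by_ip "$SAMPLE_AUTH"
echo "== failed logins by account";     failed_logins_by_user "$SAMPLE_AUTH"
echo "== successful logins";            accepted_logins "$SAMPLE_AUTH"
echo "== likely brute-forced accounts"; brute_force_successes "$SAMPLE_AUTH"
echo "== last package upgrade";         last_upgrade_date "$SAMPLE_DPKG"
```

On the constructed data this reports 203.0.113.7 as the busiest source, root as the most-guessed account, and a password login to "backup" from the same IP that had just failed three times, which is exactly the kind of evidence the poster wants instead of "it just got owned". The dpkg.log date is only a lower bound on how stale the box was; if the attacker cleaned auth.log (a real possibility once they have root, as #7 notes), the absence of failures proves nothing, and the copy should be taken from the unmounted disk before anything else is done to it.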
