I got hacked 3 times

Post by roman dissertor » Sat, 28 Jun 2003 18:07:23



Hello anyone,

I'm using the operating System Linux  - RedHat9
I'm totally a newbie in linux-security and that's why I've got a Problem:
A month ago, I got hacked by someone 3 times!
I always had to reinstall my distribution for security reasons.
People in groups.google suggested to do so after a successful hack.
I changed the _standard known_ portnumbers and I denied the access for all
incoming internet connections to the ports 0-1024 and mysql per protocol tcp
and udp in my ipchains.
Is that enough or - what else should I do to prevent him/her from
hacking into my computer again (and it would be nice if I could trace him
back  and do something about it)
Any suggestions?

 
 
 

Post by Bash 139289523 » Sat, 28 Jun 2003 18:13:27


On Fri, 27 Jun 2003 11:07:23 +0200

RD> Hello anyone,
RD>
RD> I'm using the operating System Linux  - RedHat9
RD> I'm totally a newbie in linux-security and that's why I've got a Problem:
RD> A month ago, I got hacked by someone 3 times!
RD> I always had to reinstall my distribution for security reasons.
RD> Poeple in groups.google suggested to do so after a successful hack.
RD> I changed the _standard known_ portnumbers and I denied the access for all
RD> incoming internet connections to the ports 0-1024 and mysql per protocol tcp
RD> and udp in my ipchains.
RD> Is that enough or - what should else should I do to prevent him/her from
RD> hacking into my computer again (and it would be nice if i could trace him
RD> back  and do something about it)
RD> Any suggestions?

Keep your software up to date. And read the security news for your RH Linux.

--
Biomechanical Artificial Sabotage Humanoid

 
 
 

Post by Georg Armbruste » Sat, 28 Jun 2003 18:28:32



> Hello anyone,

> I'm using the operating System Linux  - RedHat9
> I'm totally a newbie in linux-security and that's why I've got a Problem:
> A month ago, I got hacked by someone 3 times!
> I always had to reinstall my distribution for security reasons.
> Poeple in groups.google suggested to do so after a successful hack.
> I changed the _standard known_ portnumbers and I denied the access for all
> incoming internet connections to the ports 0-1024 and mysql per protocol tcp
> and udp in my ipchains.
> Is that enough or - what should else should I do to prevent him/her from
> hacking into my computer again (and it would be nice if i could trace him
> back  and do something about it)
> Any suggestions?

Hi Roman!
First of all, use iptables instead of ipchains; it offers stateful-
inspection capabilities.

Then, don't change the port numbers of services; security through
obscurity was never supposed to work.

Use iptables to close all ports incoming, and only allow those
outgoing that you need (http/https/ftp/ssh, I guess).

Do not run any services that you don't use.

Make the services you decide to use listen only to the internal
interface.

Run an intrusion detection system like snort to get a couple of
points what is going on in your network.

Choose your system passwords carefully (your username backwards
is not a very secure password).

Use up2date to update your system regularly.

This should keep you quite safe :)
Peace,
Georg

 
 
 

Post by Nils Petter Vaskin » Sat, 28 Jun 2003 18:35:38



> Hello anyone,

> I'm using the operating System Linux  - RedHat9 I'm totally a newbie in
[snip]
> Any suggestions?

I assume that when you write hacked you actually mean cracked. The act of
breaking into a computer is cracking not hacking, although the press
refuse to understand that.

You already got good advice but there is more:

Make sure you actually got cracked, and didn't just run a trojan of some
sort. To avoid trojans: Don't run any {script,Makefile,programs,anything
else executable} from an untrusted source without looking over it first,
and certainly don't run it as root.

hth
NPV

 
 
 

Post by Khayma » Sat, 28 Jun 2003 19:11:47




> I'm using the operating System Linux  - RedHat9
> I'm totally a newbie in linux-security and that's why I've got a
> Problem: A month ago, I got hacked by someone 3 times!

How did you get "hacked"?
Why do you think you were "hacked"?

> I always had to reinstall my distribution for security reasons.
> People in groups.google suggested to do so after a successful hack.
> I changed the _standard known_ portnumbers and I denied the access for
> all incoming internet connections to the ports 0-1024 and mysql per
> protocol tcp and udp in my ipchains.

Did you verify by scanning your system from the outside that this was
really effective? If indeed you closed off all incoming ports with an
effective ipchains setup, there are very few ways anyone could ever crack
you...

Khay.

 
 
 

Post by roman dissertor » Sat, 28 Jun 2003 21:28:31


Ok, thank you very much everyone!
This advice is very useful to me
- I'll always look for updates for this linux-distribution
- Scanning my ports for any security holes from outside.

ps:
He/She cracked (thanks for teaching me the difference) my Computer through an
open Port, I don't know which one.
I noticed that hacker because he/she made _one_ mistake: He/She forgot to
delete the data in the /tmp folder where I found his evil scripts that
he/she executed -> One Script for example was for moving the logfiles into
/dev/null and lots of other stuff.

pps:
Sorry I don't use ipchains. I wrote it I know, but that was wrong -> I'm
using iptables.
I don't know much about the difference, but iptables is newer, right? (and I
guess better)


> Hello anyone,

> I'm using the operating System Linux  - RedHat9
> I'm totally a newbie in linux-security and that's why I've got a Problem:
> A month ago, I got hacked by someone 3 times!
> I always had to reinstall my distribution for security reasons.
> Poeple in groups.google suggested to do so after a successful hack.
> I changed the _standard known_ portnumbers and I denied the access for all
> incoming internet connections to the ports 0-1024 and mysql per protocol
tcp
> and udp in my ipchains.
> Is that enough or - what should else should I do to prevent him/her from
> hacking into my computer again (and it would be nice if i could trace him
> back  and do something about it)
> Any suggestions?

 
 
 

Post by Khayma » Sat, 28 Jun 2003 21:50:45




> Ok, thank you very much everyone!
> This advice is very useful to me
> - I'll always look for updates for this linux-distribution
> - Scanning my ports for any security holes from outside.

Sounds like a good start!
Good sites for scanning from the outside are grc.com (a little windows-
aimed and hyped, but still) and pcflank.com.
Nmap is a very good (and free) tool you can use for this as well.

> ps:
> He/She cracked (thanks for teaching me the difference) my Computer
> through an open Port, I don't know which one.

Well, it's not that the port was open, it's more that you had some
service sitting there unupdated!
Number one security tip: Make sure that the services you are running are
needed - running RPC/portmap/etc with no reason is not just unnecessary,
it's also quite dangerous!

Take a look at "netstat -tupan" - it will show which services are
listening to the internet, if nothing is listening then nothing can be
"hacked", at least not remotely.

> I noticed that hacker because he/she made _one_ mistake: He/She forgot
> to delete the data in the /tmp folder where I found his evil scripts
> that he/she executed -> One Script for example was for moving the
> logfiles into /dev/null and lots of other stuff.

Remember that once people run a so called "rootkit", or "hack" your linux
system, it's not your system anymore!
Any command can be lying to you - "ps"/"pstree" can be hiding evil
programs, "ls" can be hiding directories from you - if you know what to
do and how to clean up the mess they did, ok no need to re-install.
If you don't then please re-install your server and try better the next
time!

> Sorry I don't use ipchains. I wrote it I know, but that was wrong ->
> I'm using iptables.
> I don't know much about the difference, but iptables is newer, right?
> (and I guess better)

Ah well.. ipchains is older, came with the 2.2 series of kernel -
iptables is newer and better. They both lack the most important component
needed to create a near perfect firewall - a good administrator.
That's where you have to come in!

Good luck!

Khay.
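
The `netstat -tupan` check from the post above, as an added example that is not part of the original thread: a small filter that keeps only the sockets reachable from other machines (TCP in LISTEN state and unconnected UDP, bound to something other than loopback). The sample output and the function names are constructed for illustration, and, as the post says, the result is only trustworthy if the `netstat` binary itself is.

```shell
#!/bin/sh
# Constructed sample of `netstat -tupan` output (not taken from the thread).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      612/portmap
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      801/sendmail
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      745/sshd
tcp        0      0 192.168.1.10:22         192.168.1.2:40122       ESTABLISHED 1320/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           612/portmap
udp        0      0 127.0.0.1:123           0.0.0.0:*                           830/ntpd
EOF
}

# Reads netstat -tupan output on stdin and prints "proto local-address program"
# for every socket that accepts traffic on a non-loopback address.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)/              { next }  # header lines
        $1 ~ /^tcp/ && $6 != "LISTEN"   { next }  # established, time-wait, ...
        $1 ~ /^udp/ && $5 !~ /:\*$/     { next }  # connected UDP sockets
        $4 ~ /^127\./ || $4 ~ /^::1:/   { next }  # loopback only, not reachable remotely
        {
            # UDP rows have an empty State column, so the program is one field earlier.
            prog = ($1 ~ /^tcp/) ? $7 : $6
            if (prog == "") prog = "-"
            print $1, $4, prog
        }'
}

# Demo on the constructed sample; on a real host run as root:
#   netstat -tupan | exposed_listeners
sample_netstat | exposed_listeners
```

Every line it prints is a service that either needs to be patched and firewalled or switched off; here portmap on TCP and UDP 111 is the kind of unneeded service the post warns about.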

 
 
 

Post by Nico Kadel-Garci » Sat, 28 Jun 2003 21:52:44



> Hello anyone,

> I'm using the operating System Linux  - RedHat9
> I'm totally a newbie in linux-security and that's why I've got a Problem:
> A month ago, I got hacked by someone 3 times!
> I always had to reinstall my distribution for security reasons.
> Poeple in groups.google suggested to do so after a successful hack.
> I changed the _standard known_ portnumbers and I denied the access for all
> incoming internet connections to the ports 0-1024 and mysql per protocol tcp
> and udp in my ipchains.
> Is that enough or - what should else should I do to prevent him/her from
> hacking into my computer again (and it would be nice if i could trace him
> back  and do something about it)
> Any suggestions?

Have you installed all the security patches before exposing it to the
Net? Did you change *all* your passwords? How did they hack you?
 
 
 

Post by roman dissertor » Sat, 28 Jun 2003 22:14:52




> > Hello anyone,

> > I'm using the operating System Linux  - RedHat9
> > I'm totally a newbie in linux-security and that's why I've got a
Problem:
> > A month ago, I got hacked by someone 3 times!
> > I always had to reinstall my distribution for security reasons.
> > Poeple in groups.google suggested to do so after a successful hack.
> > I changed the _standard known_ portnumbers and I denied the access for
all
> > incoming internet connections to the ports 0-1024 and mysql per protocol
tcp
> > and udp in my ipchains.
> > Is that enough or - what should else should I do to prevent him/her from
> > hacking into my computer again (and it would be nice if i could trace
him
> > back  and do something about it)
> > Any suggestions?

> Have you installed all the security patches before exposing it to the
> Net? Did you change *all* your passwords? How did they hack you?

- No, I haven't, but I will do it as soon as possible
- Of Course I changed all standard-password into non-standard passwords
- They hacked me (read text above)
 
 
 

Post by Bill Unr » Sun, 29 Jun 2003 03:15:45


]Hello anyone,

]I'm using the operating System Linux  - RedHat9
]I'm totally a newbie in linux-security and that's why I've got a Problem:
]A month ago, I got hacked by someone 3 times!
]I always had to reinstall my distribution for security reasons.

Yes. Was it a complete reinstall?
If not you also need to use the new find to search through the stuff you
did not reinstall for suid files.
Also you have to change all passwords.
And install all of the security updates.
And make sure that things you do not use (ftp, http, etc) are not enabled
in xinetd or /etc/rc?.d

]Poeple in groups.google suggested to do so after a successful hack.
]I changed the _standard known_ portnumbers and I denied the access for all
]incoming internet connections to the ports 0-1024 and mysql per protocol tcp
]and udp in my ipchains.
]Is that enough or - what should else should I do to prevent him/her from
]hacking into my computer again (and it would be nice if i could trace him
]back  and do something about it)
]Any suggestions?

 
 
 

Post by Bill Unr » Sun, 29 Jun 2003 03:17:25


]>
]> Have you installed all the security patches before exposing it to the
]> Net? Did you change *all* your passwords? How did they hack you?
]>
]- No, I haven't, but I will do it as soon as possible
]- Of Course I changed all standard-password into non-standard passwords

What standard passwords? There are none. ALL passwords of all users on
the system need to change their passwords, including root.

]- They hacked me (read text above)

Yes, he asked how. What was the evidence you have that you were hacked?

 
 
 

Post by Doug Laidla » Sat, 28 Jun 2003 20:03:01



> Hello anyone,

> I'm using the operating System Linux  - RedHat9
> I'm totally a newbie in linux-security and that's why I've got a Problem:
> A month ago, I got hacked by someone 3 times!
> I always had to reinstall my distribution for security reasons.
> Poeple in groups.google suggested to do so after a successful hack.
> I changed the _standard known_ portnumbers and I denied the access for all
> incoming internet connections to the ports 0-1024 and mysql per protocol
> tcp and udp in my ipchains.
> Is that enough or - what should else should I do to prevent him/her from
> hacking into my computer again (and it would be nice if i could trace him
> back  and do something about it)
> Any suggestions?

Recently, I was sure that I was hacked.  I had at least half a dozen signs.  
But one by one, they turned out to be "normal."  Someone from outside tried
to set up their own user account and failed.  This is the only thing I can
regard as a genuine "hack" and the hacker didn't win.

So, listen to the others asking "are you sure?"

HTH,

Doug.
--
Linux: in a world without fences, who needs Gates?

 
 
 

Post by Nico Kadel-Garci » Sun, 29 Jun 2003 09:17:42






>>>Hello anyone,

>>>I'm using the operating System Linux  - RedHat9
>>>I'm totally a newbie in linux-security and that's why I've got a

> Problem:

>>>A month ago, I got hacked by someone 3 times!
>>>I always had to reinstall my distribution for security reasons.
>>>Poeple in groups.google suggested to do so after a successful hack.
>>>I changed the _standard known_ portnumbers and I denied the access for

> all

>>>incoming internet connections to the ports 0-1024 and mysql per protocol

> tcp

>>>and udp in my ipchains.
>>>Is that enough or - what should else should I do to prevent him/her from
>>>hacking into my computer again (and it would be nice if i could trace

> him

>>>back  and do something about it)
>>>Any suggestions?

>>Have you installed all the security patches before exposing it to the
>>Net? Did you change *all* your passwords? How did they hack you?

> - No, I haven't, but I will do it as soon as possible
> - Of Course I changed all standard-password into non-standard passwords
> - They hacked me (read text above)

This doesn't say how they *did* hack you. Could be an old SSH version
vulnerability, a flaw in your HTTP CGI scripts, sniffing passwords from
an FTP service that some user of yours refuses to keep distinct from
their user password, etc., etc.

Which services are you running? All of them, not just the ones active today!

 
 
 

Post by Johan Lindqvis » Wed, 02 Jul 2003 16:58:26



> He/She cracked (thanks for teaching me the difference) my Computer trough an
> open Port, I don't know which one.

If you don't know which one, how do you know it was done this way?

If you reinstall everything just the same way as before, you will also
reinstall the same hole that the attacker used last time.

/lindq

--
Remove the Fnurt to reply.
--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/E d+ s:+ a C++(+++)$ ULOSI*++(++++)$ P+++$>++++$ L++ E>++$ W+(+++)

!X- R tv b++ DI++++ D+ G++ e+++ h---- r+++ y++++
------END GEEK CODE BLOCK------

 
 
 

Post by Michael Forste » Tue, 01 Jul 2003 03:03:21


I was hacked once but since then I installed the latest security patch - the
problem is usually ssh
There is an ssh vulnerability, luckily I use ssh to connect to my system as
what they did was changed the user and group of several major programs  ls
ps lsof netstat ifconfig
and login and su.   on top of that they also patched them so it wouldn't
work either, luckily I had the foresight to have more than one linux box and
was able to ssh into the box locally.

so make sure you update your sshd and any other programs that may need it -
remember the distro disks do not have the latest version

Mike.


> Hello anyone,

> I'm using the operating System Linux  - RedHat9
> I'm totally a newbie in linux-security and that's why I've got a Problem:
> A month ago, I got hacked by someone 3 times!
> I always had to reinstall my distribution for security reasons.
> Poeple in groups.google suggested to do so after a successful hack.
> I changed the _standard known_ portnumbers and I denied the access for all
> incoming internet connections to the ports 0-1024 and mysql per protocol
tcp
> and udp in my ipchains.
> Is that enough or - what should else should I do to prevent him/her from
> hacking into my computer again (and it would be nice if i could trace him
> back  and do something about it)
> Any suggestions?

 
 
 
