someone has access to my server...
I've got a solaris 7 box with remote access only.
many of the services don't have passwords
and someone recently messed with the shadow file
-the root: line was changed:
. password field was changed to NP
. the number after that was changed too
The intruders seem to be using us to relay spam mainly,
but I'm concerned they may have made other doors.
(I stopped sendmail once and someone else restarted
it later that night.)
I changed the root password
I'm a newbie, so ordered:
"Practical Unix and Internet Security"
O'reilly's Essential System Admin
Books aren't here yet, but anyways...
Where should I begin?
Any other books I should get?
First, you have already been hacked - whether it was from an inside source or outside. You need to build a new server (if possible) and replace the old keeping the old for investigation into who did what.
If you can't do that, then disconnect the server, rebuild it, shut off all services after rebuilding but add ssh to the server. Insure your version of Sendmail is set up to not allow relays. Make sure your group is the only one with root. Don't allow root remote logins. Put it back on-line.
Check out the following links:
To check if you are a open-relay:
Network Abuse Clearinghouse
If you are using Sendmail:
Sendmail
Solaris 7 may have the Sunscreen Lite product for free - use it and
read up on securing your Solaris server.
If you are running more than Sendmail on the server, remove the other apps and put them on their own box. The more a hacker has to use against you the worst off you are.
Search Sunsolve BigAdmin
The server is located over 1000 miles away...
I have remote access only. (via a windows machine)
It's a Solaris 7 box with many of the system files safe on nfs,
and I've got a backup of everything I had access to from a
week prior to the hack.
Can I just restore from my archive, change all passwords, and
build/install ssh (should I use ssh2 version 3.1.0 or should I
stick to something like v2.0.13)
When setting passwords for things like daemon, bin, sys, adm...
Do I have to make changes to other files (configs) to allow
proper access for services, etc.
Also, thoughts on software like cops or satan?
It is great that we can telecomute but once in a while, you just have to be there. Our company laid off the only guy we had to do our servers 1300 miles away. The next time one needs an upgrade or service, one of us may have to go there. We have remote access to the console which still allows us to change things all the way down to the boot prom. If you don't have this type of access, you might want to get the equipment and software together and take a road trip.
I don't remember who said in these forums, but I'm sure they will respond back with horror at this statement. NFS is not considered secure - it probably the easiest way to get access into your server.
You better be sure that is prior to the hack or you may miss the files the hacker changed to backdoor you. That is why it should be built from scratch.
I don't think I said it before, but I'll say it now! Secure on NFS? Is that an oxymoron?
Seriously, bring the box down. Rebuild. Changing passwords won't help a thing if the attacker was decent, or even used to a good rootkit (that are very very easy to find)... He probably replaced a few of your binaries in order to hide himself from ps, netstat, fuser, etc... There's no way to know. I've even seen a few that will not respond to a port scan, but are "activated" when a specially constructed packet hits it.
Reinstall from read-only media (CDROM works well), and use the backup tapes to only move over the old files. leave the binaries behind.
And if you don't do it because it's a hassle, think about all of the people that are being attacked and spammed from your box. On top of that, since you are aware that you have been compromised, you are 100% liable for every attack / spam from that box.
If you are trying to help... Forget it!
If I had the time and money, I'd go...
But, I don't! (until mid-summer)
As for the nfs mounted system files that are a CD image,
the other box might be a hole, but that's not my concern.
I've informed that boxes admin, now it's his...
Isn't the CD safe up on the shelf, no one can write to it
without putting it in somesort of device, not even me?
(If you know the trick, please let me know...)
The backup program the admin of nfs system logs files
that have changed. There were a few unknown changes
that couldn't be blamed on anyone who was supposed
to have access about three days ago. The archive is
from prior to that and really seems to be my only option
until more time can be... (like I said "mid-summer")
How should I go about securing this box from here?
Which log files from the hacked box should I be looking
at to discover how they got in? (I think I need to plug
that hole first while keeping an eye out for their next
attempt/hack)
Anything about passwords for things like bin, sys, adm...?
What about cops?
The NFS system is backed up to CD after any changes to bins...
When I said the nfs system was safe I meant I can have my
buddy stick the CD back in and...
I've shut down my sendmail and no one has restarted it. (yet?)
I think I was the leak... About a week ago while away I needed
to access the box. I was just going to add a user, set his pass,
and got out. I had to connect via telnet. (only option)
I telnet in as a standard user then used ssh root?
Guess someone watching the stream...
Fantastic news...
A friend has an old Sun box to spare.
I'd like to setup the box to serve the sites on the hacked server,
but I don't want to leave the same holes open...
How can I setup this box to take the place of the current?
Of course I need more security than I currently have/had...
The box will only be serving pages til late july when I plan to
go down to the facility to see what's up... (and redo my box)
At that time I will be starting from scratch again, sort of...
the boxes are the same, plan on keeping bins on the remote
nfs system, the question:
Where should I look (hacked server log files) to find the hole?
I don't know exactly how you are set up but here are a few pointers.
(Assuming the cd backup can be brought up to allow compares of files) Compare the checksum (man sum) information for all files. Write a script to check them and output the ones that are different.
Start reading - check out the links provided in earlier messages - The folks responding to your questions are not responsible for your system - you are. You need to get up to speed by doing some research. Search the web for Solaris security, hardening Solaris, check out SunSolve's security, insure the recommended security patches are on.
Once you get an idea of what you need and what you don't, turn off services via /etc/inetd.conf. Get ssh installed on the system so you are getting to the system via a secure connection (well, more secure than telnet). Turn off telnet - you don't need it for Sendmail (assuming this is ALL that this server is suppose to be doing).
If you have a separate /usr partition, mount it read-only, if possible. You and any hacker will not be able to change anything in that partition unless the system /etc/vfstab is changed and the system rebooted.
Run a checksum against all files systems that should not have changes - there used to be a program from SUN but I don't remember the name.
If Solaris 7 does not have Sunscreen Lite as a 'free' product, install Solaris 8 on the new server and use Sunscreen Lite. If you can push buying a firewall product, then do that (you now have the case/documentation of why it's worth it)