# Hacked



## bitingenius (Oct 17, 2009)

One of our servers was hacked last night. I got an email from the server with subject "isdnd: unknown incoming telephone call" which tipped me off. They had replaced the /etc/pam.d files with BT phone related stuff, weird. I could login to my account but there was no root access from anywhere, not even the console. That's fixed, and I think I've secured the original entry point, but I don't know much about back doors and such, does anyone know of a good source for info on this sort of thing? I'd like to make sure they don't still have access to the server.... 

We've only been hacked a couple times in the past 15 years, at least so far as we know...


----------



## SirDice (Oct 17, 2009)

If they were able to modify files in /etc/ that would mean they had root access. Best thing to do is to take the server offline and reinstall everything from scratch. Don't forget to update everything while you're doing that to prevent them from doing it again.


----------



## vivek (Oct 17, 2009)

If I were you,

a) Create disk image and save to some where to trace cracking activity and how they gained back access.
b) As above poster said, format everything, apply all patches including firewall. Secure your apps and go online.


----------



## J65nko (Oct 17, 2009)

Before going online I would recommend to install a file integrity checker like tripwire or aide. That way you you can check whether you have been hacked or not.

Although written six years ago http://onlamp.com/pub/a/bsd/2003/04/03/FreeBSD_Basics.html is still worth reading.


----------



## saxon3049 (Oct 17, 2009)

I would take it off line copy the drive and perform forensics, if you are not going to take it to the police.

If you want to take this to the next level I would also see if your local constabulary has a cyber crime unit I know a few of them are taking this kind of crime very seriously, I believe Liverpool (Merseyside) has one as part of it's fraud department.But do not under any circumstances perform any forensics of your own as this will invalidate any evidence you or the police collect.


----------



## SirDice (Oct 18, 2009)

saxon3049 said:
			
		

> I would take it off line copy the drive and perform forensics, if you really want to take this to the next level I would also see if your local constabulary has a cyber crime unit I know a few of them are taking this kind of crime very seriously, I believe Liverpool (Merseyside) has one as part of it's fraud department.



If you really want to take it the next level, don't do the forensics yourself. Don't do anything to the system until law enforcement can take a look.

If you do meddle with it yourself you're bound to destroy evidence, not to mention the all important chain of evidence.


----------



## Oko (Oct 18, 2009)

J65nko said:
			
		

> Before going online I would recommend to install a file integrity checker like tripwire or aide. That way you you can check whether you have been hacked or not.


I can not believe that that advice came out of your mouth. I have very high opinion of you and your knowledge. Can you honestly trust tripwire or some crap like that. Actually, Sir Dice have given the best advice so far. If he believes that his server is rooted he should call law enforcement which in turn should preform competent forensic analysis. If the content of the server is not that important he should do fresh installation possibly even flushing BIOS first and using completely new HDD.


----------



## saxon3049 (Oct 18, 2009)

SirDice said:
			
		

> If you really want to take it the next level, don't do the forensics yourself. Don't do anything to the system until law enforcement can take a look.
> 
> If you do meddle with it yourself you're bound to destroy evidence, not to mention the all important chain of evidence.



Sorry I forgot to add that, i will edit my post thanks SirDice.


----------



## GPF (Oct 18, 2009)

Well I won't tell you what to do with the server since the obvious thing is to let the police handle it (assuming you are in a country with a serious police force, otherwise reply here).

For future reference, if you are concerned about security issues try using freebsd jails and applying patches more often. man security for more info


----------



## bitingenius (Oct 18, 2009)

Thanks people. I'm going to rebuild the server, which will be no easy task. A local liquor store was hacked last week for 1000's of credit card numbers, so I did call the constable, but they aren't interested unless there's some glory in it, like cc numbers... I had to fetch a new card from my bank twice, they thought they had the liquor store problem fixed, but they didn't... This is all mine to fix...


----------



## saxon3049 (Oct 18, 2009)

Where about are you? there might be a regional office you can contact.


----------



## anomie (Oct 19, 2009)

Actually, I think the HIDS (I recommend aide) advice is very apt. But you need to have created a HIDS db _before_ the system was (supposedly) cracked, or it does you absolutely no good.


----------



## Mormegil (Oct 19, 2009)

Pretty sure j65nko was recommending to install tripwire/aide on the freshly installed system before it's brought online.


----------



## SirDice (Oct 19, 2009)

bitingenius said:
			
		

> Thanks people. I'm going to rebuild the server, which will be no easy task. A local liquor store was hacked last week for 1000's of credit card numbers, so I did call the constable, but they aren't interested unless there's some glory in it, like cc numbers... I had to fetch a new card from my bank twice, they thought they had the liquor store problem fixed, but they didn't... This is all mine to fix...



If the site uses a home mode web application have a long hard look at it. Or have someone else audit the code. Even if you would rebuild the server, apply all the patches etc. if the web app itself is vulnerable you'll be hacked again in no time at all.

Also verify your local laws regarding storage of CC numbers, AFAIK according to US law you're not allow to store those.

Note that even though tripwire and all are quite helpful, they will only aid in detection of modified files _after_ the fact. The best thing to do is to _prevent_ people from getting in in the first place.


----------



## gordon@ (Oct 19, 2009)

SirDice said:
			
		

> Also verify your local laws regarding storage of CC numbers, AFAIK according to US law you're not allow to store those.



That can't be true or just about every reoccurring business charge would be impossible.


----------



## Dru (Oct 20, 2009)

gordon@ said:
			
		

> That can't be true or just about every reoccurring business charge would be impossible.



I think internet business's have to pass a certification/security level before they can hold the card numbers. I dont remember the names of anything or specifics, but someone I knew awhile back was dealing with getting this set up, and the regulations.


----------



## SirDice (Oct 20, 2009)

gordon@ said:
			
		

> That can't be true or just about every reoccurring business charge would be impossible.



https://www.pcisecuritystandards.org/


----------



## phospher (Oct 21, 2009)

> I think internet business's have to pass a certification/security level before they can hold the card numbers. I dont remember the names of anything or specifics, but someone I knew awhile back was dealing with getting this set up, and the regulations.




yep, it's PCI/DSS your referring to. they are allowed to store them as long as they are encrypted.i deal with this crap all the time. PCI is really a joke...


----------

