[lug] Hacked Debian server - was Problematic Debian server

Gordon Golding gordongoldin at aim.com
Thu Jul 15 13:41:42 MDT 2010


Gateway PC (Vista dual boot, with a Debian install from last October) was stalling during reboot with a Nautilus error; the GUI wouldn't come up.

On July 12 the main gateway router needed to be reset, a very rare occurrence.
Also, many files in bin and sbin were replaced with a 543237-byte executable.

So, for many "user" commands, like cat, ifconfig, route..., and ones run at startup, like mount, fsck...,
there were 3 files:

cat - 543237 bytes with an old date
cat with the name cat + the string "wti6mjpJg3PyaTsCzq0s", dated July 12
cat with the name cat + a string I didn't write down, dated July 12
 
When you run cat (or anything), it runs normally and returns to the command line. Then, after a pause, there is a message: "tried to access /dev/mem between 2bf000->2c1000".

/root/.ssh was changed on July 12, as were things like the SSL libraries. Lots of things were changed, maybe by an automatic update, but I don't think that matters at this point.

Actually, it isn't my machine; I use Fedora and haven't used Debian. I'm trying to do what I can to help out; they aren't heavy Linux people.
Biggest worry is: we get it back up, and someone just hacks it the same way.

At this point, I'm thinking: just bring it back up fresh, but I need advice on securing it, or any other good advice ;-)

This machine was installed last October by someone who isn't around any more, so I have no idea how it was set up.

It runs:
Samba
Subversion
Apache2 - also running PHP
     Pet peeve of mine: 1.5 years ago, I lost several servers (very secure Fedora and Red Hat boxes, a Mac, and others) when a programmer opened
     up PHP includes and let hackers inside.
ssh
The router is only open to those ports.
The machine is being reinstalled on a fresh disk drive (keeping the old drive for user data). It will get all the newest updates.

What to do after this? When I saw a hack elsewhere through PHP, it looked totally different; this looks like a stumbled rootkit.
Seen anything like this?

I used to use the CIS procedures as a guide for hardening Fedora, before they fell behind the rapid releases.  What's a good resource for Debian hardening?

Specific question:
This machine is accessed by users in Germany. The hacked machine was trying to talk back to Germany.
This machine used keys for easy user access.
I've heard the argument that:
"Their machine gets hacked, now they are on your machine.  Always make a user sign in with a strong password."

Just out of curiosity: is the main gateway router dying the same day these files were changed just a coincidence?
I don't remember hearing before of a hacked server bringing down the gateway router.

Thoughts?  Advice?


Gordon Golding
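Editor's added example, not from Gordon's message or the list: a small POSIX shell triage script for the two symptoms he describes, one size (543237 bytes on his box) repeated across many unrelated tools in bin and sbin, and displaced originals sitting beside the replacements under the tool name plus a 20-character random-looking suffix. It runs on whatever directory you point it at (/bin and /sbin are the obvious targets) and finishes with a demo on a constructed tree under mktemp. The function names, the default group size of 5 and the 20-character suffix length are assumptions made for this example.

```shell
#!/bin/sh
# Added triage script (not from the original post). Point it at a directory of
# system binaries, e.g. /bin and /sbin, from a rescue boot or with the suspect
# disk mounted on another machine. Two checks, both derived from the symptoms
# described in the message above:
#   1. one file size repeated across many unrelated tools (a payload written
#      over cat, ls, mount, fsck, ...);
#   2. a name that is an existing tool plus a 20-character random-looking
#      suffix (the displaced original kept beside the replacement).
# Function names, the default group size of 5 and the suffix length of 20 are
# assumptions made for this example.

# find_cloned_size DIR [MINCOUNT]
# Print every size (bytes) shared by at least MINCOUNT regular files in DIR,
# followed by the file names, smallest size first.
find_cloned_size() {
    dir=$1
    min=${2:-5}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(wc -c < "$f")" "${f##*/}"
    done | sort -n | awk -v min="$min" '
        { count[$1]++; names[$1] = names[$1] " " $2 }
        END {
            for (s in count)
                if (count[s] >= min)
                    printf "%s bytes x%d:%s\n", s, count[s], names[s]
        }' | sort -n
}

# find_suffixed DIR [SUFFIXLEN]
# Print "tool -> toolXXXX..." for every file whose name is another file in DIR
# followed by exactly SUFFIXLEN alphanumeric characters.
find_suffixed() {
    dir=$1
    len=${2:-20}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        [ "${#name}" -gt "$len" ] || continue
        base=$(printf '%s\n' "$name" | awk -v n="$len" '{ print substr($0, 1, length($0) - n) }')
        suffix=${name#"$base"}
        # only random-looking suffixes: letters and digits, nothing else
        case $suffix in *[!A-Za-z0-9]*) continue ;; esac
        if [ -f "$dir/$base" ]; then
            printf '%s -> %s\n' "$base" "$name"
        fi
    done
    return 0
}

# triage DIR [MINCOUNT]: run both checks and label the output.
triage() {
    echo "== $1: sizes shared by at least ${2:-5} files =="
    find_cloned_size "$1" "${2:-5}"
    echo "== $1: existing tool name plus a 20-character suffix =="
    find_suffixed "$1" 20
}

# make_sample DIR: build a constructed tree that mimics the report, for the
# demo below. Six tools overwritten with one identical payload, two displaced
# originals kept under a 20-character suffix, two untouched tools.
make_sample() {
    d=$1
    mkdir -p "$d"
    for name in cat ls ifconfig route mount fsck; do
        printf 'constructed payload: identical bytes in every replaced tool\n' > "$d/$name"
    done
    printf 'constructed: original cat contents\n' > "$d/catwti6mjpJg3PyaTsCzq0s"
    printf 'constructed: original ls, a different length\n' > "$d/lsAbCdEfGhIjKlMnOpQrSt"
    printf 'constructed: untouched echo\n' > "$d/echo"
    printf 'constructed: untouched true, longer\n' > "$d/true"
}

# Demo on the constructed tree. On a real box replace these four lines with
# something like:  triage /bin 5; triage /sbin 5
demo=$(mktemp -d)
make_sample "$demo"
triage "$demo" 3
rm -rf "$demo"
```

Run it from a clean environment, not from a shell on the compromised system, because the cat, ls, find and wc on that tree are exactly the files in question. On a Debian host the proper version of check 1 is a checksum comparison against the package database (`debsums -c` from the debsums package, or `dpkg -V`), again with the suspect filesystem mounted under a trusted kernel and toolchain. The "tried to access /dev/mem between ..." line Gordon saw is the message the Linux kernel logs when STRICT_DEVMEM refuses a read of /dev/mem outside the permitted ranges, which is consistent with the replacement binaries trying to read kernel memory after the real command has finished.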
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20100715/c8c92423/attachment.html>
