Have I been attacked?



antonioct
29-Apr-2014, 15:54
Hi!
It's the first time that I write in this forum. If it is not the correct site, please tell me which is the correct one.
I have a SLES 10 as testing machine. It's exposed to Internet. It had several services like SQUID. I'm saying 'had' because yesterday I could see that it was clean!!
The root's password has changed!
It's as if the machine had been installed from zero!!

I have logged in as root from a shell (put in the boot process (init:/bin/bash))

What's your opinion?

Thanks for your opinions and help.
Regards!

malcolmlewis
29-Apr-2014, 16:20
On Tue 29 Apr 2014 03:04:01 PM CDT, antonioct wrote:

> Hi!
> It's the first time that I write in this forum. If it is not the correct
> site, please tell me which is the correct one.
> I have a SLES 10 as testing machine. It's exposed to Internet. It had
> several services like SQUID. I'm saying 'had' because yesterday I could
> see that it was clean!!
> The root's password has changed!
> It's as if the machine had been installed from zero!!
>
> I have logged in as root from a shell (put in the boot process
> (init:/bin/bash))
>
> What's your opinion?
>
> Thanks for your opinions and help.
> Regards!

Hi
If you have a similar hard drive is it possible to mirror the suspect
drive via the dd command for analysis?

Disconnect the system from the network. Reboot, check date and
timestamps on files and inspect the log files in /var/log, check
root's .bash_history file etc.

--
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-7-desktop
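
Malcolm's checks above (copy the drive, then review file timestamps, /var/log and root's .bash_history on the copy rather than on the live host), written up as a small triage script. This is an added example, not code from the thread; it assumes the dd image is mounted read-only at the path given as the first argument, and a modern GNU find (4.3 or later, for -newermt) on the analysis machine.

```shell
#!/bin/sh
# Offline triage of a suspect disk copy, following the advice in this thread:
# work on the mounted dd image (read-only, at $1), never on the live system.
# Assumes GNU find on the analysis host (-newermt and -printf are GNU options).

# List regular files under $root modified on or after $since (YYYY-MM-DD),
# one "date time path" per line, oldest first. This is the raw timeline.
recent_files() {
    root=$1; since=$2
    find "$root" -xdev -type f -newermt "$since" \
        -printf '%TY-%Tm-%Td %TH:%TM %p\n' 2>/dev/null | sort
}

# Count timeline entries touching account or login material: a recently
# changed /etc/shadow explains the "root password changed" symptom.
credential_changes() {
    recent_files "$1" "$2" \
        | grep -Ec '/etc/(shadow|passwd|group|sudoers)$|/authorized_keys$|/\.ssh/'
}

# Zero-byte files under var/log: a truncated log is a finding in itself and
# explains gaps you will hit when reading the logs.
empty_logs() {
    find "$1/var/log" -xdev -type f -empty 2>/dev/null | sort
}

# Classify $1/.bash_history. A history that is missing, empty or a symlink
# (typically to /dev/null) is itself worth recording, not just "no data".
history_status() {
    h="$1/.bash_history"
    if   [ -L "$h" ]; then echo "symlink -> $(readlink "$h")"
    elif [ ! -e "$h" ]; then echo "missing"
    elif [ ! -s "$h" ]; then echo "empty"
    else echo "present, $(wc -l < "$h") lines"
    fi
}

# Report when run directly, e.g.: triage.sh /mnt/suspect 2014-04-27
if [ $# -ge 2 ]; then
    echo "== files modified since $2 =="; recent_files "$1" "$2"
    echo "== credential-related changes: $(credential_changes "$1" "$2") =="
    echo "== empty logs =="; empty_logs "$1"
    echo "== root history: $(history_status "$1/root") =="
fi
```

Pick the reference date from the last time the box was known to be clean; the timeline then also shows whether an installed package set was swapped out, which would explain the "installed from zero" look.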

smflood
29-Apr-2014, 16:55
On 29/04/2014 16:04, antonioct wrote:

> It's the first time that I write in this forum. If it is not the correct
> site, please tell me which is the correct one.
> I have a SLES 10 as testing machine. It's exposed to Internet. It had
> several services like SQUID. I'm saying 'had' because yesterday I could
> see that it was clean!!
> The root's password has changed!
> It's as if the machine had been installed from zero!!
>
> I have logged in as root from a shell (put in the boot process
> (init:/bin/bash))
>
> What's your opinion?

By "SLES 10" do you literally mean SLES 10, as in with no subsequent
Service Pack (for SLES10 there were four Service Packs - SP1 through SP4)?

If SLES10 SP4, was the server fully patched?

Was any third-party software installed?

HTH.
--
Simon
SUSE Knowledge Partner


mikewillis
29-Apr-2014, 17:02
> I have a SLES 10 as testing machine. It's exposed to Internet.
Those two sentences sound like cause for concern. What have you been doing in the way of applying updates since general support for SLES 10 ended nearly a year ago?

cjcox
30-Apr-2014, 04:05
On 04/29/2014 10:04 AM, antonioct wrote:
>
> Hi!
> It's the first time that I write in this forum. If it is not the correct
> site, please tell me which is the correct one.
> I have a SLES 10 as testing machine. It's exposed to Internet. It had
> several services like SQUID. I'm saying 'had' because yesterday I could
> see that it was clean!!
> The root's password has changed!
> It's as if the machine had been installed from zero!!
>
> I have logged in as root from a shell (put in the boot process
> (init:/bin/bash))
>
> What's your opinion?

You've been completely hacked. Don't count out a local attack though, but it looks
pretty obvious to me (uses common techniques). The good news, if there is
any, is that the culprit did not try to hide their tracks. You may be able to
find out when and how the compromise was done.

Disconnect the host from the network and troubleshoot it in isolation.

If you do not know how to troubleshoot this, I'd seek the assistance of your
local Linux Users Group for help.