Muldjin (Anon, @199.116.116.x)

Linux hacked?! Permissions don't work

I set a file to octal 000 but root can still read it! Someone has hacked my system; are there any ideas on how I can fix this? root should not be able to read this file, but it can. I have run rootkit hunter but it didn't find anything.

root@Muldjin:/tmp# id
uid=0(root) gid=0(root) groups=0(root)

root@Muldjin:/tmp# echo "I think I am hacked" > /tmp/test

root@Muldjin:/tmp# stat /tmp/test
  File: `/tmp/test'
  Size: 20        	Blocks: 8          IO Block: 4096   regular file
Device: 802h/2050d	Inode: 1049648     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2013-10-16 11:37:15.784118265 -0500
Modify: 2013-10-16 11:37:15.784118265 -0500
Change: 2013-10-16 11:37:15.784118265 -0500
 Birth: -

root@Muldjin:/tmp# chmod 000 /tmp/test

root@Muldjin:/tmp# cat /tmp/test
I think I am hacked

root@Muldjin:/tmp#

dave (Premium Member, join:2000-05-04, not in ohio), 10 recommendations

I think you must be trolling. Or else you don't know what root privilege actually means.

graysonf (MVM, join:1999-07-16, Fort Lauderdale, FL) to Muldjin, 2 recommendations

Securely wipe the hard drive and give up on Linux. You don't understand it.

leibold (MVM, join:2002-07-09, Sunnyvale, CA) to Muldjin, 2 recommendations

It is working exactly as it should.

If you really want to prevent root from accessing the file you should look at SELinux (Security-Enhanced Linux), specifically at Extended Attributes (security namespace) and Access Control Lists.

Without those (or similar) additions the normal behavior for any Unix-like operating system is that the superuser (root) has unrestricted access to everything.

Additional hint: if you do want to restrict access to a file, don't have it owned by the user you want to restrict it from. The restricted user can simply grant himself the necessary rights if you leave him the owner of it. In your example you left the file owned by root.
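
The two points above (root bypasses mode bits, and an owner can always hand permissions back to himself) as a runnable script. This is an added example, not code from the thread; it assumes a POSIX sh with mktemp, chmod, cat and id from coreutils, and the secret file and its contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks on plain Unix DAC:
#  1. a mode-000 file is unreadable to an ordinary uid but not to uid 0,
#     which overrides mode bits (CAP_DAC_OVERRIDE on Linux);
#  2. the file's owner can re-grant the bits at will, so mode 000 never
#     protects a file from whoever owns it.
# Assumes POSIX sh plus mktemp/chmod/cat/id from coreutils; the secret
# file and its contents are constructed for the demonstration.

# Create a scratch file in a private temp dir, lock it to mode 000,
# and print its path.
make_locked_file() {
    dir=$(mktemp -d)
    printf 'constructed secret line\n' > "$dir/secret"
    chmod 000 "$dir/secret"
    printf '%s\n' "$dir/secret"
}

# Attempt to read a file; prints "readable" or "denied".
try_read() {
    if cat "$1" >/dev/null 2>&1; then
        printf 'readable\n'
    else
        printf 'denied\n'
    fi
}

# Compare the observed result with what DAC predicts for the current uid:
# uid 0 should read the 000 file anyway, any other uid should be denied.
# Prints "consistent" when the kernel behaves as documented.
dac_check() {
    f=$(make_locked_file)
    got=$(try_read "$f")
    if [ "$(id -u)" -eq 0 ]; then want=readable; else want=denied; fi
    rm -rf "$(dirname "$f")"
    if [ "$got" = "$want" ]; then
        printf 'consistent\n'
    else
        printf 'unexpected\n'
    fi
}

# The ownership point: the owner simply gives read back to himself.
# No privilege is involved; this works for any uid that owns the file.
owner_restores_access() {
    f=$(make_locked_file)
    chmod u+r "$f"
    got=$(try_read "$f")
    rm -rf "$(dirname "$f")"
    printf '%s\n' "$got"          # readable
}

# Stand-alone run: report both checks.
printf 'dac_check: %s\nowner_restores_access: %s\n' \
    "$(dac_check)" "$(owner_restores_access)"
```

Run it once as an ordinary user and once as root: the first check reports "consistent" both times, because the read is denied for the ordinary uid and succeeds for uid 0, which is exactly the behaviour the OP mistook for a compromise. The second check reports "readable" for any uid, which is why a file you want to keep from a user must not be owned by that user.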

Exodus, Your Daddy (Premium Member, join:2001-11-26, Earth) to Muldjin

Good troll.

leibold (MVM, join:2002-07-09, Sunnyvale, CA)

I agree that it suspiciously looks like a troll, but I'm giving it the benefit of the doubt.

The origin of the anon post is a colocation facility in Atlanta and therefore it might really just be an inexperienced administrator trying to secure their Linux server.

dave (Premium Member, join:2000-05-04, not in ohio), 1 recommendation

If you mean he works for the co-location facility, that might be a company to avoid...

leibold (MVM, join:2002-07-09, Sunnyvale, CA), 1 recommendation

The difference between a hosting company and a colocation facility is that the former owns the equipment and manages it (including system administration) while the latter provides racks, cabinets and cages (along with power and network connectivity) with the customers bringing their own equipment and maintaining it themselves (to save money). If the post is genuine and not a troll then I would take it to be from a customer of that facility and not from their staff.

To forestall arguments: I'm well aware that most public data centers provide many different levels of service ranging from unassisted colocation to fully managed hosting (regardless which label is applied to them for whatever reasons).

Muldjin (Anon, @199.116.116.x) to dave

I do not work for the company. I am trying to secure a server that was on an IRC botnet.

justin, ..needs sleep (Mod, join:1999-05-28, 2031)

OK, then just re-install the latest version of the OS, and re-install the client packages. If it was hacked you're not going to be able to identify exactly what has been modified.

After re-install, depending on the version of Linux, you might find it comes with a firewall you can enable for everything except for the services you want. Or you can download and install such a firewall. I'd say do it yourself using iptables, but if you're not experienced that is a big step.

What distribution and version is it?
What services was it running? If web, what web server and version? Anything else?

Muldjin (Anon, @199.116.116.x)

From the looks of it, they got in from Plesk and there is a Perl IRC bot that was running. I think I found it and got it going; I just wasn't sure about the root issues. Looks like I'm all fixed up!

leibold (MVM, join:2002-07-09, Sunnyvale, CA) to Muldjin, 1 recommendation

Even with the rootkit check that you already performed, it is not a good idea to trust a server once it has been hacked. Ideally you would have multiple generations of backups and can pick one that predates the intrusion.
I would completely remove the disk(s) in the server and restore the backup to a fresh set of drives. Use the old drives to preserve any evidence that may be needed for further investigation as well as to extract any needed data (if you are in the unfortunate situation that you need to recover data that was added to the server after the last good backup).

justin, ..needs sleep (Mod, join:1999-05-28, 2031) to Muldjin

I wouldn't trust Plesk:
»blog.sucuri.net/2013/06/ ··· ild.html
Can't you firewall it except to a few whitelisted IPs?

rchandra, Stargate Universe fan (Premium Member, join:2000-11-09, 14225-2105) to Muldjin, 2 recommendations

I agree with many previous posters. Once compromised, one cannot truly determine if a computer has been scrubbed of the infection unless one takes known good media (CD, DVD, or whatever) and reinstalls everything, including retaining no data whatsoever (which includes making ALL brand new filesystems). It's a somewhat advanced topic, but everything in the boot path has to be rewritten, such as the MBR and anything it accesses.

Unless, as leibold suggests, you want to retain the original disks for forensics, the easiest, prepackaged way I know of to do this is to boot up Darik's Boot And Nuke (DBAN). You will be left with absolutely squeaky clean hard disks. For your application, single pass mode will do as you're not likely at all to be doing data recovery. (Plus I've read that with most modern HDDs, multipass doesn't gain you anything, and if you really want industrial espionage/NSA grade unreadability of the platters, physical destruction is the only way.)

Really, seriously...you don't have to be playing around with octal. It's far easier just to think symbolically with ugoa+-=rwx. (Readers' Digest version: u is user, g is group, o is other, a is all, + is add bits, - is take away bits, = is make it exactly this. There are also more arcane bits available, like t and s. man -s 1 chmod for all the details.) So for example chmod a= /tmp/test would be the symbolic equivalent of what you tried. Similar useful constructs would be:

  • chmod a+rx myshellscript

  • chmod u=rwx,go=rx ashellscript

  • chmod go-w FileToRemoveGroupAndOtherWritability

  • chmod o= FileWhereOtherHasNoRights


Exodus, Your Daddy (Premium Member, join:2001-11-26, Earth) to Muldjin

I think what hasn't been mentioned is that there is a form of Anti-Virus that comes with most Linux distributions called SELinux. Where firewalls, outdated kernels and packages, and other poor security measures fail, SELinux prevails.

It takes a little bit of learning, but if the box's function stays relatively static, SELinux works wonderfully to sandbox exploited processes from allowing an intruder to gain root access.

GILXA1226 (MVM, join:2000-12-29, Dayton, OH)

said by Exodus:

I think what hasn't been mentioned is that there is a form of Anti-Virus that comes with most Linux distributions called SELinux. Where firewalls, outdated kernels and packages, and other poor security measures fail, SELinux prevails.

SELinux is not anti-virus. It's a set of security tools to lock down a system based on roles in order to further limit what people can do on the system.

dave (Premium Member, join:2000-05-04, not in ohio)

And (seriously, no insult to OP intended) SELinux would be a big step for an admin who's still unclear on the basic concept of root privilege.

leibold (MVM, join:2002-07-09, Sunnyvale, CA)

Which is why Justin's question about distribution and version (which the OP failed to answer) does indeed matter.

In some distributions (SuSE Linux for example, but I'm sure there are others) it is very easy to raise the level of security by enabling SELinux with vendor provided default settings. This is not a perfect solution but probably the best option for someone that lacks both the experience to create the customized hardening of a server themselves and the money to hire someone else to do it for them.

dennismurphy, Put me on hold? I'll put YOU on hold (Premium Member, join:2002-11-19, Parsippany, NJ) to rchandra

said by rchandra:

Really, seriously...you don't have to be playing around with octal.

I find octal much, much easier. Much quicker as well. Most Unix admins I know do; in fact, I don't know of ANY that use the ugoa syntax.

rchandra, Stargate Universe fan (Premium Member, join:2000-11-09, 14225-2105)

Well, now you do (know one). (well....not know well)

Exodus, Your Daddy (Premium Member, join:2001-11-26, Earth) to dennismurphy

Each has their own place. If I went to set static permissions for a folder or file(s), I use the octal. What happens if you want to strip away read access for all "other" users in a folder while keeping other permissions intact? You can't do that with octal.

dennismurphy, Put me on hold? I'll put YOU on hold (Premium Member, join:2002-11-19, Parsippany, NJ)

said by Exodus:

What happens if you want to strip away read access for all "other" users in a folder while keeping other permissions intact? You can't do that with octal.

Huh? chmod 660 - read/write for user, group, not other.
chmod 750 - rwx for user, read/execute for group, none for other.

What can't you do with octal?

dave (Premium Member, join:2000-05-04, not in ohio)

Your examples do not leave user+group permissions unchanged. They set them to specific values.

leibold (MVM, join:2002-07-09, Sunnyvale, CA) to dennismurphy, 1 recommendation

The u/g/o/a +/-/= r/w/x syntax allows you to add or remove some privileges while keeping the remaining permissions unmodified. This is helpful when you want to change permissions on a large set of files that have different permissions and you need to preserve some of those differences (for example remove the writable attribute from all files in a directory that contains both data files without the execute bit and programs with the execute bit).

Before:

rw-rw-rw- prog.conf
rwxrwxrwx prog.sh

chmod a-w *

After:

r--r--r-- prog.conf
r-xr-xr-x prog.sh
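
The Before/After listing above, and the earlier argument about stripping read from "other" while leaving everything else alone, as one runnable script. This is an added example, not code from the thread; it assumes a POSIX sh with GNU coreutils (stat -c), and the scratch directory and the two files prog.conf/prog.sh are constructed to match leibold's listing.

```shell
#!/bin/sh
# Added example, not from the thread. Starts from the "Before" files
# (prog.conf 666, prog.sh 777) and shows that symbolic modes (a-w, o-r) only
# touch the bits they name, while an absolute octal mode overwrites all nine,
# which is the "keep the rest intact" case argued about above.
# Assumes POSIX sh with GNU coreutils (stat -c); the files are constructed.

# Scratch directory with the two files from the Before listing.
setup_dir() {
    d=$(mktemp -d)
    : > "$d/prog.conf"; chmod 666 "$d/prog.conf"
    : > "$d/prog.sh";   chmod 777 "$d/prog.sh"
    printf '%s\n' "$d"
}

# Octal modes of prog.conf and prog.sh, space separated.
modes_of() {
    printf '%s %s\n' "$(stat -c '%a' "$1/prog.conf")" "$(stat -c '%a' "$1/prog.sh")"
}

# Symbolic a-w: write goes away, the execute difference survives.
after_symbolic_minus_w() {
    d=$(setup_dir)
    chmod a-w "$d"/*
    r=$(modes_of "$d"); rm -rf "$d"
    printf '%s\n' "$r"            # 444 555
}

# Octal 444: one absolute value, and prog.sh is no longer executable.
# Reproducing the symbolic result in octal needs a different number per file.
after_octal_444() {
    d=$(setup_dir)
    chmod 444 "$d"/*
    r=$(modes_of "$d"); rm -rf "$d"
    printf '%s\n' "$r"            # 444 444
}

# The "other" case: strip read from o only, on files whose user/group bits
# differ (644 and 755), leaving those bits as they were.
after_other_minus_r() {
    d=$(setup_dir)
    chmod 644 "$d/prog.conf"; chmod 755 "$d/prog.sh"
    chmod o-r "$d"/*
    r=$(modes_of "$d"); rm -rf "$d"
    printf '%s\n' "$r"            # 640 751
}

# Stand-alone run: print all three results.
printf 'a-w:  %s\n444:  %s\no-r:  %s\n' \
    "$(after_symbolic_minus_w)" "$(after_octal_444)" "$(after_other_minus_r)"
```

Both forms are fine for setting a known state on one file; the symbolic form is what you want when the command must run over many files whose existing modes differ and must stay different afterwards.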

jscarville (Premium Member, join:2013-09-21, Glendora, CA)

Be careful if you have directories that will be included by the "*" wildcard. The chmod command will remove write from them as well. That may not be what you intended.

This only changes attributes for files in the current directory:

find . -maxdepth 1 -type f -exec chmod a-w {} \;

rchandra, Stargate Universe fan (Premium Member, join:2000-11-09, 14225-2105)

I very rarely if ever use the -exec option. Almost invariably, unless requirements actually necessitate using "{}", I use xargs, and often xargs -t to see what it's doing. If in a GNU environment (such as Linux), often I will add -print0 to find(1) and use xargs -0 -t.

Another thing to note is the capital symbolic modes. X, for example, behaves differently for files and directories:

chmod -R ug+X .

It makes directories searchable whilst not altering the executability of files.
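
The two posts above (restricting chmod to regular files so the glob does not catch directories, and what the capital X mode does on a mixed tree) as one runnable script. This is an added example, not code from the thread; it assumes GNU findutils and coreutils (find -print0, xargs -0, stat -c), and the scratch tree, file names and modes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a small scratch tree and shows
#  1. why chmod is restricted to regular files with find -type f, so a "*"
#     glob does not also strip write from directories, written in the
#     find -print0 | xargs -0 form;
#  2. what the capital X mode does: directories gain search (x) for the
#     named classes while ordinary files stay non-executable.
# Assumes GNU findutils/coreutils (find -print0, xargs -0, stat -c); the
# file names and modes are constructed for the demonstration.

# Scratch tree: a data file, a script, and a subdirectory holding a file.
setup_tree() {
    d=$(mktemp -d)
    mkdir "$d/sub"
    : > "$d/data.txt";      chmod 666 "$d/data.txt"
    : > "$d/run.sh";        chmod 777 "$d/run.sh"
    : > "$d/sub/inner.txt"; chmod 666 "$d/sub/inner.txt"
    chmod 777 "$d/sub"
    printf '%s\n' "$d"
}

# Print the octal modes of data.txt, sub and sub/inner.txt on one line.
modes_of() {
    printf '%s %s %s\n' "$(stat -c '%a' "$1/data.txt")" \
                        "$(stat -c '%a' "$1/sub")" \
                        "$(stat -c '%a' "$1/sub/inner.txt")"
}

# Give write back to the owner before deleting, so a directory that lost
# its w bit during the demo does not block the cleanup.
cleanup() {
    chmod -R u+w "$1"
    rm -rf "$1"
}

# Bare glob: the directory "sub" loses write too (777 -> 555).
strip_write_with_glob() {
    d=$(setup_tree)
    ( cd "$d" && chmod a-w * )
    r=$(modes_of "$d")
    cleanup "$d"
    printf '%s\n' "$r"            # 444 555 666
}

# find -type f: only top-level regular files change; sub keeps 777.
strip_write_top_level_files() {
    d=$(setup_tree)
    ( cd "$d" && find . -maxdepth 1 -type f -print0 | xargs -0 chmod a-w )
    r=$(modes_of "$d")
    cleanup "$d"
    printf '%s\n' "$r"            # 444 777 666
}

# Capital X on a tree: sub (700) becomes 710, data.txt (644) is unchanged,
# run.sh, which already has an x bit for "other" (701), gets it for u and g.
capital_x() {
    d=$(setup_tree)
    chmod 644 "$d/data.txt" "$d/sub/inner.txt"
    chmod 700 "$d/sub"
    chmod 701 "$d/run.sh"
    chmod -R ug+X "$d"
    r="$(stat -c '%a' "$d/sub") $(stat -c '%a' "$d/data.txt") $(stat -c '%a' "$d/run.sh")"
    cleanup "$d"
    printf '%s\n' "$r"            # 710 644 711
}

# Stand-alone run: print all three results.
printf 'glob:    %s\nfind -f: %s\nug+X:    %s\n' \
    "$(strip_write_with_glob)" "$(strip_write_top_level_files)" "$(capital_x)"
```

The -print0/-0 pairing matters for the same reason jscarville's -type f does: file names containing spaces or newlines are otherwise split into separate arguments, and a chmod aimed at one file lands on whatever those fragments happen to name.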