Muldjin
Anon
2013-Oct-16 1:03 pm
Linux hacked?! Permissions don't work

I set a file to octal 000 but root can still read it! Someone has hacked my system; are there any ideas on how I can fix this? root should not be able to read this file but it can. I have run rootkit hunter but it didn't find anything.

root@Muldjin:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@Muldjin:/tmp# echo "I think I am hacked" > /tmp/test
root@Muldjin:/tmp# stat /tmp/test
File: `/tmp/test'
Size: 20 	Blocks: 8 IO Block: 4096 regular file
Device: 802h/2050d	Inode: 1049648 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2013-10-16 11:37:15.784118265 -0500
Modify: 2013-10-16 11:37:15.784118265 -0500
Change: 2013-10-16 11:37:15.784118265 -0500
Birth: -
root@Muldjin:/tmp# chmod 000 /tmp/test
root@Muldjin:/tmp# cat /tmp/test
I think I am hacked
root@Muldjin:/tmp#
dave Premium Member join:2000-05-04 not in ohio
10 recommendations
dave
Premium Member
2013-Oct-16 1:05 pm
I think you must be trolling. Or else you don't know what root privilege actually means.
graysonf MVM join:1999-07-16 Fort Lauderdale, FL
2 recommendations
to Muldjin
Securely wipe the hard drive and give up on Linux. You don't understand it.
leibold MVM join:2002-07-09 Sunnyvale, CA Netgear CG3000DCR ZyXEL P-663HN-51
2 recommendations
to Muldjin
It is working exactly as it should.
If you really want to prevent root from accessing the file you should look at SELinux (Security-Enhanced Linux), specifically at extended attributes (security namespace) and access control lists.
Without those (or similar) additions the normal behavior for any unix like operating system is that the superuser (root) has unrestricted access to everything.
Additional hint: if you do want to restrict access to a file, don't have it owned by the user you want to restrict it from. The restricted user can simply grant himself the necessary rights if you leave him the owner of it. In your example you left the file owned by root.
ExodusYour Daddy Premium Member join:2001-11-26 Earth
to Muldjin
Good troll.
leibold MVM join:2002-07-09 Sunnyvale, CA Netgear CG3000DCR ZyXEL P-663HN-51
I agree that it suspiciously looks like a troll, but I'm giving it the benefit of the doubt.
The origin of the anon post is a colocation facility in Atlanta and therefore it might really just be an inexperienced administrator trying to secure their Linux server.
dave Premium Member join:2000-05-04 not in ohio
1 recommendation
dave
Premium Member
2013-Oct-16 4:28 pm
If you mean he works for the co-location facility, that might be a company to avoid...
leibold MVM join:2002-07-09 Sunnyvale, CA Netgear CG3000DCR ZyXEL P-663HN-51
1 recommendation
The difference between a hosting company and a colocation facility is that the former owns the equipment and manages it (including system administration) while the latter provides racks, cabinets and cages (along with power and network connectivity), with the customers bringing their own equipment and maintaining it themselves (to save money). If the post is genuine and not a troll then I would take it to be from a customer of that facility and not from their staff.
To forestall arguments: I'm well aware that most public data centers provide many different levels of service ranging from unassisted colocation to fully managed hosting (regardless of which label is applied to them for whatever reasons).
Muldjin to dave
Anon
2013-Oct-16 4:55 pm
to dave
I do not work for the company. I am trying to secure a server that was on an IRC botnet.
justin..needs sleep Mod join:1999-05-28 2031 Billion BiPAC 7800N Apple AirPort Extreme (2011)
justin
Mod
2013-Oct-16 5:05 pm
OK, then just re-install the latest version of the OS, and re-install the client packages. If it was hacked you're not going to be able to identify exactly what has been modified.
After re-install depending on the version of linux you might find it comes with a firewall you can enable for everything except for the services you want. Or you can download and install such a firewall. I'd say do it yourself using iptables but if you're not experienced that is a big step.
What distribution and version is it? What services was it running? If web, what web server and version? Anything else?
Muldjin
Anon
2013-Oct-16 5:06 pm
From the looks of it, they got in from Plesk and there is a Perl IRC bot that was running. I think I found it and got it going; I just wasn't sure about the root issues. Looks like I'm all fixed up!
leibold MVM join:2002-07-09 Sunnyvale, CA Netgear CG3000DCR ZyXEL P-663HN-51
1 recommendation
to Muldjin
Even with the rootkit check that you already performed, it is not a good idea to trust a server once it has been hacked. Ideally you would have multiple generations of backups and can pick one that predates the intrusion. I would completely remove the disk(s) in the server and restore the backup to a fresh set of drives. Use the old drives to preserve any evidence that may be needed for further investigation as well as to extract any needed data (if you are in the unfortunate situation that you need to recover data that was added to the server after the last good backup).
justin..needs sleep Mod join:1999-05-28 2031 Billion BiPAC 7800N Apple AirPort Extreme (2011)
to Muldjin
I wouldn't trust Plesk: » blog.sucuri.net/2013/06/ ··· ild.html
Can't you firewall it except to a few whitelisted IPs?
rchandraStargate Universe fan Premium Member join:2000-11-09 14225-2105 ARRIS ONT1000GJ4 EnGenius EAP1250
2 recommendations
to Muldjin
I agree with many previous posters. Once compromised, one cannot truly determine if a computer has been scrubbed of the infection unless one takes known good media (CD, DVD, or whatever) and reinstalls everything, including retaining no data whatsoever (which includes making ALL brand new filesystems). It's a somewhat advanced topic, but everything in the boot path has to be rewritten, such as the MBR and anything it accesses. Unless, as leibold suggests, you want to retain the original disks for forensics, the easiest prepackaged way I know of to do this is to boot up Darik's Boot And Nuke (DBAN). You will be left with absolutely squeaky clean hard disks. For your application, single pass mode will do as you're not likely at all to be doing data recovery. (Plus I've read that with most modern HDDs, multipass doesn't gain you anything, and if you really want industrial espionage/NSA grade unreadability of the platters, physical destruction is the only way.)

Really, seriously... you don't have to be playing around with octal. It's far easier just to think symbolically with ugoa+-=rwx. (Readers' Digest version: u is user, g is group, o is other, a is all, + is add bits, - is take away bits, = is make it exactly this. There are also more arcane bits available, like t and s. man -s 1 chmod for all the details.) So for example chmod a= /tmp/test would be the symbolic equivalent of what you tried. Similar useful constructs would be:
- chmod a+rx myshellscript
- chmod u=rwx,go=rx ashellscript
- chmod go-w FileToRemoveGroupAndOtherWritability
- chmod o= FileWhereOtherHasNoRights
ExodusYour Daddy Premium Member join:2001-11-26 Earth
to Muldjin
I think what hasn't been mentioned is that there is a form of anti-virus that comes with most Linux distributions called SELinux. Where firewalls, outdated kernels and packages, and other poor security measures fail, SELinux prevails.
It takes a little bit of learning, but if the box's function stays relatively static, SELinux works wonderfully to sandbox exploited processes from allowing an intruder to gain root access.
said by Exodus: "I think what hasn't been mentioned is that there is a form of anti-virus that comes with most Linux distributions called SELinux. Where firewalls, outdated kernels and packages, and other poor security measures fail, SELinux prevails."
SELinux is not anti-virus. It's a set of security tools to lock down a system based on roles in order to further limit what people can do on the system.
dave Premium Member join:2000-05-04 not in ohio
dave
Premium Member
2013-Oct-17 7:49 am
And (seriously, no insult to OP intended) SELinux would be a big step for an admin who's still unclear on the basic concept of root privilege.
leibold MVM join:2002-07-09 Sunnyvale, CA Netgear CG3000DCR ZyXEL P-663HN-51
Which is why Justin's question about distribution and version (which the OP failed to answer) does indeed matter.
In some distributions (SuSE Linux for example, but I'm sure there are others) it is very easy to raise the level of security by enabling SELinux with vendor-provided default settings. This is not a perfect solution but probably the best option for someone that lacks both the experience to create the customized hardening of a server themselves and the money to hire someone else to do it for them.
dennismurphyPut me on hold? I'll put YOU on hold Premium Member join:2002-11-19 Parsippany, NJ
to rchandra
said by rchandra: "Really, seriously... you don't have to be playing around with octal."
I find octal much, much easier. Much quicker as well. Most Unix admins I know do; in fact, I don't know of ANY that use the ugoa syntax.
rchandraStargate Universe fan Premium Member join:2000-11-09 14225-2105
rchandra
Premium Member
2013-Oct-18 9:35 am
Well, now you do (know one). (Well... not know well.)
ExodusYour Daddy Premium Member join:2001-11-26 Earth
to dennismurphy
Each has their own place. If I went to set static permissions for a folder or file(s), I use the octal. What happens if you want to strip away read access for all "other" users in a folder while keeping other permissions intact? You can't do that with octal.
dennismurphyPut me on hold? I'll put YOU on hold Premium Member join:2002-11-19 Parsippany, NJ
said by Exodus: "What happens if you want to strip away read access for all "other" users in a folder while keeping other permissions intact? You can't do that with octal."
Huh? chmod 660 - read/write for user, group, not other. chmod 750 - rwx for user, read/execute for group, none for other. What can't you do with octal?
dave Premium Member join:2000-05-04 not in ohio
dave
Premium Member
2013-Oct-18 12:28 pm
Your examples do not leave user+group permissions unchanged. They set them to specific values.
leibold MVM join:2002-07-09 Sunnyvale, CA Netgear CG3000DCR ZyXEL P-663HN-51
1 recommendation
to dennismurphy
The u/g/o/a +/-/= r/w/x syntax allows you to add or remove some privileges while keeping the remaining permissions unmodified. This is helpful when you want to change permissions on a large set of files that have different permissions and you need to preserve some of those differences (for example remove the writable attribute from all files in a directory that contains both data files without the execute bit and programs with the execute bit).
Before:
rw-rw-rw- prog.conf
rwxrwxrwx prog.sh
chmod a-w *
After:
r--r--r-- prog.conf
r-xr-xr-x prog.sh
jscarville Premium Member join:2013-09-21 Glendora, CA
Be careful if you have directories that will be included by the "*" wildcard. The chmod command will remove write from them as well. That may not be what you intended.
This only changes attributes for files in the current directory (with -maxdepth given before -type so GNU find does not warn about option order):
find . -maxdepth 1 -type f -exec chmod a-w {} \;
rchandraStargate Universe fan Premium Member join:2000-11-09 14225-2105 ARRIS ONT1000GJ4 EnGenius EAP1250
rchandra
Premium Member
2013-Nov-8 8:08 pm
I very rarely if ever use the -exec option. Almost invariably, unless requirements actually necessitate using "{}", I use xargs, and often xargs -t to see what it's doing. If in a GNU environment (such as Linux), often I will add -print0 to find(1) and use xargs -0 -t.
Another thing to note is the capital symbolic modes. For example, X behaves differently for files and directories. For example:
chmod -R ug+X .
It makes directories searchable whilst not altering the executability of files.
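The four behaviours argued over in this thread (root ignoring mode 000, leibold's a-w glob, jscarville's file-only find, and rchandra's ug+X) side by side, as an added example that is not code from any poster. It assumes a POSIX sh with mktemp, GNU find and chmod, and reads mode strings from ls -ld; every tree it touches is constructed under a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: builds throwaway trees under mktemp and
# prints mode strings so the effect of each chmod form can be compared.
# Mode string of one path, e.g. -rwxr-xr-x (first 10 chars of ls -ld; portable).
mode() { ls -ld "$1" | cut -c1-10; }
# Constructed sample tree: data file, script, empty subdir with mode $2 (default 700).
make_tree() {
    mkdir -p "$1/sub"
    : > "$1/prog.conf"; chmod 666 "$1/prog.conf"
    : > "$1/prog.sh";   chmod 777 "$1/prog.sh"
    chmod "${2:-700}" "$1/sub"
}
# Directories made unwritable need u+w back before rm -rf can empty them.
cleanup() { chmod -R u+w "$1"; rm -rf "$1"; }

# The OP's experiment: mode 000 stops an ordinary user but not root, whose
# CAP_DAC_OVERRIDE bypasses mode bits. Prints "readable" or "denied".
read_mode_000() {
    d=$(mktemp -d); printf 'secret\n' > "$d/test"; chmod 000 "$d/test"
    if cat "$d/test" >/dev/null 2>&1; then echo readable; else echo denied; fi
    cleanup "$d"
}

# leibold's a-w via a glob: execute bits survive per file, but the
# subdirectory loses write too, which is jscarville's warning.
case_glob() {
    d=$(mktemp -d); make_tree "$d"
    ( cd "$d" && chmod a-w * )
    echo "$(mode "$d/prog.conf") $(mode "$d/prog.sh") $(mode "$d/sub")"
    cleanup "$d"
}

# jscarville's fix: regular files in this directory only (-maxdepth placed
# before -type so GNU find does not warn), so sub keeps its write bit.
case_find() {
    d=$(mktemp -d); make_tree "$d"
    find "$d" -maxdepth 1 -type f -exec chmod a-w {} \;
    echo "$(mode "$d/prog.conf") $(mode "$d/prog.sh") $(mode "$d/sub")"
    cleanup "$d"
}

# rchandra's ug+X: directories (and files that already have an x bit) gain
# x for user and group; a data file with no execute bit is left alone.
case_big_x() {
    d=$(mktemp -d); make_tree "$d" 640
    chmod -R ug+X "$d"
    echo "$(mode "$d/prog.conf") $(mode "$d/prog.sh") $(mode "$d/sub")"
    cleanup "$d"
}
```

Run read_mode_000 once as an unprivileged user and once as root to see the DAC override that started the thread; the other three functions print the same mode strings regardless of who runs them.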