Muldjin

@199.116.116.x

Linux hacked?! Permissions don't work

I set a file to octal 000 but root can still read it! Someone has hacked my system; are there any ideas on how I can fix this? root should not be able to read this file, but it can. I have run rootkit hunter but it didn't find anything.

root@Muldjin:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
 
root@Muldjin:/tmp# echo "I think I am hacked" > /tmp/test
 
root@Muldjin:/tmp# stat /tmp/test
  File: `/tmp/test'
  Size: 20        	Blocks: 8          IO Block: 4096   regular file
Device: 802h/2050d	Inode: 1049648     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2013-10-16 11:37:15.784118265 -0500
Modify: 2013-10-16 11:37:15.784118265 -0500
Change: 2013-10-16 11:37:15.784118265 -0500
 Birth: -
 
root@Muldjin:/tmp# chmod 000 /tmp/test
 
root@Muldjin:/tmp# cat /tmp/test
I think I am hacked
 
root@Muldjin:/tmp#
 

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

10 recommendations

I think you must be trolling. Or else you don't know what root privilege actually means.



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

2 recommendations

reply to Muldjin

Securely wipe the hard drive and give up on Linux. You don't understand it.



leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

2 recommendations

reply to Muldjin

It is working exactly as it should.

If you really want to prevent root from accessing the file you should look at SELinux (security enhanced linux), specifically at Extended Attributes (security namespace) and Access Control Lists.

Without those (or similar) additions the normal behavior for any unix like operating system is that the superuser (root) has unrestricted access to everything.

Additional hint: if you do want to restrict access to a file, don't have it owned by the user you want to restrict it from. The restricted user can simply grant himself the necessary rights if you leave him the owner of it. In your example you left the file owned by root.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!
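An added example, not part of leibold's post or the OP's session, that walks the same chmod 000 experiment as the file's owner and then shows the point of the "additional hint": ownership, not the current mode bits, decides who may call chmod, so the owner simply gives the read bit back. It assumes a POSIX shell with coreutils chmod, ls and mktemp; the file name and contents are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): mode 000 does not protect a file
# from its own owner, and root bypasses the mode bits entirely.
# Assumes a POSIX shell with coreutils (assumption, not stated on the page).
set -eu

# First ten characters of ls -ld: the type flag plus the nine mode bits.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Prints "readable" or "denied" depending on whether cat can open the file.
can_read() { if cat "$1" >/dev/null 2>&1; then echo readable; else echo denied; fi; }

# Run the OP's experiment as the owner: chmod 000, try to read, then
# re-grant the read bit. No root privilege is needed for the last step.
owner_regrants_access() {
  d=$(mktemp -d); f="$d/secret"          # constructed temporary file
  printf 'sensitive\n' > "$f"
  chmod 000 "$f"
  before=$(can_read "$f")                # "denied" for an unprivileged owner,
                                         # "readable" for root (CAP_DAC_OVERRIDE)
  chmod u+r "$f"                         # chmod(2) checks ownership, not the
                                         # bits currently set, so this succeeds
  after=$(can_read "$f")
  printf '%s %s %s\n' "$before" "$after" "$(mode_of "$f")"
  rm -rf "$d"
}

# The invariant that holds whether or not the caller is root: the owner
# ends up able to read the file, with only the owner's read bit set.
owner_ends_readable() {
  set -- $(owner_regrants_access)
  if [ "$2" = readable ] && [ "$3" = "-r--------" ]; then echo yes; else echo no; fi
}

owner_regrants_access
```

Run as an ordinary user the first word printed is "denied"; run as root it is "readable", which is exactly what the OP saw. Either way the second word is "readable", because the owner restored the bit. If the file must stay out of reach of the account that can log in, that account must not own it, which is what leibold's hint says.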



Archivis
Your Daddy
Premium
join:2001-11-26
Earth
kudos:19
reply to Muldjin

Good troll.



leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

I agree that it suspiciously looks like a troll, but I'm giving it the benefit of the doubt.

The origin of the anon post is a colocation facility in Atlanta and therefore it might really just be an inexperienced administrator trying to secure their linux server.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

1 recommendation

If you mean he works for the co-location facility, that might be a company to avoid...



leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

1 recommendation

The difference between a hosting company and a colocation facility is that the former owns the equipment and manages it (including system administration) while the latter provides racks, cabinets and cages (along with power and network connectivity) with the customers bringing their own equipment and maintain it themselves (to save money). If the post is genuine and not a troll then I would take it to be from a customer of that facility and not from their staff.

To forestall arguments: I'm well aware that most public data centers provide many different levels of service ranging from unassisted colocation to fully managed hosting (regardless which label is applied to them for whatever reasons).
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!



Muldjin

@199.116.116.x
reply to dave

I do not work for the company. I am trying to secure a server that was on an IRC botnet.



justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet

Ok, then just re-install the latest version of the OS, and re-install the client packages. If it was hacked you're not going to be able to identify exactly what has been modified.

After re-install depending on the version of linux you might find it comes with a firewall you can enable for everything except for the services you want. Or you can download and install such a firewall. I'd say do it yourself using iptables but if you're not experienced that is a big step.

What distribution and version is it?
What services was it running? If web, what web server and version? Anything else?



Muldjin

@199.116.116.x

From the looks of it, they got in from Plesk, and there is a perl IRC bot that was running. I think I found it and got it going; I just wasn't sure about the root issues. Looks like I'm all fixed up!



leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

1 recommendation

reply to Muldjin

Even with the rootkit check that you already performed, it is not a good idea to trust a server once it has been hacked. Ideally you would have multiple generations of backups and can pick one that predates the intrusion.
I would completely remove the disk(s) in the server and restore the backup to a fresh set of drives. Use the old drives to preserve any evidence that may be needed for further investigation as well as to extract any needed data (if you are in the unfortunate situation that you need to recover data that was added to the server after the last good backup).
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!



justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet
reply to Muldjin

I wouldn't trust plesk
»blog.sucuri.net/2013/06/plesk-0-···ild.html
can't you firewall it except to a few whitelisted IPs?



rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105

2 recommendations

reply to Muldjin

I agree with many previous posters. Once compromised, one cannot truly determine if a computer has been scrubbed of the infection unless one takes known good media (CD, DVD, or whatever) and reinstalls everything, including retaining no data whatsoever (which includes making ALL brand new filesystems). It's a somewhat advanced topic, but everything in the boot path has to be rewritten, such as the MBR and anything it accesses.

Unless, as leibold suggests, you want to retain the original disks for forensics, the easiest, prepackaged way I know of to do this is to boot up Darik's Boot And Nuke (DBAN). You will be left with absolutely squeaky clean hard disks. For your application, single pass mode will do as you're not likely at all to be doing data recovery. (Plus I've read that with most modern HDDs, multipass doesn't gain you anything, and if you really want industrial espionage/NSA grade unreadability of the platters, physical destruction is the only way.)

Really, seriously...you don't have to be playing around with octal. It's far easier just to think symbolically with ugoa+-=rwx. (Readers' Digest version: u is user, g is group, o is other, a is all, + is add bits, - is take away bits, = is make it exactly this. There are also more arcane bits available, like t and s. man -s 1 chmod for all the details.) So for example chmod a= /tmp/test would be the symbolic equivalent of what you tried. Similar useful constructs would be:


  • chmod a+rx myshellscript

  • chmod u=rwx,go=rx ashellscript

  • chmod go-w FileToRemoveGroupAndOtherWritability

  • chmod o= FileWhereOtherHasNoRights


--
English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer chooses not to follow those rules.

Jeopardy! replies and randomcaps REALLY suck!


Archivis
Your Daddy
Premium
join:2001-11-26
Earth
kudos:19
reply to Muldjin

I think what hasn't been mentioned is that there is a form of Anti-Virus that comes with most Linux distributions called SELinux. Where firewalls, outdated kernels and packages, and other poor security measures fail, SELinux prevails.

It takes a little bit of learning, but if the box's function stays relatively static, SELinux works wonderfully to sandbox exploited processes from allowing an intruder to gain root access.
--
A government big enough to give you everything you want, is strong enough to take everything you have. -MLK



GILXA1226
Premium,MVM
join:2000-12-29
Dayton, OH

said by Archivis:

I think what hasn't been mentioned is that there is a form of Anti-Virus that comes with most Linux distributions called SELinux. Where firewalls, outdated kernels and packages, and other poor security measures fail, SELinux prevails.

SELinux is not anti-virus. It's a set of security tools to lock down a system based on roles in order to further limit what people can do on the system.
--
We don't give a d@mn for the whole state of Michigan... we're from OHIO! O!H! ... I!O!

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

And (seriously, no insult to OP intended) SELinux would be a big step for an admin who's still unclear on the basic concept of root privilege.



leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

Which is why Justin's question about distribution and version (which the OP failed to answer) does indeed matter.

In some distributions (SuSE Linux for example, but I'm sure there are others) it is very easy to raise the level of security by enabling SELinux with vendor provided default settings. This is not a perfect solution but probably the best option for someone that lacks both the experience to create the customized hardening of a server themselves and the money to hire someone else to do it for them.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!



dennismurphy
Put me on hold? I'll put YOU on hold
Premium
join:2002-11-19
Parsippany, NJ
kudos:3
Reviews:
·Verizon FiOS
reply to rchandra

said by rchandra:

Really, seriously...you don't have to be playing around with octal.

I find Octal much, much easier. Much quicker as well. Most Unix admins I know do; in fact, I don't know of ANY that use the ugoa syntax.


rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105

Well, now you do (know one). (well....not know well)



Archivis
Your Daddy
Premium
join:2001-11-26
Earth
kudos:19
reply to dennismurphy

Each has their own place. If I went to set static permissions for a folder or file(s), I use the octal. What happens if you want to strip away read access for all "other" users in a folder while keeping other permissions intact? You can't do that with octal.
--
A government big enough to give you everything you want, is strong enough to take everything you have. -MLK



dennismurphy
Put me on hold? I'll put YOU on hold
Premium
join:2002-11-19
Parsippany, NJ
kudos:3
Reviews:
·Verizon FiOS

said by Archivis:

What happens if you want to strip away read access for all "other" users in a folder while keeping other permissions intact? You can't do that with octal.

Huh? chmod 660 - read/write for user, group, not other.
chmod 750 - rwx for user, read/execute for group, none for other.

What can't you do with octal?

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

Your examples do not leave user+group permissions unchanged. They set them to specific values.



leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

1 recommendation

reply to dennismurphy

The u/g/o/a +/-/= r/w/x syntax allows you to add or remove some privileges while keeping the remaining permissions unmodified. This is helpful when you want to change permissions on a large set of files that have different permissions and you need to preserve some of those differences (for example remove the writable attribute from all files in a directory that contains both data files without the execute bit and programs with the execute bit).

Before:

rw-rw-rw- prog.conf
rwxrwxrwx prog.sh

Chmod: a-w *

After:

r--r--r-- prog.conf
r-xr-xr-x prog.sh
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!
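An added example, not code from leibold's or rchandra's posts, that reproduces leibold's before/after table in a scratch directory and sets it beside the octal equivalent and two of rchandra's symbolic forms (`u=rwx,go=rx` and `a=`). It assumes a POSIX shell with coreutils chmod, ls and mktemp; the file names and contents are constructed to match the table.

```shell
#!/bin/sh
# Added example (not from the thread): symbolic versus octal chmod on the
# two files from leibold's table. Assumes a POSIX shell with coreutils.
set -eu

# First ten characters of ls -ld: the type flag plus the nine mode bits.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Constructed fixture: a world-writable data file and a world-executable
# script, i.e. leibold's "Before" column.
make_fixture() {
  d=$(mktemp -d)
  printf 'key=value\n' > "$d/prog.conf";         chmod 666 "$d/prog.conf"
  printf '#!/bin/sh\necho hi\n' > "$d/prog.sh";  chmod 777 "$d/prog.sh"
  printf '%s\n' "$d"
}

# Prints both modes on one line, then removes the fixture.
report_and_clean() {
  printf '%s %s\n' "$(mode_of "$1/prog.conf")" "$(mode_of "$1/prog.sh")"
  rm -rf "$1"
}

# a-w: subtracts only the write bits, so the script keeps its x bits.
symbolic_a_minus_w() {
  d=$(make_fixture)
  chmod a-w "$d/prog.conf" "$d/prog.sh"
  report_and_clean "$d"
}

# 444: an absolute mode, so the script silently loses its x bits.
octal_444() {
  d=$(make_fixture)
  chmod 444 "$d/prog.conf" "$d/prog.sh"
  report_and_clean "$d"
}

# u=rwx,go=rx: '=' assigns exactly these bits per class (same as 755).
symbolic_assign() {
  d=$(make_fixture)
  chmod u=rwx,go=rx "$d/prog.conf" "$d/prog.sh"
  report_and_clean "$d"
}

# a=: clears every bit, the symbolic spelling of the OP's chmod 000.
symbolic_clear() {
  d=$(make_fixture)
  chmod a= "$d/prog.conf" "$d/prog.sh"
  report_and_clean "$d"
}

echo "a-w:           $(symbolic_a_minus_w)"
echo "444:           $(octal_444)"
echo "u=rwx,go=rx:   $(symbolic_assign)"
echo "a=:            $(symbolic_clear)"
```

The first two lines are the whole argument of the thread: `a-w` yields `-r--r--r-- -r-xr-xr-x`, while `444` yields `-r--r--r-- -r--r--r--` and has quietly broken the script. Octal is fine when you know the final mode you want; symbolic `+`/`-` is the tool when you only know the delta.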


jscarville
Premium
join:2013-09-21
Glendora, CA

Be careful if you have directories that will be included by the "*" wildcard. The chmod command will remove write from them as well. That may not be what you intended.

This only changes attributes for files in the current directory:

find . -maxdepth 1 -type f -exec chmod a-w {} \;



rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105

I very rarely if ever use the -exec option. Almost invariably, unless requirements actually necessitate using "{}", I use xargs, and often xargs -t to see what it's doing. If in a GNU environment (such as Linux), often I will add -print0 to find(1) and use xargs -0 -t.

Another thing to note is the capital symbolic modes. For example, X behaves differently for files and directories. For example:
chmod -R ug+X .
It makes directories searchable whilst not altering the executability of files.

--
English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer chooses not to follow those rules.

Jeopardy! replies and randomcaps REALLY suck!
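An added example, not code from jscarville's or rchandra's posts, that puts both points from the last two replies into one scratch tree: restricting the `a-w` to regular files in the top directory with `find -print0 | xargs -0` (so a name containing a space survives), and `chmod -R ug+X` adding the search bit to a directory without making a data file executable. It assumes GNU find, xargs and chmod as found on a typical Linux system; the directory layout and modes are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find -print0 | xargs -0 for the
# "files only" case, and chmod's capital X. Assumes GNU findutils and
# coreutils (assumption, not stated on the page).
set -eu

# First ten characters of ls -ld: the type flag plus the nine mode bits.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Constructed tree: a subdirectory with no execute bits at all, a data
# file, a file whose name contains a space, and an executable script.
make_tree() {
  d=$(mktemp -d)
  mkdir "$d/sub";                      chmod 644 "$d/sub"
  printf 'x\n' > "$d/data.txt";        chmod 664 "$d/data.txt"
  printf 'x\n' > "$d/two words.txt";   chmod 664 "$d/two words.txt"
  printf '#!/bin/sh\n' > "$d/run.sh";  chmod 775 "$d/run.sh"
  printf '%s\n' "$d"
}

# Give ourselves back full rights before deleting the scratch tree.
clean_tree() { chmod -R u+rwx "$1"; rm -rf "$1"; }

# jscarville's point: touch only regular files at depth 1, leaving the
# directory writable. -print0/-0 keeps "two words.txt" as one argument.
strip_write_from_files_only() {
  d=$(make_tree)
  find "$d" -maxdepth 1 -type f -print0 | xargs -0 chmod a-w
  printf '%s %s %s %s\n' "$(mode_of "$d/sub")" "$(mode_of "$d/data.txt")" \
         "$(mode_of "$d/two words.txt")" "$(mode_of "$d/run.sh")"
  clean_tree "$d"
}

# rchandra's point: X sets execute on directories, and on files only if
# some execute bit is already set, so data.txt stays non-executable.
add_search_bit_recursively() {
  d=$(make_tree)
  chmod -R ug+X "$d"
  printf '%s %s %s\n' "$(mode_of "$d/sub")" "$(mode_of "$d/data.txt")" \
         "$(mode_of "$d/run.sh")"
  clean_tree "$d"
}

echo "files only, a-w:  $(strip_write_from_files_only)"
echo "recursive ug+X:   $(add_search_bit_recursively)"
```

The first line shows `sub` still `drw-r--r--` while the three files have lost their write bits; the second shows `sub` at `drwxr-xr--` (now searchable for user and group) with `data.txt` unchanged at `-rw-rw-r--`. A lowercase `ug+x` in the same position would have made every data file executable, which is the mistake `X` exists to avoid.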