Forensics On a Cracked Linux Server

This blog entry is the step-by-step process that one administrator followed to figure out what was going on with a cracked Linux server. It's quite interesting to me, since I have had the exact same problem (a misbehaving ls -h command) on a development server quite a while back. As it turns out, my server was cracked, maybe with the same tool, and this analysis is much more thorough than the one I was able to do at the time. If you've ever wondered how to diagnose a Linux server that has been hijacked, this short article is a good starting point.

Story is FUD from a M$ shill

[Anonymous Coward]

A Cracked Linux Server? Ha! He should live so long!

Yeah obvious FUD article

[Anonymous Coward]

Why Slashdot would such obvious anti-Linux FUD is beyond me. Maybe the M$ advertising dollars are turning their heads.

The bottom line is that a LINUX SERVER CAN'T BE CRACKED.

Maybe this admin got his login info phished by Nigerian scammers, I don't know. The guy probably is wondering why his Ebay account has a bunch of negative feedback and his MySpace is all jacked up and hasn't put 2 and 2 together with that time he responsed to that clever email asking for the triple whammy of MySpace/Ebay/root on your servers so that you could clear the money transfer.

That or he didn't have his updates turned on and had an outdated BIND. And its not like BIND means Linux is unsecure.

Even not that the idea that Linux is crackable is laughable and not worht front page at digg let alone slashdot. You don;t see Technorait or Bruce Perens' site posting garbage like this ever so why slashdot editors can't see thru it i dont kno.

Looks as if there was another way...

[sphealey]

Looks as if there was another way to crash his server...

sPh

Re:Story is FUD from a M$ shill

[Anonymous Coward]

Cracked Linux server? Oh Noes, that's unpossible! Teh Lunix is UNBREAKABLE!

I had to do this once.

[Anonymous Coward]

We had a cracked linux server at work one time and I took it upon myself to find out who did it. Long story short: some server monkey decided it would be a fun idea to ride his bike around inside the data center and smashed into one of the racks.

Meta-cracking

[CopaceticOpus]

Oh, I see, it's a clever DOS attack:

1. Infect Linux server of some guy with a blog.
2. Guy blogs about how he dealt with said infection.
3. Blog posting gets linked to on Slashdot.
4. Millions of computers attempt to access the blog, hence bringing down the server.

Don't you see? We've a socially engineered botnet!

(And please, for the love of all that is sacred and funny, don't reply to this and add steps for "???" and "Profit". It's just tired and completely not funny. And the clever little variation on that theme you're thinking about posting right now isn't funny either.)

*Bourne* Shell?

[Spy der Mann]

The shell is a working Bourne shell

I knew it! Jason Bourne was involved in this!

Re:How did he get access and On tools

[eln]

I think it's probably the fact that the owner of this system had the root password set to "GOD" as all good sysadmins do. The hacker's extensive experience hacking the Gibson made getting into this system a cakewalk.

Clearly, we as sysadmins should rethink the long-standing policy of setting all root passwords to either love, secret, sex, or god. Perhaps we should at least add another password to the list, like "unhackable" or something truly secure like that.

Re:Meta-cracking

[Anonymous Coward]

5. ???
6. Profit!

(oh, come on, you asked for it)

Re:Meta-cracking

[Anonymous Coward]

1. Find clever little variation that is funny
2. ????
3. Profit!

Raise your hand

[tie_guy_matt]

Raise your hand if you typed "ls -h" on your box just to make sure it still works right.

Re:Yeah obvious FUD article

[ATMD]

*whoosh*

Re:Forensics

[Anonymous Coward]

On the one server I have backdoor access to .bash_history is symbolically linked to /dev/random

It makes for an interesting read :)

Anonymous in case the admin actually reads slashdot.

Re:Raise your hand

[Anonymous Coward]

C:\>ls -h
'ls' is not recognized as an internal or external command,
operable program or batch file.

Oh noes!

Re:Ssshhh.... Secrets Revealed...

[dedazo]

I am a MS insider

The 220,000 or so members of the Slashdot Members Who Post Authoritative Statements On The Inner Workings Of Microsoft To Support Their Arguments warmly welcomes you to the club.

That's it, I'm switching to Windows

[Maltheus]

Security is very important to me, I can't be screwing around with something that can be so easily cracked.

Re:Yeah obvious FUD article

[Anonymous Coward]

. o <- Joke

..O <- You
./|\
./ \

Re:Yeah obvious FUD article

[suggsjc]

Dang HTML Formatted default, forgot the <br>'s

ASCII art is lame
If you really want to blast them
Then try a haiku

So in my rage, I wrote this (and used the code layout):
Today I posted
Today I looked like an ass
It is Friday, beer

Re:I had to do this once.

[CompMD]

im in ur datacenter breakin ur racks

Re:Forensics

[SIIHP]

What redundant? Did someone else tell him his post was hilariously funny?

Are you too stupid to know what redundant means? I guess you are.

Hey mod you're an dumbass.

Wait, "dumbass moderator" see, THAT is redundant.

Re:Forensics

[Antique Geekmeister]

Ohh. I thought you had accidentally copied a newbie-written Perl file to to .bash_history. That explains why it looked so coherent!