[CentOS] I've been hacked -- what should I do next?

Fri Dec 1 12:31:33 UTC 2006
Alfred von Campe <alfred at 110.net>

> Right ... however, if a weak account/passwd was created in useradd (for
> backups) and if something was not done to prevent ssh logins for that
> user, then someone may have logged into ssh via that account and port
> 22.

Yes, this is what happened.  I have set the shell to /sbin/nologin  
for that account now, something I neglected to do when I created it.

> There are many ways to combat this specific issue (use key only logins
> to ssh, etc.).  But the simplest way I have found (if you want password
> access) is to use the AllowGroups option in /etc/ssh/sshd_config.
>
> AllowGroups sshusers
>
> That will make it so only people in the group sshusers can ssh in.

Excellent idea, I'll do this.

> I would also highly recommend that you do not use port 22 for ssh from
> the outside ... pick a non standard port (like 3333 or 22222, etc.) and
> add this option as well to sshd_config
>
> port 22
> port 3333
>
> You can then port forward port 3333 from linksys to 3333 on your centos
> machine ... you can ssh in via that port from outside and still use port
> 22 from inside your firewall (via other machines inside your firewall).
> (you will also need to open up port 3333 tcp on iptables if you have
> iptables on).

What about simply forwarding a non standard port from my Linksys  
router to port 22 on my CentOS system?  This way I wouldn't have to  
reconfigure anything except for the router itself.

> rkhunter and / or chkrootkit ... both good things.

I'll get them and run them when I get back home tonight or over the  
weekend.

> Another thing to worry about is that once a user is logged in on that
> machine and in, they may try to use a local user exploit to gain root
> privileges.  So, you need to proceed assuming that they logged in as
> backup ... and exploited to get a root shell ... and had access to
> everything.

This is what I am worried about.

> That would mean that you need to either reinstall or do:
>
> rpm -V -qa
>
> and figure out everything that is different and verify that you do not
> have binary files for things like top, ps that have been modified to
> hide certain things.

I ran this and will go over the output tonight.

> Reinstall, that is my advice.

That's what I've done in the past too, but I am trying to avoid that  
option if possible.

Thanks for the quick response and advice.

Alfred
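Two of the checks discussed in this thread, the AllowGroups directive and triaging `rpm -V -qa` output for modified binaries such as ps and top, as an added example that is not part of the original thread. The rpm output and sshd_config fragment below are constructed samples; on a real box you would pipe in `rpm -V -qa` and `/etc/ssh/sshd_config` instead.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Constructed sample of
# "rpm -V -qa" output: attribute string (S M 5 D L U G T [P]), optional
# file-type marker (c = config file), then the path.
SAMPLE_RPM_V='S.5....T.    /bin/ps
S.5....T.    /usr/bin/top
.......T.    /usr/bin/ls
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/sbin/sshd'

# Constructed sshd_config fragment: AllowGroups present but commented out,
# so it is NOT in effect.
SAMPLE_SSHD_CONFIG='Port 22
#AllowGroups sshusers
PermitRootLogin yes'

# Read rpm -V output on stdin; print files whose digest changed (column 3
# is "5") and that are not config files, plus files reported missing.
# A changed digest on /bin/ps or /usr/bin/top is the rootkit sign the
# reply warns about; changed config files are usually legitimate edits.
suspicious_from_rpm_verify() {
    awk '
        $1 == "missing" { print "MISSING " $NF; next }
        substr($1, 3, 1) == "5" && $2 != "c" { print "MODIFIED " $NF }
    '
}

# Number of flagged entries from the constructed sample (used by the test).
count_suspicious() {
    printf '%s\n' "$SAMPLE_RPM_V" | suspicious_from_rpm_verify | wc -l | tr -d ' '
}

# Return 0 if the given sshd_config text has an active (uncommented)
# AllowGroups directive with at least one group, 1 otherwise.
has_allowgroups() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*AllowGroups[[:space:]]+[^[:space:]]'
}

printf '%s\n' "$SAMPLE_RPM_V" | suspicious_from_rpm_verify
if has_allowgroups "$SAMPLE_SSHD_CONFIG"; then
    echo "AllowGroups is in effect"
else
    echo "WARNING: no active AllowGroups directive; any account with a shell can ssh in"
fi
```

Run on the real system with `rpm -V -qa 2>/dev/null | suspicious_from_rpm_verify`, remembering that rpm itself could be trojaned on a rooted box, which is why the thread's final advice is to reinstall.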