Linux Security: Trace hacker?

mikeshn

Senior member
Oct 9, 2001
My server Red Hat 7.2 was hacked yesterday :(

Is it possible to see the IP address of a person who logged in to my server? How can I see and find out who logged in to the server?

Thanks
M.S
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
This is why you shouldn't be running a server if you don't know what you're doing.

Check your logs in /var/log, likely auth.log or something similar. The commands "last", "who", and "w" may also be of some use.
 

n0cmonkey

Elite Member
Jun 10, 2001
That could be a fun forensics toy, but what will you gain by that? Use this as a lesson to motivate you to learn how to better protect your system.
 

drag

Elite Member
Jul 4, 2002
Yep Yep firewall/router it and pay attention!!! Red Hat ain't hardly more secure than any Windows box... Minimization is the first step towards security, the fewer windows and doors on your system the better off you'll be!

BTW so how did he get into your system?

I had somebody try to do a DNS hack and do a man-in-the-middle attack on my nightly ssh sessions I do from work when I get bored, but they stopped when I did some aggressive port scanning on their boxes... Of course I didn't know how long they'd been doing it, so that box that was my ssh/ftp server is now retired and disconnected from my network waiting for a full format and reinstall, and all the passwords on the rest of my s**t have been changed... They didn't make it in as far as I can tell, but it's still pretty irritating. My bandwidth being used to support warez is not something I really want to be doing!
 

drag

Elite Member
Jul 4, 2002
OH btw.. sure it's possible as long as your servers log that sort of thing. I don't know if Red Hat is set up to do that or not... And even if it did keep proper logs, how do you know the cracker didn't just modify the logs to keep his identity secret?

Oh and if he didn't do that and you have a login and IP address, it's probably gonna be impossible to track him anyways. He could be your neighbor, but he will probably reroute his traffic through a variety of pre-cracked servers/routers, telnet servers and proxies. And if any of these is located out of your country, like China or Denmark or someplace, then not even the FBI will be able to track him through there without violating several international treaties and breaking the laws of the countries in question. Good Luck
 

burnedout

Diamond Member
Oct 12, 1999
Originally posted by: mikeshn
My server Red Hat 7.2 was hacked yesterday :(

Is it possible to see the IP address of a person who logged in to my server? How can I see and find out who logged in to the server?

Thanks
M.S

cd /var/log

cat secure | less

RH 7.2 should make a new secure and maillog file for you weekly in the directory. You might look in /var/log/secure.1 as well. Also check in /var/www/logs/access_log, if you are running httpd service and your box is configured for such logging.

For access_log file in the /var/www/logs directory, use grep and the date. For example:

grep 04/Apr/2003 access_log | less
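The log-reading steps Barnaby W. Füi and burnedout describe above (read /var/log/secure, then match the access_log on a date), pulled together as a constructed example that is not code from any poster in this thread. The sshd and Apache lines are made up for the example; on a real box the inputs would be /var/log/secure (plus secure.1 after rotation) and the httpd access_log, and the wtmp-based tools last, who and w are separate and not reproduced here. As drag points out, none of this helps if the intruder edited the logs, so treat the output as a starting point, not proof.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster: parse a Red Hat
# style /var/log/secure and an Apache access_log to list where logins came
# from. The log lines below are constructed for the example.

SECURE_FILE="${TMPDIR:-/tmp}/secure.example.$$"
ACCESS_FILE="${TMPDIR:-/tmp}/access_log.example.$$"
trap 'rm -f "$SECURE_FILE" "$ACCESS_FILE"' EXIT

# Constructed sshd/PAM lines in the syslog format RH 7.2 writes to /var/log/secure.
cat > "$SECURE_FILE" <<'EOF'
Apr  4 02:13:07 box sshd[1021]: Accepted password for root from 192.0.2.77 port 4112 ssh2
Apr  4 02:13:40 box sshd[1025]: Failed password for admin from 198.51.100.9 port 33012 ssh2
Apr  4 02:14:01 box sshd[1027]: Accepted password for mike from 203.0.113.5 port 1022 ssh2
Apr  4 03:50:22 box sshd[1101]: Accepted password for root from 192.0.2.77 port 4120 ssh2
Apr  5 09:00:00 box su(pam_unix)[1200]: session opened for user root by mike(uid=500)
EOF

# Constructed Apache common-log-format lines; the date field is "[04/Apr/2003:"
# (abbreviated month), which is what a grep on the date has to match.
cat > "$ACCESS_FILE" <<'EOF'
203.0.113.5 - - [03/Apr/2003:11:02:45 -0500] "GET /index.html HTTP/1.1" 200 1043
192.0.2.77 - - [04/Apr/2003:02:20:11 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.77 - - [04/Apr/2003:02:21:02 -0500] "GET /images/logo.gif HTTP/1.0" 200 2210
EOF

# accepted_logins FILE: "count ip user" for successful sshd logins, most frequent first.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
             for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") ip = $(i+1) }
             n[ip " " u]++
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# failed_attempts FILE: "count ip" for rejected sshd passwords, most frequent first.
failed_attempts() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# requests_on DD/Mon/YYYY FILE: "count ip" for web requests logged on that day.
requests_on() {
    awk -v day="[$1:" 'index($4, day) == 1 { n[$1]++ }
                       END { for (k in n) print n[k], k }' "$2" | sort -rn
}

# shared_sources SECURE ACCESS: addresses that both logged in over ssh and hit the web server.
shared_sources() {
    awk 'FNR == NR {
             if ($0 ~ /sshd\[[0-9]+\]: Accepted/)
                 for (i = 1; i <= NF; i++) if ($i == "from") seen[$(i+1)] = 1
             next
         }
         ($1 in seen) && !printed[$1]++ { print $1 }' "$1" "$2"
}

echo "== successful ssh logins (count ip user)";  accepted_logins "$SECURE_FILE"
echo "== failed ssh passwords (count ip)";        failed_attempts "$SECURE_FILE"
echo "== web requests on 04/Apr/2003 (count ip)"; requests_on 04/Apr/2003 "$ACCESS_FILE"
echo "== addresses seen in both logs";            shared_sources "$SECURE_FILE" "$ACCESS_FILE"
```

Point the functions at the real files instead of the constructed ones, and check secure.1 and older rotations too, since a login from before the last weekly rotation will not be in the current secure file.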
 

Soybomb

Diamond Member
Jun 30, 2000
What happened to it to make you say it's hacked?

You can search your logs, but any reasonable person should have cleared themselves from it.

If you want to poke around you might download a program called chkrootkit and see if it finds anything of interest.

Be sure it's off the network, and format and reinstall before you put it back on.

How long since you'd done any patching?