SuperBaby
Sep 23 2006, 07:43 AM
A hacker broke into my system last week and told me about the vulnerabilities. Since he did not threaten me and came in good faith, I offered him a small fee to give me the solution. He later told me the loopholes and managed to help me patch them up.
A few days ago my server was down 2 ~ 3 times and the hacker admitted that it was due to his activities. Here is a part of advice extracted from his message:
QUOTE
When your server was down a few days ago, it's not because of a hardware/OS problem on your server. It was me testing the kernel vulnerability on your server, because your server kernel (2.4.21 release 2003) has several vulnerabilities, so it can be exploited with some "exploit" tools to get root access on your server. I haven't found a solution for this problem. I suggest you upgrade your kernel on your server to a higher version. I'm sorry that it caused your server to be down for a while. Next time I'm gonna test again, I'll tell you before. Or if you would like, you can tell me when I can test it.
My question is, is it possible for me to upgrade the kernel (since RHL9 is no longer supported)? I tried upgrading using "up2date -uf kernel kernel-smp kernel-utils kernel-devel" but the version is still the same after reboot (I used Graceful Reboot under WHM/cPanel to reboot since "shutdown -r now" gave a no-such-command error).
QUOTE
# rpm -qi redhat-release
Name : redhat-release Relocations: (not relocateable)
Version : 9 Vendor: Red Hat, Inc.
Release : 3 Build Date: Wed 26 Feb 2003 11:14:41 PM MYT
Install Date: Thu 26 Jun 2003 03:05:38 PM MYT Build Host: porky.devel.redhat.com
Group : System Environment/Base Source RPM: redhat-release-9-3.src.rpm
Size : 1578896 License: GPL
Signature : DSA/SHA1, Thu 27 Feb 2003 01:17:46 AM MYT, Key ID XXXXXXcddYYYYYY60e
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary : The Red Hat Linux release file.
Description :
The redhat-release package identifies the release of Red Hat Linux.
# uname -a
Linux server01.XXXX.com 2.4.20-28.9
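An added example, not from the thread, of how an administrator can tell apart the two usual reasons why "uname -r" still reports the old version after a kernel package install and a "reboot": either the box was never actually rebooted (a graceful restart of services only), or the bootloader still defaults to the old entry in /boot/grub/grub.conf. The functions take the running version, a grub.conf file and the installed kernel package versions as inputs; every version string except the thread's 2.4.20-28.9 is made up for the demo.

```shell
#!/bin/sh
# Added example (not the forum poster's or Red Hat's code): decide whether a
# kernel package install has actually taken effect. Inputs are the running
# kernel version, a grub.conf file and the installed kernel package versions.
# The version 2.4.20-99.9 used below is a constructed placeholder.

# grub_default_kernel FILE -- print the kernel version of the grub.conf entry
# selected by the zero-based "default=N" line.
grub_default_kernel() {
    awk '
        /^[ \t]*default=/ { sub(/.*=/, ""); def = $0 + 0 }
        /^[ \t]*title/    { n++ }
        /^[ \t]*kernel/   { v = $2; sub(/.*vmlinuz-/, "", v); kern[n - 1] = v }
        END { if (def in kern) print kern[def] }
    ' "$1"
}

# newest_installed VERSION... -- print the highest of the given versions
# (sort -V is the GNU/BSD version sort: 2.4.20-99.9 sorts above 2.4.20-28.9).
newest_installed() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# kernel_status RUNNING GRUBFILE VERSION... -- print "ok", "reboot-needed"
# or "bootloader-default-old", followed by a colon and an explanation.
kernel_status() {
    running=$1; grubfile=$2; shift 2
    newest=$(newest_installed "$@")
    booted=$(grub_default_kernel "$grubfile")
    if [ "$running" = "$newest" ]; then
        printf 'ok: running the newest installed kernel (%s)\n' "$newest"
    elif [ "$booted" = "$newest" ]; then
        printf 'reboot-needed: grub defaults to %s but %s is still running, so the machine was not really rebooted\n' "$newest" "$running"
    else
        printf 'bootloader-default-old: grub defaults to %s while %s is installed; fix default= in grub.conf, then reboot\n' "$booted" "$newest"
    fi
}

# write_sample_grub FILE -- constructed grub.conf: the new kernel was added as
# entry 0, but "default=1" still points at the old entry.
write_sample_grub() {
    cat > "$1" <<'EOF'
default=1
timeout=10
title Red Hat Linux (2.4.20-99.9)
        root (hd0,0)
        kernel /vmlinuz-2.4.20-99.9 ro root=LABEL=/
        initrd /initrd-2.4.20-99.9.img
title Red Hat Linux (2.4.20-28.9)
        root (hd0,0)
        kernel /vmlinuz-2.4.20-28.9 ro root=LABEL=/
        initrd /initrd-2.4.20-28.9.img
EOF
}

# On a live host the same check is:
#   kernel_status "$(uname -r)" /boot/grub/grub.conf \
#       $(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel)
demo() {
    f=$(mktemp)
    write_sample_grub "$f"
    kernel_status 2.4.20-28.9 "$f" 2.4.20-28.9 2.4.20-99.9
    rm -f "$f"
}
demo
```

The demo prints the "bootloader-default-old" verdict, which is the case the poster's symptoms match if the package really was installed: the new entry exists in grub.conf but is not the default, so every reboot keeps loading 2.4.20-28.9.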
thedude
Sep 23 2006, 10:14 AM
lol...an ethical hacker
Can't you upgrade your kernel without using up2date?
Grab kernel from www.kernel.org ...latest stable is 2.6.18
TheUniverses
Sep 23 2006, 10:20 AM
Try googling, there's probably someone who has made an RPM of a newer kernel.
SuperBaby
Sep 23 2006, 10:23 AM
QUOTE (thedude)
Can't you upgrade your kernel without using up2date?
Grab kernel from www.kernel.org ...latest stable is 2.6.18
1) Is 2.6.18 applicable to my version of Linux (RH9)?
2) How do I upgrade if using the file from kernel.org?
Thanks.
eddy2099
Sep 23 2006, 12:09 PM
Hmmm, I have this icky feeling here. Did the hacker play the sympathy card by duping you into allowing him into your system to plant a trojan or something? Okay, maybe I am paranoid, but I just don't trust a thief.
SuperBaby
Sep 23 2006, 12:37 PM
QUOTE (eddy2099)
Hmmm, I have this icky feeling here. Did the hacker play the sympathy card by duping you into allowing him into your system to plant a trojan or something? Okay, maybe I am paranoid, but I just don't trust a thief.
He did not have to play the sympathy card. He already got enough access to destroy me.
I think I will probably hire someone to do the kernel upgrade for me. I need to upgrade from 2.4.x to the latest 2.6.18. Know any good and reliable company?
Matt2k
Sep 23 2006, 12:54 PM
Hire someone very competent, upgrade the kernel or, even better, set up a new system from scratch (a backdoor may have been placed), and lock the "hacker" out for good. If you're not going to install on a fresh server, you may want to log the hacker's actions and see if he's planted any back doors.
thedude
Sep 23 2006, 01:09 PM
I use Acunett to manage my servers.
They do a very good job...it's like $50 / month but they manage your server, install security software such as RKhunter, chkrootkit, apf, bfd...harden your OS, /temp directories etc.
Part of that package is that they will upgrade your server whenever a new stable kernel is released.
I'm glad I've gone with them......they will be able to do a thorough examination of your server as well and tell you if anything else is exploited. Just tell them what's happened so far, and they'll investigate the issue further.
And yes that kernel should work for you.
SuperBaby
Sep 23 2006, 01:44 PM
Have contacted Acunett.com. Still waiting for their reply. Thanks for the recommendation.
APC Hosting
Sep 24 2006, 02:58 PM
I recommend platinumservermanagement.com, a very good company.
fpscops.com
Sep 24 2006, 04:12 PM
Whoever you choose, get the friendly hacker out of the picture.
SuperBaby
Sep 25 2006, 10:31 AM
I contacted the third-party server companies and this is the main feedback that troubles me:
QUOTE
"Most RH 9 servers are not compatible with 2.6 kernels due to NPTL. The kernel will work, but may affect your RPM functionality."
On the other hand, SM staff said they can do the kernel upgrade for me. But they did not make any comment regarding the issue above although I have asked them a few times.
".... affect your RPM functionality", what does that mean? What is the impact? Should I go ahead and upgrade the kernel? I cannot do the OS Reload as the tech staff said it will erase all my existing data.
thedude
Sep 25 2006, 10:33 AM
Backup your data to a remote site, and re-install a different OS? Like RHE.
That's one possibility....the other I guess would be just going ahead and installing the kernel, and risk not being able to use rpm packages.
My servers use RHE, so I've never run into that kernel problem.
klaude
Sep 25 2006, 12:01 PM
Don't deal with the "hacker" at all. Once someone breaks into the server, all data on it is suspicious. Get an OS reload to RHEL4 or CentOS 4 and restore your data from backups.
James Erickson
Sep 25 2006, 12:05 PM
QUOTE (SuperBaby)
I contacted the third-party server companies and this is the main feedback that troubles me:
QUOTE
"Most RH 9 servers are not compatible with 2.6 kernels due to NPTL. The kernel will work, but may affect your RPM functionality."
On the other hand, SM staff said they can do the kernel upgrade for me. But they did not make any comment regarding the issue above although I have asked them a few times.
".... affect your RPM functionality", what does that mean? What is the impact? Should I go ahead and upgrade the kernel? I cannot do the OS Reload as the tech staff said it will erase all my existing data.
I believe I actually updated this ticket, and stated that I would not run a 2.6 kernel on RH9, but that there is an updated 2.4 kernel we could install. As previously stated in this thread, as well as your ticket, I would strongly recommend backing up your data and getting an OS Reload. Even if the system does get a new kernel, there is no telling what the 'hacker' has done to your server.
eddy2099
Sep 25 2006, 03:46 PM
QUOTE (SuperBaby)
".... affect your RPM functionality", what does that mean? What is the impact? Should I go ahead and upgrade the kernel? I cannot do the OS Reload as the tech staff said it will erase all my existing data.
Well, I believe what it means is that the kernel will work once you upgrade it, but don't expect everything to work as it is.
Personally, I don't think it is a wise idea to upgrade the kernel. Keep it as it is and then scan through the entire system to see what the hacker has planted in your server; this will be a long and hard process.
The best option would be an OS Reload to a better OS. Your system is most likely already compromised and, as I said before, there are no ethical hackers in my books. If they hack, they are already out to no good.
I mean, how many burglars do you know that you can trust to secure your home for you?
thedude
Sep 25 2006, 05:07 PM
As everyone else has said, you do really need to do a re-install.
I would also suggest, once you do a re-install, hardening your server...if you're not sure how to do it yourself, hire a company to do it. You can usually get an OS hardening for between $50 and $150.
SuperBaby
Sep 25 2006, 11:33 PM
QUOTE (eddy2099)
Personally, I don't think it is a wise idea to upgrade the kernel. Keep it as it is and then scan through the entire system to see what the hacker has planted in your server; this will be a long and hard process.
Yes, I think this is the best. What I will do is to upgrade to the last version for 2.4.x. That is from 2.4.20 to 2.4.33.
I have also installed the Nobody Check Security Tool to inform me when there is any suspicious process running as nobody. Also made a few other improvements.
Basically I do not want an OS Reload now as it will erase everything in my server. Although I have a secondary drive's backup, it still involves a long down-time. So I don't see much difference compared to doing the OS Reload only when the server is really compromised.
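The thread does not describe how the "Nobody Check Security Tool" works, so here is an added example (not that tool, and not the poster's code) of the kind of detection it implies: a check over ps output that flags processes running as "nobody" which a web-server-only box should not have. Two rules are applied: the command is not one that nobody is expected to run, or it is an expected command name whose parent is not the same daemon (a binary merely named "httpd" but started from outside the web server's process tree). The ps snapshot is constructed for the demo; the expected-command list is an assumption you would adjust for your own server.

```shell
#!/bin/sh
# Added example: flag unexpected processes owned by "nobody". Not the forum
# poster's tool; the ps lines and the "httpd only" expectation are constructed.

# flag_nobody_processes FILE [EXPECTED] -- FILE holds lines in the layout of
# "ps -eo user,pid,ppid,comm,args"; EXPECTED is a space-separated list of
# command names nobody may run (default: httpd). Prints "PID COMMAND REASON"
# per finding, sorted by PID.
flag_nobody_processes() {
    awk -v expected="${2:-httpd}" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        NR == 1 && $1 == "USER" { next }            # skip the ps header line
        { user[$2] = $1; ppid[$2] = $3; cmd[$2] = $4 }
        END {
            for (p in user) {
                if (user[p] != "nobody") continue
                # rule 1: a command nobody has no business running
                if (!(cmd[p] in ok)) { print p, cmd[p], "unexpected-command"; continue }
                # rule 2: an "expected" command not spawned by that same daemon
                par = ppid[p]
                if (!(par in cmd) || cmd[par] != cmd[p]) print p, cmd[p], "unexpected-parent"
            }
        }
    ' "$1" | sort -n
}

# write_sample_ps FILE -- constructed snapshot: normal httpd workers, a perl
# script reparented to init with an interactive shell under it, and a file
# named httpd started from outside the web server's process tree.
write_sample_ps() {
    cat > "$1" <<'EOF'
USER PID PPID COMMAND ARGS
root 1 0 init [3]
root 1234 1 httpd /usr/sbin/httpd
nobody 1240 1234 httpd /usr/sbin/httpd
nobody 1241 1234 httpd /usr/sbin/httpd
nobody 4321 1 perl perl /tmp/.x.pl
nobody 4400 4321 sh sh -i
nobody 5555 1 httpd /tmp/httpd
EOF
}

# On a live host (could be run from cron and mailed, as the poster wants):
#   ps -eo user,pid,ppid,comm,args > /tmp/ps.snapshot
#   flag_nobody_processes /tmp/ps.snapshot
demo() {
    f=$(mktemp)
    write_sample_ps "$f"
    flag_nobody_processes "$f"
    rm -f "$f"
}
demo
```

On the sample the two httpd workers pass both rules, the perl script and the shell are reported as unexpected commands, and the /tmp/httpd process is reported because its parent is init rather than the httpd master process. A name match alone would have let that last one through, which is why the parent check is worth keeping.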
klaude
Sep 26 2006, 12:36 AM
But your server really is compromised. Please get an OS reload.
SuperBaby
Sep 26 2006, 01:14 AM
If that is the case, I will arrange with my customers, informing them of the downtime, and do it at the earliest convenience.
Thank you all for your advice.
eddy2099
Sep 26 2006, 02:07 AM
That would definitely be a good idea. Ban that hacker from getting right back into your server once and for all.
X-Istence
Sep 26 2006, 03:26 AM
"Sweet my backdoor is installed"
Turns around
"Hey, you need to upgrade your kernel so I can be the only one that has root access to your server, and no others can hack it"
"Okay, let me figure out how to get a kernel upgrade"
"Sweet!"
I personally run FreeBSD, system updates/kernel updates are made easy, simple recompile and one is set.