Topic: hacked 4.5.1

[Barry Rogers]

Hello All,
about 2 months ago, we were hacked into with all .htm(l) pages changed by "pSico_b0y - N0f3ar" to a page in a language I do not understand.
my question is how?
the information they gleaned form the server and was in the replaced Web pages, was the following:
[ uname ] Linux server 2.2.16-22 #1 Tue Aug 22 16:16:55 EDT 2000 i586 unknown
[ id ] uid=0(root) gid=0(root) groups=104(www),500(shared),102(admin),502(ibay),503(ibay),504(ibay),5015(ibay)
[ Server Name ] e-smith.servername.com
fortunatley, they did not kill any ibays or change any data... whew!
the server was remade, with a new disk as I was now paranoid about a Trojan, and upgraded to 5.1.2 with the upgrade later added.
can anybody let me know how this occurred and how do I either stop it in future or make it very hard for this person or anybody else to do this or worse?
we are a small company and it only wasted lots of my time, and annoyed me. however, i would like to stop it happening again!
anybody, any ideas?
also, this person obviously killed the log for web access to hide their tracks. however it still exists on the 2nd hdd and if I could restore the link, could possibly find where this person came from?
any help would be appreciated.

[guestHH]

please forward your info to smesecurity@e-smith.com

[Barry Rogers]

Hello RequestedDeletion,
The post and affected page has been sent.

[Ray Mitchell]

Barry
You are talking about an older version of e-smith, perhaps you did not apply all the updates or you may have installed other packages which had security holes in them that were  nothing to do with e-smith server.
I'm sure there were some security updates issued for 4.1.2 (never heard of a 4.5.1 release).

I note you have updated to v5.1.2, why not update to at least v5.5 or better still to 5.6 to get the latest and best security. As far as I can see 5.6 is stable (with only a couple of issues possibly to be resolved) and security has been tightened compared to earlier versions (not that they were bad anyway).

Regards
Ray Mitchell

[Barry Rogers]

Hello Ray Mitchell,
Yes, you are right, V4.1.2, not V4.5.1.
With V4.1.2, no extra programs were installed and all updates had been applied to this version. So, it was as secure as eSmith made it!

[Ray Mitchell]

Barry
Problem is that the last updates seem to have been issued around mid-late 2001.
A lot has happened since then, and as far as I know e-smith (now Mitel) are not really supporting v4.1.2 any more. They still appear to be supplying "security only" fixes for v5.0, 5.1.1, 5.1.2, 5.5 & of course 5.6.
As far as I can see, bug fixes are really only being supplied for the latest v 5.6.

If I had a live server online I certainly would have at least 5.1.2 or 5.5 on it, and if there was no reason for my situation not to, then I would have v5.6 (eg suitablility of rpms and hardware and the odd "supposed" bug with v5.6).

Particularly as your v4.1.2 seems to have been hacked, you ought to update for your own "peace of mind". I would personally recommend a clean instal too, and re-enter your configuration manually rather than an upgrade (although an upgrade is technically possible). I have experienced some difficulties with the upgrading process from v4.1.2 to v5.5. Also, if you upgrade you may carry over any hackers trojans or whatever.

Regards
Ray Mitchell

[Barry Rogers]

Hello Ray Mitchell,
I removed the hacked HDD and replaced it with a new HDD. My thoughts on trojans, etc  are the same as yours.
I installed a fresh 5.1.2 as it appeared to be very stable at that time, changed all passwords, and all has gone OK, except for a strange email bug for 2 weeks.
The hacked drive is offline, not mounted, and any information on it, remains.
That is why I would love to re-create the HTTP access log, to see who hacked into the server. This is possible, but I do not know how!

[Ray Mitchell]

In /var/log/.... there are the log files. If you load that old drive into an old PC for testing, then you may find some details in the old log files. If the files are deleted then there is not much you can do. Did you ever do any system backups, the logs may be there. Even if you found something there may be very little you could do about it.
Regards
Ray

[Ray Mitchell]

By the way Barry,, you did change all your users and the admin passwords, didn't you ?

Ray

[Barry Rogers]

Hello Ray Mitchell,
The hacker killed all of the access logs. If the was done by deleting the FDB or whatever it is in Linux, then it is possible to search the HDD and re-link it.
It is possible, but as I said, I do not have the knowledge in Linux to do so.
Backups were from before this event, so are useless.