Page 1 of 2
Linux problem
Posted: Tue Feb 14, 2006 3:55 am
by eepberries
So I had left my linux webserver running for like a week or whatever. Today I turned on the monitor and noticed that the firewall I was using had crashed. I was like "okay whatever" and restarted the firewall. Then I installed MySQL server onto it. After that I logged out and logged back in because I forgot the command to restart the GNOME panel. So when I log back in, I can't run any programs. When I do, it gives me the error "can't run program as root." The thing is, I hadn't logged in as root nor was I in the first place.
So uh. What? Have I been haxed or something? It wouldn't surprise me since I don't know that much about Linux and webserver security.
Posted: Tue Feb 14, 2006 10:07 am
by DiscoDave
I've used Linux a bit for development and what you're currently telling me is quite dodgy... firewall down + an apparent login as root?
Yeah, I'd be very suspicious. Obviously you'd tried a full system restart and whatnot?
Posted: Tue Feb 14, 2006 3:17 pm
by Underpants?
Could be a mysql worm thing. Are you running iptables with the mysql port blocked? What services are currently open?
Are you running debian?
if so: apt-get install chkrootkit
when done, run "chkrootkit" from command line with no options
With other distros, download the source and compile it (check the README, as my instructions are from about a year or so ago and things change in the linux community occasionally):
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
cd chkrootkit-xxx (whatever version, blah blah)
./configure
make
make install
from the extracted directory, then again, simply run ./chkrootkit
If it does not compile or install correctly and you've had no troubles like this in the past, I would blow it away as soon as possible and re-install if you're protecting sensitive data behind it. If it's just a home firewall, you can piss around with it, do some googling on Autopsy Forensic Browser and tweaks that will help you dive into and possibly catch any shit fucks dicking with your gear. Whatever the case, it definitely does not sound good--best of luck to you mate.
Posted: Tue Feb 14, 2006 3:19 pm
by Underpants?
Oh haha, I guess no ftp links allowed... do a google on downloading chkrootkit, it should be in your top two or three links.
Posted: Tue Feb 14, 2006 3:38 pm
by Underpants?
Also, it doesn't hurt to try a little passive promiscuity:
tethereal -i eth0
(run it first on the outside then the inside interfaces)
netstat -peat
You're looking for odd traffic and connected ports.
Good times are ahead, man. Don't panic, you'll get it sorted.
Re: Linux problem
Posted: Tue Feb 14, 2006 3:46 pm
by Underpants?
eepberries wrote:
So when I log back in, I can't run any programs. When I do, it gives me the error "can't run program as root."
That's normal, actually, if you're logged in as a regular user and trying to run admin applications like the networking control panel or tweak the services.
If other binaries don't work as su from the command line then there's little question you're in some kind of trouble. The only sane thing to do would be a very selective backup of /etc and /var or wherever you keep any tweaks and modified files or directories, and reinstall.
Posted: Tue Feb 14, 2006 3:53 pm
by ^misantropia^
Underpants? wrote: Also, it doesn't hurt to try a little passive promiscuity:
tethereal -i eth0
(run it first on the outside then the inside interfaces)
netstat -peat
You're looking for odd traffic and connected ports.
Good times are ahead, man. Don't panic, you'll get it sorted.
Problem is, if I were to root a box, `netstat` would, along with `ps`, be the first tool I replaced with a homebrew version. You might want to boot up a rescue disk for this.
Posted: Tue Feb 14, 2006 3:54 pm
by Underpants?
Good point--not always the case, but it sure would be likely on a rooted box.
chkrootkit should find whatever netstat lies about, though.
Posted: Tue Feb 14, 2006 3:56 pm
by Underpants?
And along those lines, chkrootkit's not always going to tell you 100% of the story, as sometimes awk, sed and grep are raped by a rootkit as well, but it should regardless spit out some glory one way or another. On a side note, suspicious file reporting can be misleading.
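The point made in the last few posts, that a replaced netstat (and possibly grep/awk/sed) can hide a listener, can be checked without those binaries by decoding the kernel's own socket table in /proc/net/tcp. This is an added example, not code from the thread; the socket table and the "ports netstat showed" list are constructed sample data, and it assumes a little-endian (x86) host, which is how /proc/net/tcp stores its hex addresses.

```shell
#!/bin/sh
# Added example: decode LISTEN sockets straight from a /proc/net/tcp-format
# table and flag any that a (possibly trojaned) netstat did not report.
# Assumes a little-endian host; all sample data below is constructed.

# Constructed /proc/net/tcp sample: sshd (22) and httpd (80) on all interfaces,
# mysqld (3306) on the LAN address, a stray listener on 31337 (st 0A = LISTEN),
# and one established ssh session (st 01) that must be ignored.
SAMPLE_PROC_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1
   2: 0101A8C0:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1
   3: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1237 1
   4: 0101A8C0:0016 0201A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1238 1'

# Constructed stand-in for the listening ports a replaced netstat printed:
# it hides 31337.
SAMPLE_NETSTAT_PORTS='22 80 3306'

# hex_to_ip 0101A8C0 -> 192.168.1.1 (the four bytes are stored reversed)
hex_to_ip() {
    h=$1
    b1=${h%??????}; b4=${h#??????}
    t=${h#??}; b2=${t%????}
    t=${h%??}; b3=${t#????}
    printf '%d.%d.%d.%d' "$(( 0x$b4 ))" "$(( 0x$b3 ))" "$(( 0x$b2 ))" "$(( 0x$b1 ))"
}

# proc_listeners: read a /proc/net/tcp table on stdin and print "ip port" for
# every LISTEN socket, decoded to dotted quad and decimal port.
proc_listeners() {
    while read -r sl laddr raddr st rest; do
        [ "$st" = "0A" ] || continue
        printf '%s %d\n' "$(hex_to_ip "${laddr%%:*}")" "$(( 0x${laddr##*:} ))"
    done
}

# unreported_listeners TABLE PORTS: print each LISTEN socket in the kernel table
# whose port is absent from PORTS (space-separated: what netstat showed, or the
# ports you meant to expose).  Deliberately avoids grep/awk/sed.
unreported_listeners() {
    printf '%s\n' "$1" | proc_listeners | while read -r ip port; do
        case " $2 " in *" $port "*) ;; *) printf '%s:%s\n' "$ip" "$port" ;; esac
    done
}

# Stand-alone run: the only thing flagged is the stray 31337 listener.
unreported_listeners "$SAMPLE_PROC_TCP" "$SAMPLE_NETSTAT_PORTS"
```

On a live box, feed the real table with `proc_listeners < /proc/net/tcp` (and /proc/net/tcp6 for IPv6); a kernel-level rootkit can filter /proc as well, which is why the rescue-disk advice above still stands.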
Posted: Tue Feb 14, 2006 5:32 pm
by eepberries
Actually, I tried restarting it like suggested and the problem is gone. However, what things should I do in general in terms of security? Also, there really isn't anything important on the computer. The only thing I use it for is image hosting. Besides that I don't touch it, and since I can upload to it remotely I never actually physically touch it anyway. The only ports I have open on it (assuming it works right) are html to the internet, ssh to my main computer, and now sql to my main computer.
Really the only thing I'm worried about is the Linux computer getting compromised and then messing up the other computers on my network.
Posted: Tue Feb 14, 2006 5:38 pm
by +JuggerNaut+
Unplug the box from its outlet and put it in a closet.
Posted: Tue Feb 14, 2006 5:49 pm
by Foo
If you're using it for monkey tasks like that, consider using a CD-bootable distro.
Posted: Tue Feb 14, 2006 8:26 pm
by ^misantropia^
eepberries wrote: The only ports I have open on it (assuming it works right) are html to the internet, ssh to my main computer, and now sql to my main computer.
What does `netstat -tulp` (as root) say?
Posted: Tue Feb 14, 2006 9:25 pm
by Underpants?
eepberries wrote: Also, there really isn't anything important on the computer. The only thing I use it for is image hosting.
specify that in your first post next time, piss-cock.
eepberries wrote: However, what things should I do in general in terms of security?
Lock down your chains/firewall rules, and remove all unnecessary packages, using RPM, yum or apt. I wouldn't just remove the links and be comfortable, though that's all some admins will do.
As far as I know your firewall should never shut down or "crash" under normal circumstances. Run a service restart and check your logs for fucked up rulesets and other errors. If you find none, suspect the worst.
I would particularly worry if your web server is running customized PHP upload or editing scripts, backends (such as php/postnuke), or blog packages.
Posted: Tue Feb 14, 2006 9:36 pm
by Underpants?
And for Christ's sake...
chkrootkit.
Posted: Tue Feb 14, 2006 9:50 pm
by Underpants?
^misantropia^ wrote: eepberries wrote: The only ports I have open on it (assuming it works right) are html to the internet, ssh to my main computer, and now sql to my main computer.
What does `netstat -tulp` (as root) say?
This would be good for possibly noticing connected hosts, but as this ^ guy mentioned earlier, if your box is compromised, you'll most likely see nothing from the netstat command. eep, I would start with a careful check of the firewall rules first, since this is what you noticed as a problem initially. Iptables/chains will filter or even mask, depending on the rule, most of the ports you'll find open in a netstat.
In other words, starting here would be like walking to the corner newspaper stand before putting on your underpants, or in doombrain's case, girdle.
Posted: Tue Feb 14, 2006 10:55 pm
by +JuggerNaut+
Underpants? wrote:specify that in your first post next time, piss-cock.
:oL0:
Posted: Wed Feb 15, 2006 1:01 am
by eepberries
I'm quickly growing tired of Linux
Screenshot: http://ohshi.dyndns.org/testingground/junk/screenshot.png
I'm seriously considering giving in and buying another copy of XP
Posted: Wed Feb 15, 2006 2:07 am
by AmIdYfReAk
As much as I love Linux, it's a workhorse.. through and through.. I still don't feel that it does a good job as a workhorse... but not as a desktop system

Posted: Wed Feb 15, 2006 3:12 am
by ^misantropia^
eepberries wrote:I'm quickly growing tired of Linux
I wager you weren't root when you executed that.
Posted: Wed Feb 15, 2006 3:24 am
by eepberries
^misantropia^ wrote:eepberries wrote:I'm quickly growing tired of Linux
I wager you weren't root when you executed that.
Rite. Was I supposed to be?
Posted: Wed Feb 15, 2006 3:25 am
by ^misantropia^
AmIdYfReAk wrote: As much as I love Linux, it's a workhorse.. through and through.. I still don't feel that it does a good job as a workhorse... but not as a desktop system

I've been using GNU/Linux - more specifically, Debian - for years now, not just to run servers but as a desktop system, too. It takes some getting used to, but after that, there's no going back to the limiting kiddie playground that is Windows.
"Linux, putting the power back in power user since 1991" to coin a (admittedly corny) phrase.
Posted: Wed Feb 15, 2006 3:26 am
by ^misantropia^
eepberries wrote: Rite. Was I supposed to be?
Yep. You wouldn't want just anyone to install or remove new software system-wide.
Posted: Wed Feb 15, 2006 9:17 pm
by AmIdYfReAk
^misantropia^ wrote: AmIdYfReAk wrote: As much as I love Linux, it's a workhorse.. through and through.. I still don't feel that it does a good job as a workhorse... but not as a desktop system

I've been using GNU/Linux - more specifically, Debian - for years now, not just to run servers but as a desktop system, too. It takes some getting used to, but after that, there's no going back to the limiting kiddie playground that is Windows.
"Linux, putting the power back in power user since 1991" to coin a (admittedly corny) phrase.
To each their own.

Posted: Wed Feb 15, 2006 11:56 pm
by +JuggerNaut+
AmIdYfReAk wrote: As much as I love Linux, it's a workhorse.. through and through.. I still don't feel that it does a good job as a workhorse... but not as a desktop system

It does a fine job as a workstation.
