Slashdot Mirror


Forensics On a Cracked Linux Server

This blog entry is the step-by-step process that one administrator followed to figure out what was going on with a cracked Linux server. It's quite interesting to me, since I have had the exact same problem (a misbehaving ls -h command) on a development server quite a while back. As it turns out, my server was cracked, maybe with the same tool, and this analysis is much more thorough than the one I was able to do at the time. If you've ever wondered how to diagnose a Linux server that has been hijacked, this short article is a good starting point.

21 of 219 comments

  1. Story is FUD from a M$ shill by Anonymous Coward · · Score: 2, Funny

    A Cracked Linux Server? Ha! He should live so long!

    1. Re:Story is FUD from a M$ shill by Anonymous Coward · · Score: 0, Funny

      Cracked Linux server? Oh Noes, that's unpossible! Teh Lunix is UNBREAKABLE!

  2. Yeah obvious FUD article by Anonymous Coward · · Score: 5, Funny

    Why Slashdot would such obvious anti-Linux FUD is beyond me. Maybe the M$ advertising dollars are turning their heads.

    The bottom line is that a LINUX SERVER CAN'T BE CRACKED.

    Maybe this admin got his login info phished by Nigerian scammers, I don't know. The guy probably is wondering why his Ebay account has a bunch of negative feedback and his MySpace is all jacked up and hasn't put 2 and 2 together with that time he responsed to that clever email asking for the triple whammy of MySpace/Ebay/root on your servers so that you could clear the money transfer.

    That or he didn't have his updates turned on and had an outdated BIND. And its not like BIND means Linux is unsecure.

    Even not that the idea that Linux is crackable is laughable and not worht front page at digg let alone slashdot. You don;t see Technorait or Bruce Perens' site posting garbage like this ever so why slashdot editors can't see thru it i dont kno.

    1. Re:Yeah obvious FUD article by ATMD · · Score: 5, Funny

      *whoosh*

      --
      Nobody else has this sig.

    2. Re:Yeah obvious FUD article by Anonymous Coward · · Score: 5, Funny

      . o <- Joke

      ..O <- You
      ./|\
      ./ \

    3. Re:Yeah obvious FUD article by suggsjc · · Score: 5, Funny

      Dang HTML Formatted default, forgot the <br>'s

      ASCII art is lame
      If you really want to blast them
      Then try a haiku

      So in my rage, I wrote this (and used the code layout):
      Today I posted
      Today I looked like an ass
      It is Friday, beer

      --
      When I have a kid, I want to put him in one of those strollers for twins and then run around the mall looking frantic.

  3. Looks as if there was another way... by sphealey · · Score: 3, Funny

    Looks as if there was another way to crash his server...

    sPh

  4. I had to do this once. by Anonymous Coward · · Score: 4, Funny

    We had a cracked linux server at work one time and I took it upon myself to find out who did it. Long story short: some server monkey decided it would be a fun idea to ride his bike around inside the data center and smashed into one of the racks.

    1. Re:I had to do this once. by CompMD · · Score: 2, Funny

      im in ur datacenter breakin ur racks

  5. Meta-cracking by CopaceticOpus · · Score: 5, Funny

    Oh, I see, it's a clever DOS attack:

    1. Infect Linux server of some guy with a blog.
    2. Guy blogs about how he dealt with said infection.
    3. Blog posting gets linked to on Slashdot.
    4. Millions of computers attempt to access the blog, hence bringing down the server.

    Don't you see? We've a socially engineered botnet!

    (And please, for the love of all that is sacred and funny, don't reply to this and add steps for "???" and "Profit". It's just tired and completely not funny. And the clever little variation on that theme you're thinking about posting right now isn't funny either.)

    1. Re:Meta-cracking by Anonymous Coward · · Score: 1, Funny

      5. ???
      6. Profit!

      (oh, come on, you asked for it)

    2. Re:Meta-cracking by Anonymous Coward · · Score: 5, Funny

      1. Find clever little variation that is funny
      2. ????
      3. Profit!

  6. *Bourne* Shell? by Spy+der+Mann · · Score: 4, Funny

    The shell is a working Bourne shell

    I knew it! Jason Bourne was involved in this!

  7. Re:How did he get access and On tools by eln · · Score: 4, Funny

    I think it's probably the fact that the owner of this system had the root password set to "GOD" as all good sysadmins do. The hacker's extensive experience hacking the Gibson made getting into this system a cakewalk.

    Clearly, we as sysadmins should rethink the long-standing policy of setting all root passwords to either love, secret, sex, or god. Perhaps we should at least add another password to the list, like "unhackable" or something truly secure like that.

  8. Raise your hand by tie_guy_matt · · Score: 5, Funny

    Raise your hand if you typed "ls -h" on your box just to make sure it still works right.

    1. Re:Raise your hand by Anonymous Coward · · Score: 5, Funny

      C:\>ls -h
      'ls' is not recognized as an internal or external command,
      operable program or batch file.


      Oh noes!

  9. Re:Forensics by Anonymous Coward · · Score: 5, Funny

    On the one server I have backdoor access to .bash_history is symbolically linked to /dev/random

    It makes for an interesting read :)

    Anonymous in case the admin actually reads slashdot.

  10. Re:Ssshhh.... Secrets Revealed... by dedazo · · Score: 5, Funny

    I am a MS insider

    The 220,000 or so members of the Slashdot Members Who Post Authoritative Statements On The Inner Workings Of Microsoft To Support Their Arguments warmly welcomes you to the club.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo

  11. That's it, I'm switching to Windows by Maltheus · · Score: 3, Funny

    Security is very important to me, I can't be screwing around with something that can be so easily cracked.

  12. Re:Forensics by SIIHP · · Score: 2, Funny

    What redundant? Did someone else tell him his post was hilariously funny?

    Are you too stupid to know what redundant means? I guess you are.

    Hey mod you're a dumbass.

    Wait, "dumbass moderator" see, THAT is redundant.

    --
    I only go to buffets for the unlimited soft serve.

  13. Re:Forensics by Antique+Geekmeister · · Score: 4, Funny

    Ohh. I thought you had accidentally copied a newbie-written Perl file to .bash_history. That explains why it looked so coherent!