Mail Server Has Been Hacked by Someone

March 21, 2008

On March 5 2008, I moved my mail server to a new machine after I found the error message “promiscuous mode” in my mail server log. After looking it up on Google, I found that it occurred because the server NIC had been overloaded by something. That’s why I decided to rebuild the mail server on a new machine.

On March 17 2008, it happened again. After I looked at the mail log, I found that my server had been hijacked by someone else. I ran the history command (#history) and found:

ps x
kill -9 20053
cat /proc/cpuinfo
cd /var/tmp
tar xzvf psybnc-2.3.2.6 tar.tar
/sbin/iptables -I INPUT -p tcp --dport 31337 -j ACCEPT
cd psybnc
make
ls

Someone had run the psybnc program on the mail server. From googling, I found that psybnc is a program used with IRC servers. My God, the hacker was going to turn my server into an IRC server. The hacker had already changed the root password, and I could not run the ls and vi commands; every time I ran them, a Segmentation Fault error appeared. I tried to trace where the hole in my server was, but I could not find it.

My friend suggested that I fix the firewall rules, so I did that. Another friend suggested that I install a new server because the existing one had been contaminated. Hmm… it left me very stuck…

Finally I asked Mas Asfik to help me out of this trouble and find the hole in my server. Mas Asfik came to my office on March 20, looked around the configuration and found that I had not closed the ssh port to outsiders. The hacker had accessed my server through this port. He suggested that I reinstall the server again and I agreed. He helped me install the server using Ubuntu Server LTS (hmm.. I had never touched this variant). After 7 hours all the configuration was complete. He taught me how to use the spam blocking, how to install Ubuntu, and told me which ports should be closed from the outside. Thank you, Mas Asfik.

And today, I came to the office again to monitor the server, and it looks like the server is running well with the spam blocker.

I hope every IT staff member will be aware of server security, and that this can be knowledge for everyone.

Again, thank you Mas Asfik.


SELinux problem on Samba

March 4, 2008

Have you ever met a problem like this after installing Samba? This is the story.

After installing Samba, look at the server log in /var/log/messages using the command:

# tail /var/log/messages

And if you see error messages like this:

Dec 25 23:35:42 fileserver smbd[5001]: [2007/12/25 23:35:42, 0] smbd/service.c:make_connection_snum(911)
Dec 25 23:35:42 fileserver smbd[5001]: '/home2/GLOBAL_SHARED' does not exist or permission denied when connecting to [Global_shared] Error was Permission denied
Dec 25 23:35:42 fileserver smbd[5001]: [2007/12/25 23:35:42, 0] smbd/service.c:make_connection_snum(911)
Dec 25 23:35:42 fileserver smbd[5001]: '/home2/GLOBAL_SHARED' does not exist or permission denied when connecting to [Global_shared] Error was Permission denied

[root@fileserver ON_GOING]# date 16:44:40
date: invalid date `16:44:40'


The error happens because SELinux was enabled during the initial installation. So, what is the solution?

The solution is to run the commands below on the console of your Linux box:

# setsebool -P smbd_disable_trans 1

# service smb restart


After running the commands above, you will not see the error again.
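Before unconfining smbd with the boolean above, it is worth checking whether the share directory simply carries a type smbd is not allowed to serve; relabeling only that directory is the narrower fix. The script below is an added example, not part of the original post: it parses constructed ls -Zd output (the paths, users and contexts are made up) and prints the semanage/restorecon commands for a directory that needs relabeling.

```shell
#!/bin/sh
# Added example, not from the original post. Before switching smbd's SELinux
# confinement off with smbd_disable_trans, check whether the share directory
# merely lacks a type smbd is allowed to serve (samba_share_t and friends).
# Relabeling fixes only that directory; the boolean unconfines all of smbd.

# Constructed sample of `ls -Zd` output (CentOS 5 layout: perms user group
# context path; newer coreutils print "context path", which is handled too).
SAMPLE_LS_Z='drwxrwxrwx root root user_u:object_r:default_t /home2/GLOBAL_SHARED
drwxr-xr-x root root system_u:object_r:samba_share_t /srv/samba/public
drwxr-xr-x root root system_u:object_r:public_content_t:s0 /var/ftp/pub'

# Types smbd may serve without further booleans (assumption: targeted policy).
SHARE_TYPES="samba_share_t public_content_t public_content_rw_t"

# check_labels TYPES < ls-Z-output
# Prints "OK <path> (<type>)" or "RELABEL <path> (<type>)" per directory and
# returns 1 when at least one directory needs relabeling, 0 otherwise.
check_labels() {
    awk -v types="$1" '
    BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    {
        ctx = ""
        for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) ctx = $i
        if (ctx == "") next            # not an ls -Z line
        split(ctx, c, ":"); type = c[3]; path = $NF
        if (type in ok) printf "OK %s (%s)\n", path, type
        else { printf "RELABEL %s (%s)\n", path, type; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# fix_commands PATH prints the persistent relabel for one share directory
# (semanage fcontext + restorecon), the narrower alternative to the boolean.
fix_commands() {
    printf 'semanage fcontext -a -t samba_share_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -Rv "%s"\n' "$1"
}

# Stand-alone run over the constructed sample.
if printf '%s\n' "$SAMPLE_LS_Z" | check_labels "$SHARE_TYPES"; then
    echo "all share directories carry a type smbd may serve"
else
    echo "relabel the RELABEL entries, e.g.:"; fix_commands /home2/GLOBAL_SHARED
fi
```

On a real box, feed it `ls -Zd /home2/GLOBAL_SHARED | check_labels "$SHARE_TYPES"` and keep the boolean for cases the relabel does not cover.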

Note :

1. I used CentOS Linux (it happens on Fedora 8 too)

2. The clue to the problem is: Samba_SELinux

Hope this helps you.

Thanks,

Dwi Nugroho