LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Gentoo (http://www.linuxquestions.org/questions/gentoo-87/)
-   -   New System taken over by unknown remote.... (http://www.linuxquestions.org/questions/gentoo-87/new-system-taken-over-by-unknown-remote-4175416245/)

dwmolyneux 07-11-2012 08:03 PM

New System taken over by unknown remote....
 
Hi. I had done a fresh install of Gentoo. Installed a few drivers needed. Installed x11.org . installed Gnome.

My computer was then left without any connection to the internet and was shutdown & unplugged for alittle over a month.

I reconnected and powered it up for the first time since. Not even 5 minutes after booting up to run updates and installs, I watched:eek::scratch: as someone had taken remote control of my system and running commands to force download files from some ftp server.:banghead::banghead::banghead::banghead:

How do I regain control of the system and secure it or am I SOL and having to reinstall from scatch again?

I know the information is located some where in the handbook but I was not locating it.

How do I protect a new install from future events of things repeating?

ReaperX7 07-11-2012 08:18 PM

Unplug the system from your network and then go through your accounts and eliminate any remote access accounts, user accounts, reset passwords, and possibly implement a firewall through IPTables as well as look into the Hardening Linux handbooks around the internet on how to prevent a hacker from accessing and controlling your system.

i92guboj 07-14-2012 01:00 PM

Quote:

Originally Posted by dwmolyneux (Post 4725571)
Hi. I had done a fresh install of Gentoo. Installed a few drivers needed. Installed x11.org . installed Gnome.

My computer was then left without any connection to the internet and was shutdown & unplugged for alittle over a month.

I reconnected and powered it up for the first time since. Not even 5 minutes after booting up to run updates and installs, I watched:eek::scratch: as someone had taken remote control of my system and running commands to force download files from some ftp server.:banghead::banghead::banghead::banghead:

How? Where? Describe what you saw. From what you are telling us, what you are seeing could just be the regular output from emerge on a terminal. Details, please.


Quote:

How do I protect a new install from future events of things repeating?
Any casual attacker can't just break into your system using hocus pocus spells. They must reach a server that's running in your machine (apache, lighttpd, amule, mldonkey, mysql, etc.). At most they could break into your user account using specially crafter sites if you are running a vulnerable browser.

So, please, describe the real symptoms instead of telling us what your impressions are.

unSpawn 07-14-2012 01:15 PM

Quote:

Originally Posted by i92guboj (Post 4728107)
How? Where? Describe what you saw. (..) Any casual attacker can't just break into your system using hocus pocus spells. They must reach a server that's running in your machine (apache, lighttpd, amule, mldonkey, mysql, etc.).

I agree: proper analysis and mitigation should be done first.

@OP: while no longer maintained the CERT Intruder Detection Checklist might help you focus your efforts if you don't know where to look.


All times are GMT -5. The time now is 06:29 AM.