Hacker attack
Hello All,
Some hacker attacked my Fedora 14 behind the firewall. I recovered it with a counter attack, but could someone tell me what this is and how I can change it back to the normal name? I googled it but didn't find anything related to it yet. Please let me know if you know it. Thanks
-------
This is what I get when I run 'who'. I am not sure how to get rid of dabdall yet. It was a hacker and I was able to trace it. It was coming from Greece.
Code:
root     :0      2010-09-21 11:18
dabdall  pts/0   2010-09-21 11:18 (:0)
root     pts/1   2010-09-21 11:47 (:0.0)
root     pts/2   2010-09-21 13:05 (192.168.1.1)
You didn't provide any information about the attack type, or whether you made any backups/images of your hard disk.
thanks
Code:
kill -9 `ps -ef | grep pts\/0 | grep -v grep | awk '{ print $2 }'`
I tried, as it was still there:
Code:
[root@localhost ~]# kill -9 `ps -ef | grep pts\/0 | grep -v grep | awk '{ print $2 }'`
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
[root@localhost ~]# who
root     :0      2010-09-21 11:18
dabdall  pts/0   2010-09-21 11:18 (:0)
root     pts/1   2010-09-21 11:47 (:0.0)
It seems he/she opened multiple terminals (check with ps -ef | grep pts\/0). If so, try to kill all of them:
Code:
ps -ef | grep pts\/0 | grep -v grep | awk '{ print $2 }' | while read p; do kill -9 $p; done
No use looping through the processes to kill them all. Just kill the parent process with kill -9 and the rest (the children) get killed as well. For example:
Code:
ps -ef | grep pts\/0 | grep -v grep
Code:
kill -9 8503
EDIT: This of course killed my SSH session.
Kind regards,
Eric
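Two things the last few posts rely on, shown in an added example (my own code, not from any poster in this thread): selecting processes by the TTY column of `ps -eo pid,ppid,tty,user,args` rather than by a substring match on the whole line (the reason the one-liners above need `grep -v grep`), and walking the PPID column to see which processes sit under a session parent, which is what makes killing the parent sufficient. The `ps` output and the PIDs in it are a constructed sample, not a capture from the poster's machine.

```shell
#!/bin/sh
# Added example, not code from the thread. Operates on the text of
# "ps -eo pid,ppid,tty,user,args"; on a live host feed it the real output:
#   ps -eo pid,ppid,tty,user,args | tty_pids pts/0

# Constructed sample of "ps -eo pid,ppid,tty,user,args" output (not a real capture).
SAMPLE_PS='  PID  PPID TT       USER     COMMAND
    1     0 ?        root     /sbin/init
 1234     1 ?        root     /usr/sbin/sshd
 4201  1234 ?        dabdall  sshd: dabdall@pts/0
 4210  4201 pts/0    dabdall  -bash
 4260  4210 pts/0    dabdall  vim notes.txt
 9000     1 pts/1    root     -bash
 9100  9000 pts/1    root     grep pts/0'

# PIDs whose TTY column is exactly $1. The sshd session process for that
# terminal is NOT included: its own TTY is "?", it only mentions pts/0 in args.
tty_pids() {
    awk -v tty="$1" 'NR > 1 && $3 == tty { print $1 }' | sort -n | xargs
}

# What "grep pts/0" over the same text selects: every line containing the
# string, including root's own grep command (hence the thread's "grep -v grep").
line_match_pids() {
    grep -F -- "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -n | xargs
}

# Every PID in the subtree rooted at $1 (root first), found by repeatedly
# following the PPID column. Killing the root of this tree is what the
# "just kill the parent" post above relies on.
process_tree() {
    awk -v root="$1" '
        NR > 1 { ppid[$1] = $2 }
        END {
            inset[root] = 1
            do {
                added = 0
                for (p in ppid)
                    if (!(p in inset) && (ppid[p] in inset)) { inset[p] = 1; added++ }
            } while (added)
            for (p in inset) print p
        }' | sort -n | xargs
}

# Demonstration on the constructed sample.
echo "by TTY column:      $(printf '%s\n' "$SAMPLE_PS" | tty_pids pts/0)"
echo "by substring match: $(printf '%s\n' "$SAMPLE_PS" | line_match_pids pts/0)"
echo "tree under 4201:    $(printf '%s\n' "$SAMPLE_PS" | process_tree 4201)"
```

The by-TTY selection returns only the shell and editor on pts/0; the substring match also picks up the sshd session process (which is actually the useful parent to stop) and the administrator's own grep. Listing the tree first makes the scope of a kill visible before it is sent.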
It seems no process is running, but the name is still displayed there. I deleted the account that the stupid hacker created right away. But it is still showing... I know this is a no-brainer but I am trying to figure it out... Let me know any ideas... Thanks much again...
Code:
[root@localhost ~]# who
root     :0      2010-09-21 11:18
dabdall  pts/0   2010-09-21 11:18 (:0)
root     pts/1   2010-09-21 11:47 (:0.0)
Excuse me, but can we stop treating the symptoms and focus on the problem? If someone was able to create an account, your system was compromised and cannot be trusted. Simply killing the ssh connection doesn't change that. So let's look at this properly.
- Isolate this machine from the internet, either by pulling the network cable or by putting up a firewall that denies all access except SSH from trusted IP addresses.
- Start gathering evidence. You need to look at log files to determine when this suspect account was created. Look at your root .bash_history as well.
- Start looking for running processes. Commands to run are ps -afxwwwe, lsof -Pwn, netstat -pane. Those should give you an idea of what is running on the machine, and you should be on the lookout for things that aren't expected.
- The CERT Checklist is a good thing to work through to try and figure out what happened.
Simply messing with the suspect account isn't going to get you where you need to be.
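An added example of the evidence-gathering step in the post above (my code, not Hangdog's): a few shell functions that pull an account's creation time, its successful login sources and its failed attempts out of `/var/log/secure`-style lines, which is how you answer "when was this account created and where did it log in from". The log excerpt is a constructed sample in Fedora's syslog format, not the poster's real log; 203.0.113.45 is a documentation address standing in for the attacker's IP.

```shell
#!/bin/sh
# Added example, not code from the thread. On a live host run the functions
# against a copy of the real log, e.g.:  account_creation dabdall < /var/log/secure

# Constructed sample of /var/log/secure lines (not a real capture).
SAMPLE_SECURE='Sep 21 11:05:42 localhost useradd[4120]: new user: name=dabdall, UID=501, GID=501, home=/home/dabdall, shell=/bin/bash
Sep 21 11:05:50 localhost passwd: pam_unix(passwd:chauthtok): password changed for dabdall
Sep 21 11:18:03 localhost sshd[4201]: Accepted password for dabdall from 203.0.113.45 port 51234 ssh2
Sep 21 11:18:03 localhost sshd[4201]: pam_unix(sshd:session): session opened for user dabdall by (uid=0)
Sep 21 11:47:10 localhost sshd[4300]: Accepted publickey for root from 192.168.1.1 port 40122 ssh2
Sep 21 12:02:17 localhost sshd[4350]: Failed password for dabdall from 203.0.113.45 port 51300 ssh2'

# Timestamp of the useradd entry that created the named account
# (shadow-utils logs "new user: name=<user>, UID=..., ...").
account_creation() {
    awk -v u="$1" '/useradd\[[0-9]+\]: new user: / && index($0, "name=" u ",") { print $1, $2, $3 }'
}

# Distinct source addresses that successfully authenticated as the named user.
# Field layout: "<mon> <day> <time> <host> sshd[pid]: Accepted <method> for <user> from <ip> ..."
login_sources() {
    awk -v u="$1" '$6 == "Accepted" && $9 == u && $10 == "from" { print $11 }' | sort -u | xargs
}

# Timestamp of the first successful login for the named user.
first_login() {
    awk -v u="$1" '$6 == "Accepted" && $9 == u { print $1, $2, $3; exit }'
}

# Number of failed authentication attempts for the named user (a brute-force indicator).
failed_logins() {
    awk -v u="$1" '$6 == "Failed" && $9 == u { n++ } END { print n + 0 }'
}

# Timeline for one account, built from the functions above.
triage_summary() {
    user="$1"
    log="$(cat)"
    echo "account $user created:   $(printf '%s\n' "$log" | account_creation "$user")"
    echo "first successful login: $(printf '%s\n' "$log" | first_login "$user")"
    echo "login sources:          $(printf '%s\n' "$log" | login_sources "$user")"
    echo "failed attempts:        $(printf '%s\n' "$log" | failed_logins "$user")"
}

printf '%s\n' "$SAMPLE_SECURE" | triage_summary dabdall
```

Because an intruder with root can edit `/var/log/secure`, an absent `useradd` line is inconclusive rather than proof the account was not created locally; compare what the log says against the account's entry in `/etc/passwd`, the modification time of its home directory, and the `.bash_history` files the post above mentions.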
2. Wipe and re-install, paying special attention to fixing the flaw that allowed him to get in in the first place. That's how you get rid of "dabdall," and more importantly, how you get rid of anything else he might have done.
--
Ah, Hangdog gave the how-to's, even better. I should have read the entire thread before posting.
Please have a read of what I posted, that will get you started on figuring out how the cracker got in. Feel free to post the results or any questions you have. We have people here willing to help, but it is your responsibility to gather the data needed to analyze the problem. |
I fixed the issue. The hacker was blocked with no harm done.