LinuxQuestions.org - Linux - Security - Hacker attack (http://www.linuxquestions.org/questions/linux-security-4/hacker-attack-833683/)

cmontr 09-21-2010 11:08 PM

Hacker attack
 
Hello All,

Some hacker attacked my Fedora 14 behind the firewall. I recovered it with a counter attack, but could someone tell me what this is and how I can change it back to the normal name? I googled it but didn't find anything related to it yet. Please let me know if you know it.

Thanks
-------

When you run 'who', dabdall shows up and I am not sure how to get rid of it yet. It was a hacker and I was able to trace it. It was coming from Greece.

root :0 2010-09-21 11:18
dabdall pts/0 2010-09-21 11:18 (:0)
root pts/1 2010-09-21 11:47 (:0.0)
root pts/2 2010-09-21 13:05 (192.168.1.1)

yooy 09-22-2010 04:38 AM

You didn't provide any information about the attack type or whether you made backups/images of your hard disk.

cmontr 09-22-2010 05:18 AM

Quote:

Originally Posted by yooy (Post 4105493)
You didn't provide any information about the attack type or whether you made backups/images of your hard disk.

I am trying to figure out the type of the attack. It was trying to get sudo / root on my server and apparently got it; I noticed it quickly and removed it. The traced IP was from Greece. Anyhow, how do I get rid of this 'dabdall' at pts/0?

thanks

quanta 09-22-2010 05:35 AM

Quote:

Originally Posted by cmontr (Post 4105527)
how do I get rid of this 'dabdall' at pts/0?

Try this:
Code:

kill -9 `ps -ef | grep pts\/0 | grep -v grep | awk '{ print $2 }'`
and: http://www.linuxquestions.org/questi...hacked-832148/

cmontr 09-22-2010 05:38 AM

Quote:

Originally Posted by quanta (Post 4105541)
Try this:
Code:

kill -9 `ps -ef | grep pts\/0 | grep -v grep | awk '{ print $2 }'`
and: http://www.linuxquestions.org/questi...hacked-832148/

Hi again,

I tried as it was still there:

[root@localhost ~]# kill -9 `ps -ef | grep pts\/0 | grep -v grep | awk '{ print $2 }'`
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
[root@localhost ~]# who
root :0 2010-09-21 11:18
dabdall pts/0 2010-09-21 11:18 (:0)
root pts/1 2010-09-21 11:47 (:0.0)

quanta 09-22-2010 05:47 AM

It seems he/she opened multiple terminals (check with ps -ef | grep pts\/0). If so, try to kill all of them:
Code:

ps -ef | grep pts\/0 | grep -v grep | awk '{ print $2 }' | while read p; do kill -9 $p; done

EricTRA 09-22-2010 05:50 AM

Quote:

Originally Posted by quanta (Post 4105553)
It seems he/she opened multiple terminals (check with ps -ef | grep pts\/0). If so, try to kill all of them:
Code:

ps -ef | grep pts\/0 | grep -v grep | awk '{ print $2 }' | while read p; do kill -9 $p; done

Hi,

No need to loop through the processes to kill them all. Just kill the parent process with kill -9 and the rest (children) get killed too. For example:
Code:

ps -ef | grep pts\/0 | grep -v grep
root      8503  1252  0 07:33 ?        00:00:00 sshd: root@pts/0
root      8505  8503  0 07:33 pts/0    00:00:00 -bash
root    13970  8505  0 12:48 pts/0    00:00:00 ps -ef

is your command without the awk part.
Code:

kill -9 8503
kills all of them.

EDIT: This of course killed my SSH session.

Kind regards,

Eric
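To make EricTRA's point concrete, here is an added example (mine, not code from the thread or from LinuxQuestions.org) that takes a constructed `ps -ef` listing shaped like the one above and works out which PID is the session leader for a given pseudo-terminal: the process tied to that tty whose own parent is not. For an SSH login that is the per-connection `sshd: user@pts/N` process, so terminating it ends the shell and everything under it. The process table is embedded as a constant so the script runs offline; on a live host you would pipe real `ps -ef` output in instead.

```shell
#!/bin/sh
# Constructed `ps -ef` output (assumption: not captured from any real host).
# The three pts/0 lines mirror the shape shown in the thread; the rest is filler.
PS_SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 07:00 ?        00:00:01 /sbin/init
root      1252     1  0 07:01 ?        00:00:00 /usr/sbin/sshd
root      8503  1252  0 07:33 ?        00:00:00 sshd: root@pts/0
root      8505  8503  0 07:33 pts/0    00:00:00 -bash
root     13970  8505  0 12:48 pts/0    00:00:00 ps -ef
root      9001  1252  0 08:10 ?        00:00:00 sshd: root@pts/1
root      9003  9001  0 08:10 pts/1    00:00:00 -bash'

# session_procs TTY : print "PID PPID" for every process tied to TTY, matching
# the way the thread's grep does it: either the TTY column (field 6) is the
# terminal, or the sshd label "user@pts/N" at the end of CMD names it.
session_procs() {
    printf '%s\n' "$PS_SAMPLE" | awk -v tty="$1" '
        NR > 1 && ($6 == tty || $0 ~ ("@" tty "$")) { print $2, $3 }'
}

# session_leader TTY : the PID in that set whose parent is NOT in the set,
# i.e. the per-connection sshd process. Sending it a signal ends the whole
# session (shell and children), which is what EricTRA describes.
session_leader() {
    session_procs "$1" | awk '
        { pid[$1] = 1; ppid[$1] = $2 }
        END { for (p in pid) if (!(ppid[p] in pid)) print p }'
}

# Stand-alone usage: report, do not kill. The operator decides what to signal.
printf 'processes on pts/0:\n'
session_procs pts/0
printf 'session leader for pts/0: %s\n' "$(session_leader pts/0)"
```

Check the tty argument twice before acting on the result: as the EDIT in the post above shows, killing the leader of the terminal you are typing into ends your own session. Also keep in mind that this only removes one login; it says nothing about how the account was created or what else was left behind.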

cmontr 09-22-2010 06:24 AM

Quote:

Originally Posted by EricTRA (Post 4105556)
Hi,

No need to loop through the processes to kill them all. Just kill the parent process with kill -9 and the rest (children) get killed too. For example:
Code:

ps -ef | grep pts\/0 | grep -v grep
root      8503  1252  0 07:33 ?        00:00:00 sshd: root@pts/0
root      8505  8503  0 07:33 pts/0    00:00:00 -bash
root    13970  8505  0 12:48 pts/0    00:00:00 ps -ef

is your command without the awk part.
Code:

kill -9 8503
kills all of them.

EDIT: This of course killed my SSH session.

Kind regards,

Eric

I appreciate the tips.
It seems no process is running, but the name is still displayed there. I deleted the account that the stupid hacker created right away, but it is still showing... I know this is a no-brainer but I am trying to figure it out...

Let me know any ideas...

Thanks much again...

cmontr 09-22-2010 06:25 AM

Quote:

Originally Posted by cmontr (Post 4105575)
I appreciate the tips.
It seems no process is running, but the name is still displayed there. I deleted the account that the stupid hacker created right away, but it is still showing... I know this is a no-brainer but I am trying to figure it out...

Let me know any ideas...

Thanks much again...

[root@localhost ~]# ps -ef | grep pts\/0 | grep -v grep
[root@localhost ~]# who
root :0 2010-09-21 11:18
dabdall pts/0 2010-09-21 11:18 (:0)
root pts/1 2010-09-21 11:47 (:0.0)

Hangdog42 09-22-2010 06:53 AM

Excuse me, but can we stop treating the symptoms and focus on the problem? If someone was able to create an account, your system was compromised and cannot be trusted. Simply killing the ssh connection doesn't change that. So let's look at this properly.

- Isolate this machine from the internet either by pulling the network cable or by putting up a firewall that denies all access except SSH from trusted IP addresses.

- Start gathering evidence. You need to look at log files to determine when this suspect account was created. Look at your root .bash_history as well.

- Start looking for running processes. Commands to run are ps -afxwwwe, lsof -Pwn, netstat -pane. Those should give you an idea of what is running on the machine and you should be on the lookout for things that aren't expected.

- The CERT Checklist is a good thing to work through to try and figure out what happened.

Simply messing with the suspect account isn't going to get you where you need to be.
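As an added example for the evidence-gathering step above (mine, not from the thread or from LinuxQuestions.org), the script below runs three account-level checks over constructed data embedded in the script: a second UID-0 account besides root, the full list of accounts that can actually log in, and `who` entries whose user has no passwd entry. The last check is the situation the original poster describes: `who` reads /var/run/utmp, so a login record can remain after both the process and the account are gone. The passwd excerpt, the `svcbackup` account in it, and the `who` listing are all constructed for the example; on a live machine you would feed in `getent passwd` and `who` output instead, ideally from a read-only copy, since Hangdog42's point that a compromised host's own tools cannot be trusted applies to these commands too.

```shell
#!/bin/sh
# Constructed /etc/passwd excerpt (assumption: not from the poster's host).
# "svcbackup" is a made-up account that illustrates a second UID-0 login.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
cmontr:x:1000:1000:cmontr:/home/cmontr:/bin/bash
svcbackup:x:0:0:constructed uid-0 account:/var/tmp:/bin/bash'

# Constructed `who` output, shaped like the listing in the thread.
WHO_SAMPLE='root     :0           2010-09-21 11:18
dabdall  pts/0        2010-09-21 11:18 (:0)
root     pts/1        2010-09-21 11:47 (:0.0)
root     pts/2        2010-09-21 13:05 (192.168.1.1)'

# Accounts other than root whose UID is 0. A second UID-0 login never exists
# on a normal install and is a classic way of keeping root access.
extra_uid0_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts with a real login shell (not nologin/false), printed as name:uid,
# for comparison against the accounts the admin knows were created.
login_capable_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 }'
}

# Users shown by `who` that have no passwd entry. Because `who` reads utmp,
# such an entry means a stale record or an account removed after login; the
# name and terminal are printed so the record can be matched to logs.
sessions_without_account() {
    { printf '%s\n' "$PASSWD_SAMPLE"; echo '== who =='; printf '%s\n' "$WHO_SAMPLE"; } | awk '
        /^== who ==$/ { inwho = 1; next }
        !inwho { split($0, f, ":"); known[f[1]] = 1; next }
        !($1 in known) { print $1, $2 }'
}

# Stand-alone usage: print each finding under its own heading.
printf 'UID-0 accounts besides root:\n'; extra_uid0_accounts
printf 'login-capable accounts:\n'; login_capable_accounts
printf 'who entries with no passwd account:\n'; sessions_without_account
```

These checks only cover the account side of the list above; the running-process and network views (ps, lsof, netstat) and the log timeline still need to be gathered separately, and none of it replaces the wipe-and-reinstall that a confirmed compromise calls for.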

moxieman99 09-22-2010 07:54 AM

Quote:

Originally Posted by cmontr (Post 4105527)
I am trying to figure out the type of the attack. It was trying to get sudo / root on my server and apparently got it; I noticed it quickly and removed it. The traced IP was from Greece. Anyhow, how do I get rid of this 'dabdall' at pts/0?

thanks

1. Find out how he got in.

2. Wipe and re-install, paying special attention to fixing the flaw that allowed him to get in in the first place.

That's how you get rid of "dabdall," and more importantly, how you get rid of anything else he might have done.


-- Ah, Hangdog gave the how-tos, even better. I should have read the entire thread before posting.

cmontr 09-22-2010 08:12 AM

Quote:

Originally Posted by moxieman99 (Post 4105632)
1. Find out how he got in.

2. Wipe and re-install, paying special attention to fixing the flaw that allowed him to get in in the first place.

That's how you get rid of "dabdall," and more importantly, how you get rid of anything else he might have done.


-- Ah, Hangdog gave the how-tos, even better. I should have read the entire thread before posting.

Thanks for your time anyway. From an engineering point of view, I would like to figure out how he got in after all this security. I know killing procs will not solve the issue. Anyone knows that. Let's just stop at this point. I will figure it out. Earlier I asked a simple question but some did not get the point. Oh well.

Hangdog42 09-22-2010 08:20 AM

Quote:

Originally Posted by cmontr (Post 4105643)
Thanks for your time anyway. From an engineering point of view, I would like to figure out how he got in after all this security. I know killing procs will not solve the issue. Anyone knows that. Let's just stop at this point. I will figure it out. Earlier I asked a simple question but some did not get the point. Oh well.


Please have a read of what I posted, that will get you started on figuring out how the cracker got in. Feel free to post the results or any questions you have. We have people here willing to help, but it is your responsibility to gather the data needed to analyze the problem.

cmontr 09-22-2010 08:27 AM

Quote:

Originally Posted by Hangdog42 (Post 4105648)
Please have a read of what I posted, that will get you started on figuring out how the cracker got in. Feel free to post the results or any questions you have. We have people here willing to help, but it is your responsibility to gather the data needed to analyze the problem.

Thank you. I know you guys are helpful. This is a test machine and I run multiple OS's on it to get to know them. There is of course security all over. Let's see what I find out; I will let you know.

cmontr 09-22-2010 11:30 PM

I fixed the issue. The hacker was blocked with no harm.

