LinuxQuestions.org
Old 09-21-2010, 11:08 PM   #1
cmontr
Member
 
Registered: Sep 2007
Posts: 175

Hacker attack


Hello All,

Some hacker attacked my Fedora 14 behind the firewall. I recovered it with a counter attack but could someone tell me what this is and how I can change it back to normal name? I googled it but didn't find anything related to it yet. Please let me know if you know it.

Thanks
-------

When you run 'who' where I am not sure how to get rid of dabdall yet. It was a hacker and I was able to trace it. It was coming from Greece.

root :0 2010-09-21 11:18
dabdall pts/0 2010-09-21 11:18 (:0)
root pts/1 2010-09-21 11:47 (:0.0)
root pts/2 2010-09-21 13:05 (192.168.1.1)
 
Old 09-22-2010, 04:38 AM   #2
yooy
Senior Member
 
Registered: Dec 2009
Posts: 1,154

You didn't provide any information about the attack type and if you made some backups/images of your hard disk.
 
Old 09-22-2010, 05:18 AM   #3
cmontr
Member
 
Registered: Sep 2007
Posts: 175

Original Poster
Quote:
Originally Posted by yooy View Post
You didn't provide any information about the attack type and if you made some backups/images of your hard disk.
I am trying to figure out the type of the attack. It was trying to get sudo / root on my server and apparently got that, I noticed too quickly and removed it. Traced IP that was from Greece. Anyhow, how do I get rid of this 'dabdall' at pts/0?

thanks
 
Old 09-22-2010, 05:35 AM   #4
quanta
Member
 
Registered: Aug 2007
Location: Vietnam
Distribution: RedHat based, Debian based, Slackware, Gentoo
Posts: 724

Quote:
Originally Posted by cmontr View Post
how do I get rid of this 'dabdall' at pts/0?
Try this:
Code:
kill -9 `ps -ef | grep pts\/0 | grep -v grep | awk '{ print $2 }'`
and: http://www.linuxquestions.org/questi...hacked-832148/
 
Old 09-22-2010, 05:38 AM   #5
cmontr
Member
 
Registered: Sep 2007
Posts: 175

Original Poster
Quote:
Originally Posted by quanta View Post
Try this:
Code:
kill -9 `ps -ef | grep pts\/0 | grep -v grep | awk '{ print $2 }'`
and: http://www.linuxquestions.org/questi...hacked-832148/
Hi again,

I tried as it was still there:

[root@localhost ~]# kill -9 `ps -ef | grep pts\/0 | grep -v grep | awk '{ print $2 }'`
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
[root@localhost ~]# who
root :0 2010-09-21 11:18
dabdall pts/0 2010-09-21 11:18 (:0)
root pts/1 2010-09-21 11:47 (:0.0)
 
Old 09-22-2010, 05:47 AM   #6
quanta
Member
 
Registered: Aug 2007
Location: Vietnam
Distribution: RedHat based, Debian based, Slackware, Gentoo
Posts: 724

It seems he/she opened multiple terminals (check with ps -ef | grep pts\/0). If so, try to kill all of them:
Code:
ps -ef | grep pts\/0 | grep -v grep | awk '{ print $2 }' | while read p; do kill -9 $p; done
 
Old 09-22-2010, 05:50 AM   #7
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Quote:
Originally Posted by quanta View Post
It seems he/she opened multiple terminals (check with ps -ef | grep pts\/0). If so, try to kill all of them:
Code:
ps -ef | grep pts\/0 | grep -v grep | awk '{ print $2 }' | while read p; do kill -9 $p; done
Hi,

No use to loop through the processes to kill them all. Just kill the parent process with kill -9 and the rest (children) get killed also. For example:
Code:
ps -ef | grep pts\/0 | grep -v grep
root      8503  1252  0 07:33 ?        00:00:00 sshd: root@pts/0
root      8505  8503  0 07:33 pts/0    00:00:00 -bash
root     13970  8505  0 12:48 pts/0    00:00:00 ps -ef
is your command without the awk part.
Code:
kill -9 8503
kills all of them.

EDIT: This killed of course my SSH session.

Kind regards,

Eric

Last edited by EricTRA; 09-22-2010 at 05:53 AM.
 
Old 09-22-2010, 06:24 AM   #8
cmontr
Member
 
Registered: Sep 2007
Posts: 175

Original Poster
Quote:
Originally Posted by EricTRA View Post
Hi,

No use to loop through the processes to kill them all. Just kill the parent process with kill -9 and the rest (children) get killed also. For example:
Code:
ps -ef | grep pts\/0 | grep -v grep
root      8503  1252  0 07:33 ?        00:00:00 sshd: root@pts/0
root      8505  8503  0 07:33 pts/0    00:00:00 -bash
root     13970  8505  0 12:48 pts/0    00:00:00 ps -ef
is your command without the awk part.
Code:
kill -9 8503
kills all of them.

EDIT: This killed of course my SSH session.

Kind regards,

Eric
I appreciate the tips.
It seems no process is running, but the name is still displayed there. I deleted the account that the stupid hacker created right away. But it is still showing... I know this is a no-brainer but I am trying to figure it out...

Let me know any ideas...

Thanks much again...
 
Old 09-22-2010, 06:25 AM   #9
cmontr
Member
 
Registered: Sep 2007
Posts: 175

Original Poster
Quote:
Originally Posted by cmontr View Post
I appreciate the tips.
It seems no process is running, but the name is still displayed there. I deleted the account that the stupid hacker created right away. But it is still showing... I know this is a no-brainer but I am trying to figure it out...

Let me know any ideas...

Thanks much again...
[root@localhost ~]# ps -ef | grep pts\/0 | grep -v grep
[root@localhost ~]# who
root :0 2010-09-21 11:18
dabdall pts/0 2010-09-21 11:18 (:0)
root pts/1 2010-09-21 11:47 (:0.0)
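
Added example, not part of any poster's reply: `who` reads login records from utmp rather than from the process table, so a record can remain listed after no process is attached to that terminal. The sketch below cross-checks the two; the function name `stale_sessions` is hypothetical and the sample text is constructed from the `who` output shown in this thread plus an invented `ps -ef` listing.

```shell
#!/bin/sh
# Added example: list `who` records whose terminal has no live process.
# Both samples are constructed for illustration, not captured from a real host.

WHO_SAMPLE='root :0 2010-09-21 11:18
dabdall pts/0 2010-09-21 11:18 (:0)
root pts/1 2010-09-21 11:47 (:0.0)'

PS_SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root      1252     1  0 07:01 ?        00:00:00 /usr/sbin/sshd
root      9001  8990  0 11:47 pts/1    00:00:00 bash
root      9100  9001  0 12:48 pts/1    00:00:00 ps -ef'

# stale_sessions WHO_TEXT PS_TEXT
# Prints "user tty" for each pts/tty record in WHO_TEXT that has no process
# on the same terminal in PS_TEXT (TTY is column 6 of `ps -ef`).
# Records for an X display such as ":0" are skipped: they have no tty to match.
stale_sessions() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        $0 == "---" { in_who = 1; next }              # separator: who text follows
        !in_who     { if (NR > 1) live[$6] = 1; next } # remember every TTY seen in ps
        $2 ~ /^(pts\/|tty)/ && !($2 in live) { print $1, $2 }
    '
}

# On a live system: stale_sessions "$(who)" "$(ps -ef)"
stale_sessions "$WHO_SAMPLE" "$PS_SAMPLE"
```

A record flagged here only means utmp and the process table disagree; it says nothing about whether the host itself can be trusted.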
 
Old 09-22-2010, 06:53 AM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,790
Blog Entries: 1

Excuse me, but can we stop treating the symptoms and focus on the problem? If someone was able to create an account, your system was compromised and cannot be trusted. Simply killing the ssh connection doesn't change that. So let's look at this properly.

- Isolate this machine from the internet either by pulling the network cable or by putting up a firewall that denies all access except SSH from trusted IP addresses.

- Start gathering evidence. You need to look at log files to determine when this suspect account was created. Look at your root .bash_history as well.

- Start looking for running processes. Commands to run are ps -afxwwwe, lsof -Pwn, netstat -pane. Those should give you an idea of what is running on the machine and you should be on the lookout for things that aren't expected.

- The CERT Checklist is a good thing to work through to try and figure out what happened.

Simply messing with the suspect account isn't going to get you where you need to be.
 
4 members found this post helpful.
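
Added example, not part of the post above: one way to do the "look at log files to determine when this suspect account was created" step. It assumes sshd and useradd log to syslog in the style Fedora writes to /var/log/secure (the exact message wording varies by version); the function name `account_timeline`, the log lines and the source address are all constructed for illustration and do not come from the poster's machine.

```shell
#!/bin/sh
# Added example: find account-creation events in an auth log and report the
# last accepted SSH login that preceded each one.
# Constructed sample in /var/log/secure style (203.0.113.7 is a documentation address).
SECURE_SAMPLE='Sep 21 11:02:13 localhost sshd[4120]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 21 11:02:19 localhost sshd[4120]: Accepted password for root from 203.0.113.7 port 51022 ssh2
Sep 21 11:03:40 localhost useradd[4188]: new user: name=dabdall, UID=501, GID=501, home=/home/dabdall, shell=/bin/bash
Sep 21 11:04:02 localhost sshd[4201]: Accepted password for dabdall from 203.0.113.7 port 51040 ssh2'

# account_timeline LOG_TEXT
# Output, one line per created account:
#   name|created_at|login_user|login_source|login_at
# or name|created_at|none|| when no accepted login precedes it in LOG_TEXT.
account_timeline() {
    printf '%s\n' "$1" | awk '
        { ts = $1 " " $2 " " $3 }                 # syslog timestamp of this line
        / sshd\[[0-9]+\]: Accepted / {
            # "... Accepted <method> for <user> from <ip> port <n> ssh2"
            for (i = 6; i <= NF; i++) {
                if ($i == "for")  luser = $(i + 1)
                if ($i == "from") lip   = $(i + 1)
            }
            lts = ts
            next
        }
        / useradd\[[0-9]+\]: new user: / {
            name = "?"
            for (i = 6; i <= NF; i++)
                if ($i ~ /^name=/) {
                    name = $i
                    sub(/^name=/, "", name)
                    sub(/,$/, "", name)
                }
            print name "|" ts "|" (lts ? luser "|" lip "|" lts : "none||")
        }
    '
}

# On a live system (as root): account_timeline "$(cat /var/log/secure)"
account_timeline "$SECURE_SAMPLE"
```

Work from a copy of the logs taken after the machine is isolated, since an intruder with root can edit or truncate them.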
Old 09-22-2010, 07:54 AM   #11
moxieman99
Member
 
Registered: Feb 2004
Distribution: Dabble, but latest used are Fedora 13 and Ubuntu 10.4.1
Posts: 413

Quote:
Originally Posted by cmontr View Post
I am trying to figure out the type of the attack. It was trying to get sudo / root on my server and apparently got that, I noticed too quickly and removed it. Traced IP that was from Greece. Anyhow, how do I get rid of this 'dabdall' at pts/0?

thanks
1. Find out how he got in.

2. Wipe and re-install, paying special attention to fixing the flaw that allowed him to get in in the first place.

That's how you get rid of "dabdall," and more importantly, how you get rid of anything else he might have done.


-- Ah, Hangdog gave the how-to's, even better. I should have read the entire thread before posting.

Last edited by moxieman99; 09-22-2010 at 07:55 AM.
 
Old 09-22-2010, 08:12 AM   #12
cmontr
Member
 
Registered: Sep 2007
Posts: 175

Original Poster
Quote:
Originally Posted by moxieman99 View Post
1. Find out how he got in.

2. Wipe and re-install, paying special attention to fixing the flaw that allowed him to get in in the first place.

That's how you get rid of "dabdall," and more importantly, how you get rid of anything else he might have done.


-- Ah, Hangdog gave the how-to's, even better. I should have read the entire thread before posting.
Thanks for your time anyway. From an engineering point of view, I would like to figure out how he got in after all this security. I know killing procs will not solve the issue. Anyone knows that. Let's just stop at this point. I will figure it out. Earlier I asked a simple question but some did not get the point. Oh well.
 
Old 09-22-2010, 08:20 AM   #13
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,790
Blog Entries: 1

Quote:
Originally Posted by cmontr View Post
Thanks for your time anyway. From an engineering point of view, I would like to figure out how he got in after all this security. I know killing procs will not solve the issue. Anyone knows that. Let's just stop at this point. I will figure it out. Earlier I asked a simple question but some did not get the point. Oh well.

Please have a read of what I posted, that will get you started on figuring out how the cracker got in. Feel free to post the results or any questions you have. We have people here willing to help, but it is your responsibility to gather the data needed to analyze the problem.
 
Old 09-22-2010, 08:27 AM   #14
cmontr
Member
 
Registered: Sep 2007
Posts: 175

Original Poster
Quote:
Originally Posted by Hangdog42 View Post
Please have a read of what I posted, that will get you started on figuring out how the cracker got in. Feel free to post the results or any questions you have. We have people here willing to help, but it is your responsibility to gather the data needed to analyze the problem.
Thank you. I know you guys are helpful. This is a test machine and I run multiple OS's on it to get to know about them. There is of course security all over. Let's see what I find out, will let you know.
 
Old 09-22-2010, 11:30 PM   #15
cmontr
Member
 
Registered: Sep 2007
Posts: 175

Original Poster
I fixed the issue. The hacker was blocked with no harm.
 
  

