Hello All,

Some hacker attacked to my Fedora 14 behind the firewall. I recovered it with counter attack but could someone tell me what this is and how I can change it back to normal name? I google'd it but didnt find anything related to it yet. Please let me know if you know it.

Thanks
-------

When you run 'who' where I am not sure how to get rid of dabdall yet. It was a hacker and I was able to trace it. It was coming from greece.

root :0 2010-09-21 11:18
dabdall pts/0 2010-09-21 11:18 (:0)
root pts/1 2010-09-21 11:47 (:0.0)
root pts/2 2010-09-21 13:05 (192.168.1.1)

you didnt provide any information about the attack type and if you made some backups/images of your hard disk.

I am trying to figure out the type of the attack. It was trying to get sudo / root on my server and apprently got that, i noticed too quickly and removed it. Traced IP that was from greece. Anyhow, how do I get rid of this 'dabdall' at pts/0?

thanks

Try this:
and: http://www.linuxquestions.org/questi...hacked-832148/

Hi again,

I tried as it was still there:

[root@localhost ~]# kill -9 `ps -ef | grep pts\/0 | grep -v grep | awk '{ print $2 }'`
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
[root@localhost ~]# who
root :0 2010-09-21 11:18
dabdall pts/0 2010-09-21 11:18 (:0)
root pts/1 2010-09-21 11:47 (:0.0)

It seems he/she open multiple terminals (check with ps -ef | grep pts\/0). If so, try to kill all of them:

Hi,

No use to loop through the processes to kill them all. Just kill the parent process with kill -9 and the rest (children) get killed also. For example:
is your command without the awk part.
kills all of them.

EDIT: This killed of course my SSH session.

Kind regards,

Eric

I appreciate for the tips.
It seems no process is running, but name is still displayed there. I deleted that the stupid hacker created account right away. But it is still showing...I know this is no brainer but I am trying to figure it out...

Let me know any ideas...

Thanks much again...

[root@localhost ~]# ps -ef | grep pts\/0 | grep -v grep
[root@localhost ~]# who
root :0 2010-09-21 11:18
dabdall pts/0 2010-09-21 11:18 (:0)
root pts/1 2010-09-21 11:47 (:0.0)

Excuse me, but can we stop treating the symptoms and focus on the problem? If someone was able to create an account, your system was compromised and cannot be trusted. Simply killing the ssh connection doesn't change that. So lets look at this properly.

- Isolate this machine from the internet either by pulling the network cable or by putting up a firewall that denies all access except SSH from trusted IP addresses.

- Start gathering evidence. You need to look at log files to determine when this suspect account was created. Look at your root .bash_history as well

- Start looking for running processes. Commands to run are ps -afxwwwe, lsof -Pwn, netstat -pane. Those should give you an idea of what is running on the machine and you should be on the lookout for things that aren't expected.

-The CERT Checklist is a good thing to work through to try and figure out what happened.

Simply messing with the suspect account isn't going to get you where you need to be.

4 members found this post helpful.

1. Find out how he got in.

2. Wipe and re-install, paying special attention to fixing the flaw that allowed him to get in in the first place.

That's how you get rid of "dabdall," and more importantly, how you get rid of anything else he might have done.


-- Ah, Hangdog gave the how-to's, even better. I should have read the entire thread before posting.

Thanks for time anyway. Engineering point of view - I would like to figure out how he go after all this security. I know killing procs will not solve the issue. Anyone knows that. Let's just stop at this point. I will figure it out. Earlier I asked simple question but some did not geet the point. Oh well.

Please have a read of what I posted, that will get you started on figuring out how the cracker got in. Feel free to post the results or any questions you have. We have people here willing to help, but it is your responsibility to gather the data needed to analyze the problem.

Thank you. I know you guys helpful. This is a test machine and I run multiple OS's on it to get to know about them. There is of course securities all over. Let's see what I find out, will let you know.

I fixed the issue. hacker was blocked with no harm.