LinuxQuestions.org
Old 09-23-2010, 12:49 AM   #16
quanta

Quote:
Originally Posted by cmontr View Post
I fixed the issue. hacker was blocked with no harm.
Please share with us.
Old 09-23-2010, 07:12 AM   #17
vinaytp
Quote:
Originally Posted by cmontr View Post
I fixed the issue. hacker was blocked with no harm.
How did you fix the issue? Please share with us. We can take some preventive measures against such attacks.
 
Old 09-23-2010, 08:24 AM   #18
Hangdog42
Quote:
Originally Posted by cmontr View Post
I fixed the issue. hacker was blocked with no harm.

I hope you understand that we view such claims somewhat skeptically unless backed up by an explanation/evidence. The sad truth is that most of these kinds of threads end up with the OP sticking their head in the sand and pretending that everything is OK. I know you've said that this box isn't particularly important, but if you've treated the symptoms instead of solving the problem, your machine and network could still be at risk.
 
2 members found this post helpful.
Old 09-23-2010, 09:27 AM   #19
unixfool
Quote:
Originally Posted by Hangdog42 View Post
I hope you understand that we view such claims somewhat skeptically unless backed up by an explanation/evidence. The sad truth is that most of these kinds of threads end up with the OP sticking their head in the sand and pretending that everything is OK. I know you've said that this box isn't particularly important, but if you've treated the symptoms instead of solving the problem, your machine and network could still be at risk.
I agree with Hangdog42.

If you're sick and you take something that keeps you from sneezing, you're STILL sick...you're still contagious. Your focus should be aimed at getting rid of the sickness instead of trying to get rid of the symptoms.
 
Old 09-25-2010, 12:23 AM   #20
fotoguy
It is nice that it is all fixed, but what security measures have you now taken to stop this from happening again? A few things I know from your post: someone was able to log in as root through SSH, which means root logins through SSH were not disabled. Your root account on the machine was not disabled and had a weak password; otherwise they wouldn't have been able to log in as root in the first place. You should add a user to the sudoers file to give them root privileges and then disable the root account. I suspect the firewall wasn't configured properly, allowing a user from anywhere to have access to the SSH port. Unless you really need users to have access and they don't have a static IP address, it is best to configure iptables to allow only specific addresses to have access to the SSH port.
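An added example (not code from this thread) that checks an sshd_config for the root-login setting the post above recommends and prints iptables rules admitting SSH only from one trusted address; it also checks PasswordAuthentication, which goes a step beyond the post. The config path, the sample config and the address 203.0.113.10 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# recommended above and print iptables rules that admit SSH only from one
# trusted address. The sample config and 203.0.113.10 are assumptions.

# Return 0 if the config turns off direct root logins over SSH.
root_login_disabled() {
    # sshd keeps the first value it reads for a keyword, so take the first
    # uncommented PermitRootLogin line; keywords are case-insensitive.
    val=$(awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$1")
    [ "$val" = "no" ]
}

# Return 0 if password logins are off (key-based only), which removes the
# weak-password risk the post raises. The same first-value rule applies.
password_auth_disabled() {
    val=$(awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}' "$1")
    [ "$val" = "no" ]
}

# Print (do not apply) rules that accept new SSH connections only from $1
# and drop all other new SSH connections; apply them as root after the
# usual ACCEPT for ESTABLISHED,RELATED traffic.
ssh_rules_for() {
    printf 'iptables -A INPUT -p tcp --dport 22 -s %s -m conntrack --ctstate NEW -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP\n'
}

# Walk a constructed sample config (not from the thread) through the checks.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample sshd_config
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
EOF
    if root_login_disabled "$tmp"; then echo "root SSH login: disabled"
    else echo "root SSH login: ENABLED, set 'PermitRootLogin no'"; fi
    if password_auth_disabled "$tmp"; then echo "password auth: disabled"
    else echo "password auth: ENABLED, set 'PasswordAuthentication no'"; fi
    ssh_rules_for 203.0.113.10
    rm -f "$tmp"
}
demo
```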
 
Old 09-25-2010, 09:22 PM   #21
Hangdog42
Quote:
a few things I know from your post, someone was able to log in as root through ssh, which means root logins through ssh was not disabled.
You know this how? The OP posted a few who listings that did indeed show root logged in, but no evidence that it was the cracker. The only evidence I see that the cracker attained root is that they were able to create a new account.

Quote:
Your root account on the machine was not disabled and had a weak password, otherwise they wouldn't have been able to log in as root in the first place.
I'm not trying to be confrontational, but there is zero evidence for this. When dealing with intrusions, we prefer to deal in facts please.
Quote:
You should add a user to the sudoers file to give them root privileges and then disable the root account
Personally I see no advantage to this approach over a properly run root account. Security by obscurity never really accomplishes much.

Quote:
I suspect the firewall wasn't configured properly, allowing a user from anywhere to have access to the ssh port, unless you really need users to have access, and they don't have a static IP address, otherwise best to configure iptables to allow only from specific address to have access to ssh port
While I agree on the utility of limiting ssh access, again, there is absolutely zero evidence that ssh was the vector of attack.
 
2 members found this post helpful.