Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
OT:
- please don't shout. We hear you OK.
- and you can *edit* a post, you don't have to post twice...
I'm wondering what it will be: user leaving CC info unencrypted for anyone to access, a vulnerability in any part of Linux, sniffing the wire or social engineering. So, OK, I'd be interested to know what events led to this stealing of CC information. Could you give us a timeline and detailed description of events? And since this involved serious damage, I take it you have also informed the distro's maintainers?
A distro is as secure as the user who works on it... I would like a more detailed description as well, as I don't think Mepis goes around stealing people's cards.
Quote: I'm wondering what it will be: user leaving CC info unencrypted for anyone to access, a vulnerability in any part of Linux, sniffing the wire or social engineering. So, OK, I'd be interested to know what events led to this stealing of CC information. Could you give us a timeline and detailed description of events? And since this involved serious damage, I take it you have also informed the distro's maintainers?
I'm not deep enough into Linux to answer most of your questions (that is why I just want to re-format and re-install another distro), but I'll try.
About 1 month ago I went into kuser user manager there were way more users with directories than you see here. I think one was called "man" and there were a bunch of others. This list below reflects my list as of now. Up until then, I thought that "root" and my other alias were the only 2.
root /root
bin /bin
sys /dev
sync /bin
mail /var/mail
uucp /var/spool/uucp
ftp /home/ftp
There were at least 20 in there before, so they looked suspicious and I deleted a bunch. Because I spotted this a month ago, I should have reformatted back then.
Shortly after that, the trouble began.
When I installed this version of Mepis I also installed the Firewall and turned it on, so I thought that I was safe. By default my system was set up to clear the cache each time.
Dan
Last edited by techristian; 02-01-2006 at 10:06 AM.
Quote: A distro is as secure as the user who works on it... I would like a more detailed description as well, as I don't think Mepis goes around stealing people's cards.
I'm not saying that Mepis stole my card. You have to admit that it is a bit weird seeing a folder on everyone's system with the designer's name on it. I'm sure people running Windows would get up in arms if they saw a folder on their system that said "Bill Gates" or "Bill Gates" listed as a user.
Let's for a moment just pretend that the author COULD get into any computer running Mepis with a single password or sequence of steps. Wouldn't that be the ultimate password for the hacker to get his/her hands on? What damage could they do with that?
Dan
Last edited by techristian; 02-01-2006 at 10:03 AM.
Well, these user accounts you mention are valid (if sometimes obsolete) system accounts. The same might be true for an account called "mepis".
I say might because I don't know Mepis, haven't used it at all, but from the little I googled it looks quite popular. So if it did have a backdoor it would be found out by peer review and paranoid bastards like me who watch all packets going in and out of our network.
I understand you're pissed off and paranoid but can you remember what you did? Did you use your credit card in a web browser on that machine? Which site?
As a fellow noob my approach to Linux experimentation has been to assume that the distro is pwned before I even install it. Meaning that the disk has been securely wiped and from the moment I start the install I never enter any valuable information on the test box. That, for starters, is my recommendation for Linux noobs and given how many hack attempts I have seen on my Apache server on my test box I think it is sound advice.
I think the second part of this is how does a person go from ultra paranoid, enter no data, to "OK I feel pretty good about security" and I don't yet have an answer to that. In the Windows world there is a fairly well-accepted plan that works pretty well. You connect to the internet behind a NAT router, install XP, do Windows Update immediately, then software firewall (zonealarm works and is free) and then AV/spy software (I pay for McAfee and MS Antispyware is free). Not complicated and at the end you're pretty well protected if you practice reasonably safe computing.
Is there such a fairly simple path for a Linux user who wants to get up and running on a system that they can enter sensitive data on (use as their main production rig for non-server use)?
Quote: that is why I just want to re-format and re-install another distro
Without trying to assess what went wrong you won't learn anything, ergo are prone to making the same mistakes again.
Quote: About 1 month ago I went into kuser user manager there were way more users with directories than you see here. I think one was called "man" and there were a bunch of others. (..) There were at least 20 in there before, so they looked suspicious and I deleted a bunch.
Like Acidzebra said, those probably are system users. You could easily check them by issuing "getent passwd name", where name is one of those accounts. Most system users have a UID (3rd field) between 1 and $UID_MIN (/etc/login.defs, usually 500 on regular boxen), a shell set to something inert like nologin or false (with the exception of accounts like sync, halt, shutdown, news) and their password disabled.
Quote: Because I spotted this a month ago, I should have reformatted back then.
If there was malicious activity going on, then deleting the cracker's data is the best way to shoot yourself in the foot. Doing so makes investigation nearly impossible, ergo leaving you with nothing to learn from to help you defend yourself.
Quote: Shortly after that, the trouble began.
What trouble?
Quote: When I installed this version of Mepis I also installed the Firewall and turned it on, so I thought that I was safe. By default my system was set up to clear the cache each time.
Unfortunately that is usually not enough to make a Linux system less unsafe to work with. If Mepis doesn't have any docs about security you can find some here at LQ.
Quote: BTW: I'm not saying that Mepis stole my card.
Then please do not spread FUD making unfounded accusations.
My advice would be to have your thread title changed to "My credit card stolen" until you can *prove* it was Mepis.
@Mikeurl: "Is there such a fairly simple path for a Linux user who wants to get up and running on a system that they can enter sensitive data on (use as their main production rig for non-server use)?"
While your question is somewhat related I suggest starting your own thread so this thread can focus on the OP's probs.
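The account checks suggested in the reply above (UID below UID_MIN, an inert shell, a locked password) can be run over the whole list at once instead of one "getent passwd name" at a time. The script below is an added example written for this thread, not code from LinuxQuestions.org, from the poster, or from the Mepis project. The account list it runs on is a constructed sample in getent format: the "toor" and "svc" entries are invented and planted to trip the checks, the rest mirror ordinary Debian-era system accounts. UID_MIN defaults to 500 as the reply assumes; on a live box the script reads it from /etc/login.defs instead.

```bash
#!/usr/bin/env bash
# Added example for this thread (not from LQ or Mepis): apply the three
# checks from the reply (UID < UID_MIN, inert shell, locked password) to a
# whole account list before deciding which "extra" users are suspicious.
set -u

# Constructed getent-style sample, not a real system. "toor" and "svc" are
# invented entries planted to trip the checks; the others are stock accounts.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
ftp:x:108:65534:ftp:/home/ftp:/bin/false
dan:x:1000:1000:Dan:/home/dan:/bin/bash
toor:x:0:0::/root:/bin/bash
svc:x:300:300::/var/lib/svc:/bin/bash'

SAMPLE_SHADOW='root:$1$aaaa$bbbbbbbbbbbbbbbbbbbbbb:13000:0:99999:7:::
bin:*:13000:0:99999:7:::
sys:*:13000:0:99999:7:::
sync:*:13000:0:99999:7:::
mail:*:13000:0:99999:7:::
uucp:*:13000:0:99999:7:::
ftp:*:13000:0:99999:7:::
dan:$1$cccc$dddddddddddddddddddddd:13000:0:99999:7:::
toor:$1$eeee$ffffffffffffffffffffff:13000:0:99999:7:::
svc::13000:0:99999:7:::'

# audit_accounts PASSWD SHADOW [UID_MIN]
#   PASSWD and SHADOW are the text of "getent passwd" / "getent shadow"
#   (shadow needs root). UID_MIN defaults to /etc/login.defs, or 500 as the
#   reply assumes when that file is unreadable.
# Prints one "name:finding" line per issue, sorted, for a human to review.
audit_accounts() {
    local passwd=$1 shadow=$2
    local uid_min=${3:-$(awk '$1 == "UID_MIN" { print $2 }' /etc/login.defs 2>/dev/null)}
    uid_min=${uid_min:-500}
    {
        printf '%s\n' "$shadow" | sed 's/^/S:/'
        printf '%s\n' "$passwd" | sed 's/^/P:/'
    } | awk -F: -v uid_min="$uid_min" '
        # Shadow line: S:name:hash:...  A hash starting with "*" or "!" is
        # locked. Anything else, including an EMPTY field, can log in.
        $1 == "S" { if ($3 !~ /^[*!]/) usable[$2] = 1; next }
        # Passwd line: P:name:x:uid:gid:gecos:home:shell
        $1 == "P" {
            name = $2; uid = $4 + 0; shell = $8
            inert = (shell == "" || shell ~ "/(nologin|false|sync|halt|shutdown)$")
            if (name == "root") next      # root is expected to be uid 0 with a shell
            if (uid == 0)
                print name ":uid0-alias"  # a second uid 0 account is never a stock user
            else if (uid < uid_min && !inert)
                print name ":system-uid-with-login-shell"
            if (uid < uid_min && (name in usable))
                print name ":system-uid-with-usable-password"
            if (uid >= uid_min && !inert)
                print name ":regular-login-confirm"  # a real person should recognise these
        }' | LC_ALL=C sort
}

# Demo on the constructed sample. On the live box, run instead:
#   audit_accounts "$(getent passwd)" "$(sudo getent shadow)"
audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" 500
```

On the sample this flags "bin" for its /bin/sh shell but not for its password (locked with "*"), which is the normal state of many stock accounts and shows why the shell test alone is noisy. What stands out are "toor" (a second uid 0 login with a live hash) and "svc" (a low-UID account with a login shell and an empty password field, i.e. no password at all). Save this output to removable media before changing anything, since deleting the accounts destroys exactly the evidence the reply says you need.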
@Mikeurl: "You connect to the internet behind a NAT router, install XP, do Windows Update immediately, then software firewall (zonealarm works and is free) and then AV/spy software (I pay for McAfee and MS Antispyware is free)."
...and then remember to run this software on a regular basis, clean out old histories and caches, update the software...
you're right, that doesn't sound complicated at all :P
Quote: There were at least 20 in there before, so they looked suspicious and I deleted a bunch. Because I spotted this a month ago, I should have reformatted back then.
Unfortunately, I don't think that you can pin the start of your problems solely on the default accounts on your system. Are you sure that the leakage of your CC number was directly from your system and not some other vector (i.e. somewhere else that you entered your CC number)? While a reformat and re-install might make you feel better, you could be setting yourself up for another problem if you use the same configuration on another distro. If the leakage was from your Mepis installation, it could have been due to a vulnerability in an app that you installed or misconfigured.
There are a million and 1 ways that your card info could have been stolen.
1) the most common: an employee can clone your card when you buy something in a store or restaurant.
2) you fell for a phishing email and gave a spoofed web-site your CC number.
....
....
1,000,001) someone hacked your computer and installed a key-logger.
The best thing to do would be to disconnect your machine from the internet and examine it with freely available forensic tools.
Maybe your computer is absolutely fine, in which case that waiter who's always so nice to you at your fave restaurant got away with $1000.