Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Today when I came home to my Linux box and booted, the syslog came up as failed on startup. When I try to run top it gives me an error about a missing file. My Linux box had been running default Red Hat 7.1 ftp, telnet, ssh and http servers with no firewall protection. Also, when I try to start KDE the task bar doesn't load. The last message in /var/log/messages is of an anonymous ftp login using a very fake sounding email.
So did someone get on my Linux box or am I just overreacting? Thanks in advance.
I put my router firewall up again and disabled anonymous ftp access in the ftp users file. Anyone know how I can fix top, KDE, and get logging going again? I'm going to take security much more seriously now.
Whilst missing panel bits and startup problems are not a new concept, particularly when you accidentally pull the power lead when you get up from your chair (!), the anonymous ftp screams hack. Get the box offline if you can, and run chkrootkit. Also, what commands do you see if you use the cursor up keys in root/user accounts? You'll probably have to reinstall. A firewall would be a very good idea.
Jim
It's possible you could re-install the relevant bits and be OK, but you should be afraid. A reinstall is safest. Have you got any critical data on the system? Did you install tripwire? I did, and always wondered why; it sends me mail whenever I redo the kernel, which is very irritating, but when I'm worried I've been hacked it doesn't, therefore I've "probably" not been.
Jim
- remove the anonftp package if installed,
- remove /etc/{passwd,group,shadow,ftpusers} entries for user FTP, associated with anonymous ftp account
- find out what the base address is the ftpd chroots to, to allow anon ftp access, and remove all authentication files, binaries, devices and libraries from where the ftp account is
- review your configs and access lists in /etc(/ftpd) so user FTP isn't listed, and anything referring to class anonymous is deleted.
- restart ftpd and check logging in, check ftpd log and syslog for errors.
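
A read-only check that the checklist in the post above was fully applied, added here as an example and not part of the thread. The `/etc/ftp*` config glob, the `bin etc lib dev` chroot layout, the function names and the sample tree are assumptions; pass a root such as a mounted copy of the disk as the first argument.

```shell
#!/bin/sh
# Print one "LEFTOVER: ..." line per remnant of anonymous FTP found under ROOT.
# Usage: list_anon_ftp_leftovers ROOT [ACCOUNT] [CHROOT_DIR]
list_anon_ftp_leftovers() {
    root="${1%/}"; acct="${2:-ftp}"; home="${3:-}"
    # Account entries in the files the checklist names (passwd-style or bare-name lines).
    # An unreadable file (e.g. shadow when not root) is skipped, not reported clean.
    for f in passwd group shadow ftpusers; do
        [ -r "$root/etc/$f" ] || continue
        grep -Eq "^${acct}(:|[[:space:]]*\$)" "$root/etc/$f" &&
            echo "LEFTOVER: account '$acct' listed in /etc/$f"
    done
    # Chroot area: home directory from passwd, unless given as the third argument.
    if [ -z "$home" ] && [ -r "$root/etc/passwd" ]; then
        home=$(awk -F: -v u="$acct" '$1 == u { print $6 }' "$root/etc/passwd")
    fi
    if [ -n "$home" ]; then
        # Assumed layout: binaries, auth files, libraries, devices.
        for d in bin etc lib dev; do
            [ -e "$root$home/$d" ] && echo "LEFTOVER: $home/$d still present in chroot area"
        done
    fi
    # Active (non-comment) config lines that still refer to anonymous access.
    for cfg in "$root"/etc/ftp* "$root"/etc/ftpd/*; do
        [ -f "$cfg" ] || continue
        case "$cfg" in */ftpusers) continue ;; esac
        grep -iv '^[[:space:]]*#' "$cfg" | grep -iq 'anonymous' &&
            echo "LEFTOVER: ${cfg#"$root"} refers to anonymous access"
    done
    return 0
}

# Constructed sample tree (not data from the thread) for trying the audit offline.
make_demo_root() {
    demo=$(mktemp -d)
    mkdir -p "$demo/etc" "$demo/var/ftp/bin" "$demo/var/ftp/etc"
    printf 'root:x:0:0:root:/root:/bin/bash\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\n' \
        > "$demo/etc/passwd"
    printf 'root:x:0:\nftp:x:50:\n' > "$demo/etc/group"
    # Assumed wu-ftpd-style access file; the first line is a comment and must be ignored.
    printf '# anonymous was enabled here\nclass all real,guest,anonymous *\n' \
        > "$demo/etc/ftpaccess"
    echo "$demo"
}
```

Run it before and after the cleanup; an empty result means none of the checked remnants are left, not that the box is clean.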