LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 04-04-2003, 10:32 AM   #1
mikeshn
Member
 
Registered: Feb 2002
Distribution: Fedora Core 2
Posts: 586

Rep: Reputation: 30
Trace hacker?


My server Red Hat 7.2 was hacked yesterday

It is possbile to see an IP address of a person that was login on my server. How can I see and find out who was login in the server?

Thanks
M.S
 
Old 04-04-2003, 11:46 AM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 64
"last" will show logins
"lastb" if enabled shows bad logins
"more /etc/httpd/logs/access_log" will show web connections

Do you know which protocol you were hacked with?
 
Old 04-04-2003, 11:52 AM   #3
rshaw
Senior Member
 
Registered: Apr 2001
Location: Perry, Iowa
Distribution: Mepis , Debian
Posts: 2,694

Rep: Reputation: 45
keep in mind that , unless it was a very stupid hacker, they haven't hacked you from there own address. there may be many innocent addresses between your box and the hacker.
 
Old 04-04-2003, 12:11 PM   #4
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 194Reputation: 194
Also this should prompt you to make your server more secure. Try browsing these forums with lots of good information. You might want to disconnect it for now to be safe until you know it is safe to bring back up on the net.
 
Old 04-04-2003, 12:45 PM   #5
mikeshn
Member
 
Registered: Feb 2002
Distribution: Fedora Core 2
Posts: 586

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by david_ross
"last" will show logins
"lastb" if enabled shows bad logins
"more /etc/httpd/logs/access_log" will show web connections

Do you know which protocol you were hacked with?
No Idea
 
Old 04-04-2003, 12:45 PM   #6
rshaw
Senior Member
 
Registered: Apr 2001
Location: Perry, Iowa
Distribution: Mepis , Debian
Posts: 2,694

Rep: Reputation: 45
a new version of chkrootkit is available, run that to see if they root'ed you,
 
Old 04-04-2003, 02:09 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,524
Blog Entries: 51

Rep: Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601Reputation: 2601
Next to the fact they might be using intermediate servers they might have zapped shell and login history as well. Chkrootkit can find zap AFAIK, but can't find deleted data. If you really want to know what traces they left after they shredded stuff you'll have to dd an image of the disks, partitions and run TCT.

Mind you, it ain't a trivial task so I'd only recommend it for situations where it is crucial to have the knowledge, it'll take lots of time and you have to know how to construct the timeline and interprete the pieces to build the puzzle. Also chances of reconstructing get slimmer the longer the system remains active (disk writes).

Btw, would you mind posting your general network layout (if any), what daemons you where running, if you where up2date and if you got *anything* out of *any* logfiles?
 
Old 04-17-2003, 08:53 AM   #8
mikeshn
Member
 
Registered: Feb 2002
Distribution: Fedora Core 2
Posts: 586

Original Poster
Rep: Reputation: 30
I can login to server through FTP,. So my questions is:

how can i change the password on a machine that i could ftp to


Thanks
 
Old 04-17-2003, 01:30 PM   #9
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 64
Have you only got ftp access? If so - you probably can't.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How can a hacker get in!? Impossible! AC97Conquerer Linux - Security 13 03-24-2005 06:52 PM
bots maybe a possible hacker?? nepcw Linux - Security 3 10-04-2004 05:41 AM
becoming a kernel hacker skywalker27182 Programming 4 08-02-2004 11:01 PM
help much required against hacker TagnikZur Linux - General 7 03-08-2004 05:26 AM
Hacker proof Joey.Dale Linux - General 2 08-11-2003 08:19 PM


All times are GMT -5. The time now is 08:04 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration