user reappears even if operating system is reinstalled and 3x formatted
Hallo noway2,
I already know that this IP is Google !! That was the first thing I figured out !
And I agree that I don't believe that google forces for any reason access to my computers !
But we should stop believing and start knowing.
And I know that hackers compromising other networks for sure do not use their own IP and MAC address !
beep, bad answer !
Fact is that a computer with this IP is able to go through my netgear router, actually configured to REJECT all incoming connections !
Evidence of firewall accepted ?
Or does my firewall react paranoid, just while somebody tries to connect in STEALTH mode at port 80 even though there is no webserver at this computer ?
Fact is that I am asking more experienced people, actually Linuxquestions.org, if they can tell me why sometimes a username appears at login that actually has to be empty ?
Fact is as well that I had bluetooth processes with high priority that couldn't get killed even though I do not have a bluetooth device !
I will not repeat the other facts described before.
Fact is as well, that you don't have any idea what causes those issues.
If you don't trust me or do not understand what's going on, why do you contribute such totally useless attempts of help ?
I want facts and solutions from professionals, sorry but your contribution was NO help at all .
The only helpful ideas came from unSpawn.
thanks, a little bit disappointed
robeich
Dear linuxquestions,
I really get rid of totally unqualified answers to the incidents described earlier in this thread.
If I have a look at some answers, it seems that people should keep staying with facebook and
not pretend technical qualifications they obviously do NOT have.
There are definitely some people answering my questions overestimating their own qualifications !
And to cover up their lack of understanding of very simple to understand very serious security
issues like attacks over port 80 going through at least one firewall will be commented with sentences like this
"Given the level of paranoia you are expressing on a public forum, I can only guess how you come across in person. It would not surprise me in the least to learn that someone is deliberately "yanking your chain" for lulz."
The only person who, from my point of view, knows what he is doing is unSpawn !
I started this thread so I am the person to close this thread !
This thread is hereby closed.
One last thing I have to say, after getting more information from very qualified persons.
I doubt that after changes done in Kernel 2.6, udev replacing fstab and .. it will be possible to keep a system really secure.
I want facts and solutions from professionals, sorry but your contribution was NO help at all .
LQ is a community of volunteers that try to help other people. While there are professionals here, not all of us are, but most people here are knowledgeable at least in a few parts of the Linux system. We give away our free time to help people, and do our best with it.
If that is not good enough for you, you should buy professional support. Only then do you have the right to blame the people that are trying to help you for not getting a solution for you.
Hi Tobi,
Thanks for that hint but I already bought professional support !
But I really would recommend to some members stopping HELP like this :
"Given the level of paranoia you are expressing on a public forum, I can only guess how you come across in person. It would not surprise me in the least to learn that someone is deliberately "yanking your chain" for lulz."
As well I'm really missing one question to my firewall entries:
May 20 10:45:04 Mac-Users-MacBook Firewall[55]: Stealth Mode connection attempt to TCP 192.168.1.40:49279 from 209.85.143.99:80
May 20 10:45:12: --- last message repeated 3 times ---
An experienced person had asked something like this :
Please show me the entries before that entry, did you google earlier this day ?
No I did not !
regards
robeich
I really would recommend to some members stopping HELP
There is a small group of Incident Response handlers that patrol the Linuxquestions.org Security forum. They are dedicated, knowledgeable and from my experience completely trustworthy. Noway2 is one of them and I'd say you should not misjudge him solely based on two OT sentences.
Quote:
Originally Posted by robeich
Stealth Mode connection attempt to TCP 192.168.1.40:49279 from 209.85.143.99:80
Break that apart and you get:
Code:
TCP # protocol used for data transfer between end points
connection attempt # the SYN bit was set
Stealth Mode # ...but no transmission control block was (yet) allotted (also see RFC 2140) by the kernel
from 209.85.143.99:80 # unless spoofed port TCP/80 indicates a web server
to 192.168.1.40:49279 # local LAN address has ephemeral port number and seems consistent with HTTP return traffic
Given the server's address (AS15169 belongs to a popular search engine company) this could be due to network issues rather than malicious activity. You should not see ipfw log this often.
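As an added illustration of the breakdown above (example code, not from the thread or from unSpawn): a small Python parser for these Apple Firewall "Stealth Mode" lines that folds the syslog "last message repeated N times" lines into the preceding entry and tags each entry by the same reasoning, a source port of 80/443 reaching a local ephemeral port being consistent with late HTTP return traffic, a packet aimed at a local well-known port being unsolicited. The sample lines are constructed; 198.51.100.7 is a documentation address and does not appear in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the entries quoted in the thread (not a real capture).
SAMPLE_LOG = """\
May 20 10:45:04 Mac-Users-MacBook Firewall[55]: Stealth Mode connection attempt to TCP 192.168.1.40:49279 from 209.85.143.99:80
May 20 10:45:12: --- last message repeated 3 times ---
May 20 10:46:30 Mac-Users-MacBook Firewall[55]: Stealth Mode connection attempt to TCP 192.168.1.40:22 from 198.51.100.7:51234
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ Firewall\[\d+\]: Stealth Mode connection attempt "
    r"to (?P<proto>TCP|UDP) (?P<lhost>[\d.]+):(?P<lport>\d+) from (?P<rhost>[\d.]+):(?P<rport>\d+)$"
)
REPEAT_RE = re.compile(r"^\w{3} +\d+ [\d:]+: --- last message repeated (?P<n>\d+) times ---$")

EPHEMERAL_MIN = 49152  # start of the dynamic port range clients use for outbound connections


@dataclass
class Attempt:
    ts: str
    proto: str
    local_port: int
    remote_host: str
    remote_port: int
    count: int = 1  # one log line, plus any "repeated N times" folded into it

    def classify(self) -> str:
        # Source port 80/443 hitting a local ephemeral port matches a web reply arriving
        # after the kernel no longer holds connection state for it (unSpawn's reading).
        if self.remote_port in (80, 443) and self.local_port >= EPHEMERAL_MIN:
            return "likely-return-traffic"
        # A packet aimed at a well-known local service port is genuinely unsolicited.
        if self.local_port < 1024:
            return "unsolicited-inbound"
        return "unclassified"


def parse_firewall_log(text: str) -> list[Attempt]:
    attempts: list[Attempt] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            attempts.append(Attempt(m["ts"], m["proto"], int(m["lport"]),
                                    m["rhost"], int(m["rport"])))
        elif (r := REPEAT_RE.match(line)) and attempts:
            attempts[-1].count += int(r["n"])  # syslog suppressed duplicates of the last entry
    return attempts
```

Run `parse_firewall_log(SAMPLE_LOG)` and call `classify()` on each result; a burst of "likely-return-traffic" entries from one web server right after a browsing session is the benign pattern, while repeated "unsolicited-inbound" hits on a service port are worth correlating with the router log.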
@robeich, please accept my apologies on my ill chosen words. I honestly meant no offense. I was responding to the multiple statements and your question in your post as to whether or not you were appearing overly concerned about these events. I once had a machine that had a mysterious user name appear on the login screen. It turned out that it was a co-worker attempting to login with his name and this reminded me of your situation. My concern was that if you mentioned these events to someone with physical access to the machine that they may be behind this and they may find it fun, especially if they knew you were concerned about it.
It is also apparent that you are studious about examining your log files. This is a good thing and is one of the most effective things you can do to keep your system safe. In my opinion, this puts you ahead of many users when it comes to maintaining the security of your systems. You have identified some pieces of traffic that appeared out of the ordinary. These entries can be caused by routine scanning traffic (think of it being like air traffic control radar) and malfunctions in the networks, as unSpawn pointed out.