LinuxQuestions.org
Old 06-13-2004, 02:02 PM   #1
TBomb
Member
 
Registered: May 2004
Location: Great Britain
Distribution: Slackware
Posts: 91

Rep: Reputation: 15
Have I been hacked?


I just installed Samba today, and it all seems to be working correctly: I can access my Linux home directory from my Windows PCs, and I can access my Windows computers from my Linux computer.

However, I was browsing my Windows share via Linux, and noticed the following text file:


Code:
Be VERY careful sharing files out on your PC.
I can see your entire drive over the internet and was able to create this file.
I could have deleted anything I wanted or accessed your personal data.
Unshare your drive or other more devious people will do the above!

Have a nice day.

emailmeherenow@email.com 

for more info.

Is this a genuine break-in, or is this file created when I used Samba?
 
Old 06-13-2004, 02:14 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,983
Blog Entries: 11

Rep: Reputation: 879
I wouldn't call this a hack :}

You just appear to be wide open to anyone ;)



Cheers,
Tink
 
Old 06-13-2004, 02:22 PM   #3
fluppi
Member
 
Registered: Oct 2003
Location: Switzerland (Europe)
Distribution: OpenSuSE, RedHat, Knoppix, IRIX + MacOSX
Posts: 198

Rep: Reputation: 30
I have used Samba for years and never found anything similar!
First, don't panic! Shut Samba down, and get offline. Now think about it:
- Could this be a joke by your friends?
- What permissions are set (open to the whole world?)
- Is there a firewall not working?
- Check if there are other new files or changed files!

And then run an antivirus tool from CD, not from the hard disk. Don't forget to check ALL files, even those on the Linux boxes (a virus can't harm Linux, but the Windows PCs can get it again).

Finally, close the hole in your security and go online.

I hope it was a dumb joke!
 
Old 06-13-2004, 02:32 PM   #4
TBomb
Member
 
Registered: May 2004
Location: Great Britain
Distribution: Slackware
Posts: 91

Original Poster
Rep: Reputation: 15
Okay. I was hoping it was a system generated message...

If it is a genuine break-in, it's one quick hacker. The file wasn't there earlier, I only activated sharing on my Windows box 35 mins ago, and installed Samba about 15 mins ago.

I'm behind two routers w/ firewalls. The only WAN connections I allow in are on ports 21, 80, and 8080, for my FTP and Web servers. Like I said, they've got in within the 35 mins I've enabled sharing.

Couldn't it be a system generated message generated by Windows when I activated sharing? Also, I specified a password that needs to be entered before access to the C: drive is permitted.


I've asked a friend about this and he hasn't ever heard of this happening, either.
 
Old 06-13-2004, 02:50 PM   #5
TBomb
Member
 
Registered: May 2004
Location: Great Britain
Distribution: Slackware
Posts: 91

Original Poster
Rep: Reputation: 15
So is it definitely a break-in? Not a system generated message?
 
Old 06-13-2004, 02:52 PM   #6
rkef
Member
 
Registered: Mar 2004
Location: bursa
Posts: 110

Rep: Reputation: 15
Google turns up zero matches for any phrase in the text of that file. It's not unlikely that someone could notice your wide-open server within minutes. They were likely just bored and scanning your neighbourhood of IP addresses.

It is likely a good samaritan, running an automated script which leaves the notice, if it can gain the perms.

Last edited by rkef; 06-13-2004 at 02:54 PM.
 
Old 06-13-2004, 02:53 PM   #7
Newb001
LQ Newbie
 
Registered: Jun 2004
Distribution: Phlak
Posts: 20

Rep: Reputation: 0
It's obviously a hack. To say it's a joke makes no sense. It's simply a heads up. Secure your system before someone takes advantage, like the message says.

An interesting statistic: the average system is attacked within the first ten minutes of being online.
 
Old 06-13-2004, 02:57 PM   #8
fluppi
Member
 
Registered: Oct 2003
Location: Switzerland (Europe)
Distribution: OpenSuSE, RedHat, Knoppix, IRIX + MacOSX
Posts: 198

Rep: Reputation: 30
A system generated message would be marked as one and it's a strange email address.
What's the name of the file?
 
Old 06-13-2004, 03:00 PM   #9
TBomb
Member
 
Registered: May 2004
Location: Great Britain
Distribution: Slackware
Posts: 91

Original Poster
Rep: Reputation: 15
Okay, so it is a break-in. Secure my system? How, when I am unsure how they managed to gain access in the first place...

A password is required to access the share, plus I'm behind two firewalls.... I know it's not impossible, but it seems unlikely that I would be hacked this quickly, with the firewalls and passwords and all...

How should I start to go about securing my system? (BTW, the 'intrusion' is on a Windows XP Home laptop)
 
Old 06-13-2004, 03:02 PM   #10
Newb001
LQ Newbie
 
Registered: Jun 2004
Distribution: Phlak
Posts: 20

Rep: Reputation: 0
Quote:
Originally posted by TBomb
Okay, so it is a break-in. Secure my system? How, when I am unsure how they managed to gain access in the first place...
1 - Try emailing the guy for details on how he did it.
2 - Check vuln sites like securityfocus.com and the like for vulnerabilities in the software you're using (samba, your firewall, etc.).
3 - Make sure your software is up to date.
 
Old 06-13-2004, 03:07 PM   #11
wrongman
Member
 
Registered: May 2004
Location: Italy
Distribution: Debian Unstable 64bit
Posts: 99

Rep: Reputation: 15
The email is the one you wrote or you just obscured it? It's a strange mail but ... tried to send a mail to it? It says mail me for more info... and you need more info.
 
Old 06-13-2004, 03:22 PM   #12
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,128

Rep: Reputation: 319
Also, do a very thorough check for other strange looking files on the share. Just because somebody left a nice note claiming to be a good samaritan doesn't mean they didn't leave something less friendly behind too.

As for fixing this -- is it possible that someone else on your LAN did this as a prank (or is a cracker running some sort of auto-scanner)? If not, double check your firewalls to see if they leak NetBIOS info. Are you using publicly routable IP addresses on your internal network? If not, this becomes somewhat more troubling. Also, you need to make sure that no one got in through any of the ports you do have open. In short, you'll need to do some detective work. Until that's done, it's probably wise to shut down Samba.
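
The check suggested in posts #3 and #12 (look for other new or changed files on the share), as an added example that is not part of any post in this thread. It assumes the Windows share is mounted on the Linux box at a path you pass in; the mount point and the list of file extensions to flag are assumptions, not values from the thread.

```python
import os
import sys
import time

# Assumption: Windows file types worth a closer look (not from the thread).
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".vbs", ".js", ".dll"}


def changed_since(root, since_epoch):
    """Return [(mtime, path, is_executable_type)] for files modified at or
    after since_epoch, oldest first. Unreadable entries are skipped."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or permission denied
            if st.st_mtime >= since_epoch:
                ext = os.path.splitext(name)[1].lower()
                hits.append((st.st_mtime, path, ext in EXECUTABLE_EXTS))
    hits.sort()
    return hits


def report(root, minutes):
    """Format the files changed in the last `minutes` minutes as text lines."""
    since = time.time() - minutes * 60
    lines = []
    for mtime, path, flagged in changed_since(root, since):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
        lines.append("%s %s %s" % (stamp, "EXEC" if flagged else "    ", path))
    return lines


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python share_triage.py /mnt/winshare 35
    # /mnt/winshare is a hypothetical mount point; 35 is the sharing window in minutes.
    for line in report(sys.argv[1], int(sys.argv[2])):
        print(line)
```

Modification times can be set by whoever writes a file, so an empty result narrows the search but does not prove nothing was added.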
 
Old 06-13-2004, 03:23 PM   #13
TBomb
Member
 
Registered: May 2004
Location: Great Britain
Distribution: Slackware
Posts: 91

Original Poster
Rep: Reputation: 15
That is the actual address..... I've tried emailing it, doesn't exist....


The firewalls are part of the routers I use.
 
Old 06-13-2004, 03:28 PM   #14
Newb001
LQ Newbie
 
Registered: Jun 2004
Distribution: Phlak
Posts: 20

Rep: Reputation: 0
Then you don't have a firewall.
You say you're behind two routers? Maybe it was someone else on your network?
 
Old 06-13-2004, 03:58 PM   #15
TBomb
Member
 
Registered: May 2004
Location: Great Britain
Distribution: Slackware
Posts: 91

Original Poster
Rep: Reputation: 15
The two routers have hardware firewalls. DEFINITELY not anyone else on the network, I trust everyone who uses it almost completely... (I'm the only one who uses it....)
 
  


All times are GMT -5.
