09-22-2002, 06:17 PM
#1
Member
Registered: Jan 2002
Location: Moorpark
Distribution: SLACK 8!
Posts: 230
Guy got root directory access from my FTP server... how can I fix this?
Some guy made a file or something called "\" in my FTP share folder. It appears to be a folder, so when I type:
root@Wolf88: cd \
I get this
root@Wolf88:
>_
I don't know what this is, but I can't foresee it being good, since it allows virtually anyone with FTP access to control and/or use my system. Also, when I connect via an FTP client and enter the "\" folder, it redirects me to my root directory. I need to know what I can do to prevent this. Is it safe to delete this from the FTP share folder? What can I do, and what can I do to prevent this from happening?
09-22-2002, 06:30 PM
#2
Member
Registered: Jan 2002
Location: Moorpark
Distribution: SLACK 8!
Posts: 230
Original Poster
Now the folder "\" is missing when I log onto the server via FTP client from Windows, but when I do an ls of the "Storage" directory on my nix box, it's still there.
09-22-2002, 07:19 PM
#3
Moderator
Registered: May 2001
Posts: 29,415
First of all, don't fuss about. The basics are:
- log details
- prevent networked access
- establish system integrity
Log:
netstat -anp >> /tmp/log
w(who|whoson) >> /tmp/log
ps au >> /tmp/log
lsof >> /tmp/log
lsmod >> /tmp/log
Now you've got the basic stuff (if unmodified binaries): connected IP addresses, who is logged on, running processes (not if hidden), running processes + open files, sockets etc., loaded modules (not if hidden). The rest you can scrape off of snort, your firewall and your FTP server's logs (if any).
Disconnect:
Now disconnect your box from the network.
Integrity:
Always state as much detail as you possibly can. Without it we can't help. Period. This means distro, version, daemon version, any config weirdness, log excerpts, etc.
Now you will have to establish the integrity of your system, this means checking configs, logs and binaries.
If you didn't install and use a system integrity checking app like Aide, Tripwire, Samhain or equivalent, then since your system doesn't provide package verification, basically you're fscked.
Another chance would be to scan with Chkrootkit(.org) for known rootkits, but this can't flag "new" stuff, nor can it verify the integrity of your binaries.
Post any errors you get or "weird" files you find.
IMO you should wait with worrying about deleting stuff till after you've made pretty damn sure your system is clean, and till then you should not connect your system to any network. Look for basic steps at Steps for Recovering from a UNIX or NT System Compromise.
Now give us some details that will help us help you add a proper solution for your problems.
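An added example, not from the thread, that scripts the captures listed in the post above into one timestamped log: it skips tools that are not installed, keeps going when a command fails (e.g. lsof run without root), and writes a SHA-256 of the log so later edits to the evidence can be detected. It assumes POSIX sh and a writable output directory of your choosing (preferably removable media rather than /tmp, which everyone on the box can write to); `ss -anp` and `ps aux` are added beside the post's `netstat -anp` and `ps au` as their modern equivalents.

```shell
#!/bin/sh
# Added example, not code from the thread: capture the volatile state listed
# in the post (connections, logged-in users, processes, open files, loaded
# modules) into one timestamped log. Assumes POSIX sh and a writable outdir.
snapshot_volatile_state() {
    outdir=$1
    log="$outdir/volatile-$(date -u +%Y%m%dT%H%M%SZ).log"
    {
        echo "=== host: $(uname -n 2>/dev/null || echo unknown)"
        echo "=== captured (UTC): $(date -u)"
    } > "$log"
    # The post's commands, plus ss and ps aux as their modern equivalents.
    for cmd in 'netstat -anp' 'ss -anp' 'w' 'who' 'ps aux' 'lsof -n' 'lsmod'; do
        tool=${cmd%% *}                      # first word, e.g. "netstat"
        echo "" >> "$log"
        if command -v "$tool" > /dev/null 2>&1; then
            echo "=== $cmd" >> "$log"
            # Keep partial output even when the tool exits non-zero (e.g. lsof without root).
            $cmd >> "$log" 2>&1 || echo "(exit status $? for: $cmd)" >> "$log"
        else
            echo "=== $cmd: tool '$tool' not installed" >> "$log"
        fi
    done
    # Hash the log; keep the hash off the suspect host so later edits to the log show up.
    if command -v sha256sum > /dev/null 2>&1; then
        sha256sum "$log" > "$log.sha256"
    fi
    printf '%s\n' "$log"
}

# Number of "=== " section headers in a snapshot: two header lines plus one per tool.
count_sections() {
    grep -c '^=== ' "$1"
}
```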
09-23-2002, 03:03 AM
#4
Member
Registered: Jan 2002
Location: Moorpark
Distribution: SLACK 8!
Posts: 230
Original Poster
I ran chkrootkit... and it turned up negative across the board. I think that they hadn't done anything... yet... but they did make it so that an anonymous user could obtain access to the root directory. I fixed this partially by double checking the proftpd.conf file and making it so that anonymous users couldn't write anything. I don't know what to do from this point on though... should I change all my passwords? Can I delete the "\" file/directory outta my FTP "Storage" folder?
09-23-2002, 03:26 AM
#5
LQ Addict
Registered: Dec 2001
Location: Brooklyn, NY
Distribution: *NIX
Posts: 3,704
You can delete the file like this:
rm -rf "\"
or, in a quirky way:
rm -rf \\
09-23-2002, 03:27 AM
#6
LQ Addict
Registered: Dec 2001
Location: Brooklyn, NY
Distribution: *NIX
Posts: 3,704
Sorry,
rm -rf '\'
or
rm -rf \\
09-23-2002, 01:08 PM
#7
LQ Addict
Registered: Dec 2001
Location: Brooklyn, NY
Distribution: *NIX
Posts: 3,704
A little update, now that my head is clear from yesterday's chaos: if you still can ignore my previous two posts, please do so; I obviously wasn't thinking when I hit the "Submit" button. Follow unSpawn's suggestions, and also look up some case studies; I found one on linuxsecurity. The steps described in the article can be used as a guide on how to proceed and recover from an attack. Don't consider a single firewall as all the means to harden your box's security. Also, I found a good article on how to set up an adaptive firewall to block persistent snoopers:
http://linuxgazette.com/issue82/veerapen.html
http://www.linuxsecurity.com/feature...sis-part1.html
http://www.linuxsecurity.com/feature...sis-part2.html
Last edited by neo77777; 09-23-2002 at 03:46 PM.
09-23-2002, 03:39 PM
#8
Member
Registered: Jan 2002
Location: Moorpark
Distribution: SLACK 8!
Posts: 230
Original Poster
When I try to remove the \ file/directory thingy... I've tried:
rm -rf '\'
rm -rf \\
even rm -rf "\"
but nothing seems to work... all it seems to do is bring this up:
>_
I hit Ctrl+C and type ls... and the stupid \ is still there. WTF?!?
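Why the `rm -rf "\"` form produces the `>` prompt: inside double quotes a backslash escapes the quote that follows it, so the shell never sees the string end and waits for more input. The following added example, not from the thread, lists every entry in a directory with its inode and its name as escaped bytes (a trailing space or control character then shows up, where plain ls hides it) and removes an entry by inode, so no quoting has to be guessed; it assumes POSIX sh, sed and awk plus a find that supports -mindepth, -maxdepth and -inum (GNU and BSD do).

```shell
#!/bin/sh
# Added example, not code from the thread: find out what the "\" entry really
# is (exact bytes, inode, symlink or not) and remove it by inode. Assumes POSIX
# sh, sed, awk and a find with -mindepth/-maxdepth/-inum.

# One line per directory entry: inode, type, and the name as sed's 'l' command
# renders it (backslash becomes \\, a trailing '$' marks the end of the name,
# so a hidden trailing space or control character becomes visible).
show_entries() {
    dir=$1
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # skip unmatched glob patterns
        name=${f##*/}
        inode=$(ls -di "$f" | awk '{print $1}')  # -d: the entry itself, not its contents
        escaped=$(printf '%s\n' "$name" | sed -n l)
        printf 'inode=%s type=%s name=%s\n' "$inode" "$(entry_type "$f")" "$escaped"
    done
}

entry_type() {
    if [ -L "$1" ]; then echo symlink            # rm on the link removes only the link
    elif [ -d "$1" ]; then echo dir
    else echo file
    fi
}

# Inode of the entry whose name is exactly $2 inside directory $1.
inode_of() {
    ls -di "$1/$2" | awk '{print $1}'
}

# Remove the direct child of $1 that has inode $2. find does not follow
# symlinks and hands rm a path without a trailing slash, so a link to another
# directory is unlinked rather than descended into. Inodes are unique per filesystem.
remove_by_inode() {
    find "$1" -mindepth 1 -maxdepth 1 -inum "$2" -exec rm -rf -- {} +
}

count_entries() {
    find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}
```

If the listing shows the entry is a symlink (which would explain an FTP client landing in the root directory), remove the link by its own path and never with a trailing slash: `rm -r` on `link/` resolves through the link and deletes the target directory's contents.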
09-23-2002, 08:52 PM
#9
Moderator
Registered: May 2001
Posts: 29,415
"When a man points at the moon, the fool looks at his finger."
09-23-2002, 09:49 PM
#10
LQ Guru
Registered: Jan 2001
Posts: 24,149
Quote:
Originally posted by unSpawn
"When a man points at the moon, the fool looks at his finger."
Amen to that quote.
09-25-2002, 03:50 PM
#11
Member
Registered: Jan 2002
Location: Moorpark
Distribution: SLACK 8!
Posts: 230
Original Poster
Ohhhh, that's real helpful, guys!
09-25-2002, 05:16 PM
#12
Moderator
Registered: May 2001
Posts: 29,415
Innit? You've shown clearly you don't have any interest in securing your box, but find that "thinking" it's safe is enough.
The 'net is for all of us, by all of us, so if you willfully allow your box to get broken into making it the weakest link, it will affect other boxen if they manage to use yours as another jump. This attitude is one that gets systems broken into.
Credit gone, game over.
But, since you don't care about that and I have to end this thread in a constructive way, try
rm -rf "\\/"
Last edited by unSpawn; 09-25-2002 at 05:19 PM.
09-25-2002, 10:05 PM
#13
Member
Registered: Jan 2002
Location: Moorpark
Distribution: SLACK 8!
Posts: 230
Original Poster
Ok... I tried as well... I can't get that stupid thing to go away. I'd really like to know. And dude... I know a lot... but compared to all that is available to know... it's a tiny portion. I started using Linux extensively like 6 months ago; you can't expect someone and/or everyone to go leet in that amount of time. I'm in it to learn... and then help others do the same.
Last edited by bripage; 09-25-2002 at 10:07 PM.
10-01-2002, 11:40 PM
#14
Member
Registered: Nov 2001
Location: Hi Hat KY USA
Distribution: RedHat, Mandrake
Posts: 63
Not trying to knock anyone. But I understand what unSpawn and trickykid are saying. I also understand what you are going through. That said, instead of freaking out and going "Oh my god, Oh my god, Oh my god":
The first thing you need to do (even if you are a newbie you can do this) is unplug the network cable. Second, if you can't follow what unSpawn said in his first post, then wipe the drive clean and start over.
This time, don't turn on FTP unless you HAVE to HAVE it. Even then, TURN OFF ANONYMOUS ACCESS. Also, you really should be using SSH if you can.
If you don't know how to turn on/off anonymous access, then post that question later.
P.S. unSpawn, those instructions really helped me out. Thanx
Last edited by dewcansam; 10-01-2002 at 11:41 PM.
10-02-2002, 12:07 AM
#15
Member
Registered: Jan 2002
Location: Moorpark
Distribution: SLACK 8!
Posts: 230
Original Poster
Uhhh, thanks... but that was the first thing I did... I'm not a moron. And yeah, I know how to turn it off... that was the second thing that I did. Any more non-helping posts?!?
Last edited by trickykid; 10-02-2002 at 10:59 AM.