LinuxQuestions.org
Old 07-31-2003, 12:19 AM   #1
smallfish
Member
 
Registered: Feb 2003
Location: Hong Kong, China
Distribution: redhat 8
Posts: 36

Rep: Reputation: 15
being hacked?


Hi, everyone,

I am quite new to linux and I have to ask for some help here.

Recently, I browsed into my home directory and noticed there were some
suspicious hidden files there. One such file is .user60.db. I think I might
have been hacked by an intruder.

I have since removed the said file with the bash command rm .user60.db.

Would like to receive some comments and perhaps some good news!

Thank you very much.

smallfish
linux fans
 
Old 07-31-2003, 12:26 AM   #2
DrOzz
Senior Member
 
Registered: May 2003
Location: Sydney, Nova Scotia, Canada
Distribution: slackware
Posts: 4,185

Rep: Reputation: 59
Looks like a database file that is used by some program or whatever it may be on your machine.
I don't think you have been hacked, that's for sure.
 
Old 07-31-2003, 01:12 AM   #3
ksgill
Senior Member
 
Registered: Apr 2003
Location: Toronto, Canada
Distribution: Ubuntu Jaunty (9.04)
Posts: 1,044

Rep: Reputation: 45
Just for security, check your ports. Download Nmap http://www.insecure.org/nmap/ (if you don't already have it). It's an excellent tool. Check your ports like this:
nmap localhost
It will give you a list of open ports. Close unnecessary ports.
 
Old 07-31-2003, 01:25 AM   #4
Azmeen
Senior Member
 
Registered: May 2003
Location: Malaysia
Distribution: Slackware, LFS, CentOS
Posts: 1,307

Rep: Reputation: 46
A simple way to find out is to see the contents of your /etc/passwd. See if there are any strange users there, especially with a UID of 0 (root UID).

Another way is to examine your logs to see if there are any signs of intrusion (if you had set up iptables to log connections).
 
Old 08-01-2003, 10:19 PM   #5
smallfish
Member
 
Registered: Feb 2003
Location: Hong Kong, China
Distribution: redhat 8
Posts: 36

Original Poster
Rep: Reputation: 15
Being hacked?

DrOzz,
Thank you for the GOOD NEWS and perhaps the bad news - because I have
already removed the file .user60.db from my home directory due to security
concerns.

I did have an HTML editor, BLUE FISH, installed in my system. And this .user60.db file also shows up in the home directories of the user accounts.

Thanks again.

smallfish
linux fans
p.s. sorry for the late response due to difficulty in making the post reply page
to work because I didn't set up cookies correctly.
 
Old 08-02-2003, 11:59 PM   #6
smallfish
Member
 
Registered: Feb 2003
Location: Hong Kong, China
Distribution: redhat 8
Posts: 36

Original Poster
Rep: Reputation: 15
I used the command cat /etc/passwd to view the passwd file and this is what comes up, plus other non-suspicious login and nologin entries.

root : x : 0 : 0 : root : /root : /bin/bash

I don't really have an exact idea what it is telling me about system security
issues.

Would appreciate further comments.

Thank you very much.

smallfish
linux fans
 
Old 08-03-2003, 12:15 AM   #7
smallfish
Member
 
Registered: Feb 2003
Location: Hong Kong, China
Distribution: redhat 8
Posts: 36

Original Poster
Rep: Reputation: 15
After downloading nmap, I used the command nmap localhost and it shows
the opened ports are all tcp services, including ssh, x11, smtp, etc.

What commands can I use to close the open ports?

Thank you very much.

smallfish
linux fans
 
Old 08-03-2003, 12:20 AM   #8
DrOzz
Senior Member
 
Registered: May 2003
Location: Sydney, Nova Scotia, Canada
Distribution: slackware
Posts: 4,185

Rep: Reputation: 59
I don't quite understand what you're getting at?
Let's just put it this way:
So, by convention, UIDs of 499 (depending on distro it may be 500) or less are special system UIDs, and root's UID is 0. Regular users get UIDs starting at 500 (again, depending on distro it may start at 501).
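
Added example (not part of the original thread, and not any poster's code): the /etc/passwd checks described in posts #4 and #8, written as a script. It flags non-root accounts with UID 0, empty password fields, and system accounts below the regular-user UID that have a login shell; the function names, the UID_MIN variable and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads passwd-format lines
# (name:passwd:UID:GID:gecos:home:shell) from files or stdin.

# UID_MIN: first regular-user UID. 500 is the convention quoted in the
# thread; it is an assumption here, adjust it to your distribution.
audit_passwd() {
    awk -F: -v min="${UID_MIN:-500}" '
        /^[ \t]*(#|$)/ { next }                       # comments, blank lines
        NF != 7 || $3 !~ /^[0-9]+$/ {
            print "MALFORMED line " NR; next
        }
        # Any UID 0 account is root in all but name.
        $3 + 0 == 0 && $1 != "root" { print "UID0 " $1 " has UID 0" }
        # Empty second field: the account logs in without a password.
        $2 == "" { print "NOPASS " $1 " has an empty password field" }
        # System account with an interactive shell (heuristic: ends in "sh").
        $3 + 0 > 0 && $3 + 0 < min + 0 && $7 ~ /sh$/ {
            print "SYSSHELL " $1 " uid=" $3 " shell=" $7
        }
    ' "$@"
}

# Constructed sample data, not taken from any real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
toor:x:0:0::/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/sh
alice:x:500:500::/home/alice:/bin/bash
guest::501:501::/home/guest:/bin/bash
EOF
}

sample_passwd | audit_passwd
# On a live system: audit_passwd /etc/passwd
```

A single root line with UID 0, like the one quoted in post #6, produces no finding; only additional UID 0 entries are reported.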
 
Old 08-03-2003, 12:20 AM   #9
DrOzz
Senior Member
 
Registered: May 2003
Location: Sydney, Nova Scotia, Canada
Distribution: slackware
Posts: 4,185

Rep: Reputation: 59
Weird, it double posted for some reason.
 
Old 08-03-2003, 12:23 AM   #10
DrOzz
Senior Member
 
Registered: May 2003
Location: Sydney, Nova Scotia, Canada
Distribution: slackware
Posts: 4,185

Rep: Reputation: 59
http://www.linuxquestions.org/questi...?threadid=1515
http://www.linuxquestions.org/questi...threadid=10221
 
Old 08-14-2003, 03:54 AM   #11
joseph
Member
 
Registered: Jul 2003
Location: Batam
Distribution: Ubuntu 10 And Linux Mint
Posts: 414

Rep: Reputation: 30
How about if you give all the services opened in your server?
 
Old 08-14-2003, 04:04 AM   #12
MasterC
LQ Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Rep: Reputation: 68
Not sure I follow your question/reply joseph? You want to know if it's ok to open all your ports on a server? Not the greatest idea really... Can you clarify what you mean?

And DrOzz, nice use of 'colors' in your sig

Cool
 
Old 08-14-2003, 04:17 AM   #13
MasterC
LQ Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Rep: Reputation: 68
Re: being hacked?

Quote:
Originally posted by smallfish
Hi, everyone,

I am quite new to linux and I have to ask for some help here.

Recently, I browsed into my home directory and noticed there were some
suspicious hidden files there. One such file is .user60.db. I think I might
have been hacked by an intruder.

I have since removed the said file with the bash command rm .user60.db.

Would like to receive some comments and perhaps some good news!

Thank you very much.

smallfish
linux fans
If ever you are in doubt of whether you are being hacked or not, take the machine offline immediately. That's the first thing to do, after that it's all details, but that's the single most important thing to do, cut the cord.

After that, follow unSpawn's many threads on this, just do a search for "being hacked" or check out the main sticky thread in the Security section.

Cool
 
Old 08-14-2003, 04:33 AM   #14
joseph
Member
 
Registered: Jul 2003
Location: Batam
Distribution: Ubuntu 10 And Linux Mint
Posts: 414

Rep: Reputation: 30
I mean, I just wanna know what services are opened, I do not have any other meaning; maybe I can give him which ports need to be opened and which services need more attention.

sorry for last reply.
 
Old 08-14-2003, 04:42 AM   #15
MasterC
LQ Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Rep: Reputation: 68
Oh, I see! So he could post up something like:
ps aux
And give us a bit of info about what he's wanting to run/running so we can guide him on what to close up...



Sounds good

Cool
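
Added example (not part of the original thread): one way to tie the open ports from post #7 to the running processes that post #15 asks about. It goes beyond the thread's `nmap localhost` and `ps aux` by assuming the `ss` tool, which the posters do not mention, and it separates listeners bound only to loopback (which `nmap localhost` also reports) from those reachable from the network; function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies TCP listeners from
# `ss -H -ltnp` output (run as root so the process column is filled in).

classify_listeners() {
    awk '
        $1 != "LISTEN" { next }                 # skips a header line, if any
        {
            port = $4; sub(/^.*:/, "", port)    # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host) # text before the last colon
            # 127.0.0.0/8 and ::1 are reachable only from the machine itself.
            scope = (host ~ /^127\./ || host == "[::1]") ? "loopback" : "exposed"
            proc = "unknown"                    # no process column available
            if (match($0, /\(\("[^"]+"/))
                proc = substr($0, RSTART + 3, RLENGTH - 4)
            print scope, port "/tcp", proc
        }
    ' "$@"
}

# Constructed sample in the layout printed by `ss -H -ltnp`.
sample_ss() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 10 127.0.0.1:25 0.0.0.0:* users:(("sendmail",pid=1033,fd=4))
LISTEN 0 128 0.0.0.0:6000 0.0.0.0:* users:(("X",pid=1290,fd=1))
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=944,fd=6))
EOF
}

sample_ss | classify_listeners
# On a live system (as root): ss -H -ltnp | classify_listeners
```

Lines marked exposed are the ones to review first: each names the process to stop or reconfigure if the service is not needed.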
 
  

