LinuxQuestions.org
Old 02-26-2008, 11:14 AM   #1
Thund0r
LQ Newbie
 
Registered: Feb 2008
Distribution: Debian Etch
Posts: 2

Rep: Reputation: 0
Linux Debian machine's test account got hacked! How much damage could have been done?


Is it safe not to completely reinstall your system after a test account got hacked?

Since I installed Linux/Debian Etch on my server, I've had a lot of brute force attempts on SSH according to my logs. Stupid as I was, I had created the account test/test on my system, and didn't think of making it impossible to access it via SSH.

The reason I was looking in my logs was that my ISP mailed a letter with a warning that I've used brute force attempts against one of the ISP's machines. I started looking in the logs and I found out that my test account's password was hacked using brute force and that unknown IPs gained access to my server, which I think explains my ISP's letter. Once I found out I immediately removed the test account using Webmin and closed down SSH from the internet.

Should I completely reinstall my system due to possible infection? Can somebody in possession of a normal user account infect my system at all? What could somebody with a normal user account do to harm my system (Trojan Horses etc.)? In what logs should I look to see all the actions that he performed?

I'm asking this because it took me days to set up my system accordingly, and I don't want to do that again if it is not needed ;-)

Thanks in advance!
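The poster's last question, which logs to read, is the one a responder answers first. As an added example (my code, not anything posted in the thread), the Python script below does the triage on Debian's /var/log/auth.log: it counts failed SSH password attempts per account and source, flags a successful login from a source that had already failed against the same account, and lists su attempts made by that account afterwards. The log lines are constructed approximations of the OpenSSH and Debian su formats of that era, with addresses from documentation ranges; the account name, PIDs and times are made up.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (documentation IP ranges, not real hosts).
SAMPLE_AUTH_LOG = """\
Feb 24 03:11:02 srv sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51233 ssh2
Feb 24 03:11:05 srv sshd[4123]: Failed password for test from 203.0.113.7 port 51240 ssh2
Feb 24 03:11:08 srv sshd[4125]: Failed password for test from 203.0.113.7 port 51251 ssh2
Feb 24 03:11:11 srv sshd[4127]: Accepted password for test from 203.0.113.7 port 51260 ssh2
Feb 24 03:12:40 srv su[4190]: (pam_unix) authentication failure; logname=test uid=1001 euid=0 tty=pts/1 ruser=test rhost=  user=root
Feb 24 03:12:55 srv su[4192]: Successful su for root by test
Feb 24 03:13:02 srv sshd[4201]: Failed password for root from 198.51.100.22 port 40021 ssh2
Feb 25 09:00:15 srv sshd[5300]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
"""

# Line shapes assumed here: OpenSSH "Failed password for [invalid user] USER from IP port N",
# "Accepted METHOD for USER from IP port N", and su's pam_unix failure / "Successful su" lines.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
SU_OK_RE = re.compile(r" su\[\d+\]: Successful su for (\S+) by (\S+)")
SU_FAIL_RE = re.compile(r" su\[\d+\]: .*\bruser=(\S+).*\buser=(\S+)")


def triage_auth_log(log_text, account):
    """Summarise what the log says about one account: guessing volume, successful logins
    (and whether they followed failures from the same source), and su activity."""
    failed = Counter()      # (user, source ip) -> failed password attempts
    accepted = []           # (method, user, source ip)
    su_events = []          # (from user, target user, outcome)
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            failed[(m.group(1), m.group(2))] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted.append((m.group(1), m.group(2), m.group(3)))
        elif m := SU_OK_RE.search(line):
            su_events.append((m.group(2), m.group(1), "success"))
        elif m := SU_FAIL_RE.search(line):
            su_events.append((m.group(1), m.group(2), "failure"))
    # A success from a source that had already failed against the same user is the
    # classic brute-force signature and the first thing to escalate.
    brute_then_success = [(user, ip, failed[(user, ip)])
                          for _, user, ip in accepted if failed[(user, ip)]]
    return {
        "failed_total": sum(failed.values()),
        "failed_for_account": sum(n for (u, _), n in failed.items() if u == account),
        "accepted_for_account": [(meth, ip) for meth, u, ip in accepted if u == account],
        "brute_then_success": brute_then_success,
        "su_from_account": [e for e in su_events if e[0] == account],
    }


if __name__ == "__main__":
    # On a real box: triage_auth_log(open("/var/log/auth.log").read(), "test")
    for key, value in triage_auth_log(SAMPLE_AUTH_LOG, "test").items():
        print(f"{key}: {value}")
```

Rotated copies (auth.log.1, auth.log.2.gz) need the same treatment, since a brute-force run that started weeks ago may have scrolled out of the current file; and the absence of su lines only says the account did not authenticate as root through su, not that it did nothing.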
 
Old 02-26-2008, 11:17 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1975
Always always reinstall. You'll never quite know if things are ok or not. Could be all sorts tucked away in horrible places. You can run rkhunter or chkrootkit to look for common things but (hopefully) you'll always feel a bit dirty and invaded until you rebuild it from scratch. In future if you do need to permit ssh access of some sort, try a tool like fail2ban which should drastically reduce the chance of a brute force attack getting into your box on ssh in the first place.
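fail2ban limits how many guesses a source gets; the other half of keeping a test/test account out of reach is sshd_config itself. As an added example (my code, not from the thread or from OpenSSH), the Python audit below parses two constructed sshd_config fragments, the weak shape that lets any local account be guessed at beside a hardened one, and reports the settings that leave password guessing open. The defaults it assumes for absent keywords are stated in the code, as is the parsing rule that sshd honours the first occurrence of a keyword.

```python
import re

# Constructed sshd_config fragments (not the poster's real configuration).
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UsePAM yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
# Only named accounts may log in; a throwaway "test" user is refused before any password check.
AllowUsers alice bob
UsePAM yes
"""

# Values sshd is assumed to apply when a keyword is absent (OpenSSH of the Debian Etch era;
# PermitRootLogin's default later changed to prohibit-password in OpenSSH 7.0).
ASSUMED_DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return global settings as {keyword_lower: value}.

    sshd uses the *first* occurrence of a keyword, so a later duplicate does not
    override an earlier one; Match blocks are skipped (only globals are audited)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return human-readable findings for settings that leave password guessing open."""
    s = parse_sshd_config(text)

    def value(key):
        return s.get(key, ASSUMED_DEFAULTS.get(key, "")).lower()

    findings = []
    if value("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root can be guessed at directly; use 'no'")
    if value("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: guessing is possible; prefer keys, "
                        "and rate-limit with fail2ban if passwords must stay on")
    if value("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes: blank-password accounts are reachable")
    if int(value("maxauthtries")) > 3:
        findings.append(f"MaxAuthTries {value('maxauthtries')}: more guesses per connection than needed")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("No AllowUsers/AllowGroups: every local account (such as test/test) "
                        "may attempt an SSH login")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"[{label}]")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print("  -", finding)
```

The AllowUsers finding is the one that matters most for this thread: with an allow list in place, an account created for a quick test is refused at the SSH layer no matter how weak its password, so forgetting to delete it is no longer a remote-compromise issue.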
 
Old 02-26-2008, 01:35 PM   #3
Thund0r
LQ Newbie
 
Registered: Feb 2008
Distribution: Debian Etch
Posts: 2

Original Poster
Rep: Reputation: 0
Reply :)

Thanks for the reply^^.

I did run rkhunter and chkrootkit, but the tests came out clean. Also, I rechecked my logs and there was no sign of user test using su. Does that mean test could never have installed anything?

Although you're right about the invaded feeling :S
I'll probably go reinstall my system..

Greetings
 
Old 02-26-2008, 01:49 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1975
It's more unlikely, but never say never and all that. Whilst it's not Windows, there are definitely exploits that target Linux boxes, especially with local access.
 
All times are GMT -5.