Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
But as for what to do, reinstall your system. It's the only way to ever have full confidence that there is nothing else to worry about. You can use things like rkhunter to check over your files, but in general it's not watertight.
In addition to re-installing, try to learn from this and take steps so that it never happens again. For example, did you have passwords enabled on SSH? If so, turn it off and use keys. Do you have an application like fail2ban installed, which will make it exponentially harder for someone to try to gain access? Is the system physically secure? Are you using VNC in an unsecured way, such as without an SSH tunnel?
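The post above recommends turning off SSH password logins in favour of keys. The script below is an added example (not code from the thread or from OpenSSH) that audits an sshd_config for the settings that keep a server a password-guessing target, including the keyboard-interactive setting that can still hand a password to PAM after PasswordAuthentication has been set to no. The two sample configs, the temporary paths, and the assumed OpenSSH defaults (PasswordAuthentication yes, keyboard-interactive yes, PermitRootLogin prohibit-password on 7.0 and later) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an sshd_config for the settings
# that keep SSH a password-guessing target: password auth, keyboard-interactive
# auth (which can still pass a password to PAM), and root password logins.
# Sample configs and paths are constructed; the defaults assumed here are
# OpenSSH's documented ones.

# Effective value of a keyword: sshd honours the FIRST uncommented occurrence,
# and the supplied default applies when the keyword never appears.
sshd_effective() {  # $1 = config file, $2 = keyword, $3 = default when absent
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# Print one finding per line; return the number of findings (0 = key-only setup).
check_sshd_config() {  # $1 = config file
    f=$1; n=0
    if [ "$(sshd_effective "$f" PasswordAuthentication yes)" != no ]; then
        echo "$f: PasswordAuthentication is not 'no' (switch to keys)"; n=$((n + 1))
    fi
    # Older releases spell this ChallengeResponseAuthentication; honour either name.
    kbd=$(sshd_effective "$f" KbdInteractiveAuthentication \
          "$(sshd_effective "$f" ChallengeResponseAuthentication yes)")
    if [ "$kbd" != no ]; then
        echo "$f: keyboard-interactive auth still enabled (PAM may prompt for a password)"; n=$((n + 1))
    fi
    case "$(sshd_effective "$f" PermitRootLogin prohibit-password)" in
        no|prohibit-password|without-password) ;;
        *) echo "$f: PermitRootLogin allows root password logins"; n=$((n + 1)) ;;
    esac
    return $n
}

# Constructed sample: a distro-style file where the password line is only commented out.
write_weak_config() {  # $1 = path
    cat > "$1" <<'EOF'
# sshd_config (constructed sample, weak)
Port 22
#PasswordAuthentication no
PermitRootLogin yes
UsePAM yes
EOF
}

# Constructed sample: the key-only configuration the post recommends.
write_hardened_config() {  # $1 = path
    cat > "$1" <<'EOF'
# sshd_config (constructed sample, hardened)
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
UsePAM yes
EOF
}

# Stand-alone demo over both samples.
tmp=$(mktemp -d)
write_weak_config "$tmp/weak"
write_hardened_config "$tmp/hardened"
for f in "$tmp/weak" "$tmp/hardened"; do
    if check_sshd_config "$f"; then
        echo "$f: OK (keys only, no root password logins)"
    fi
done
rm -rf "$tmp"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config` and then `sshd -t` after any change; the weak sample reports three findings because a commented-out line leaves the default in force, which is exactly the mistake that keeps password logins alive.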
Aside from what's been said already... did you actually look at the offending address? Is it internal to your company, or external? Is the Linux system behind firewalls, etc., and did you check with your other users to see if anyone had logged in on purpose?
Since it's **URGENT**, try supplying some decent information...things like version/distro of Linux, the environment the box is in, etc. Saying "someone logged in, help!!" doesn't give us much to go on.
Without investigating the (perceived) breach, re-installation could expose the same infection vector (if any). So please don't give that advice but point them to the CERT link, isolate the machine if necessary and ask them to wait for more knowledgeable people or our LQ Security incident handlers (Unixfool, Hangdog42, win32sux, me) to take over, TIA.
booyeeka, you've got several LQ members here willing to help you out, but your cooperation is necessary in order for that to happen. What is your current status? We haven't heard from you in days! Ideally, this machine should have been isolated the moment a breach was suspected/detected, with a dedicated firewall configured to allow access only from your administrative IP(s). At that point, going through the CERT/CC Intruder Detection Checklist is usually a good idea. Did you take any such action? What other anomalies have you spotted on this server? Running your log files through something like Logwatch can prove quite useful in these cases. BTW, please obtain a snapshot of the general system state, which can be done by running these commands as root (thanks unSpawn):
Code:
# process tree with parent, owner and environment, ordered by parent
ps axfwwwe -eo ppid,pid,uid,cmd --sort=ppid
# open files and sockets, numeric ports and hosts, warnings suppressed
lsof -Pwn
# all sockets with owning process and user
netstat -anpe
# most recent login per account
lastlog
# recent login sessions from wtmp
last
I recommend sending the output of the commands via SSH to a secure location. FWIW, I agree that re-installation might be inevitable (especially given that you don't seem to have HIDS data to work with), but without doing at least basic investigation to find out what happened you risk re-creating the same vulnerability which was exploited. All that said, it's been quite a while since your last post so the suggestions here may not be applicable any more. Please let us know where you stand.
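The post asks for a snapshot of the general system state and for the output to be sent over SSH to a secure location. The script below is an added example (not code from the thread or from the LQ incident handlers) that runs the five commands listed above, records each one's exit status and SHA-256 alongside its output so the evidence can be checked for tampering later, and ships the bundle with ssh. The command list is the post's; the directory layout, the tab-separated MANIFEST format, the archive name and the remote path are this example's own choices. One caveat the thread implies: these are the suspect host's own ps, lsof and netstat, so on a rootkitted box their output can lie, and a statically linked toolset from trusted media is preferable when available.

```shell
#!/bin/sh
# Added example, not from the thread. Collects the system-state snapshot
# requested above into one directory, records exit status and SHA-256 for each
# output, seals the manifest, and optionally ships the bundle over SSH.
# Output layout, manifest format and remote path are this example's choices.

SNAPSHOT_CMDS='ps axfwwwe -eo ppid,pid,uid,cmd --sort=ppid
lsof -Pwn
netstat -anpe
lastlog
last'

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {  # $1 = file
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# Run one command, saving stdout+stderr to $2; return its exit status.
# A missing binary is recorded (status 127) rather than aborting the snapshot.
snapshot_run() {  # $1 = command line, $2 = output file
    bin=${1%% *}
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "NOT AVAILABLE: $bin" > "$2"
        return 127
    fi
    sh -c "$1" > "$2" 2>&1
}

# Collect every command's output into $1 and write $1/MANIFEST
# (one tab-separated line per command: status, sha256, file, command).
# Prints the number of commands recorded.
snapshot_collect() {  # $1 = output directory
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' "$SNAPSHOT_CMDS" > "$dir/CMDS"
    { echo "host: $(uname -n)"; echo "uid: $(id -u)"; date -u +'taken: %Y-%m-%dT%H:%M:%SZ'; } > "$dir/INFO"
    : > "$dir/MANIFEST"
    i=0
    while IFS= read -r cmd; do
        i=$((i + 1))
        out="$dir/$(printf '%02d' "$i")-${cmd%% *}.txt"
        if snapshot_run "$cmd" "$out"; then rc=0; else rc=$?; fi
        printf '%s\t%s\t%s\t%s\n' "$rc" "$(sha256_of "$out")" "${out##*/}" "$cmd" >> "$dir/MANIFEST"
    done < "$dir/CMDS"
    # Seal the manifest itself so a changed output file is detectable later.
    sha256_of "$dir/MANIFEST" > "$dir/MANIFEST.sha256"
    wc -l < "$dir/MANIFEST" | tr -d ' '
}

# Re-check every recorded hash; print mismatching files, return their count.
snapshot_verify() {  # $1 = snapshot directory
    dir=$1; bad=0
    while IFS="$(printf '\t')" read -r rc sum file cmd; do
        [ "$(sha256_of "$dir/$file")" = "$sum" ] || { echo "MISMATCH: $file"; bad=$((bad + 1)); }
    done < "$dir/MANIFEST"
    return $bad
}

# Bundle the snapshot and push it over SSH into a remote directory.
snapshot_ship() {  # $1 = snapshot directory, $2 = user@host, $3 = remote directory
    name="snapshot-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -C "$(dirname "$1")" -czf - "$(basename "$1")" | ssh "$2" "mkdir -p '$3' && cat > '$3/$name'"
}

# Stand-alone use (as root): ./snapshot.sh /root/snapshot [user@host [remote_dir]]
if [ -n "${1:-}" ]; then
    n=$(snapshot_collect "$1")
    echo "recorded $n commands in $1 (see MANIFEST)"
    snapshot_verify "$1" && echo "manifest verified"
    if [ -n "${2:-}" ]; then
        snapshot_ship "$1" "$2" "${3:-/var/tmp}"
    fi
fi
```

Keep a copy of MANIFEST.sha256 somewhere the compromised host cannot reach (the same SSH destination is fine); `snapshot_verify` then answers the question a reviewer will ask later, namely whether the evidence being analysed is still the evidence that was captured.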