Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Some hacker attacked my Fedora 14 behind the firewall. I recovered it with a counter attack, but could someone tell me what this is and how I can change it back to the normal name? I googled it but didn't find anything related to it yet. Please let me know if you know it.
Thanks
-------
When you run 'who', this is where I am not sure how to get rid of dabdall yet. It was a hacker and I was able to trace it. It was coming from Greece.
You didn't provide any information about the attack type, or whether you made any backups/images of your hard disk.
I am trying to figure out the type of the attack. It was trying to get sudo / root on my server and apparently got it; I noticed quickly and removed it. I traced the IP, which was from Greece. Anyhow, how do I get rid of this 'dabdall' at pts/0?
I appreciate the tips.
It seems no process is running, but the name is still displayed there. I deleted the account that the stupid hacker created right away. But it is still showing... I know this is a no-brainer, but I am trying to figure it out...
Excuse me, but can we stop treating the symptoms and focus on the problem? If someone was able to create an account, your system was compromised and cannot be trusted. Simply killing the ssh connection doesn't change that. So let's look at this properly.
- Isolate this machine from the internet, either by pulling the network cable or by putting up a firewall that denies all access except SSH from trusted IP addresses.
- Start gathering evidence. You need to look at log files to determine when this suspect account was created. Look at your root .bash_history as well.
- Start looking for running processes. Commands to run are ps -afxwwwe, lsof -Pwn, netstat -pane. Those should give you an idea of what is running on the machine, and you should be on the lookout for things that aren't expected.
- The CERT Checklist is a good thing to work through to try and figure out what happened.
Simply messing with the suspect account isn't going to get you where you need to be.
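The evidence-gathering steps above (snapshot running processes and open sockets, then inspect the account database for entries you did not create) can be scripted so they are run once, consistently, before anything else is touched. The following POSIX sh helper is an added example written for this thread, not something Hangdog or any poster provided; it uses exactly the commands named above (ps -afxwwwe, lsof -Pwn, netstat -pane, who), guards the optional tools with command -v, and adds three checks over a passwd-format file: extra UID-0 accounts, accounts with an interactive shell, and accounts listed by UID so the most recently added ones sort last. The triage.sh name, the evidence directory layout and the sample passwd lines are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): first-pass triage helper for the
# steps described above. Functions take a passwd-format file
# (name:pw:uid:gid:gecos:home:shell) so they can be run against a copy
# taken from the compromised host as well as against the live /etc/passwd.

# Print every account that has UID 0 but is not "root". An intruder who
# obtained root commonly leaves a second UID-0 login behind.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print non-root accounts whose login shell is neither nologin nor false,
# i.e. accounts that can log in interactively. Compare this list against
# the accounts you know you created.
interactive_accounts() {
    awk -F: '$1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# List ordinary user accounts (UID 1000-59999) sorted by UID. useradd
# hands out the next free UID, so the last lines are the newest accounts.
accounts_by_uid() {
    awk -F: '$3 >= 1000 && $3 < 60000 { print $3, $1 }' "$1" | sort -n
}

# Snapshot the live system into a timestamped directory using the commands
# from the thread. Tools that are not installed are skipped; nothing here
# modifies the system, it only records its current state.
collect_evidence() {
    dir="${1:-evidence-$(date +%Y%m%d-%H%M%S)}"
    mkdir -p "$dir"
    ps -afxwwwe > "$dir/ps.txt" 2>&1 || true
    if command -v lsof >/dev/null 2>&1; then
        lsof -Pwn > "$dir/lsof.txt" 2>&1 || true
    fi
    if command -v netstat >/dev/null 2>&1; then
        netstat -pane > "$dir/netstat.txt" 2>&1 || true
    fi
    who > "$dir/who.txt" 2>&1 || true          # the lingering pts/0 entry
    last > "$dir/last.txt" 2>&1 || true        # login history from wtmp
    cp /etc/passwd "$dir/passwd.copy"
    if [ -r /root/.bash_history ]; then
        cp /root/.bash_history "$dir/root_bash_history"
    fi
    extra_uid0_accounts "$dir/passwd.copy" > "$dir/extra_uid0.txt"
    interactive_accounts "$dir/passwd.copy" > "$dir/interactive.txt"
    accounts_by_uid "$dir/passwd.copy" > "$dir/accounts_by_uid.txt"
    printf 'evidence written to %s\n' "$dir"
}

# Only collect when invoked as:  sh triage.sh collect [directory]
# (assumed invocation; sourcing the file just defines the functions)
if [ "${1:-}" = "collect" ]; then
    collect_evidence "${2:-}"
fi
```

Run the collector as root on the isolated machine and copy the resulting directory off the host before doing anything else; the passwd checks are deliberately separate functions so they can be re-run later against the saved passwd.copy rather than the live file.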
Quote:
Originally Posted by cmontr
I am trying to figure out the type of the attack. It was trying to get sudo / root on my server and apparently got it; I noticed quickly and removed it. I traced the IP, which was from Greece. Anyhow, how do I get rid of this 'dabdall' at pts/0?
thanks
1. Find out how he got in.
2. Wipe and re-install, paying special attention to fixing the flaw that allowed him to get in in the first place.
That's how you get rid of "dabdall," and more importantly, how you get rid of anything else he might have done.
-- Ah, Hangdog gave the how-to's, even better. I should have read the entire thread before posting.
Last edited by moxieman99; 09-22-2010 at 07:55 AM.
Thanks for your time anyway. From an engineering point of view, I would like to figure out how he got through all this security. I know killing procs will not solve the issue. Anyone knows that. Let's just stop at this point. I will figure it out. Earlier I asked a simple question but some did not get the point. Oh well.
Please have a read of what I posted, that will get you started on figuring out how the cracker got in. Feel free to post the results or any questions you have. We have people here willing to help, but it is your responsibility to gather the data needed to analyze the problem.
Thank you. I know you guys are helpful. This is a test machine and I run multiple OSes on it to get to know them. There is of course security all over. Let's see what I find out; I will let you know.