I fixed the issue. The hacker was blocked with no harm.
I hope you understand that we view such claims somewhat skeptically unless backed up by an explanation/evidence. The sad truth is that most of these kinds of threads end up with the OP sticking their head in the sand and pretending that everything is OK. I know you've said that this box isn't particularly important, but if you've treated the symptoms instead of solving the problem, your machine and network could still be at risk.
I agree with Hangdog42.
If you're sick and you take something that keeps you from sneezing, you're STILL sick...you're still contagious. Your focus should be aimed at getting rid of the sickness instead of trying to get rid of the symptoms.
It is nice that it is all fixed, but what security measures have you now taken to stop this from happening again? A few things I know from your post: someone was able to log in as root through ssh, which means root logins through ssh were not disabled. Your root account on the machine was not disabled and had a weak password, otherwise they wouldn't have been able to log in as root in the first place. You should add a user to the sudoers file to give them root privileges and then disable the root account. I suspect the firewall wasn't configured properly, allowing a user from anywhere to have access to the ssh port. Unless you really need users to have access and they don't have a static IP address, it is best to configure iptables to allow access to the ssh port only from a specific address.
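The two hardening steps the post above recommends, as an added example that is not part of the thread: a check of an sshd_config for the PermitRootLogin setting, and the shape of the iptables rules that restrict port 22 to one source address. The config files and the 203.0.113.10 address are constructed samples, not the OP's.

```shell
#!/bin/sh
# Added example, not the thread's own code. The configs written below are
# constructed samples; 203.0.113.10 is a documentation address (RFC 5737).

# Print the effective PermitRootLogin value, lowercased. sshd honours the
# first uncommented occurrence of a keyword, so stop at the first match.
# Match blocks are not parsed here.
root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1"
}

# Return 0 only when root cannot log in with a password. OpenSSH 7.0+
# defaults to prohibit-password when the keyword is absent (assumed here;
# older releases defaulted to yes).
root_login_ok() {
    v=$(root_login_setting "$1")
    [ -n "$v" ] || v=prohibit-password
    case "$v" in
        no|prohibit-password|without-password) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the rules the post describes: accept SSH from one source address,
# drop every other connection to port 22. Printed, not applied, so this
# runs without root; order matters because iptables is first-match.
ssh_allow_rules() {
    printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Demo: a constructed weak config beside its corrected form.
weak=$(mktemp); fixed=$(mktemp)
printf '# constructed sample\nPort 22\nPermitRootLogin yes\n' > "$weak"
printf '# constructed sample\nPort 22\nPermitRootLogin no\nPasswordAuthentication no\n' > "$fixed"
for f in "$weak" "$fixed"; do
    if root_login_ok "$f"; then
        echo "$f: root SSH login disabled"
    else
        echo "$f: WEAK - PermitRootLogin $(root_login_setting "$f")"
    fi
done
ssh_allow_rules 203.0.113.10
rm -f "$weak" "$fixed"
```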
Quote:
A few things I know from your post: someone was able to log in as root through ssh, which means root logins through ssh were not disabled.
You know this how? The OP posted a few who listings that did indeed show root logged in, but no evidence that it was the cracker. The only evidence I see that the cracker attained root is that they were able to create a new account.
Quote:
Your root account on the machine was not disabled and had a weak password, otherwise they wouldn't have been able to log in as root in the first place.
I'm not trying to be confrontational, but there is zero evidence for this. When dealing with intrusions, we prefer to deal in facts please.
Quote:
You should add a user to the sudoers file to give them root privileges and then disable the root account
Personally I see no advantage to this approach over a properly run root account. Security by obscurity never really accomplishes much.
Quote:
I suspect the firewall wasn't configured properly, allowing a user from anywhere to have access to the ssh port. Unless you really need users to have access and they don't have a static IP address, it is best to configure iptables to allow access to the ssh port only from a specific address.
While I agree on the utility of limiting ssh access, again, there is absolutely zero evidence that ssh was the vector of attack.