Linux - Security
Hello everybody,
I am using Red Hat Linux.
I have encountered one serious problem. When I saw all the keyboard lights blinking, I restarted my Linux server, but while rebooting it showed a long error message regarding a memory location problem.
After that it booted properly, but the root password had been changed automatically, so I tried to recover it with single-user mode, but it would not go into single-user mode. So I finally recovered it with rescue mode.
After login I found in the log files that someone had logged in on my system from the internet 3-4 days before, and not from one IP but from 4 different places. I think they all logged in through SSH. So what should I do about that?
Similarly, if I want to shut down or reboot my system using the init 0 or init 6 command, it shows the following error...
1. Check your server with a rootkit checker
2. You probably have to reinstall your server.
3. Change all login names and passwords.
If it literally said "FUCK" then you can skip step 1: your box has been cracked. The RK_Init* messages are a dead giveaway that the SuckIT rootkit was installed. It is mandatory that you have the box repartitioned, reformatted, and installed from scratch to make a clean start. This must be done as quickly as possible, and there should be no arguing over its necessity.
- If you don't have a clue how they got in, make a backup of your auth, config and log file directories, save a process and network connection listing, and save the contents of the temp directories and of the partitions that daemons and users are able to write to.
- If you want to make backups, don't back up the kernel, LKMs, libraries or binaries, as they might hide other "surprises". Changing all passwords is mandatory as well, as is informing your authorised users that the box was cracked. If this box was on a network you don't own, then informing the network admins would be good too.
- When the box comes up after reinstall, raise the firewall so only you have public access, then start hardening the box. Please see the LQ FAQ: Security references for more.
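As an added example (not part of this reply or the thread), here is a POSIX sh script that does the collection the reply above asks for before the reinstall: it copies the auth, config and log directories, records a listing of the temp and world-writable areas, saves the process and connection tables on a live host, and writes a checksum manifest, while never touching the kernel, modules, libraries or binaries. The function name collect_evidence, the ROOT/OUTDIR arguments and the "run" usage switch are this example's own assumptions; ROOT lets the same script be pointed at a mounted image of the disk instead of the running box.

```shell
#!/bin/sh
# Added example (not from the thread): collects what the reply above says to
# preserve before the reinstall. ROOT (default /) lets it run against the live
# box or a mounted image of its disk; OUTDIR is where the copies go. Function
# and argument names are this example's own assumptions.
collect_evidence() {
    root=${1:-/}
    out=${2:?usage: collect_evidence ROOT OUTDIR}
    mkdir -p "$out/fs" "$out/live"

    # Auth, config and log directories: copied verbatim with -p so the mtimes
    # survive and can be lined up against the ssh logins seen in the logs.
    for d in etc var/log var/spool/cron; do
        if [ -d "$root/$d" ]; then
            mkdir -p "$out/fs/$d"
            cp -Rp "$root/$d/." "$out/fs/$d/" 2>/dev/null || true
        fi
    done

    # Temp dirs and other places daemons and users can write: a full listing
    # (names, sizes, owners, mtimes) of whatever was planted there. Nothing
    # under /boot, /lib or /usr is copied: the reply warns those may carry
    # further surprises, and they are useless as a backup anyway.
    for d in tmp var/tmp dev/shm; do
        if [ -d "$root/$d" ]; then
            ls -laR "$root/$d" > "$out/live/listing-$(printf '%s' "$d" | tr / _).txt" 2>/dev/null || true
        fi
    done

    # Live state, only meaningful on the running host: processes, network
    # connections with owning PIDs, and who is logged in right now.
    if [ "$root" = / ]; then
        ps -ef > "$out/live/ps.txt" 2>/dev/null || true
        { ss -anp 2>/dev/null || netstat -anp 2>/dev/null; } > "$out/live/connections.txt" || true
        w > "$out/live/w.txt" 2>/dev/null || true
    fi

    # Checksums of everything collected so the copy can later be shown to be
    # intact: sha256sum where available, cksum as the POSIX fallback.
    hasher=$(command -v sha256sum || command -v cksum)
    find "$out/fs" "$out/live" -type f -exec "$hasher" {} + > "$out/MANIFEST"
}

# Usage on the live box, writing to removable media rather than the suspect
# disk: sh collect.sh run /mnt/usb/evidence
if [ "${1:-}" = run ]; then
    collect_evidence / "${2:?destination directory required}"
fi
```

Write the output somewhere the intruder cannot reach, such as a USB stick or an NFS mount from a clean host, and keep the MANIFEST with it; the collected copies of /etc and /var/log are the only place the original ssh logins from those four addresses will survive the reinstall.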
I was also suspicious about SuckIT on one of my servers. It was a false positive. I've heard of others, too, who reported SuckIT false positives on RHEL.
Just to be sure about SuckIT:
Quote:
- The SucKIT rootkit allows an attacker to hide malicious files by giving them a particular ending. The current attacker is hiding code that ends in xrk or mem. To test for the presence of the rootkit, create a file whose name ends in xrk or mem, then execute "ls -l". If the files you just created are not shown in the output of ls, it means that the rootkit is hiding them, i.e. your system is compromised and needs to be rebuilt.
- Change directory to /sbin and execute "ls -l init"; the link count should be 1. Create a hard link to init using ln, and then execute "ls -l init" again. If the link count is still 1, the SK rootkit is installed.
- Rooted systems send usernames and passwords to other compromised machines using TCP port 55, so if you keep records of network connections, traffic to destination port TCP/55 merits further investigation.
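The three indicators quoted above, scripted as an added example that is not part of the post or of any rootkit checker: one function per check, so each can be run on its own or over a saved listing. The function names, the "lqcheck" marker used for the probe files, and the sample connection table are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the three SuckIT indicators quoted above,
# as shell functions. The function names, the "lqcheck" marker and the sample
# connection listing are this example's own assumptions.

# Indicator 1: a file whose name ends in .xrk or .mem disappears from "ls".
# Creates two marker files in DIR (default /tmp), lists DIR, removes them and
# prints "clean" if both were listed, "hidden" otherwise.
check_hidden_names() {
    dir=${1:-/tmp}
    tag="lqcheck.$$"
    : > "$dir/$tag.xrk"
    : > "$dir/$tag.mem"
    seen=$(ls -la "$dir" | grep -c -F "$tag" || true)
    rm -f "$dir/$tag.xrk" "$dir/$tag.mem"
    if [ "$seen" -eq 2 ]; then echo clean; else echo hidden; fi
}

# Indicator 2: the hard-link count of init should go from 1 to 2 after "ln".
# The quoted post says a rooted box leaves it at 1. TARGET defaults to
# /sbin/init; the temporary link is created beside it, so this needs write
# access to that directory (run as root) and prints "skipped" otherwise.
check_link_count() {
    target=${1:-/sbin/init}
    link="$target.lqcheck.$$"
    before=$(ls -ld "$target" | awk '{print $2}')
    if ! ln "$target" "$link" 2>/dev/null; then
        echo skipped
        return 0
    fi
    after=$(ls -ld "$target" | awk '{print $2}')
    rm -f "$link"
    if [ "$after" -gt "$before" ]; then echo clean; else echo suspect; fi
}

# Indicator 3: connections to destination port TCP/55. Filters "netstat -nt"
# style lines (proto recv-q send-q local foreign state) read from stdin and
# prints those whose foreign address ends in ":55", so it also works on a
# listing saved earlier.
flag_port55() {
    awk '$1 ~ /^tcp/ && $5 ~ /:55$/'
}

# Constructed sample listing for an offline run (not real traffic).
SAMPLE_CONNS='tcp        0      0 10.0.0.5:22          198.51.100.9:51234   ESTABLISHED
tcp        0      0 10.0.0.5:43121       203.0.113.7:55       ESTABLISHED
tcp        0      0 10.0.0.5:48000       203.0.113.8:443      TIME_WAIT'

# Usage on the live box (as root): sh suckit_check.sh run
if [ "${1:-}" = run ]; then
    echo "xrk/mem hidden-name check : $(check_hidden_names /tmp)"
    echo "init hard-link count check: $(check_link_count /sbin/init)"
    echo "connections to TCP/55:"
    netstat -nt 2>/dev/null | flag_port55
    echo "same filter over the sample listing:"
    printf '%s\n' "$SAMPLE_CONNS" | flag_port55
fi
```

Two caveats when running this on anything newer than the RHEL of that era: on a systemd host /sbin/init is a symlink, so pass the real binary (readlink -f /sbin/init) to check_link_count, and "ss -nt" puts the state in the first column rather than "tcp", so feed flag_port55 netstat-style output or adjust the awk field test. A "clean" from all three only says this particular rootkit's known tricks are absent; it is not proof the box is clean, which is why the earlier reply still calls for a reinstall.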