Linux - Security (LinuxQuestions.org forum)
Checked the logs, nothing major. I had a visit from Google bot overnight, and a Yahoo bot.
So you are running something potentially vulnerable, like a server.
It would be helpful to future readers if you posted a lot more information: distro, services running (apache, ssh, telnet (the gods forbid!), etc.). See similar threads in this forum.
...Panic, what can I do?
0] Stay calm.
1] Unplug the network, before you are blacklisted, or distribute more spam and prOn.
2] Do NOT reboot or reinstall.
3] Wait for someone who knows more about this than I do to come here and help you. unSpawn, where are you?
Rebooting / reinstalling may destroy the evidence you need to find out how / when they got in (if they did at all).
But if you are worried, please take your site offline NOW.
Like the second poster, this sounds like the router/modem may need to be power-cycled, especially since that appears to be the only symptom. But, as anomie stated, a proper netstat should be run (on each machine) to determine what may be going on. I almost never factor the state of my router lights into suspicious activity, since they are always lit anyway (I keep my machines on all the time).
Note that skiddie scripts will probably keep hammering the network with ssh brute force attempts even after the router is recycled... they are that dumb.
What type of modem are you talking about? 56/128 modem? DSL modem? Is this a modem/router combo?
Don't reboot the machine(s). If both (if you've one of each) are showing lit up constantly, you DO have an issue, IMO. Just make sure you aren't streaming music or using some such network multimedia app. Check all machines' network connections (before getting genuinely alarmed). I'm betting it's something you may have left running and aren't accounting for.
Modem and router have different scopes. A modem will be on a subnet to your ISP's head-end, DSLAM or whatever else equivalent. Basically (think OSI) the device doesn't concern itself with whatever traffic or traffic content goes up and down the line: it just establishes a connection between endpoints and that's about it (OK, except if somebody finds herself onto that ISP subnet and is fscking around with exposed services ;-p, very unlikely). Not telling which lights (power, upstream, downstream, link state) go nuts doesn't help much. Modem trouble, as I've experienced it, usually points to ISP-side (common), link carrier (not that rare but depending) or physical cable (rare) or equipment (very rare and I'm no Cisco wiz) probs.
I agree that this, together with router probs, looks more like a black-out situation than anything else. If those devices are accessible (SNMP, telnet, logs over HTTP) then getting log data could help. If they don't then I agree you should move on to whichever sources you actually can get data from to establish a timeline of events before going berserk.
Originally Posted by smeezekitty
Rebooting a device makes you lose all volatile data (otherwise loosely described as "evidence") like process, network and user data. You'll want to save those listings just in case.
Originally Posted by tredegar
where are you?
When I'm not around you may safely assert I'm busy elsewhere. Luckily I'm not the only one who can deal with incident response in a structured way.
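As an added example (not code from this thread or any of its posters), a POSIX shell snapshot of the volatile data unSpawn says to save before anyone reboots: processes, sockets (ss, falling back to the netstat mentioned earlier), logged-in users, routes. The function and file names are hypothetical; it assumes a Linux host with GNU coreutils and procps, and records "tool not installed" where a tool is missing instead of failing.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread): snapshot volatile
# host state to a directory before any reboot, one file per listing plus a
# checksum manifest. Run as root for full visibility. Assumes GNU coreutils
# (sha256sum) and procps-style ps; iproute2 (ss, ip) and lsof are optional.

# run_and_save LABEL OUTDIR CMD...: save CMD's stdout+stderr to OUTDIR/LABEL.txt
run_and_save() {
    label=$1; outdir=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$outdir/$label.txt" 2>&1 || true
    else
        printf 'tool not installed: %s\n' "$1" > "$outdir/$label.txt"
    fi
}

# capture_volatile_state OUTDIR: collect the listings, return 0 on success.
capture_volatile_state() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    # When the snapshot was taken, by whom, on what kernel: the timeline starts here.
    { date -u '+%Y-%m-%dT%H:%M:%SZ'; id; uname -a; } > "$outdir/00_when_who.txt" 2>&1
    run_and_save 10_uptime    "$outdir" uptime
    run_and_save 20_users_w   "$outdir" w
    run_and_save 21_users_who "$outdir" who -a
    run_and_save 22_last      "$outdir" last -ai
    # Full command lines and start times, so odd processes can be matched to log entries.
    run_and_save 30_procs     "$outdir" ps axwwo pid,ppid,uid,user,lstart,etime,stat,cmd
    # Sockets with owning PIDs (-p); prefer ss, fall back to netstat if that is what is installed.
    if command -v ss >/dev/null 2>&1; then
        run_and_save 40_sockets "$outdir" ss -tunapo
    else
        run_and_save 40_sockets "$outdir" netstat -tunapo
    fi
    run_and_save 41_routes    "$outdir" ip route show
    run_and_save 42_neighbors "$outdir" ip neigh show
    run_and_save 50_openfiles "$outdir" lsof -nP
    # Checksums let you show later that the listings were not altered after capture.
    ( cd "$outdir" && sha256sum ./*.txt > MANIFEST.sha256 ) || return 1
    return 0
}

# Usage (write to removable media, not the suspect disk):
# capture_volatile_state "/media/usb/evidence-$(hostname)-$(date -u +%Y%m%dT%H%M%SZ)"
```

Pull the network cable first, as tredegar advised, and copy the directory off the box before doing anything else to it.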