Linux - Security
OK, I had an unknown person SSH'd onto my server; anyway, he was logged on as root, most likely from a PC somewhere in the office I didn't log off from, since I'm the only one with the root passwd. I did a pkill root and it kicked me out also, and I can't SSH back in. What can I do at this point? This is serious, BTW, so no laughing. Thanks a million.
No, I'd rather you POWER OFF the box and don't disturb it until you can boot a Live or rescue CD.
BTW, is the box local or remote? If it appears that a box on the LAN is compromised, you'll have to take care of that first by alerting someone to take care of it, or by denying inbound access on the router to that segment and killing that box.
OK, I found out it was a PC I thought was off, and it had the same file open; in other words, there is no security breach. The box is at a NAP; I'll have to pass by tonight to reset it. I'm just scared about whether, once I have physically rebooted the machine, it will let me back in and bring all the processes up again.
First off, don't entitle a topic "Heeeeeeeeeeeelp!!!" - Instead, describe the problem with an intelligent phrase.
Can you log in locally? If not, then bashrc, bash_profile, .login, or another startup script is probably misconfigured. Boot to single user mode or from a live CD and check the files. Also, check /etc/passwd to make sure that the login shell for root is configured as bash or something else reasonable, and that the MD5 signature of that instance of bash matches what you actually installed.
Actually, the ideal solution? If you are not absolutely, positively 100% certain you can find the exploit, back up your data, key configuration files (e.g., /etc/httpd, /etc/X11, etc/), your data, and anything else that is important then wipe the system and either restore from a backup or reinstall and copy your data (and config files) back to the new installation. You may actually save yourself a LOT of time that way.
If you don't want to R&R, then do the following:
Now, for the first step, can you log in locally? If so, the first thing you should do is install and run clamav, chkrootkit (http://www.chkrootkit.org/), and rkhunter (http://www.rootkit.nl/) on the entire filesystem to help ID compromised executables, and also known-bad executables. Check the usual suspects (/etc/ssh/, /etc/passwd, etc.) for back doors. Check your /etc/init.d/ (runlevel) configuration to make sure that nothing unusual is being launched. I'd say to check timestamps on the init files to see if anything has been touched, but a good cracker would have touched the files to backdate mtime, ctime, and atime to evade suspicion, so your only recourse will be to either:
- diff the files against a KNOWN-clean system
or
- Examine each and every startup script to ID any potential back doors s/he added to the system
Eh, you know what? It's SO much work that you're best off restoring your most recent backup. I've cleaned systems before but unless you have a good basis for comparing the current config to the past (MD5 signatures or other method) or unless you've run rkhunter and/or chkrootkit from the very beginning and kept a history of changes, don't trust the system, unless it's just a toy in which case what's the big deal?
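The checks recommended above (root's login shell in /etc/passwd, no unexpected UID-0 accounts, and hashes of the shell binary and init scripts compared against a known-clean baseline), as an added example that is not code from this thread. It runs entirely against constructed sample files in a temp directory; the paths, the sample passwd entries and the use of sha256 instead of MD5 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: offline versions of the checks above,
# run against constructed sample files in a temp dir so the real host is untouched.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample passwd: a second UID-0 account is exactly what to look for.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:extra root:/root:/bin/sh
EOF

# login_shell PASSWDFILE USER -> the login shell recorded for USER
login_shell() { awk -F: -v u="$2" '$1 == u { print $7 }' "$1"; }

# uid0_accounts PASSWDFILE -> every account with UID 0 (only root should appear)
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# make_baseline OUTFILE FILE... -> record the sha256 of each FILE. In real use the
# baseline comes from the clean install or the package, never from the suspect box.
make_baseline() { out=$1; shift; sha256sum "$@" > "$out"; }

# check_baseline BASELINEFILE -> print each path whose current hash differs
check_baseline() {
    while read -r want path; do
        have=$(sha256sum "$path" | cut -d' ' -f1)
        [ "$have" = "$want" ] || echo "$path"
    done < "$1"
}

# Constructed stand-ins for /bin/bash and an init script; then tamper with one.
mkdir -p "$WORK/bin" "$WORK/init.d"
printf 'clean bash binary\n' > "$WORK/bin/bash"
printf 'clean ssh init script\n' > "$WORK/init.d/ssh"
make_baseline "$WORK/baseline.sha256" "$WORK/bin/bash" "$WORK/init.d/ssh"
printf 'appended by someone\n' >> "$WORK/init.d/ssh"

echo "root shell: $(login_shell "$WORK/passwd" root)"
echo "UID 0 accounts: $(uid0_accounts "$WORK/passwd" | tr '\n' ' ')"
echo "files differing from baseline:"
check_baseline "$WORK/baseline.sha256"
```

On a real system, point the functions at /etc/passwd and a baseline built from a trusted copy of the same package versions; a hash taken from the suspect box itself proves nothing.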
I'm 100% sure there is no security breach whatsoever. I'll be going physically to reset the machine. We do have an APC that can be remotely managed, but no one has the passwd, so I'll have to physically reset the password on that one while I'm in there.
Not that it's not appreciated, but using "preview post" before posting may save typing. Apparently a lot of people don't use the feature.
Not that it's not appreciated, but if I'd clicked "preview post" and saw that the original poster had posted an update in the meantime, it'd not have saved me a single keystroke. Thanks, though!
Today I walked to the actual server on the POP and it was completely frozen. I turned it off and on again, and it booted up just fine; all the processes run just fine. And I didn't get fired for bringing it down. So what's to learn from all of this? Perhaps: don't input a command before thoroughly doing your research, and second, this forum pwns!!
So what's to learn from all of this? Perhaps: don't input a command before thoroughly doing your research
And maybe use more than one means of access for critical servers, like adding an (out of band) console server, monitoring and making sure services stay up and run Xinetd's backupssh on a different port ACL'ed to your management IP (range)?
BTW I'll change the thread title to "Possible ssh breach".
"Heeeeeeeeeeeelp!!!" just isn't descriptive enough...
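The backup sshd on a separate port, restricted to a management range, that the reply above suggests, as an added example of the xinetd service definition (not from this thread). The port, the sshd path and the 192.0.2.0/24 management range are assumptions; sshd's -i flag runs it in inetd mode.

```conf
# Added example: /etc/xinetd.d/backupssh (path, port and range are assumptions).
# Gives a second way in that does not depend on the main sshd daemon staying up;
# only_from limits it to the management network.
service backupssh
{
    type            = UNLISTED
    port            = 2222
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/sshd
    server_args     = -i
    only_from       = 192.0.2.0/24
    log_on_failure  += USERID
    disable         = no
}
```

Keep the same port closed to everything else on the router or host firewall so the only path to it is the management range listed in only_from.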
Just by chance I'm reading a book all about this kind of stuff. It's called "Hardening Linux" and has everything to help make your server (nearly) bullet-proof.
I can't scan it for you :P , but I will leave you with the details so you can get it. It only costs $40 (sounds like a lot for a book, but well worth it to keep hackers out):
title: Hardening Linux
publisher: McGraw-Hill / Osborne
ISBN: 0-07-225497-1