LinuxQuestions.org

Linux - Security: Security problem : My directory some one edit (https://www.linuxquestions.org/questions/linux-security-4/security-problem-my-directory-some-one-edit-4175471768/)

sureshkumar.challa 08-01-2013 02:55 PM

Security problem : My directory some one edit
 
Hi,

I have a problem please help.

I am using Ubuntu 12.04 OS. On my system someone edited my directory file.

Is there any script to notify me by mail when my directory/folder is accessed by anyone?

tronayne 08-01-2013 03:17 PM

Not a script as such but you can shut off write access to your directory(ies).

If you open a terminal window, you should be logged in to your home directory, say it's /home/your_name. If you
Code:

cd ..    # this puts you in the /home directory
ls -l
<some directory names>
drwxr-xr-x 93 your_name    users    20480 Aug  1 15:52 your_name/
<some more directory names>

If the permissions don't look like drwxr-xr-x, change them so nobody else has write access to your home directory:
Code:

chmod 755 your_name
ls -l

and you should see the permission as above.

You may also wish to change your UMASK value; it should be
Code:

umask
0022

If it isn't (your system administrator may have set it to a different value), get back in your home directory (just type cd and hit the enter key) and edit your .profile or .bashrc file or whatever file name is used to set your environment when you log in and add a line to the bottom of that file like this:
Code:

umask 0022

That will, by default, set any new files you create to read-write for you, read for your group members and read for public (nobody but you can write to a file); it will set executable files you create to read-write-execute for you, read-execute for your group and read-execute for public but, again, nobody will be able to write to the executable file.

Other than that, consider how someone gained access to your stuff -- is your password known to others? If so, change it immediately.

Hope this helps some.

sureshkumar.challa 08-01-2013 03:45 PM

Thank you very much for this update.

Actually I have a different problem.

I was maintaining some servers. Last week it was hacked. Someone accessed my server, edited one directory and added some files to that directory.

So I don't want this to happen again.

So if anyone accesses my files/directories, immediately notify me through mail.

So can you please tell me any way to solve this problem?

TB0ne 08-01-2013 04:05 PM

Quote:

Originally Posted by sureshkumar.challa (Post 5001171)
Thank you very much for this update.
Actually I have a different problem. I was maintaining some servers. Last week it was hacked. Someone accessed my server, edited one directory and added some files to that directory.

So I don't want this to happen again. So if anyone accesses my files/directories, immediately notify me through mail.
So can you please tell me any way to solve this problem?

First, if your servers were hacked, you have MUCH bigger problems. You IMMEDIATELY need to do a VERY thorough audit of your server, check for rootkits/scripts/users, and change passwords AT A MINIMUM. After that, you need to put a decent firewall in place, and figure out how they got in.

After that, you can use inotify in a script to watch whatever you'd like, and take whatever action you'd like. This topic has been covered on this site MANY times in the past...please use the LQ Search feature to look for threads. Also, Google has many solutions as well...did you look in either place?
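
TB0ne's pointer to inotify, worked out as an added example that is not from the thread or from any of the posters: a watcher built on the Linux inotify system calls through ctypes (the `inotifywait` tool from inotify-tools does the same job from the shell). The event bit values and the `libc.so.6` name are standard Linux; the function names are mine, and delivering alert_text() to a mail command is left to the reader.

```python
# Added example (not from the thread): a minimal directory watcher built on the
# Linux inotify API via ctypes, so it needs only the standard library. It
# returns the events; piping alert_text() into your mail command is up to you.
import ctypes
import os
import struct

_libc = ctypes.CDLL("libc.so.6", use_errno=True)
IN_NONBLOCK = 0o4000            # O_NONBLOCK, accepted by inotify_init1()
EVENTS = {                      # event bits from <sys/inotify.h>
    0x002: "modified",          # IN_MODIFY
    0x004: "attributes changed",  # IN_ATTRIB
    0x080: "moved in",          # IN_MOVED_TO
    0x100: "created",           # IN_CREATE
    0x200: "deleted",           # IN_DELETE
}
_EVENT_HDR = struct.Struct("iIII")  # struct inotify_event: wd, mask, cookie, len


def start_watch(directory):
    """Return a non-blocking inotify fd that watches the entries of `directory`."""
    fd = _libc.inotify_init1(IN_NONBLOCK)
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init1 failed")
    if _libc.inotify_add_watch(fd, os.fsencode(directory), sum(EVENTS)) < 0:
        raise OSError(ctypes.get_errno(), "inotify_add_watch failed")
    return fd


def drain_events(fd):
    """Return every queued (action, filename) pair; [] when nothing happened."""
    try:
        buf = os.read(fd, 64 * 1024)
    except BlockingIOError:
        return []
    events, pos = [], 0
    while pos < len(buf):
        _wd, mask, _cookie, name_len = _EVENT_HDR.unpack_from(buf, pos)
        pos += _EVENT_HDR.size
        # the name is NUL-padded to an alignment boundary; len covers the padding
        name = buf[pos:pos + name_len].split(b"\0", 1)[0].decode(errors="replace")
        pos += name_len
        events.extend((action, name) for bit, action in EVENTS.items() if mask & bit)
    return events


def alert_text(directory, events):
    """One line per event, ready to hand to your mail command."""
    return "\n".join(f"{directory}/{name} {action}" for action, name in events)
```

Call start_watch() once, then poll drain_events() in a loop (or wait on the fd with select) and mail whatever alert_text() returns.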

tronayne 08-01-2013 04:30 PM

In addition to what @TB0ne says above, check your system logs for remote logins with ssh (that's what the bad guys usually use).

Also, look at your /etc/passwd file -- it should look a lot like this one:
Code:

cat /etc/passwd
root:x:0:0::/root:/bin/ksh
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/false
ftp:x:14:50::/home/ftp:/bin/false
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:/bin/false
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
oprofile:x:51:51:oprofile:/:/bin/false
apache:x:80:80:User for Apache:/srv/httpd:/bin/false
messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false
pop:x:90:90:POP:/:/bin/false
nobody:x:99:99:nobody:/:/bin/false
<user accounts below here>

Note that every administrative account (except root) is /bin/false: that means there's no login on any administrative account (and there should not be any login on any administrative account).

Look at your /etc/shadow file; it should look like this:
Code:

cat /etc/shadow
root:encrypted root password here:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
oprofile:*:9797:0:::::
pop:*:9797:0:::::
apache:*:9797:0:::::
messagebus:*:9797:0:::::
haldaemon:*:9797:0:::::
nobody:*:9797:0:::::
<user accounts below here>

Note that there should be no password for any of those administrative accounts (the * in the password field is impossible to decrypt). If there are passwords on any administrative account, replace them with an asterisk (*).

Change your root password immediately -- do not use a dictionary word, use upper- and lower-case letters, numbers, punctuation, good password practice.

Change your own password immediately.

Force a password change for all users.

That's a good start.

Hope this helps some.

PS: wish you'd said that in the first place -- it sounded like a user account being fiddled with by another user rather than a system breach.
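
tronayne's two checks, turned into an added example that is not from the thread or from the poster: it flags system accounts with a login shell or a password hash, any extra UID 0 account, and an empty password field. The passwd and shadow samples and the `toor` account are constructed; the UID 1000 boundary is Ubuntu's default for system accounts.

```python
# Added example (not part of the thread): checks in the spirit of tronayne's
# /etc/passwd and /etc/shadow advice. Both samples are constructed; feed
# audit() the contents of the real files (reading /etc/shadow needs root).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin",
                  "/bin/sync", "/sbin/halt", "/sbin/shutdown"}  # last three are standard
SYSTEM_UID_MAX = 999  # Ubuntu gives UIDs below 1000 to system accounts

SAMPLE_PASSWD = """\
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
operator:x:11:0:operator:/root:/bin/bash
sshd:x:33:33:sshd:/:/bin/false
toor:x:0:0:constructed example:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructed$roothash:15900:0:99999:7:::
bin:*:15900:0:99999:7:::
operator:$6$constructed$ophash:15900:0:99999:7:::
sshd:*:15900:0:99999:7:::
toor::15900:0:99999:7:::
alice:$6$constructed$alicehash:15900:0:99999:7:::
"""


def parse_colon_file(text):
    """Yield the colon-separated fields of every non-empty, non-comment line."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")


def audit(passwd_text, shadow_text):
    """Return (account, finding) pairs that deserve a second look."""
    findings = []
    shadow = {fields[0]: fields[1] for fields in parse_colon_file(shadow_text)}
    for name, _pw, uid, _gid, _gecos, _home, shell in parse_colon_file(passwd_text):
        uid = int(uid)
        system = uid <= SYSTEM_UID_MAX and name != "root"
        if uid == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        if system and shell not in NOLOGIN_SHELLS:
            findings.append((name, f"system account with login shell {shell}"))
        pw = shadow.get(name, "*")  # no shadow entry means no password login
        if pw == "":
            findings.append((name, "empty password field: no password needed"))
        elif system and not pw.startswith(("*", "!")):
            findings.append((name, "system account has a password hash set"))
    return findings
```

On the sample, only operator and toor are reported; root with a hash and alice with a login shell are expected and stay quiet.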

unSpawn 08-02-2013 01:32 AM

Quote:

Originally Posted by sureshkumar.challa (Post 5001171)
So if anyone accesses my files/directories, immediately notify me through mail. So can you please tell me any way to solve this problem?

As you've gathered from responses this is not the "problem" to focus on. Focus on mitigating the effects of the attack and solving the breach of security first.

Quote:

Originally Posted by sureshkumar.challa (Post 5001171)
(..) I was maintaining some servers. Last week it was hacked. Someone accessed my server, edited one directory and added some files to that directory.

"Last week" is too long ago. Act now!

- Before you do anything else please first read the CERT Intruder Detection Checklist. While old it may still show you actions to perform in case you don't know what to do.
- notify users of systems under investigation that they should change their keys / pass phrases and avoid using these systems because they're suspected to be compromised,
- mitigate the situation by stopping non-vital services (you need SSH to get in, not Apache, MySQL, FTP or any R-services) or denying access to those services by raising the firewall,
- after stabilizing either prepare /etc, /tmp, /var/tmp, /home and /var backups for future reference and start providing new properly secured and hardened server(s) if continuity must be guaranteed or start your investigation.

We need to know a few things about the (perceived) compromised machines:
- Where are they located? (home, colocation, shared hosting, vps, cloud, etc)
- The date of the incident?
- What exact distro + release + kernel (*If you run Ubuntu 12.04 then you must be running Ubuntu 12.04.2 LTS as that's the current Long Term Support release),
- What is their purpose? (What services do they run / provide) *Note also take into account software running on top of the web server like CMSes, web logs, shopping carts, photo galleries, statistics packages and anything else including 3rd party plugins,
- What do system, daemon and firewall logs show?
- Was all software kept up to date?
- Were these machines hardened?
- What do audit (Samhain, Logwatch, etc, etc), auth (last, lastb, lastlog) and IDS data (Snort, Bro, Prelude, etc, etc if any) show?
- Exactly what files did you find, where did you find them and what was ownership / access rights and MAC times (see 'stat')?
- Have you checked user shell history files?

Please be verbose when you reply because the more info we have the better advice can be tailored.


All times are GMT -5.