Security problem: someone edited my directory
Hi,
I have a problem, please help. I am using Ubuntu 12.04. On my system someone edited my directory file. Is there any script to send a notification mail when my directory/folder is accessed by anyone?
Not a script as such but you can shut off write access to your directory(ies).
If you open a terminal window, you should be logged in to your home directory, say it's /home/your_name. If you
Code:
cd ..
<this puts you in the /home directory>
Code:
chmod 755 your_name
You may also wish to change your UMASK value; it should be
Code:
umask
Code:
umask 0022
Other than that, consider how someone gained access to your stuff -- is your password known to others? If so, change it immediately.
Hope this helps some.
Thank you very much for this update.
Actually I have a different problem. I was maintaining some servers. Last week it was hacked. Someone accessed my server, edited one directory and added some files to that directory. I don't want this to happen again. So if anyone accesses my files/directories, I want to be notified immediately by mail. Can you please tell me a way to solve this problem?
Quote:
After that, you can use inotify in a script to watch whatever you'd like, and take whatever action you'd like. This topic has been covered on this site MANY times in the past...please use the LQ Search feature to look for threads. Also, Google has many solutions as well...did you look in either place?
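A sketch of the inotify approach suggested above, added here as an example and not part of any poster's reply. It assumes inotifywait (from inotify-tools) and a working mail command are installed; the watched directory /srv/www, the recipient address and the dirwatch tag are placeholders.

```shell
#!/bin/sh
# Added example: mail an alert when files under a directory are added,
# removed or changed. Needs inotifywait (inotify-tools) and a working mail(1).
WATCH_DIR="${WATCH_DIR:-/srv/www}"            # assumption: directory to watch
MAIL_TO="${MAIL_TO:-admin@example.com}"       # assumption: alert recipient

# Map an inotify event list (e.g. "CREATE,ISDIR") to a short label.
classify() {
    case "$1" in
        *CREATE*|*MOVED_TO*)   echo added ;;
        *DELETE*|*MOVED_FROM*) echo removed ;;
        *MODIFY*|*ATTRIB*)     echo changed ;;
        *)                     return 1 ;;   # event we do not alert on
    esac
}

# Turn one "time|events|path" line into alert text; non-zero if unusable.
# The path is the last field, so a "|" inside a file name is preserved.
format_alert() {
    case "$1" in *"|"*"|"*) ;; *) return 1 ;; esac
    ts=${1%%"|"*}; rest=${1#*"|"}
    ev=${rest%%"|"*}; path=${rest#*"|"}
    kind=$(classify "$ev") || return 1
    printf '%s %s: %s (%s)' "$ts" "$kind" "$path" "$ev"
}

# Watch recursively; read-only "access" events are left out as too noisy.
watch_dir() {
    inotifywait -m -r -q -e modify,attrib,create,delete,move \
        --timefmt '%Y-%m-%dT%H:%M:%S' --format '%T|%e|%w%f' "$WATCH_DIR" |
    while IFS= read -r line; do
        msg=$(format_alert "$line") || continue
        logger -t dirwatch "$msg"                      # local syslog copy
        printf '%s\n' "$msg" | mail -s "dirwatch: change under $WATCH_DIR" "$MAIL_TO"
    done
}

# Start the watcher only when asked: sh dirwatch.sh --watch
case "${1:-}" in
    --watch) watch_dir ;;
esac
```

inotify reports what changed and when, not which user or process did it, and each event sends one mail, so a burst of changes produces a burst of messages.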
In addition to what @TBOne says above, check your system logs for remote log in with ssh (that's what the bad guys usually use).
Also, look at your /etc/passwd file -- it should look a lot like this one:
Code:
cat /etc/passwd
Look at your /etc/shadow file; it should look like this:
Code:
cat /etc/shadow
Change your root password immediately -- do not use a dictionary word, use upper- and lower case letters, numbers, punctuation, good password practice. Change your own password immediately. Force a password change for all users. That's a good start.
Hope this helps some.
PS: wish you'd said that in the first place -- it sounded like a user account being fiddled with by another user rather than a system breach.
Quote:
Quote:
- Before you do anything else please first read the CERT Intruder Detection Checklist. While old it may still show you actions to perform in case you don't know what to do.
- notify users of systems under investigation they should change their keys / pass phrases and avoid using these systems because they're suspected to be compromised,
- mitigate the situation by stopping non-vital services (you need SSH to get in, not Apache, MySQL, FTP or any R-services) or denying access to those services by raising the firewall,
- after stabilizing either prepare /etc, /tmp, /var/tmp, /home and /var backups for future reference and start providing new properly secured and hardened server(s) if continuity must be guaranteed or start your investigation.
We need to know a few things about the (perceived) compromised machines:
- Where are they located? (home, colocation, shared hosting, vps, cloud, etc)
- The date of the incident?
- What exact distro + release + kernel (*If you run Ubuntu 12.04 then you must be running Ubuntu 12.04.2 LTS as that's the current Long Term Support release),
- What is their purpose? (What services do they run / provide) *Note also take into account software running on top of the web server like CMSes, web logs, shopping carts, photo galleries, statistics packages and anything else including 3rd party plugins,
- What do system, daemon and firewall logs show?
- Was all software kept up to date?
- Were these machines hardened?
- What do audit (Samhain, Logwatch, etc, etc), auth (last, lastb, lastlog) and IDS data (Snort, Bro, Prelude, etc, etc if any) show?
- Exactly what files did you find, where did you find them and what was ownership / access rights and MAC times (see 'stat')?
- Have you checked user shell history files?
Please be verbose when you reply because the more info we have the better advice can be tailored.