#1, 03-25-2007, 12:42 AM
Member
Registered: Aug 2004
Location: a small village faraway in the mountains
Distribution: Fedora Core 1, Slackware 10.0 | 2.4.26 | custom 2.6.14.2, Slackware 10.2 | 11.0, Slackware64-13
Posts: 345
someone's hacked our college server
Hi all,
I'm a student at a university. Lately we've been experiencing certain problems. Sometimes someone changes the IP address of our proxy server, or sometimes the port on which it runs is changed.
The server machine runs Solaris 10.
The common ports open on the server machine are...
1) ftp
2) ssh
3) finger
4) rpcbind
5) http-proxy
and a few others...
I'm not a network administrator... so I do not have access to the server machine. We've contacted our server administrator and are now trying to nab the culprit.
One thing we know is that he's someone from our internal network. If I do a finger on the server machine I get an internal IP from which a root user had logged into the server.
Now, I'm very new to these kinds of things and our network administrator is also not that advanced. Could anyone give any pointers as to how we can nab the culprit?
One more question: our network administrator is not available frequently, so mostly the scenario is that I'm on an internal IP trying to access the net through the proxy server... and the hacker (who is also on an internal IP) changes the proxy port/IP so that he can have all the bandwidth to himself.
Can I find who's doing this without actually logging in to the server machine? I've tried using tcpdump... but I don't know much about using it. Once the hacker has changed the proxy's port/IP only his web browser will have active TCP connections with the server. Can I somehow find his machine by analyzing the network traffic?
Thanks for any help.
#2, 03-25-2007, 04:12 AM
Senior Member
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109
Hi.
(N.B. I'm assuming here that your proxy host is actually under attack, and that it's not just a weird config issue at play here, but I'm not sold either way.)
If you know the IP from where your attacker has logged in, then it shouldn't be a major problem to find out where the host is. Do a traceroute to the offending IP and find out which router she's connected to.
Some points of interest, though.
1) Your attacker has root on an outward facing server. This is a pretty serious issue, and implies that either the system is vulnerable to a remote exploit which can result in root access, or more likely, that someone has the root password for the system.
2) Why is this system running services like finger?
If you eventually get access to the system (you don't appear to be the admin, so I don't know how likely this is), run 'last' to find out where logins came from (if your attacker has root, though, then there's nothing stopping them from modifying the 'last' database). You might get some joy from running a snoop, to see where network traffic is going, but read the man page first to decide on a decent syntax to filter out legitimate traffic. netstat should show all the live connections to and from the box.
To be honest, though, if there's any doubt about the integrity of the system (especially as root access is involved), then get it off the network, and reinstall-and-patch after doing your forensics.
Dave
Last edited by ilikejam; 03-25-2007 at 04:25 AM.
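One way to do the passive traffic analysis asked about in post #1 (and the "see where network traffic is going" step Dave suggests in post #2), as an added example that is not from the thread: it parses `tcpdump -n` output and pairs each client SYN to the proxy with the proxy's reply, so you can see which internal client is completing handshakes while everyone else is being refused on the old port. The capture is constructed, and the proxy address 10.0.0.1 and the ports 3128/8080 are assumptions, not values from the thread.

```python
import re
from collections import Counter

PROXY_HOST = "10.0.0.1"  # assumed proxy address (placeholder, not from the thread)

# Matches one line of "tcpdump -n" output:
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (not a real trace): two clients still try the old
# proxy port 3128 and get reset, one client already talks to the new port 8080.
SAMPLE_CAPTURE = """\
00:01:00.000001 IP 10.0.0.15.51234 > 10.0.0.1.3128: Flags [S], seq 1, win 65535, length 0
00:01:00.000200 IP 10.0.0.1.3128 > 10.0.0.15.51234: Flags [R.], seq 0, ack 2, win 0, length 0
00:01:01.000001 IP 10.0.0.23.40001 > 10.0.0.1.8080: Flags [S], seq 1, win 65535, length 0
00:01:01.000100 IP 10.0.0.1.8080 > 10.0.0.23.40001: Flags [S.], seq 1, ack 2, win 65535, length 0
00:01:01.000200 IP 10.0.0.23.40001 > 10.0.0.1.8080: Flags [.], ack 2, win 65535, length 0
00:01:02.000001 IP 10.0.0.42.51000 > 10.0.0.1.3128: Flags [S], seq 1, win 65535, length 0
00:01:02.000200 IP 10.0.0.1.3128 > 10.0.0.42.51000: Flags [R.], seq 0, ack 2, win 0, length 0
00:01:03.000001 IP 10.0.0.23.40002 > 10.0.0.1.8080: Flags [S], seq 1, win 65535, length 0
00:01:03.000100 IP 10.0.0.1.8080 > 10.0.0.23.40002: Flags [S.], seq 1, ack 2, win 65535, length 0
"""

def classify_syns(capture, proxy=PROXY_HOST):
    """Pair each client SYN to the proxy with the proxy's first reply.
    Returns (accepted, refused): Counters keyed by (client_ip, proxy_port)."""
    pending, accepted, refused = set(), Counter(), Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP or otherwise unparsable line
        f = m.groupdict()
        if f["dst"] == proxy and f["flags"] == "S":
            pending.add((f["src"], f["sport"], f["dport"]))
        elif f["src"] == proxy and f["flags"] in ("S.", "R."):
            flow = (f["dst"], f["dport"], f["sport"])  # same flow, seen from the proxy side
            if flow in pending:
                pending.discard(flow)
                bucket = accepted if f["flags"] == "S." else refused
                bucket[(f["dst"], f["sport"])] += 1
    return accepted, refused

def suspect_clients(capture, proxy=PROXY_HOST):
    """Clients completing handshakes to the proxy that were never refused on any port."""
    accepted, refused = classify_syns(capture, proxy)
    refused_clients = {ip for ip, _ in refused}
    return sorted((ip, port, n) for (ip, port), n in accepted.items() if ip not in refused_clients)
```

Feed it a real trace by replacing SAMPLE_CAPTURE with the output of `tcpdump -n host <proxy-ip>`; on a switched LAN such a capture only shows traffic to and from the capturing host, so it needs a mirror port, a hub, or to be taken on the proxy itself.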