Old 05-04-2005, 10:04 PM   #1
Someone hacked my machine - any recourse?

Someone hacked one of my machines. It all started when some people were partying in my office after hours; the next morning one of the Windows machines had more viruses and spyware on it than I could even count... took days to get it to a usable state.

In any event, the user I created on my network for that machine's Samba connection has logged into my ssh machine (no one ever uses that username because I created it solely for Samba) & set up a mail relay. I noticed it when my internet connection was getting really slow, so I checked the ssh machine & saw hundreds of thousands(?) of mails had been sent over the last couple days (last week). I stopped sendmail, changed the password for that user on my NIS machine, changed the shell for that user to /sbin/nologin, removed sendmail from the startup services and everything appeared to be better.

Well, in my logs on the ssh machine, I see that the user I created for Samba has successfully logged in through ssh again! The IP appears to come from Japan. Furthermore, a second IP tried (unsuccessfully) to log into every generic username they could think of: cgi, www-data, guest, webmaster, etc.

I have the IPs of both people. Is there anything I can do? I don't necessarily mean malicious things, I just mean can I report this to someone?
Old 05-04-2005, 10:17 PM   #2
"can I report this to someone?"

You can report it to the FBI.

Steve Stites
Old 05-04-2005, 10:43 PM   #3
And it's safe to assume that you've been rooted.

Grab a liveCD with rootkit-hunter and chkrootkit,
boot the box off that and pray that clean removal
is possible. Whatever distro you're using, you need
to make sure that the MD5 sums of all executables
are the same as on the installation media. ...

That aside, this thread belongs in security, not general.
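
A concrete form of the MD5 comparison Tinkster describes, added here as an illustration rather than code from any poster: a POSIX shell function that checks files against a manifest in md5sum format, assumed to have been generated from the installation media or a pristine image (the OP mentions having one), and run from a live CD against the mounted disk so none of the suspect system's own binaries are trusted.

```shell
#!/bin/sh
# verify_binaries MANIFEST [ROOT]
#   MANIFEST holds "<md5>  <relative path>" lines as produced by md5sum on
#   a known-good system (e.g. "cd /mnt/goodimage && md5sum bin/* sbin/*").
#   ROOT is the mount point of the disk under investigation (default "/").
#   Prints CHANGED/MISSING for every file that does not match and returns
#   non-zero if any did, so it can be used in a condition.
verify_binaries() {
    manifest="$1"
    root="${2:-/}"
    bad=0
    while read -r want path; do
        [ -z "$path" ] && continue          # skip blank lines
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
            continue
        fi
        have=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED  $path"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    echo "$bad file(s) differ from the manifest"
    [ "$bad" -eq 0 ]
}
```

A manifest taken from the same distro release only matches if the checked system is at the same package versions, so a CHANGED entry is a lead to investigate, not proof by itself.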

Old 05-04-2005, 10:47 PM   #4
Original Poster
Originally posted by Tinkster
That aside, this thread belongs in security, not general.
oops. never noticed there was a security forum.

mods, feel free to move at will.

Thanks for the suggestions.
Old 05-04-2005, 10:48 PM   #5
If there was no major financial damage, the FBI may not want to devote a lot of resources to it (at least that's what I heard, but don't take my word for it--ask some of the experts in the security forum). But hopefully you learned that if an account is meant for SAMBA access only, don't give it a real login shell!

First step is to figure out if just that one account was compromised, or if the attacker got root. If you have any doubt at all, particularly since the attacker had physical access, assume the worst. The multiple failed logins sound like one of the brute force attacks going around (see the stickied thread in the security forum) and are probably unrelated.

If the compromise was only in the local account, you may be OK just getting rid of the account and removing all its files (check /tmp, cronjobs, etc.). However, if it were me, I'd nuke the machine and reinstall from trusted media. A pain, but it's the only way to be 100% certain you've rid yourself of the attacker.
Old 05-04-2005, 11:20 PM   #6
I agree with btmiller, if there's any doubt at all about having been rooted, wipe it and start fresh just to be safe.

As far as those IPs, unless they're total morons they're likely of no use anyway.
Old 05-05-2005, 01:50 AM   #7
Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.
Old 05-05-2005, 01:46 PM   #8
Original Poster
Thanks for the thread move.

I compiled and ran chkrootkit & it claimed everything was OK.

That said, now that I've double-checked that the account uses /sbin/nologin as its shell and erased the account's home dir and mail account, I still see that it logged in last night, so I'm going to wipe the machine.

As luck would have it, I made an image of an identical machine a few days before this all happened, so I'll just pull it over. Unfortunately, they appear to have found some of the real accounts on the machine (that are NIS accounts & don't live in /etc/passwd) & attempted to log in through those as well.

What a headache.

.. starting my security research now.

Last edited by BrianK; 05-05-2005 at 01:52 PM.
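
An added example (not from any poster) for btmiller's two points in #5 and the OP's follow-up in #8: one function checks that a service-only account has a non-login shell in a given passwd file, the other summarises sshd "Accepted" lines for that user from a copied auth log so the source addresses can be listed; the usernames and log lines are constructed. The reason a /sbin/nologin shell does not stop the "logged in again" entries is that sshd authenticates the user before the shell ever runs, so sshd_config's DenyUsers is the setting that refuses the login outright.

```shell
#!/bin/sh
# login_shell_ok USER PASSWD_FILE
#   Returns 0 if USER's shell in PASSWD_FILE is a non-login shell, 1 if it
#   is a real shell or the user is absent.  Takes the file path explicitly so
#   it can be run against a mounted image instead of the live system.
login_shell_ok() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $NF }' "$2")
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# ssh_logins USER AUTHLOG
#   Prints "IP COUNT" for each source address that successfully authenticated
#   as USER over ssh, most frequent first.  Matches the standard sshd line
#   "sshd[PID]: Accepted <method> for USER from IP port N ssh2"; an accepted
#   authentication is logged even when the shell is nologin.
ssh_logins() {
    grep -E "sshd\[[0-9]+\]: Accepted [a-z/-]+ for $1 from " "$2" |
        sed -E 's/.* from ([0-9a-fA-F.:]+) port .*/\1/' |
        sort | uniq -c | sort -rn |
        awk '{ print $2, $1 }'
}
```

Run the checks against a copy of /etc/passwd and /var/log/auth.log (or wherever the distro sends sshd messages); the output of ssh_logins is also what to keep alongside the saved attacker files that a later reply recommends preserving.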
Old 05-05-2005, 06:57 PM   #9
If these crackers are that persistent... I would deploy a honeypot or tarpit to slow them down and log their attacks on your organization.

Go to:

For more information on honeynet technology.


Old 05-09-2005, 10:43 AM   #10
I would suggest, never delete anything done by someone who has compromised your system... instead save them elsewhere only accessible by root. Then at least you can refer to what had taken place, in the event it happens again in the future. :-\