Hello.
For testing I have tried running an Apache server on Ubuntu 14.04.
This morning the machine was frozen. It didn't respond to pings or keyboard inputs. After a reboot I found this in the Apache access log:
How can I find out what the Perl script has done and what do I have to do now? I have stopped the machine. Can I find out what the attack has done and if it has influenced other machines on the LAN?
Next time run any "tests" behind a firewall and properly hardened. Also rebooting removes volatile information. Always try to see if the screen shows information and if you can try to log in over SSH or any Out of Bounds method (if any). Questions:
0) Did you update your machine (see https://www.linuxquestions.org/quest...-a-4175519975/) before this or any other anomalous entry occurred?
1) The Perl IRC bot is similar to the one mentioned in https://www.linuxquestions.org/quest...gs-4175520443/.
2) If it ran you should find the file as "/tmp/ji". Tell us if it's there.
The machine was not reachable: no response to pings, no way to connect over SSH, and the screen was only showing the normal login text. No reaction to keyboard inputs.
I updated the machine a few days before this happened.
The /tmp folder is empty. cd /tmp + ls -la:
insgesamt 16
drwxrwxrwt 4 root root 4096 set 30 10:01 .
drwxr-xr-x 25 root root 4096 set 3 15:42 ..
drwxrwxrwt 2 root root 4096 set 30 10:01 .ICE-unix
drwxrwxrwt 2 root root 4096 set 30 10:01 .X11-unix