Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am getting an unusual series of requests on my server. It's a small web server that I use for my courses. Students come to get info/notes, and I only have 40 students this semester. The strange thing is that I keep getting GET requests on the home page (sometimes every 30 seconds) from addresses coming from a single ISP:
I replaced the last 5 digits of the address by nnnnn. But the number changes every time (i.e. a different IP).
Sympatico.ca is a PPPoE ISP. Getting that many of the same request from different persons is very unlikely for a small server such as mine.
I think someone is sending a GET to the server, disconnecting his PPPoE connection, reconnecting, sending another GET, and so on... (getting a different IP from the ISP every time)
Now that doesn't seem like much to worry about, as it's far from being enough to be a DoS attack, but I'm just curious to know from more experienced admins what kind of script the guy is running, and why?
(Just an opinion from you guys would make me happy)
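The pattern the poster describes (the same GET for the home page at a steady interval, each time from a fresh address in one ISP's pool) is easy to spot in an access log if you stop keying on the individual IP. The script below is an added example written for this thread, not code from the original post. It parses Apache/NCSA combined-format lines, groups requests for a path by /24 prefix (a stand-in for "same ISP pool"; the real pool boundaries are an assumption), and flags a prefix that hits the page often, at a short and steady median interval, from many distinct addresses. The log lines and the 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed sample data from the documentation ranges, not the poster's logs.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log in Apache combined format. 198.51.100.x plays the
# rotating PPPoE pool polling "/" every ~30 s; 203.0.113.5 is an ordinary student.
SAMPLE_LOG = """\
198.51.100.17 - - [10/Mar/2003:14:00:01 -0500] "GET / HTTP/1.0" 200 2341 "-" "-"
198.51.100.42 - - [10/Mar/2003:14:00:31 -0500] "GET / HTTP/1.0" 200 2341 "-" "-"
198.51.100.9 - - [10/Mar/2003:14:01:02 -0500] "GET / HTTP/1.0" 200 2341 "-" "-"
203.0.113.5 - - [10/Mar/2003:14:01:10 -0500] "GET /notes/week3.pdf HTTP/1.1" 200 88112 "http://example.test/" "Mozilla/4.0"
198.51.100.77 - - [10/Mar/2003:14:01:33 -0500] "GET / HTTP/1.0" 200 2341 "-" "-"
198.51.100.3 - - [10/Mar/2003:14:02:04 -0500] "GET / HTTP/1.0" 200 2341 "-" "-"
203.0.113.5 - - [10/Mar/2003:14:02:20 -0500] "GET /notes/ HTTP/1.1" 200 4120 "http://example.test/" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def prefix24(ip):
    """Collapse an IPv4 address to its /24; a crude proxy for 'same ISP pool'."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def find_rotating_pollers(lines, path="/", min_hits=4, max_median_gap=60, min_distinct_ips=3):
    """Flag /24 prefixes that request `path` many times at a short, steady
    interval from many different addresses. One client re-dialling PPPoE for a
    fresh IP between requests looks exactly like that; 40 students do not."""
    by_prefix = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["path"] == path:
            by_prefix[prefix24(rec["ip"])].append(rec)

    findings = {}
    for prefix, recs in by_prefix.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        ips = {r["ip"] for r in recs}
        med = median(gaps)
        if med <= max_median_gap and len(ips) >= min_distinct_ips:
            findings[prefix] = {
                "hits": len(recs),
                "distinct_ips": len(ips),
                "median_gap_s": med,
                "user_agents": sorted({r["ua"] for r in recs}),
            }
    return findings


if __name__ == "__main__":
    for prefix, info in find_rotating_pollers(SAMPLE_LOG.splitlines()).items():
        print(prefix, info)
```

Run it over the real log with `find_rotating_pollers(open("/var/log/httpd/access_log"))`; the user-agent set is worth printing because a re-dialling script usually sends the same (often empty) User-Agent on every hit, which a roomful of student browsers would not.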
It is most likely a simple pre-made script taken from a hacking site. Why? Simple. It could be script-kiddies just messing around and having fun with their "ultra-cool hacking whacking" script. If this was a serious attacker, a DDoS would have occurred and you would have been scanned several times with different scanners for open ports and/or exploits.
Now with the changing ip address. Canadians are known for their 56k connections (please don't bash me =P) so it doesn't matter. You won't be able to track him down (but you probably can if you have a serious attack; sue; company hands over info, etc.) So, he is basically attacking for a period, re-connecting, trying again. He may even have a dedicated server with auto-shutdown-restart scripts for his inet. But I'm paranoid, that's just me =P.
Originally posted by securehack: It is most likely a simple pre-made script taken from a hacking site. Why? Simple. It could be script-kiddies just messing around and having fun with their "ultra-cool hacking whacking" script. If this was a serious attacker, a DDoS would have occurred and you would have been scanned several times with different scanners for open ports and/or exploits.
Probably someone who got a bad grade.
No doubt there, a serious attacker would have taken the server down pretty fast.. It was port scanned a month ago but not much to worry about either.
Quote:
Now with the changing ip address. Canadians are known for their 56k connections (please don't bash me =P) so it doesn't matter.
lol, well I don't know anyone still on a 56k modem..
Quote:
You won't be able to track him down (but you probably can if you have a serious attack; sue; company hands over info, etc.) So, he is basically attacking for a period, re-connecting, trying again. He may even have a dedicated server with auto-shutdown-restart scripts for his inet. But I'm paranoid, that's just me =P.
--Abid Kazmi
There's nothing on the server that's worth suing anyone for.. I have a backup of everything, although it would take some time to re-install and re-configure. I was just worried that it was part of a script that would become 'meaner' later. But since no one seems to think it's a problem (or care to answer), I guess I shouldn't worry either.
Well, never take computer security as an easy thing. There are literally millions of tool kits out there that can be used to compromise a system. So, maybe these kiddies might actually learn something and start using some more serious methods of hacking. So be careful and always check your firewall logs, etc.
shrug, file a civil lawsuit in your local county court against "John Doe". they should give you a blank subpoena, if not ask for it. go make copies. get a pen. fill out a subpoena requesting the identity of the user who was logged into the ISP's system using <IP> and <time>. Send to ISP (does not matter that it's in CA). When the ISP gives you the kid's docs, file a motion to dismiss with the county court. then call up his ISP and cancel his service with the info they just gave you.
yawn.
oh and as an afterthought: there is something useful on that server, UID 0 - root -. you want to take part in the next massive DDoS attack? yeah, just because the data you have isn't important doesn't mean the server itself isn't as well. sites get taken down by DDoS not because a whole bunch of people had nifty cool files on their computers, but because since they didn't they couldn't be bothered to secure their systems, when in fact their system was the target.
Quote: shrug, file a civil lawsuit in your local county court against "John Doe". they should give you a blank subpoena, if not ask for it. go make copies. get a pen. fill out a subpoena requesting the identity of the user who was logged into the ISP's system using <IP> and <time>. Send to ISP (does not matter that it's in CA). When the ISP gives you the kid's docs, file a motion to dismiss with the county court. then call up his ISP and cancel his service with the info they just gave you.
A little too serious.... and considering life is short and people don't have time...
Originally posted by RijilV: shrug, file a civil lawsuit in your local county court against "John Doe". they should give you a blank subpoena, if not ask for it. go make copies. get a pen. fill out a subpoena requesting the identity of the user who was logged into the ISP's system using <IP> and <time>. Send to ISP (does not matter that it's in CA). When the ISP gives you the kid's docs, file a motion to dismiss with the county court. then call up his ISP and cancel his service with the info they just gave you.
That's a bit extreme.. I wouldn't go that far...
Quote:
oh and as an afterthought: there is something useful on that server, UID 0 - root -
That is true. And that's why I asked the question about the log entries.
What I meant is that if someone manages to hack the server, I'll just format & reinstall. And hopefully prevent him from getting in again.
Actually, the server is on a dynamic IP (DynDNS provides the domain name). So the IP changes every 3 days or so.
The problem is that it also means there's a script on the server that contains my username+password (unencrypted) for the ISP and DynDNS. That, I don't like, but it seems there's no other way... (well, no reasonable way...)
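The usual answer to "the update script has to contain the password" is that the script does not have to contain it: put the credentials in a separate file that only root can read, and have the script refuse to run if that file is a symlink, owned by someone else, or readable by group/other. Then the script itself can be world-readable and checked into backups without leaking anything. The code below is an added example for this thread, not the poster's script and not DynDNS's or Sympatico's client. The `/nic/update` path, the `hostname`/`myip` parameter names and the `KEY=VALUE` file layout are assumptions made for illustration; the point being demonstrated is the permission check and keeping the secret in an Authorization header rather than in the script body or on a command line where `ps` and shell history would show it.

```python
import base64
import os
import stat
import tempfile
from urllib.parse import urlencode

REQUIRED_KEYS = ("DYNDNS_USER", "DYNDNS_PASS", "HOSTNAME")


def load_credentials(path, expected_uid=None):
    """Read KEY=VALUE lines from a credentials file, but only if the file is a
    regular file (not a symlink someone planted), owned by the expected user,
    and carries no group/other permission bits at all (i.e. mode 0600 or 0400).
    Anything looser raises PermissionError instead of silently using the secret."""
    st = os.lstat(path)                       # lstat: do not follow symlinks
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if expected_uid is not None and st.st_uid != expected_uid:
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path}: mode {oct(st.st_mode & 0o777)} is group/world accessible; chmod 600 it")

    creds = {}
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            creds[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in creds]
    if missing:
        raise ValueError(f"{path}: missing {', '.join(missing)}")
    return creds


def build_update_request(creds, new_ip):
    """Assemble the pieces of an HTTP update request. Path and parameter names
    are assumptions for the example, not a statement of any provider's API.
    The secret travels only in the Authorization header, never in the URL."""
    token = base64.b64encode(f"{creds['DYNDNS_USER']}:{creds['DYNDNS_PASS']}".encode()).decode()
    query = urlencode({"hostname": creds["HOSTNAME"], "myip": new_ip})
    return {"path": f"/nic/update?{query}",
            "headers": {"Authorization": f"Basic {token}"}}


def self_check():
    """Exercise the checks against a throwaway file (constructed sample
    credentials, not real ones) and report what happened."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "dyndns.conf")
    with open(path, "w") as fh:
        fh.write("# constructed example credentials\n"
                 "DYNDNS_USER=prof\nDYNDNS_PASS=s3cret\nHOSTNAME=course.example.test\n")
    result = {}
    try:
        os.chmod(path, 0o644)                 # the typical mistake: world-readable
        try:
            load_credentials(path, expected_uid=os.getuid())
            result["world_readable_rejected"] = False
        except PermissionError:
            result["world_readable_rejected"] = True

        os.chmod(path, 0o600)                 # the fix
        creds = load_credentials(path, expected_uid=os.getuid())
        req = build_update_request(creds, "192.0.2.10")
        result["user"] = creds["DYNDNS_USER"]
        result["path"] = req["path"]
        result["authorization"] = req["headers"]["Authorization"]
    finally:
        os.remove(path)
        os.rmdir(workdir)
    return result


if __name__ == "__main__":
    print(self_check())
```

Run the update from root's crontab (or a dedicated unprivileged user that owns the credentials file) and pass `expected_uid=os.getuid()`; the ownership check is what stops another local account from substituting its own file at the same path.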
I tried to connect on several ports of some of the computers. It looks like they have port 21 open, but without running any FTP server. The connection closes after some time. A quick Google search says that it could be the "t0rn" rootkit. Now, I'm looking for a way to make sure..
That means that it is not only one computer connecting and disconnecting, but many computers connecting at a time interval. This is becoming fun
I tried to connect on several ports of some of the computers. It looks like they have port 21 open, but without running any FTP server. The connection closes after some time. A quick Google search says that it could be the "t0rn" rootkit.
Hold up. So you connected to some of the computers through :21.
Now what do you mean about the rootkit. You mean THEY have it or YOU have it. Explanation is a little weary.
And btw, I'm not sure, but computer hacking is against LQ policy so don't discuss it any further.
No, they have a rootkit installed on their computers. The person who installed the rootkit is using it to 'attack' my server. I tried to connect on the computers who 'attacked' my server to see what was there. On these computers, port 21 is open, but there's no FTP server running; you just get a blank screen (no echo either). You can type in anything though.
I'm looking on the internet to see what kind of rootkit or worm (if any) is on their computers. I'll advise their ISP if I can confirm their computers have been hacked.
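What the poster observed on port 21 has a name worth separating from the rootkit guess: a listener that accepts the TCP connection but never volunteers a banner. A real FTP server greets you with a `220 ...` line the moment you connect, so "open but silent" tells you only that the port is not FTP, not what it is. The script below is an added example for this thread, not the poster's tool; it classifies a port as closed, filtered, silent-open, or banner-bearing, and includes a self-check that starts its own throwaway listeners on 127.0.0.1 so it runs offline. The previous reply's point stands: run this against hosts you administer, not against the addresses in your log.

```python
import socket
import threading
import time


def classify_port(host, port, timeout=3.0):
    """Connect to host:port and report one of:
      'closed'       connection refused
      'filtered'     connect timed out (firewall dropping the SYN)
      'silent-open'  accepted, then sent nothing (or closed) before `timeout`
      'banner:...'   the first line the service volunteered, e.g. '220 ...'
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return "silent-open"       # accepted but nothing said
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    if not data:
        return "silent-open"               # accepted, then closed without a word
    return "banner:" + data.decode("ascii", "replace").strip()


def start_listener(reply, hold_seconds=2.0):
    """Constructed test listener on a free loopback port. reply=None mimics the
    'open but silent' behaviour from the thread: accept, sit quietly, then close.
    Any other value is sent as a banner straight after accept."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if reply is not None:
            conn.sendall(reply)
        else:
            time.sleep(hold_seconds)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def self_check():
    """Probe three local ports: a fake FTP banner, a silent listener, a closed port."""
    ftp_port = start_listener(b"220 ftpd ready\r\n")
    silent_port = start_listener(None)
    probe = socket.socket()                 # grab a free port, then release it
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    return {
        "ftp": classify_port("127.0.0.1", ftp_port),
        "silent": classify_port("127.0.0.1", silent_port, timeout=1.0),
        "closed": classify_port("127.0.0.1", closed_port),
    }


if __name__ == "__main__":
    print(self_check())
```

On your own machine, the companion check is to list what is actually bound (`netstat -lntp` or `ss -lntp` as root) and compare it with what the network sees; a port that answers from outside but does not appear in the local listing is the signature of a kernel- or library-level rootkit hiding the socket, and is the "make sure" the poster was looking for.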