Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
05-18-2007, 03:40 PM
|
#1
|
LQ Newbie
Registered: Jan 2007
Distribution: CentOS & Fedora Core
Posts: 25
Rep:
|
w shows 2 users while I'm alone on the system!
w command shows following, though I'm alone on the system:
Code:
root@cPanel [~]# w
00:30:11 up 62 days, 11:04, 2 users, load average: 2.65, 2.15, 1.77
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 host-xx-xx-xx- 00:23 0.00s 0.03s 0.01s w
root@cPanel [~]#
Then when I enter who command, the other defunct user shows up. yy.yy.yy.yy ip is our companys, however I killed this session two days ago.
Code:
root@cPanel [~]# who
root pts/0 May 19 00:23 (host-xx-xx-xx-xx.adsl.xxxxx.net)
root pts/2 May 17 23:32 (yy.yy.yy.yy)
How I can get rid of the defunct session? We were rootkited at that day. Maybe the attacker messed something in the system in such a way that there is something totally wrong down there and this defunct session is just a symptom?
|
|
|
05-18-2007, 06:08 PM
|
#2
|
Senior Member
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109
Rep:
|
Hi.
Code:
ps -ef | grep 'pts/2'
should show anything attached to that terminal.
I'm concerned that you've been rootkit'ed, and the host hasn't been brought down for maintenance / forensics. The machine can't be trusted in its current state.
Dave
|
|
|
05-19-2007, 03:39 AM
|
#3
|
LQ Newbie
Registered: Jan 2007
Distribution: CentOS & Fedora Core
Posts: 25
Original Poster
Rep:
|
Thank you for wour answer, though
Code:
ps -ef | grep 'pts/2'
doesn't show anything. However I've entered the system simultaneously on all terminals and now it is gone. I don't know what it was. We can't bring the system down yet, 'cause this is heavy loaded production server, without backup (terrible). I'm new here at the company and it is difficult to understand what's going on. As I have found so far, system was rootkited nearly a month ago! They just didn't use a backdoor until day before day before yesterday.
|
|
|
05-19-2007, 12:22 PM
|
#4
|
Member
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241
Rep:
|
"heavy loaded production server"
"without backup"
"system was rootkited nearly a month ago"
Paraphrasing slightly: They used a backdoor a couple of days ago.
You know what? If your company's server crashes and burns I'd have no sympathy whatsoever. That fact that you can't take it down because it's a production server is just fantastic... that's like saying "But if I turn the sprinklers on, the people in the burning building won't be able to work!".
How much is it going to cost your company to:
a) lose use of that machine for a few hours while you put in a replacement?
b) lose EVERYTHING on that machine, never to be recovered, INCLUDING the time to rebuild an equivalent machine (probably without proper testing because of the timescales), recover from the dissemination of the data on that machine to the general populous, while at the same time having that machine (potentially) be used for ANYTHING... spam, viruses, hacking, proxying of illegal websites..., getting banned from the ISP, etc.etc.etc. Yeah, it's all theoretical. But so's the fact that leaving my front door open while you're not at home is likely to encourage burglars. You *can* do it and get away with it. But would you really risk it?
I bet a) is a LOT cheaper than b) for your company.
Someone WAS in your system. They had access enough and time enough unnoticed to (potentially) gain root access. Root can do ANYTHING, even hide it's own presence in process lists if it so feels like it... some rootkits do this perfectly, some a little more clumsily. Meanwhile you are STILL running this machine and running critical data across it on a daily basis because "it's a production server".
Get it sorted. Or, if you're not responsible for it, give the person who is a kick up the bum from me. Companies like you keep me in work.
|
|
|
05-20-2007, 03:15 AM
|
#5
|
LQ Newbie
Registered: Jan 2007
Distribution: CentOS & Fedora Core
Posts: 25
Original Poster
Rep:
|
Thank you for your objection.
Quote:
Get it sorted. Or, if you're not responsible for it, give the person who is a kick up the bum from me. Companies like you keep me in work.
|
Where do you work?
|
|
|
All times are GMT -5. The time now is 09:05 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|