Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I just rebooted my machine after leaving it online for about 24 hrs to find that there is a new user listed on the Mandy login screen... "geogeek".
Has someone hacked me and set up their own user?
I'm not convinced that my root user has a password, you know. I used to type in a password to get to root, but it hasn't asked me for one since I upgraded Mandy 9.0 to 9.1. Just lets me into root no questions asked.
Open a term and type su
(password or not)
and when logged in as root type passwd
and type a new pass.
Edit /etc/passwd and delete the line that has geogeek in it, and
you should consider getting a firewall.
Thanks
I su'd to root, (no password required)
typed passwd, set a new passwd
That feels safer. Though when I look at /etc/passwd it is about 28 lines long with a line about geogeek at the end. The other lines mention things like postgres, named, postfix etc. I've deleted geogeek's line.
What's a good free firewall for Mandrake 9.1 then? I use PC-cillin for my Windows machine.
Very strange. No firewall yet but I have passworded root. I then stepped away from the machine for about 2 hours and when I returned an app called KWrited is open with a document in it called
"Listening on Device /dev/pts/0"
and a few pages of
Message from syslogd@localhost at Fri Aug 8 07:53:59 2003 ...
localhost
Message from syslogd@localhost at Fri Aug 8 07:55:00 2003 ...
localhost
Message from syslogd@localhost at Fri Aug 8 07:56:01 2003 ...
localhost last message repeated 2 times
Message from syslogd@localhost at Fri Aug 8 07:58:00 2003 ...
localhost last message repeated 3 times
Message from syslogd@localhost at Fri Aug 8 07:59:49 2003 ...
localhost last message repeated 2 times
Message from syslogd@localhost at Fri Aug 8 08:01:00 2003 ...
localhost last message repeated 3 times
Message from syslogd@localhost at Fri Aug 8 08:02:01 2003 ...
localhost last message repeated 2 times
Message from syslogd@localhost at Fri Aug 8 08:04:00 2003 ...
localhost last message repeated 2 times
Message from syslogd@localhost at Fri Aug 8 08:06:00 2003 ...
localhost last message repeated 3 times
Message from syslogd@localhost at Fri Aug 8 08:07:59 2003 ...
localhost last message repeated 2 times
Message from syslogd@localhost at Fri Aug 8 08:09:00 2003 ...
localhost last message repeated 4 times
Message from syslogd@localhost at Fri Aug 8 08:10:59 2003 ...
localhost last message repeated 3 times
Message from syslogd@localhost at Fri Aug 8 08:12:00 2003 ...
localhost
Message from syslogd@localhost at Fri Aug 8 08:13:04 2003 ...
localhost last message repeated 4 times
Message from syslogd@localhost at Fri Aug 8 08:14:59 2003 ...
localhost last message repeated 2 times
Message from syslogd@localhost at Fri Aug 8 08:16:00 2003 ...
localhost last message repeated 3 times
Message from syslogd@localhost at Fri Aug 8 08:18:01 2003 ...
localhost last message repeated 2 times
Message from syslogd@localhost at Fri Aug 8 08:20:01 2003 ...
localhost last message repeated 2 times
Message from syslogd@localhost at Fri Aug 8 08:22:01 2003 ...
localhost last message repeated 3 times
Message from syslogd@localhost at Fri Aug 8 08:24:01 2003 ...
localhost last message repeated 2 times
Message from syslogd@localhost at Fri Aug 8 08:26:00 2003 ...
localhost last message repeated 3 times
Message from syslogd@localhost at Fri Aug 8 08:28:01 2003 ...
localhost last message repeated 2 times
The intruder has probably included more than just the geogeek password. You should go on an extermination campaign against geogeek. First try: find / -iname "*geogeek*" and see what turns up.
Similarly, you should learn as much about Kwrited as you can.
After you learn as much as you can about what has been inserted into your system then delete everything suspicious starting with the command:
userdel -r geogeek
If Kwrited is something that you do not use then exterminate it. If you do use it then reinstall it.
Also it is quite possible that someone has sent all of your passwords to a remote location. You should change all of your user names and all passwords and make all of the changes in as short a time interval as possible. If practical you should do the extermination and name changes while not connected to any network.
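One way to audit the account files for the signs mentioned in this thread (an account that is not in a known baseline, and a root account that needs no password), as an added example that is not from the thread; it also checks for extra UID-0 accounts, which goes beyond what the posts mention. The passwd/shadow contents and the baseline list are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): audit constructed /etc/passwd and
# /etc/shadow style text for: accounts missing from a baseline, any extra
# UID-0 account, and accounts whose password field is empty (the
# "su to root with no password" symptom). All sample data is constructed.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
named:x:25:25:Named:/var/named:/bin/false
geogeek:x:501:501::/home/geogeek:/bin/bash
backdoor:x:0:0::/tmp:/bin/sh'

SHADOW_SAMPLE='root::12345:0:99999:7:::
bin:*:12345:0:99999:7:::
postgres:!!:12345:0:99999:7:::
named:!!:12345:0:99999:7:::
geogeek:$1$constructedhash:12345:0:99999:7:::
backdoor:$1$constructedhash:12345:0:99999:7:::'

# Accounts expected on this box (constructed baseline, one name per line).
BASELINE='root
bin
postgres
named'

# Print names from passwd-style text that do not appear in the baseline.
unknown_accounts() {   # $1 = passwd text, $2 = baseline text
    printf '%s\n' "$1" | cut -d: -f1 | while IFS= read -r name; do
        printf '%s\n' "$2" | grep -qx -- "$name" || printf '%s\n' "$name"
    done
}

# Print names with UID 0 other than root (a second root is a classic backdoor).
extra_uid0() {         # $1 = passwd text
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print names whose shadow password field is empty: no password needed at all.
empty_passwords() {    # $1 = shadow text
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

echo "unknown accounts: $(unknown_accounts "$PASSWD_SAMPLE" "$BASELINE" | tr '\n' ' ')"
echo "extra uid-0:      $(extra_uid0 "$PASSWD_SAMPLE" | tr '\n' ' ')"
echo "empty passwords:  $(empty_passwords "$SHADOW_SAMPLE" | tr '\n' ' ')"
```

On a real box, feed it the contents of /etc/passwd and /etc/shadow and a baseline taken from a known-good install; an empty shadow field for root means anyone at the console gets root with no password.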
The only piece of real advice is to reformat and reinstall.
Back up any HUMAN READABLE files you want to. No binaries. Then reformat and reinstall. Make sure this time you put in the proper security measures and react on changes. If you think you're not up to securing/hardening your box, post in the Linux - Security forum after you reinstalled.
Check your logs for info on "geogeek's" IP; you can always report 'em as well. Back up /var if you have questions about that later, it'll likely be where your logs were located. This shouldn't be backed up to be re-inserted, but only for forensics at a later date.
It seems rather pointless doing anything until you have set up your firewall/iptables... otherwise your intruder will just come back in. You need to do this in the right order. The first sensible thing would be to unplug your network cable.
Personally I'd back up what you need and wipe that sucker clean. I'd write all zeros to your HD, then reinstall (offline), and after you have it all set up with a firewall in place, then put it back online.
Originally posted by unSpawn:
The only piece of real advice is to reformat and reinstall.
Back up any HUMAN READABLE files you want to. No binaries. Then reformat and reinstall. Make sure this time you put in the proper security measures and react on changes. If you think you're not up to securing/hardening your box, post in the Linux - Security forum after you reinstalled.
Just thought I'd quote this again so it appeared again. This is the best approach.
I agree. I would strongly advise you to do a backup of non-binary files [only if you need them], and /var for later examination, and then reinstall. Get all security updates. Don't use the old username/password that you used to. Then connect to the internet ;-0. Absolutely the best advice from unSpawn.
How's this for a plan of action then:
=========================
1-Log in as root. Type:
dd if=/dev/zero of=/dev/hda
(If I understand correctly, this will format my HD and write zeros across it.)
2-Boot machine with the Mandy 9.1 CD inserted - install Mandy, choose "paranoid" when asked about security. (Will this stop p2p apps like gtk-gnutella, and other apps like aMSN working? Should I choose a lower security level?)
3-Choose a new root username/password.
4-Once Mandy is up and running, immediately run MandrakeUpdate and get all the patches.