| Newsgroups | comp.os.linux.security |
|---|---|
| Subject | Re: Security breach? |
| From | Ohmster <root@dev.nul> |
| References | <XnsA145508078CBMyBigKitty@216.196.97.131> <slrnkevaie.4qm.BitTwister@wb.home.test> <i1OHs.32904$3S5.11697@newsfe18.iad> <XnsA14526347AB67MyBigKitty@216.196.97.131> <2R_Hs.22037$532.962@newsfe03.iad> |
| Organization | Ohm's Fish Market |
| Message-ID | <XnsA145A3E2AD554MyBigKitty@216.196.97.131> |
| Date | 2013-01-11 15:06 -0600 |
unruh <unruh@invalid.ca> wrote in news:2R_Hs.22037$532.962@newsfe03.iad:

Awesome help, unruh. You rock and thank goodness you do not start that "told ya so" stuff that is so prevalent in the newsgroups.

> Fine. You now know that you were broken into. This extra evidence IS
> sufficient. So, the first thing is to unplug your machine from the
> net.

I shut it down. Afraid to run it now. I can unplug from the network, but a lot of things I do with samba and ssh. Is it possible to leave the machine on the local area network ONLY so that I can access it from the Windows machine and block internet to this one machine only? Setup: Cable Modem plugged directly into Linksys WRT54GL router, Linux PC Ethernet to router, Windows PC Ethernet to router, wireless from router to 2 other laptops in home. Possible to leave the Linux machine on the LAN and block it from the Internet?

> The second is to wipe the drive and reinstall the operating system,
> making sure you give yourself and all users strong passwords, and you
> change all ssh authorized hosts accounts. Then you restore all your
> old user files (eg home directory, or other programs you installed).
> Then search through for any suid programs, especially suid root
> programs. (eg I had one /tmp/bananas that was a suid root shell)
> find / -perm /6000

Way cool, this is the kind of help I need to hunt this stuff down.

> and check that each of those files should be suid or sgid. Especially
> files in /home, /tmp, /var almost certainly should not. If you find
> some get rid of them. Make sure you do NOT have a guest account on the
> system (many distros like to stuff one in just for fun. They think
> this is helpful. It never is. If you want someone to use your machine,
> give them their own account. Never use a joint account)
>
> Erase everything in everyone's .ssh subdirectory, and have them
> rebuild their ssh public keys, and their authorized_keys files.
> Only after that reconnect to the web.
>

Ugh, yes, I figured it would be this bad. This really bites because I have clients' websites on that machine; I use it with Dreamweaver through samba to produce and modify websites. The machine is a test server and uploads to godaddy when the customer is satisfied. Must save the public_html directory.

> Then when you have done all that finally reconnect to the web.

I am not putting it on the web, although I really need to put it on the LAN to move some items to the Windows machine. I do have two other hard drives in the machine for storage, a 400Gb and a 200Gb SATA drive. If nothing else, they can store important files and directories.

>> Somebody got in and got temporary root access. That is enough to make
>> anyone shut the bitch off. I posted here for help and while waiting
>> for the reply, the box is running browsers by itself, hitting all
>> sorts of account websites.
>
> There are many things which could get temporary root access. Some
> legitimate.

Yeah, but this was an outsider; it came from logwatch. I have never seen such a message in logwatch before.

>> I shut it all down via ssh to do a sudo halt. This is way too much, I
>> cannot put this online like this. I would like to investigate offline
>> though
>
> You MUST go offline. You cannot recover remotely.

I do not doubt it, been offline since seeing my browser "work itself".

>> As bad as this is, it is quite interesting. How did they do it?
>> Apache exploit? That has happened before with Fedora. What log files
>> can
>
> As root they can erase the log files that would tell you how they did
> it.

That bites.

> Do you actually run a web server? If not DO NOT RUN apache.
> Otherwise be very careful of your php etc files.

Yes, I use the machine with apache as a test server for websites, then access it with Dreamweaver on a Windows PC. Will have to check all php files for what, SUID? find / -perm /6000

>> I look at to check? Thank goodness to logwatch to make me get into
>> action and stop ignoring the hair on my arms sticking up. Oh man this
>> really bites the big one!
>
> Agreed.

For sure. Thank you unruh.

--
~Ohmster
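A scripted version of the setuid/setgid audit unruh describes above (find the files, then treat anything under /home, /tmp or /var as almost certainly illegitimate), added here as an example and not code from the thread or from either poster. It assumes a POSIX find and a root directory argument, which should be a compromised disk mounted read-only from a clean system rather than the live box; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: audit setuid/setgid files the way
# unruh describes. Pass the mount point of the suspect disk (or / on the
# offline machine) as the root; nothing from the suspect system is executed.

# Print every regular file under $1 with the setuid or setgid bit set.
# Same result as the thread's "find / -perm /6000", in POSIX find syntax.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Return 0 if path $2 lives under $1/home, $1/tmp or $1/var, where a
# setuid or setgid file is almost certainly not legitimate; 1 otherwise.
is_suspicious_location() {
    r=${1%/}                      # "/" becomes "", "/mnt/disk/" -> "/mnt/disk"
    case "$2" in
        "$r"/home/*|"$r"/tmp/*|"$r"/var/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per setuid/setgid file: "SUSPICIOUS <path>" for files in
# the locations above, "review <path>" for everything else. The review list
# still has to be checked by hand or against the package manager (rpm -Vf
# on Fedora) before any of it is trusted.
flag_suid_sgid() {
    root=${1:-/}
    [ "$root" = / ] || root=${root%/}   # avoid "//" in find output
    list_suid_sgid "$root" | while IFS= read -r f; do
        if is_suspicious_location "$root" "$f"; then
            printf 'SUSPICIOUS %s\n' "$f"
        else
            printf 'review %s\n' "$f"
        fi
    done
}

# Number of SUSPICIOUS entries the audit of $1 produces (0 prints "0").
count_suspicious() {
    flag_suid_sgid "$1" | grep -c '^SUSPICIOUS ' || true
}
```

Run as `flag_suid_sgid /mnt/suspect` from a clean machine with the compromised disk mounted read-only; anything reported as SUSPICIOUS matches the /home, /tmp, /var rule from the thread and should be preserved for the investigation before removal.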