| Newsgroups | comp.os.linux.security |
|---|---|
| Subject | Re: Security breach? |
| From | Ohmster <root@dev.nul> |
| References | (2 earlier) <i1OHs.32904$3S5.11697@newsfe18.iad> <XnsA1452A741B196MyBigKitty@216.196.97.131> <slrnkevu1b.sfk.BitTwister@wb.home.test> <XnsA145ABD95DD64MyBigKitty@216.196.97.131> <kcq2bm$m9a$1@dont-email.me> |
| Organization | Ohm's Fish Market |
| Message-ID | <XnsA145B38C596CCMyBigKitty@216.196.97.131> (permalink) |
| Date | 2013-01-11 16:39 -0600 |
Aragorn <stryder@telenet.be.invalid> wrote in news:kcq2bm$m9a$1@dont-email.me:

> On Friday 11 January 2013 22:53, Ohmster conveyed the following to
> comp.os.linux.security...
>
>> Bit Twister <BitTwister@mouse-potato.com> wrote in
>> news:slrnkevu1b.sfk.BitTwister@wb.home.test:
>>
>>> So you're telling us you have been cracked for a few days. :-(
>>
>> Well yeah, although I did not know it for sure until now. I woke up a
>> few days ago, found my Linux machine on, Firefox opened to craigslist,
>> and an ad for an SUV posted that was chock full of spam words was
>> posted. Made no sense so I did nothing. Next day got an email from
>> craigslist telling me "my ad" violated TOS and would be cancelled.
>
> Although I'm not saying that it's impossible, a remote break-in into
> your machine typically will not fire up Firefox and have it bring up a
> site and submit correct data to forms at that particular website.
>
> It would be technically hard to achieve and would yield them nothing,
> since any purchases et al were supposed to be done by you, and thus
> billed to you and shipped to you. Plus that they'd probably more likely
> use a non-X11-specific web browser for automated web visits, such as
> (e)lynx or links.
>
> From what it looks like to me, it is more likely that someone has broken
> into your house and physically sat at your computer for a while, posting
> that junk to that website. That, or you've got some nasty kids in your
> household, or you were very, very drunk one night. ;-)

Agreed. This is exactly what I thought too. Why use an X browser when elinks is available to make a scam purchase? I would not concoct such a wild story because I would not believe it myself. This type of root hack would require a virtual desktop; how else could one operate a web browser on my own machine and desktop? Let me check this. Oh, I do have remote desktop enabled. It can be accessed by my outside IP address or my domain name. :(

The Story: Woke up and found Firefox open to craigslist, to which an ad was posted on my account for an SUV vehicle, with over 100 spam words in the ad. Ordinarily, the Linux box would have the monitor shut off, so finding it on was a mystery, especially with the browser open and an online ad posted from this machine. Did not pay much attention to it since it made no sense and closed the browser. Next day, checked email and found an email from craigslist, advising me that "my ad" was deleted for violation of the TOS. ...strange.

Next day, woke to find Firefox open on the CentOS machine, opened to ebay, where $279 of silver coins were purchased on my account. Very unsettling; still closed the browser and had other stuff to do. Next day got an email from ebay, confirming my purchase and advising me to pay for it. Sent email to seller advising to cancel the transaction as I did not make the purchase. Still did not put 2 and 2 together and thought that someone had stolen my password on ebay; changed password.

All this is very unsettling, so that night I stayed up and wrote to comp.os.linux.security. At 3 AM, I saw a light go on next to me; the CentOS machine woke the monitor and this time, Chrome browser was open and the dropdown box was being accessed on some sort of cash website. Shut it down immediately and wrote to the security newsgroup for advice.

Now that you mention this is so improbable, and it seems to be, I checked the gnome GUI for remote desktop: it is enabled. Anyone with the root or my password could now access and use my machine from anywhere on the globe since it is in the DMZ of the router. That is it, I think the hacker is using remote desktop; how else could one manipulate a desktop browser and do what they like? I wonder if there are logs for remote desktop. I have the machine running now, Ethernet unplugged, to investigate. Really would like to put this machine on the LAN only to use my Windows box to probe further.

Nobody in my house could do this. I have one roommate, know him very well, and he is not computer literate. Known this for a very long time, and this does not explain the browser opening by itself and working while I sat beside it. Not drunk, but I can see how you would think so. This is a whopper for me, man. I am going to run the find command from unruh now to see what files were compromised. Thanks buddy.

-- 
~Ohmster
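The two checks the post arrives at (is GNOME remote desktop listening on an interface the DMZ exposes, and which files changed recently) as an added triage script; this is not from the thread and assumes `netstat -ltn` output in the usual Linux column layout and VNC on TCP 5900-5909 (the default for vino and other VNC servers).

```shell
#!/bin/sh
# Added example, not code from the newsgroup thread. Assumes GNU/BSD
# netstat column layout: Proto Recv-Q Send-Q Local Foreign State.

# Reads `netstat -ltn` output on stdin and prints one line per TCP
# listener on a VNC port (5900-5909) that is bound to every interface
# (0.0.0.0 or ::), i.e. reachable from wherever the router forwards.
# Output format: "<addr>:<port> exposed-vnc"
flag_vnc_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # $4 is addr:port; IPv6 wildcard shows up as ":::5900"
            n = split($4, parts, ":")
            port = parts[n] + 0
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (port >= 5900 && port <= 5909 && (addr == "0.0.0.0" || addr == "::"))
                printf "%s:%s exposed-vnc\n", addr, port
        }'
}

# Lists regular files under ROOT (default /) modified within the last
# DAYS days (default 7), staying on one filesystem and skipping the
# pseudo-filesystems that only add noise. It narrows the search; compare
# the result against package metadata (rpm -Va) before drawing conclusions.
recently_modified() {
    root=${1:-/}
    days=${2:-7}
    find "$root" -xdev \( -path /proc -o -path /sys -o -path /dev \) -prune \
        -o -type f -mtime -"$days" -print 2>/dev/null
}

# Live run only when asked for explicitly, so sourcing the file is safe.
if [ "${1:-}" = "--live" ]; then
    echo "== VNC listeners bound to all interfaces =="
    netstat -ltn | flag_vnc_listeners
    echo "== Files modified in the last ${2:-7} days =="
    recently_modified / "${2:-7}"
fi
```

Run it with `sh triage.sh --live 7` on the unplugged box; an empty first section means no wildcard-bound VNC listener is up right now, not that none was up earlier.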