Re: Huge hidden process and port in Linux server

[John Forristel <jforristel () auctiva com>]

You could try looking for the key and renaming it.  Once that's done,
the program/script will error, putting an entry in /var/log/syslog or
/var/log/messages.  If this is an Ubuntu distro, you can also look at
/var/log/auth.log and see what or who is logging in.  Any decent
hacker is going to cover their tracks, so you may want to write a
little script that emails you everyone's .bash_history when it is
written to.

To find the public key:  find / -name *.pub

Put this into the .bash_logout in everyones home directory.  Because
the history is not really written to the .bash_history till AFTER the
user is completely logged out, you will have to tell the OS to append
to the .bash_history, and not wait till the end of the session:

# ~/.bash_logout
echo "Here is $LOGNAME $SUDO_USER history for the currnet session." >>
/tmp/.$LOGNAME.$SUDO_USER
echo "======================================================" >>
/tmp/.$LOGNAME.$SUDO_USER
echo;echo >> /tmp/.$LOGNAME.$SUDO_USER
echo "Machine: "$HOSTNAME >> /tmp/.$LOGNAME.$SUDO_USER
cat ~/.bash_history >> /tmp/.$LOGNAME.$SUDO_USER
echo "======================================================" >>
/tmp/.$LOGNAME.$SUDO_USER
mail -s "$LOGNAME - $SUDO_USER bash_history" funkel@xxxxxxxxxxx <
/tmp/.$LOGNAME.$SUDO_USER
mail -s "$LOGNAME - $SUDO_USER bash_history" wagon@xxxxxxxxxx<
/tmp/.$LOGNAME.$SUDO_USER
rm /tmp/.$LOGNAME.$SUDO_USER
echo > ~/.bash_history




=================================
John Forristel
Chief Security Officer
Auctiva Corporation
(530) 892-9191 X219



________________________________

This electronic mail message and any file sent with it are intended
solely for the named recipients and may contain confidential and
proprietary business information of Auctiva Corporation and its
affiliates. If you are not a named recipient, please notify the sender
immediately and delete the original message and all files sent with
it. You may not disclose the contents to any other person, use this
electronic mail message or its contents for any purpose or further
store or copy its contents in any medium. KCCO!




On Tue, Aug 20, 2013 at 7:34 AM, John Forristel <jforristel () auctiva com> wrote:
> You could try looking for the key and renaming it.  Once that's done, the
> program/script will error, putting an entry in /var/log/syslog or
> /var/log/messages.  If this is an Ubuntu distro, you can also look at
> /var/log/auth.log and see what or who is logging in.  Any decent hacker is
> going to cover their tracks, so you may want to write a little script that
> emails you everyone's .bash_history when it is written to.
>
> To find the public key:  find / -name *.pub
>
> Put this into the .bash_logout in everyones home directory.  Because the
> history is not really written to the .bash_history till AFTER the user is
> completely logged out, you will have to tell the OS to append to the
> .bash_history, and not wait till the end:
>
> # ~/.bash_logout
> echo "Here is $LOGNAME $SUDO_USER history for the currnet session." >>
> /tmp/.$LOGNAME.$SUDO_USER
> echo "======================================================" >>
> /tmp/.$LOGNAME.$SUDO_USER
> echo;echo >> /tmp/.$LOGNAME.$SUDO_USER
> echo "Machine: "$HOSTNAME >> /tmp/.$LOGNAME.$SUDO_USER
> cat ~/.bash_history >> /tmp/.$LOGNAME.$SUDO_USER
> echo "======================================================" >>
> /tmp/.$LOGNAME.$SUDO_USER
> mail -s "$LOGNAME - $SUDO_USER bash_history" funkel@xxxxxxxxxxx <
> /tmp/.$LOGNAME.$SUDO_USER
> mail -s "$LOGNAME - $SUDO_USER bash_history" wagon@xxxxxxxxxx<
> /tmp/.$LOGNAME.$SUDO_USER
> rm /tmp/.$LOGNAME.$SUDO_USER
> echo > ~/.bash_history
>
>
>
>
>
>
>
> =================================
> John Forristel
> Chief Security Officer
> Auctiva Corporation
> (530) 892-9191 X219
>
>
>
> ________________________________
>
> This electronic mail message and any file sent with it are intended solely
> for the named recipients and may contain confidential and proprietary
> business information of Auctiva Corporation and its affiliates. If you are
> not a named recipient, please notify the sender immediately and delete the
> original message and all files sent with it. You may not disclose the
> contents to any other person, use this electronic mail message or its
> contents for any purpose or further store or copy its contents in any
> medium. KCCO!
>
>
>
>
> On Tue, Aug 20, 2013 at 5:04 AM, J B <bakshi12 () gmail com> wrote:
> > Thanks a lot to all of you for your responses.
> > I have just rebooted my local box and 2 days after that,
> > it doesn't attempt any attempt to ssh the remote box.
> > After then it again has started to log into the remoet
> > box with the right users and with a pubkey. Actually I
> > loginto the remote box with pubkey and somehow the hidden
> > process learn that !!!
> >
> > I really don't know how to stop this :-(
> >
> >
> >
> > On Thu, 8 Aug 2013 09:46:41 +0800
> > "Tyler Chen (FairLine)" <tyler.chen () fairline com tw> wrote:
> >
> > > Maybe it's not a hidden process? Have you checked last logon records?
> > > Any
> > > unauthorized logon? See anything interesting with netstat -anop ?
> > >
> > > Best regards,
> > > Tyler
> > > 2013/8/7 下午6:56 於 "J B" <bakshi12 () gmail com> 寫道：
> > >
> > > > Hello list,
> > > >
> > > > I have got a problem that my server is continuously doing ssh attack
> > > > on a
> > > > remote server (which I also work
> > > > time to time). My local linux server is attacking the remote linux box
> > > > with the same remote user name
> > > > with pubkey. I also investigate the remote box and find same.
> > > >
> > > > I install rootkinhunter, chkrootkit and unhide in my local linux box.
> > > > Both rootkinhunter, chkrootkit provide a clean report but "unhide
> > > > brute"
> > > > has found a lots of Hidden process and unhide-tcp finds some hidden
> > > > port
> > > > time to time. Please suggest how can I investigate further to identify
> > > > the process causing the trouble and how to disinfect my box.
> > > >
> > > > Thanks
> > > >
> > > >
> > > > ------------------------------------------------------------------------
> > > > Securing Apache Web Server with thawte Digital Certificate
> > > > In this guide we examine the importance of Apache-SSL and who needs an
> > > > SSL
> > > > certificate.  We look at how SSL works, how it benefits your company
> > > > and
> > > > how your customers can tell if a site is secure. You will find out how
> > > > to
> > > > test, purchase, install and use a thawte Digital Certificate on your
> > > > Apache
> > > > web server. Throughout, best practices for set-up are highlighted to
> > > > help
> > > > you ensure efficient ongoing management of your encryption keys and
> > > > digital
> > > > certificates.
> > > >
> > > >
> > > >
> > > > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > > >
> > > > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and who needs an SSL
> > certificate.  We look at how SSL works, how it benefits your company and how
> > your customers can tell if a site is secure. You will find out how to test,
> > purchase, install and use a thawte Digital Certificate on your Apache web
> > server. Throughout, best practices for set-up are highlighted to help you
> > ensure efficient ongoing management of your encryption keys and digital
> > certificates.
> >
> >
> > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------