Security Basics mailing list archives
Re: Huge hidden process and port in Linux server
From: Ali Kapucu <alikapucu () gmail com>
Date: Wed, 21 Aug 2013 07:47:28 -0400
Try to install ossec. Sent from my iPhone, but not while driving because that's illegal under ORC 4511.204! On Aug 20, 2013, at 10:36 AM, John Forristel <jforristel () auctiva com> wrote:
You could try looking for the key and renaming it. Once that's done, the program/script will error, putting an entry in /var/log/syslog or /var/log/messages. If this is an Ubuntu distro, you can also look at /var/log/auth.log and see what or who is logging in. Any decent hacker is going to cover their tracks, so you may want to write a little script that emails you everyone's .bash_history when it is written to. To find the public key: find / -name *.pub Put this into the .bash_logout in everyones home directory. Because the history is not really written to the .bash_history till AFTER the user is completely logged out, you will have to tell the OS to append to the .bash_history, and not wait till the end of the session: # ~/.bash_logout echo "Here is $LOGNAME $SUDO_USER history for the currnet session." >> /tmp/.$LOGNAME.$SUDO_USER echo "======================================================" >> /tmp/.$LOGNAME.$SUDO_USER echo;echo >> /tmp/.$LOGNAME.$SUDO_USER echo "Machine: "$HOSTNAME >> /tmp/.$LOGNAME.$SUDO_USER cat ~/.bash_history >> /tmp/.$LOGNAME.$SUDO_USER echo "======================================================" >> /tmp/.$LOGNAME.$SUDO_USER mail -s "$LOGNAME - $SUDO_USER bash_history" funkel@xxxxxxxxxxx < /tmp/.$LOGNAME.$SUDO_USER mail -s "$LOGNAME - $SUDO_USER bash_history" wagon@xxxxxxxxxx< /tmp/.$LOGNAME.$SUDO_USER rm /tmp/.$LOGNAME.$SUDO_USER echo > ~/.bash_history ================================= John Forristel Chief Security Officer Auctiva Corporation (530) 892-9191 X219 ________________________________ This electronic mail message and any file sent with it are intended solely for the named recipients and may contain confidential and proprietary business information of Auctiva Corporation and its affiliates. If you are not a named recipient, please notify the sender immediately and delete the original message and all files sent with it. You may not disclose the contents to any other person, use this electronic mail message or its contents for any purpose or further store or copy its contents in any medium. KCCO! On Tue, Aug 20, 2013 at 7:34 AM, John Forristel <jforristel () auctiva com> wrote:You could try looking for the key and renaming it. Once that's done, the program/script will error, putting an entry in /var/log/syslog or /var/log/messages. If this is an Ubuntu distro, you can also look at /var/log/auth.log and see what or who is logging in. Any decent hacker is going to cover their tracks, so you may want to write a little script that emails you everyone's .bash_history when it is written to. To find the public key: find / -name *.pub Put this into the .bash_logout in everyones home directory. Because the history is not really written to the .bash_history till AFTER the user is completely logged out, you will have to tell the OS to append to the .bash_history, and not wait till the end: # ~/.bash_logout echo "Here is $LOGNAME $SUDO_USER history for the currnet session." >> /tmp/.$LOGNAME.$SUDO_USER echo "======================================================" >> /tmp/.$LOGNAME.$SUDO_USER echo;echo >> /tmp/.$LOGNAME.$SUDO_USER echo "Machine: "$HOSTNAME >> /tmp/.$LOGNAME.$SUDO_USER cat ~/.bash_history >> /tmp/.$LOGNAME.$SUDO_USER echo "======================================================" >> /tmp/.$LOGNAME.$SUDO_USER mail -s "$LOGNAME - $SUDO_USER bash_history" funkel@xxxxxxxxxxx < /tmp/.$LOGNAME.$SUDO_USER mail -s "$LOGNAME - $SUDO_USER bash_history" wagon@xxxxxxxxxx< /tmp/.$LOGNAME.$SUDO_USER rm /tmp/.$LOGNAME.$SUDO_USER echo > ~/.bash_history ================================= John Forristel Chief Security Officer Auctiva Corporation (530) 892-9191 X219 ________________________________ This electronic mail message and any file sent with it are intended solely for the named recipients and may contain confidential and proprietary business information of Auctiva Corporation and its affiliates. If you are not a named recipient, please notify the sender immediately and delete the original message and all files sent with it. You may not disclose the contents to any other person, use this electronic mail message or its contents for any purpose or further store or copy its contents in any medium. KCCO! On Tue, Aug 20, 2013 at 5:04 AM, J B <bakshi12 () gmail com> wrote:Thanks a lot to all of you for your responses. I have just rebooted my local box and 2 days after that, it doesn't attempt any attempt to ssh the remote box. After then it again has started to log into the remoet box with the right users and with a pubkey. Actually I loginto the remote box with pubkey and somehow the hidden process learn that !!! I really don't know how to stop this :-( On Thu, 8 Aug 2013 09:46:41 +0800 "Tyler Chen (FairLine)" <tyler.chen () fairline com tw> wrote:Maybe it's not a hidden process? Have you checked last logon records? Any unauthorized logon? See anything interesting with netstat -anop ? Best regards, Tyler 2013/8/7 下午6:56 於 "J B" <bakshi12 () gmail com> 寫道:Hello list, I have got a problem that my server is continuously doing ssh attack on a remote server (which I also work time to time). My local linux server is attacking the remote linux box with the same remote user name with pubkey. I also investigate the remote box and find same. I install rootkinhunter, chkrootkit and unhide in my local linux box. Both rootkinhunter, chkrootkit provide a clean report but "unhide brute" has found a lots of Hidden process and unhide-tcp finds some hidden port time to time. Please suggest how can I investigate further to identify the process causing the trouble and how to disinfect my box. Thanks ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Huge hidden process and port in Linux server J B (Aug 07)
- Re: Huge hidden process and port in Linux server Raistlin Majere (Aug 07)
- Message not available
- Re: Huge hidden process and port in Linux server J B (Aug 20)
- Re: Huge hidden process and port in Linux server Ian McBeth (Aug 20)
- Message not available
- Re: Huge hidden process and port in Linux server John Forristel (Aug 20)
- Re: Huge hidden process and port in Linux server Ali Kapucu (Aug 21)
- Re: Huge hidden process and port in Linux server J B (Aug 20)