Educause Security Discussion mailing list archives
Re: i think i'm hacked - is this the right place to ask ?
From: "Lentes, Bernd" <0000002c1fd0e2c2-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Thu, 17 Nov 2016 03:22:41 +0100
----- On Nov 17, 2016, at 2:55 AM, Adam Maynard AMaynard () CLARKU EDU wrote:
Not exactly. This is mostly Information sharing, collaboration, and advice for security professionals in Higher Education.
But any who... maybe I can assist anyway. Can you describe it some more? What are your symptoms? What have you done so far? Any clue of the cause?
…Now that I think about it, the better questions are:
Does your research institute not have anyone with information security knowledge?
Does your research institute have an incident response plan?
-Adam
Ok. I will try to describe it in more detail. It's an Ubuntu 16.06 system, kernel is 4.4.0-45-generic (most recent, including dirty-cow patch). We realized that sometimes access via ssh is possible, sometimes not. I tried with nmap, sometimes the port was closed, sometimes not (trying from different hosts)! We managed to establish several ssh connections, but some of them broke down, some not. The host should not be accessible from the internet (I trust our firewall admin ...).

What I found out until now: /etc/passwd and /etc/shadow were changed today, although no one created a user! We have now a user guest-gidnis:

guest-gidnis:x:999:999:Guest:/tmp/guest-gidnis:/bin/bash

Home directory in a tmp folder? I googled guest-gidnis, no match.

last says (ip addresses deleted for the root logins):

root     pts/8    Wed Nov 16 16:22   still logged in
root     pts/50   Wed Nov 16 15:20   still logged in
root     pts/49   Wed Nov 16 15:14   still logged in
guest-ic tty9  :2 Wed Nov 16 15:13 - 15:13  (00:00)
guest-gi tty8  :1 Wed Nov 16 14:17   gone - no logout
root     pts/25   Wed Nov 16 13:51 - 16:02  (02:11)
root     pts/23   Wed Nov 16 13:49 - 14:44  (00:55)
root     pts/21   Wed Nov 16 13:35 - 14:44  (01:09)

Tty8 and tty9? Sounds strange to me. I will provide you with further information.

To the others: my questions are not law related, and I try to avoid revealing sensitive information.

Thanks.

Bernd

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671
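The kind of /etc/passwd review Bernd does by hand above (an account nobody created, home directory under /tmp, UID in the system range with a login shell) can be scripted so it runs the same way on every host. This is an added example, not code from the thread; the sample passwd text is constructed and only the guest-gidnis line is taken from the post, and UID_MIN = 1000 is assumed from Ubuntu's default /etc/login.defs.

```python
# Constructed sample in /etc/passwd format; only the guest-gidnis line is from the post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
bernd:x:1000:1000:Bernd:/home/bernd:/bin/bash
guest-gidnis:x:999:999:Guest:/tmp/guest-gidnis:/bin/bash
"""

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh"}
TEMP_HOME_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
UID_MIN = 1000  # assumed: first regular-user UID on Ubuntu (/etc/login.defs)


def parse_passwd(text):
    """Parse passwd-format text into a list of dicts, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a valid 7-field passwd record
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Return {username: [reasons]} for accounts that deserve a closer look."""
    entries = parse_passwd(text)
    names_by_uid = {}
    for e in entries:
        names_by_uid.setdefault(e["uid"], []).append(e["name"])
    findings = {}
    for e in entries:
        reasons = []
        if e["home"].startswith(TEMP_HOME_PREFIXES):
            reasons.append("home directory under a world-writable temp path")
        if e["uid"] == 0 and e["name"] != "root":
            reasons.append("UID 0 account that is not root")
        if 0 < e["uid"] < UID_MIN and e["shell"] in INTERACTIVE_SHELLS:
            reasons.append("system-range UID with an interactive shell")
        others = [n for n in names_by_uid[e["uid"]] if n != e["name"]]
        if others:
            reasons.append("UID shared with " + ", ".join(others))
        if reasons:
            findings[e["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a real host, call audit_passwd(open("/etc/passwd").read()) and compare the output against a known-good copy of the file; a flagged entry is a lead to verify, not proof of compromise by itself.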