Re: Got hacked?

Author: Darrin Chandler
Date:  
To: Main PLUG discussion list
Subject: Re: Got hacked?
On Thu, Feb 22, 2007 at 09:15:27PM -0700, Jim wrote:
> Last night I came home from work and sat down at the computer. I
> noticed the lights on the DSL router were blinking very rapidly. I have
> an ftp server running on my linux box (Slackware 10.2). So I thought
> someone might have been uploading something.
>
> Ftpwho showed no users logged in. I checked the incoming directory and
> saw nothing there.
>
> Tcpdump showed me that they were sending something using ssh.
>
> I used find to look for anything they might have been uploading, but
> found nothing.
>
> /var/log/syslog contained the following over and over for about 4 hours
> before I got home
>
> Feb 22 20:43:56 ladmo smbd[6375]: [2007/02/22 20:43:56, 0]
> printing/print_cups.c:cups_cache_reload(85)
> Feb 22 20:43:56 ladmo smbd[6375]: Unable to connect to CUPS server
> localhost - Connection refused
>
> Then I found in /var/log/syslog this over and over
>
> Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow
> information for NOUSER
>
> I stopped sshd and edited /etc/sshd_config by adding the following:
> AllowUsers root jim
> AllowGroups root
>
> To test the change, I tried to log into the server via ssh and using
> another account. It wouldn't let me log in using that other account via
> ssh.
>
> I also tried
> find / -mmin 1200 -size +100k
> and without the size option, but found nothing from the time this was
> going on.
>
> After all this I tried to send an email, but sendmail wasn't working. I
> backed up my sendmail config files, uninstalled sendmail, reinstalled it
> and restored the config files. Sendmail worked after that.
>
> Is there anything else I should do?
Look for root kits. Reinstall?

Stop all services that you don't actively use. For the remainder,
consider restricting them to your local network (CUPS, etc).

If you have a home network, consider plugging your DSL modem directly
into one PC and using that as a firewall machine. Yes, you can also use
it as a desktop if you need.

Is there a compelling reason you need password authentication for ssh?
It's very easy to generate public keys and use those. You can even keep
one on a thumb drive to use if you have to. Then turn OFF password
authentication (PasswordAuthentication no) in your sshd_config.

-- 
Darrin Chandler                   |  Phoenix BSD Users Group
http://www.stilyagin.com/darrin/  |  http://bsd.phoenix.az.us/
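As an added example (not code from the thread or from either poster), a small Python detector for the pattern Jim quoted: it parses syslog lines in the layout shown above, ignores the smbd/CUPS noise, and flags one-minute windows containing a burst of sshd "Could not get shadow information for NOUSER" errors. The log lines in it are constructed from that layout; the host name, PIDs and timestamps are sample values.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the syslog layout quoted in the thread (host "ladmo"): smbd CUPS noise
# interleaved with sshd "Could not get shadow information for NOUSER" errors, which OpenSSH logs
# when someone tries to log in as an account that does not exist.
SAMPLE_SYSLOG = """\
Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow information for NOUSER
Feb 21 22:11:16 ladmo sshd[26257]: error: Could not get shadow information for NOUSER
Feb 21 22:11:19 ladmo sshd[26259]: error: Could not get shadow information for NOUSER
Feb 21 22:11:21 ladmo sshd[26261]: error: Could not get shadow information for NOUSER
Feb 21 22:11:24 ladmo sshd[26263]: error: Could not get shadow information for NOUSER
Feb 22 20:43:56 ladmo smbd[6375]: [2007/02/22 20:43:56, 0] printing/print_cups.c:cups_cache_reload(85)
Feb 22 20:43:56 ladmo smbd[6375]: Unable to connect to CUPS server localhost - Connection refused
Feb 22 21:05:02 ladmo sshd[27001]: error: Could not get shadow information for NOUSER
"""

# "Mon DD HH:MM:SS host prog[pid]: message"; classic syslog lines carry no year.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
NOUSER_MSG = "Could not get shadow information for NOUSER"

def parse_syslog(text, year=2007):
    """Return (timestamp, program, message) tuples, skipping lines that do not match the layout."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            records.append((ts, m["prog"], m["msg"]))
    return records

def count_unknown_user_attempts(text, window_minutes=1):
    """Count sshd unknown-user errors per fixed window; keys are window-start datetimes."""
    counts = Counter()
    for ts, prog, msg in parse_syslog(text):
        if prog == "sshd" and NOUSER_MSG in msg:
            start = ts.replace(second=0) - timedelta(minutes=ts.minute % window_minutes)
            counts[start] += 1
    return counts

def flag_bursts(text, window_minutes=1, threshold=5):
    """Windows whose unknown-user error count reaches the threshold: likely password guessing."""
    counts = count_unknown_user_attempts(text, window_minutes)
    return sorted((start, n) for start, n in counts.items() if n >= threshold)
```

Feeding the real /var/log/syslog through flag_bursts shows whether the guessing was a single long run or several waves, which is the first thing to know before deciding on the reinstall Darrin mentions.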
---------------------------------------------------
PLUG-discuss mailing list - 
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss