  1. #1
    Just Joined!
    Join Date
    Nov 2008
    Posts
    27

    I think I have been hacked, root password has been changed


    I turned on my Fedora 9 and was browsing through files when I saw an account by the name of SirLnX in my /home directory. My firewall is down, but it has been for a while. I also had a torrent running, so my IP could have been found. I can't change any system settings because the root password is different. Please help me, I have no idea what to do.

  2. #2
    Administrator MikeTbob's Avatar
    Join Date
    Apr 2006
    Location
    Texas
    Posts
    7,864
    If you are sure the root account has been violated, you need to disconnect from the Internet immediately and you might consider re-installing Fedora from scratch.
    I do not respond to private messages asking for Linux help, please keep it on the forums only.
    All new users please read this.** Forum FAQS. ** Adopt an unanswered post.

    I'd rather be lost at the lake than found at home.

  3. #3
    Just Joined!
    Join Date
    Nov 2008
    Posts
    27
    Are you sure? Is there any way to fix this?

  4. #4
    Administrator MikeTbob's Avatar
    Join Date
    Apr 2006
    Location
    Texas
    Posts
    7,864
    No, I am not sure, that's why I said
    "If you are sure the root account has been violated"
    Sure you can probably fix it, but will you ever trust the machine again? Next time something acts up, will you still think you didn't fix it correctly? I would never trust this machine until I did a complete format/re-install.

  5. #5
    Just Joined!
    Join Date
    Nov 2008
    Posts
    27
    I guess you are right. I have a lot of things to back up.

  6. #6
    Linux Engineer GNU-Fan's Avatar
    Join Date
    Mar 2008
    Posts
    935
    This is enough evidence that your machine has been compromised.

    You have no other reasonable choice than to set the system up again from scratch.
    This should include the boot block, because the MBR was writeable to the offender too.

    You should not trust any of the binaries nor any configuration files from the old system.

    However, before you wipe it out, try to find out (offline!) how the intruder came in, so you can learn from it and won't repeat the same mistake. The logfiles and file dates will help you with that.
    Debian GNU/Linux -- You know you want it.

  7. #7
    Linux Enthusiast meton_magis's Avatar
    Join Date
    Oct 2006
    Location
    arizona
    Posts
    699
    Also, unless you have a specific reason to have it running, disable ssh, as that is most likely how the intruder got in (especially if your root PW is not very strong, a brute force attack can do you in easily).

    If you DO need it open, then I would suggest you disable root login via ssh, and disable password authentication in favor of a keypair. This is not as convenient, as you need to have a copy of your private key any time you want to login, but it reduces the chance of an intrusion via ssh to a VERY minimal chance (unless they obtain your key somehow, it is pretty much impossible).

    Changing the port it runs on will help too, but not nearly as much as the methods described below; it will just save you from the most useless of script kiddies.
    New to the internet, technical forums, or the hacker / open source community?
    Read this to learn good posting habits http://www.catb.org/~esr/faqs/smart-questions.html

    RHCE for RHEL version 5
    RHCT for RHEL version 4
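The sshd settings recommended in the post above can be checked mechanically, which is useful when reviewing the old system's /etc/ssh/sshd_config from a mounted disk before wiping it. The following is an added example, not code from the thread or from OpenSSH; it audits a constructed sample config (the file path and sample values are invented for the demo) for root login, password authentication and pubkey authentication, treating a non-default port as informational only.

```shell
#!/bin/sh
# Added example: audit an sshd_config copy for the hardening the post recommends.
# Runs against any file path, so it can be pointed at an offline, mounted disk.

# Constructed sample config with the weak settings the thread warns about.
SAMPLE_CFG="$(mktemp)"
cat >"$SAMPLE_CFG" <<'EOF'
# constructed sshd_config for the demo (commented keys keep their defaults)
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# sshd_setting FILE KEYWORD DEFAULT: print the effective value of KEYWORD.
# sshd honours the first uncommented occurrence of a keyword, so we stop there;
# if the keyword never appears, DEFAULT (the daemon's built-in value) is printed.
sshd_setting() {
    val=$(awk -v k="$2" \
        '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# audit_sshd FILE: print one OK/WEAK line per check; return 1 if anything is weak.
audit_sshd() {
    f="$1"; rc=0
    root=$(sshd_setting "$f" PermitRootLogin yes)        # OpenSSH default: yes
    pass=$(sshd_setting "$f" PasswordAuthentication yes) # OpenSSH default: yes
    pub=$(sshd_setting "$f" PubkeyAuthentication yes)    # OpenSSH default: yes
    port=$(sshd_setting "$f" Port 22)
    case "$root" in
        no) echo "OK   PermitRootLogin $root" ;;
        *)  echo "WEAK PermitRootLogin $root (root should not log in over ssh)"; rc=1 ;;
    esac
    case "$pass" in
        no) echo "OK   PasswordAuthentication $pass" ;;
        *)  echo "WEAK PasswordAuthentication $pass (brute force target; use keys)"; rc=1 ;;
    esac
    case "$pub" in
        yes) echo "OK   PubkeyAuthentication $pub" ;;
        *)   echo "WEAK PubkeyAuthentication $pub (keypair login is disabled)"; rc=1 ;;
    esac
    # A changed port only deters casual scanners, so it never fails the audit.
    [ "$port" = 22 ] && echo "INFO Port 22 (default; moving it only hides from lazy scans)"
    return $rc
}

audit_sshd "$SAMPLE_CFG" || echo "RESULT: sample config needs hardening before reuse"
```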

  8. #8
    Linux Guru Lakshmipathi's Avatar
    Join Date
    Sep 2006
    Location
    3rd rock from sun - Often seen near moon
    Posts
    1,737
    My suggestions are: disconnect from the internet, disable ssh services and change your root password. And then re-connect to the net.
    First they ignore you, then they laugh at you, then they fight with you, then you win. - M.K. Gandhi
    -----
    FOSS India Award winning ext3fs Undelete tool www.giis.co.in. Online Linux Terminal http://www.webminal.org
