  1. #21
    Administrator jayd512's Avatar
    Join Date
    Feb 2008
    Location
    Kentucky
    Posts
    5,023

    No need to contact an ISP for most of those: arin or whois will reveal a bunch.

    And if you have two logins that are both yours... no sweat. I do too!!
    Jay

    New users, read this first.
    New Member FAQ
    Registered Linux User #463940
    I do not respond to private messages asking for Linux help. Please keep it on the public boards.

  2. #22
    Linux Guru jmadero's Avatar
    Join Date
    Jul 2007
    Location
    California
    Posts
    1,998
    Thanks to both of you.....this ruined my bloody day. Looks like I can't really track them down since I've formatted and reinstalled. I'm still uploading at 50 bytes a second but I think that's normal if I'm online. Changing passwords now....probably will forget them 100 times in the process
    Bodhi 1.3 & Bodhi 1.4 using E17
    Dell Studio 17, Intel Graphics card, 4 gigs of RAM, E17

    "The beauty in life can only be found by moving past the materialism which defines human nature and into the higher realm of thought and knowledge"

  3. #23
    Administrator jayd512's Avatar
    Join Date
    Feb 2008
    Location
    Kentucky
    Posts
    5,023
    Good luck with it, bro.
    If you haven't already, look into enabling router logs.
    You'll be able to see incoming as well as outgoing connections.

    Contacting an ISP simply won't help, though... You mention Linux and it's over... trust me
    Jay

    New users, read this first.
    New Member FAQ
    Registered Linux User #463940
    I do not respond to private messages asking for Linux help. Please keep it on the public boards.

  5. #24
    Administrator MikeTbob's Avatar
    Join Date
    Apr 2006
    Location
    Texas
    Posts
    7,864
    Quote Originally Posted by jayd512 View Post
    Good luck with it, bro.
    If you haven't already, look into enabling router logs.
    You'll be able to see incoming as well as outgoing connections.

    Contacting an ISP simply won't help, though... You mention Linux and it's over... trust me
    As sure as the Sun is bright! I think they actually want to hang up on you when you mention Linux to your ISP.
    Sorry about your troubles man... just keep a good eye on things for the next few days.
    I do not respond to private messages asking for Linux help. Please keep it on the forums only.
    All new users please read this.** Forum FAQS. ** Adopt an unanswered post.

    I'd rather be lost at the lake than found at home.

  6. #25
    Linux Guru jmadero's Avatar
    Join Date
    Jul 2007
    Location
    California
    Posts
    1,998
    Thanks again, so far it's been okay. I would assume I was probably just acting as a bot and that no one would be interested enough to try to clone my drive. I figure 98% of my drive is things I wouldn't even mind someone taking, so if they got 10% of my drive copied most likely it's nothing that would bother me. But, already I've forgotten my changed bank account password.....

    Maybe if I can trace it back I could put up a reward for someone in the forums.....just kidding, I know the rules
    Bodhi 1.3 & Bodhi 1.4 using E17
    Dell Studio 17, Intel Graphics card, 4 gigs of RAM, E17

    "The beauty in life can only be found by moving past the materialism which defines human nature and into the higher realm of thought and knowledge"

  7. #26
    Just Joined! apot's Avatar
    Join Date
    Sep 2010
    Posts
    6
    On Monday I was in the same situation as you. I was looking all over my server to find what was wrong.

    I could see all the activity happening because I had Munin installed and this allowed me to see on graphs all the eth connection activity and the CPU activity and many other things.

    I was about to give up and format everything when I found the file. I found it at 4am because I saw activity and ran the command ps -aux and saw an apache process running a file start.py. I searched for that file and found it in a folder on the web. An hour later there were entries in apache2/access.log that someone had removed a .gz file from the same folder with Wget. I assumed that was the same person running the script. This led me to notice that for some reason this folder had permissions 777 and the folders were ones created by Dreamweaver. I guess I had mistakenly done this to allow someone to upload something from Dreamweaver. Maybe they had gotten the files on there with Wput?????

    They are not 777 now!

    Just my story that might give you some suggestions for the next time this happens. Taught me some new things.
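The two things apot found by hand (a world-writable folder under the web root, and a fresh script sitting in it) can be checked with a short script. This is an added example written for this thread, not apot's own commands; the web root path, the `uploads` folder and the `start.py` file in the sample tree are constructed stand-ins, and the functions take the directory to scan as their first argument so they can be pointed at a real document root instead.

```sh
#!/bin/sh
# Added example (not from the thread): find world-writable directories and
# recently changed files under a web root, and strip the world-write bit.
# Every function takes the directory to scan as $1 (e.g. /var/www, assumed).

# Directories under $1 whose mode includes o+w (777, 757, ...).
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Regular files under $1 modified in the last $2 minutes: a script that
# appeared in a web-exposed folder overnight is exactly what this surfaces.
find_recent_files() {
    find "$1" -type f -mmin "-$2" 2>/dev/null | sort
}

# Remove world-write from every directory found and print each path changed.
fix_world_writable_dirs() {
    find_world_writable_dirs "$1" | while IFS= read -r d; do
        chmod o-w "$d" && printf '%s\n' "$d"
    done
}

# Constructed sample tree (hypothetical paths): one properly locked-down
# folder and one left at 777, like the Dreamweaver folder in the story.
# Prints the temporary root so callers can scan and then remove it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/ok" "$root/htdocs/uploads"
    chmod 755 "$root/htdocs" "$root/htdocs/ok"
    chmod 777 "$root/htdocs/uploads"
    printf 'import os\n' > "$root/htdocs/uploads/start.py"
    printf '%s\n' "$root"
}

# Demo against the constructed tree: sh thisfile.sh --demo
case "${1:-}" in
  --demo)
    root=$(make_sample_tree)
    echo "World-writable directories:"; find_world_writable_dirs "$root/htdocs"
    echo "Files changed in the last 10 minutes:"; find_recent_files "$root/htdocs" 10
    echo "Fixed:"; fix_world_writable_dirs "$root/htdocs"
    rm -rf "$root"
    ;;
esac
```

On a real system run the two `find_*` functions first and read the output before calling `fix_world_writable_dirs`; tightening permissions stops the upload path but, as hans51 notes further down, it does not by itself explain how the file got there.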

  8. #27
    Linux Guru jmadero's Avatar
    Join Date
    Jul 2007
    Location
    California
    Posts
    1,998
    Thanks for the info apot. I expect this never to happen again so hopefully I never have to actually use the info you provided. I've been using linux for nearly a decade and this is the first time I've had any issue at all.

    I am pretty sure I know the answer to this already but when browsing you always have a small upload speed right (<100 bytes), these are just normal pings and what not?
    Bodhi 1.3 & Bodhi 1.4 using E17
    Dell Studio 17, Intel Graphics card, 4 gigs of RAM, E17

    "The beauty in life can only be found by moving past the materialism which defines human nature and into the higher realm of thought and knowledge"

  9. #28
    Just Joined! apot's Avatar
    Join Date
    Sep 2010
    Posts
    6
    Yes.
    There should be pings and ARP 'who has' requests from computers on your network.

  10. #29
    Just Joined!
    Join Date
    Aug 2009
    Posts
    83
    Quote Originally Posted by jmadero View Post
    I ended up downgrading from 11.04 to 10.10. I'm not seeing the issue any more. What would be the result of a rootkit issue?
    After re-installing an OS, and without "evidence" of saved utmp, wtmp, user shell history, system and daemon logs, asking any such questions no longer makes sense. Next time it is best to investigate the system before (what might be perceived as) overreacting.


    Quote Originally Posted by MikeTbob View Post
    I agree with Jayd, run RKHunter after installing and updating it.
    Installing SW after a breach makes less sense, and the same would go for any related tool like Chkrootkit or OSSEC HIDS or any integrity checker like Samhain, Aide or even tripwire, than it would *before*: pristine systems and all that. In case of a (perceived) breach of security a suggested way to run tools on a SOHO machine one has access to would be to boot a Live CD and run tools from there.


    Quote Originally Posted by MikeTbob View Post
    Check netstat output for anything foreign. (..) Use the who command to see if anyone is logged in (..) Check your logs in /var/log
    Doing that indeed would have made more sense.


    Quote Originally Posted by MikeTbob View Post
    Here is a good starting point.
    You realize the LASG is a document last updated 2002-ish, right?


    * To end with a positive and constructive note: maybe the OP should be given simple pointers on how to check he runs Linux in a secure way, stay abreast of problems by scanning the system and reading logs? I'm sure that apart from Bastille-Linux, GNU/Tiger, OpenVAS, Logwatch there is distribution-specific SW to mention...

  11. #30
    Linux Newbie hans51's Avatar
    Join Date
    May 2011
    Posts
    136
    While it was a long while ago, and you downgraded to avoid the problem without actually having solved the security breach,
    some day you will upgrade just for the sake of progress,
    and then at the latest you need to know your original cause and fix it at its very roots. Many years ago, before having my own servers, I had a few sec breaches without first knowing much about it. A notice by the host resulted in deletion of suspicious files and I had peace for many months. The host never noticed the incident at the beginning, but MUCH later, as I finally found out when it happened the xth time and I wanted to dig to the root cause.
    It took me some 3 full weeks of almost day and night work until I found the 1 single precise point of entry and how to solve that permanently without reinstalling or reformatting, just by fixing the problem and then securing the system. In my case it was a piece of commercial SW that had an admin backdoor built in!
    My research finally showed that 2 times the sec breach was discovered by the host, but many more breaches had occurred and were never discovered. My site was repeatedly and successfully abused as a phishing site. Other users of the same SW (I searched online for other installs and contacted the webmasters of those sites to help discover and solve their issues) found chat rooms and phishing sites etc. installed and used multiple times ...

    many years back my knowledge was less than now, yet the system to find was simple.

    look in access_log, errors_log, messages and warn logs
    find the one file it all started with on your system, then search all logs for the first occurrence of that file in any of your logs, then look manually at the precise lines before and after
    isolate such cases
    add them up until it makes sense to you and you mentally understand what is going on

    in your particular case - your security breach may reoccur as soon as you upgrade to ANY higher version. Maybe some day you HAVE to, for the simple reason of needing a particular future release for SW or HW support or a feature.

    rkhunter should be installed on a virgin install right at the very beginning of a clean fresh install from your trusted dist.

    since you mentioned it started whenever you connected wlan

    the network monitoring tool ntop
    allows for monitoring remote to local traffic or local to remote with IPs to show you who communicates with you or vv in a graphical way easier to recognize than looking at logs (the detail forensics then are made on logs)

    a verification of local folders at / level to see where bytes are added if you compare total volume every xx minutes or so may help if data are added to your drive

    live monitoring ALL your log files using
    tail -f /path/to_your_log/file

    top
    to verify what processes are active without making sense to you may help sometimes

    your root or user password may be secure
    the weakest point is SW packages installed, especially non-default packages that come from 3rd parties OR commercial packages purchased for your job specific tasks

    if you install any non-default packages (one NOT from your dist default)
    make a Google search for:

    your_software_or_package-name security

    to see if there are any security issues known for your particular software or software version or package version. best you do this before making a decision for or against a particular SW.

    you may also make a security Google search for particular HW such as wlan routers / to show firmware bugs, etc

    finally
    just plugging your hole with a strict permission setting is no real solution, it still leaves the security hole as such. best is to find, permanently fix or replace (and note) the faulty SW. then when all secure, you may continue with strict permission as well as IDS on your server such as snort and/or mod_security or other.

    if you just leave it as is after your downgrade, one day you may step into the very same trap again. if you search until you find, then you are one step smarter and stronger for all future.
    in my a.m. security breach case, it took some 300 hrs of work to find, fix and share result and solution with other victims.
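hans51's four-step procedure (find the file it started with, locate its first occurrence in every log, then read the lines before and after) is mechanical enough to script. The following is an added example for this thread, not hans51's own tooling; the two sample logs it builds (an Apache-style access_log and error_log mentioning a hypothetical `/uploads/start.py`, with addresses from the 192.0.2.0/24 documentation range) are constructed so the functions can be tried offline, and the same functions can be pointed at /var/log or /var/log/apache2 instead.

```sh
#!/bin/sh
# Added example (not from the thread): first-occurrence log triage.
# Usage: first_hits_in_dir <fixed-string> <logdir>; show_context <file> <line> <n>

# Earliest line in file $2 containing fixed string $1, printed as "line:text".
# Exit status is grep's, so callers can test whether there was a hit at all.
first_hit() {
    grep -n -m 1 -F -- "$1" "$2" 2>/dev/null
}

# Just the line number of that earliest hit (empty if never mentioned).
first_line_number() {
    first_hit "$1" "$2" | cut -d: -f1
}

# Earliest hit for $1 in every regular file under $2, as "file:line:text".
# Walking every log, not only access_log, is what turns one clue into a timeline.
first_hits_in_dir() {
    find "$2" -type f | sort | while IFS= read -r f; do
        hit=$(first_hit "$1" "$f") && printf '%s:%s\n' "$f" "$hit"
    done
}

# Lines $2-$3 .. $2+$3 of file $1, numbered, with the hit line marked ">".
show_context() {
    start=$(( $2 - $3 )); [ "$start" -lt 1 ] && start=1
    end=$(( $2 + $3 ))
    awk -v s="$start" -v e="$end" -v hit="$2" \
        'NR>=s && NR<=e { printf "%s%5d: %s\n", (NR==hit ? ">" : " "), NR, $0 }' "$1"
}

# Constructed sample logs (hypothetical host, path and timestamps).
# Prints the temporary directory holding them.
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/access_log" <<'EOF'
192.0.2.10 - - [06/Jun/2011:03:40:12 +0000] "GET /uploads/ HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Jun/2011:03:58:44 +0000] "GET /uploads/start.py HTTP/1.1" 200 2048 "-" "Wget/1.12"
192.0.2.10 - - [06/Jun/2011:04:51:09 +0000] "GET /uploads/backup.tar.gz HTTP/1.1" 200 9182 "-" "Wget/1.12"
EOF
    cat > "$dir/error_log" <<'EOF'
[Mon Jun 06 03:58:45 2011] [notice] child pid 4321 exec of '/var/www/uploads/start.py'
EOF
    printf '%s\n' "$dir"
}

# Demo against the constructed logs: sh thisfile.sh --demo
case "${1:-}" in
  --demo)
    d=$(make_sample_logs)
    echo "First mention of start.py per log:"; first_hits_in_dir start.py "$d"
    echo "Context around the access_log hit:"
    show_context "$d/access_log" "$(first_line_number start.py "$d/access_log")" 1
    rm -rf "$d"
    ;;
esac
```

The earliest hit across all logs is the starting point hans51 describes; reading the marked context line together with the one before it (here, a directory listing request from the same address minutes earlier) is the "isolate such cases, add them up" step done on real data rather than by scrolling. Rotated `.gz` logs are not covered by this grep; point `zgrep` at them the same way.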
