  1. #1
    Just Joined!
    Join Date
    Feb 2006
    Posts
    5

    Hacked linux box


    Somebody has managed to find out a password into my linux box on the internet. Is there a way I can find out what he did during his session? He was there almost 1 hour, so I suppose he did something there ;o( Most likely it was because my accounts had very simple passwords to guess ... So I have deleted the user account. In the passwd file, there are the following accounts. Can I simply delete them?

    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    mail

    And others ...

  2. #2
    Linux Newbie
    Join Date
    Feb 2006
    Location
    KP22
    Posts
    106
    Oh, do not really delete them. They are important accounts for some daemons and services (and some files), and normally nobody can log in with them. They shouldn't be touched. From /etc/shadow you can see whether they have a password set. If there is "!" or "*" anywhere in the password hash field, it's impossible to log in with these accounts.

    If you use bash as your shell, you can try to trace from the user's ~/.bash_history whether the cracker has been inconsiderate and forgot to clear this file out.

    And, if your box has been cracked, you should back up just the most important files and carefully reinstall the system. It's presumable that this cracker has hidden something in your system (for example a backdoor etc).
    Maybe you should read this:
    http://www.linuxforums.org/forum/lin...ecure-log.html
    I and Roxoff posted there some advice on what to do when you think your box has been cracked and how to avoid such situations.

    And haven't you been told NOT to use easy passwords?
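
The /etc/shadow check described above, as an added example that is not part of the original post: it reads a shadow-format file and reports which accounts are locked ("!" or "*" in the hash field) and which can still log in. The shadow lines below are constructed sample data, not from any real system; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of /etc/shadow lines (not a real system's file).
# Field 2 is the password hash: a leading "!" or "*" (or "!!") means the
# account is locked and cannot log in with a password; an empty field means
# no password at all; anything else is a usable hash.
SAMPLE_SHADOW='root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
adm:!:19000:0:99999:7:::
lp:!!:19000:0:99999:7:::
mail:*:19000:0:99999:7:::
ftp:$1$weaksalt$shortmd5hash:19000:0:99999:7:::
guest::19000:0:99999:7:::'

# classify_shadow FILE
# Prints one line per account: "<user> <status>", where status is
#   locked   - hash field starts with "!" or "*"
#   empty    - no password at all (login may be possible with none)
#   password - a real hash is set; the account can log in with a password
classify_shadow() {
    awk -F: '
        $2 ~ /^[!*]/ { print $1, "locked"; next }
        $2 == ""     { print $1, "empty";  next }
                     { print $1, "password" }
    ' "$1"
}

# loginable_accounts FILE
# Lists only the accounts that are not locked, i.e. the ones worth reviewing
# (and re-passwording or locking) after a break-in.
loginable_accounts() {
    classify_shadow "$1" | awk '$2 != "locked" { print $1 }'
}

# Write the constructed sample to a temp file and run the checks against it.
# On a real box, reading /etc/shadow needs root:
#   sudo sh -c '. ./shadowcheck.sh; loginable_accounts /etc/shadow'
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_SHADOW" > "$SAMPLE_FILE"
classify_shadow "$SAMPLE_FILE"
echo "--- accounts that can still log in ---"
loginable_accounts "$SAMPLE_FILE"
```

The system accounts listed in the question (bin, daemon, adm, lp, mail ...) all show up as locked in the sample, which is what the reply means by "it's impossible to log in with these accounts"; the accounts to worry about are the ones in the second list.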

  3. #3
    Linux User Krendoshazin's Avatar
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    471
    Providing that it was a regular user that got cracked, and your file permissions are correct, all they should have had access to was the user's home directory (hopefully the user didn't have full access to sudo either). Never have services running that don't need to be running; if they need to be running, secure them, and make sure you use strong passwords.
    I use 16-character randomly generated alphanumeric passwords; the following is an example: S2iAtHoAt3oApHle (this is not my password, it's just an example I generated).

    Always get software from official sources, and get into the habit of md5 hash checking them. If you don't have a firewall, get one set up; if you're not yet comfortable with iptables, a firewall like firestarter is easy enough to set up.

    A rootkit hunter like chkrootkit can help you to determine if the system has been tampered with.
