-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tuesday 24 August 2004 09:51 am, Tevfik Yucek wrote:
> Hi all,
>
>
> Last night I realized there was someone in my computer, Slackware 10.
> I have an sshd running and he/she/it connected to my computer and
> executed the following commands.
>
> I am usually not concerned with security and did not care about much
> until yesterday. I had a guest "user" account with password "guest"
> and he/she/it used it.
This is one of those things that, if known and left running, qualifies for the
"most stupid things I've done lately" list. Security by obscurity is, I'm
afraid, not very secure at all. As you can see.
> So, here are my questions:
> - how did he/she/it know about my IP, how did they know I was
> using Linux, and how did he/she/it get the password? Just guessing?
It's known as port scanning. All one does is write a little script which scans
all IPs in a range. When it finds a computer that responds, it checks for
its reply signature. (This can identify most O/S's and is done by seeing how
it replies to requests.) Now, knowing what O/S is running, it tests for known
vulnerabilities, and tests to see if they are still vulnerable. If so it will
gain access to your computer.
This nice little thing will chew out vulnerable IPs to attack by the
thousands.
Of course you don't have to scan ranges. You can also listen on your network
for traffic and record those IPs.
> - how can I kick a user if I notice that I have an uninvited
> visitor? I had to stop the internet connection of my computer.
You need to 1) remove the guest login, 2) remove the .src dir in /tmp, 3)
change your root password for sure. Remember, use a minimum of 8 characters
containing upper/lower case, numbers and symbols. This is to make a brute
force attack take longer. Any password can be hacked. You want it to take as
long as possible to give you time to notice.
Once you notice that you have a visitor you need to have decided on how you
handle attacks. Do you want to just stop them or find out who they are and
try to nail them?
If you disconnect you cannot pursue him. But you may not care. But to block
him you need to know how he got in. This guy is clearly a script kiddie
without full knowledge of what goes on, based on the fact that he left the history
file intact for someone to read later. Unless he did do more damage and just
left this information to act as a cover for a more thorough hack.
It also sounds like he did come in through your wide open door called guest.
You could hardly have made it easier. Guest is at the top of the list of statistically
most used (bad) passwords.
> - what do the commands below do and should I do something about
> them?
It set your computer up to attack others. I've not gotten the same files to
see what they do but it's addressing a Dutch and an Australian DNS server.
Though that may have been just a test. To really see it I'd want you to send
me the directory he created. (/tmp/.src). tar it up and contact me off list.
------------------
BTW, you may not want to go and pick up the same files he did as it's probably
monitored. You don't even know if it's part of an ongoing investigation by
some local authorities.
------------------
Based on the filenames it looks like a denial of service attack.
>
> Thanks,
> Tevfik
--
Steve
"They that would give up essential liberty for temporary safety deserve
neither liberty nor safety."
Benjamin Franklin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBK164ljK16xgETzkRAnslAJ4hRBqh7mMG9DmVuy9A6l/pi9J4swCeONoC
QAFxgmdmzVyntwSw3h9et9E=
=ZqNQ
-----END PGP SIGNATURE-----
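An added example, not part of Steve's reply or Tevfik's post: a bash triage script for the situation described above (a password-guessed "guest" login over sshd, an attacker directory under /tmp/.src). It pulls the successful and failed password logins out of a syslog-style sshd log, flags any accepted login whose source address was also guessing passwords, preserves the attacker's directory as a tarball with a SHA-1 before anything is deleted, and kills and locks the account. The log lines, host name, IP addresses and function names are all constructed for the example; the log format is the one sshd wrote to /var/log/messages on systems of that era, and the script assumes GNU coreutils, procps pkill and tar are present.

```shell
#!/bin/bash
# ssh_triage.sh -- added example, not from the original mailing-list post.
# Assumes syslog-style sshd lines (as in /var/log/messages on Slackware)
# and that the intruder's directory is the one the post names, /tmp/.src.
set -u

# Print "user ip" for every successful password login in the log.
accepted_password_logins() {
    sed -n 's/.*sshd\[[0-9]*\]: Accepted password for \([^ ]*\) from \([0-9.]*\) port.*/\1 \2/p' "$1"
}

# Print "count ip" for failed password attempts, busiest source first.
failed_logins_by_source() {
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port.*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Accepted logins whose source address was also guessing passwords.
# In the incident above this is the "guest" session the intruder used.
suspect_sessions() {
    local log="$1"
    accepted_password_logins "$log" | while read -r user ip; do
        if grep -q "Failed password for .* from $ip port" "$log"; then
            echo "$user $ip"
        fi
    done
}

# Preserve the intruder's directory before touching it: tar keeps owner,
# mode and mtime, and the SHA-1 lets the recipient confirm it is unchanged.
preserve_dir() {
    local dir="$1" out="$2"
    tar -C "$(dirname "$dir")" -cf "$out" "$(basename "$dir")" || return 1
    sha1sum "$out" > "$out.sha1"
    echo "$out.sha1"
}

# Kill the account's live sessions and lock it (root only). Locking with
# passwd -l keeps the entry for later inspection instead of deleting it.
kick_and_lock() {
    local user="$1"
    [ "$(id -u)" -eq 0 ] || { echo "need root to act on $user" >&2; return 2; }
    pkill -KILL -u "$user"
    passwd -l "$user"
}

# Constructed sample log (not a real capture), documentation IP ranges only.
write_sample_log() {
    cat > "$1" <<'EOF'
Aug 23 23:40:51 slack sshd[1402]: Failed password for root from 203.0.113.7 port 4016 ssh2
Aug 23 23:40:55 slack sshd[1403]: Failed password for admin from 203.0.113.7 port 4017 ssh2
Aug 23 23:40:58 slack sshd[1404]: Failed password for guest from 203.0.113.7 port 4018 ssh2
Aug 23 23:41:02 slack sshd[1405]: Accepted password for guest from 203.0.113.7 port 4019 ssh2
Aug 24 08:12:30 slack sshd[1511]: Failed password for root from 198.51.100.9 port 2201 ssh2
Aug 24 09:02:11 slack sshd[1530]: Accepted password for tevfik from 192.0.2.10 port 1033 ssh2
EOF
}

# Usage: ./ssh_triage.sh demo   (runs against the constructed log);
# on a live box call suspect_sessions /var/log/messages, then
# preserve_dir /tmp/.src /root/evidence.tar and kick_and_lock guest as root.
if [ "${1:-}" = "demo" ]; then
    log=$(mktemp)
    write_sample_log "$log"
    echo "== accepted logins";    accepted_password_logins "$log"
    echo "== failures by source"; failed_logins_by_source "$log"
    echo "== suspect sessions";   suspect_sessions "$log"
    rm -f "$log"
fi
```

The order matters: preserve the directory first, then kick and lock, then change the root password; deleting /tmp/.src before copying it throws away the only evidence of what the tools were for.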
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:16:36 EDT