Re: hacked?
- From: Schraalhans Keukenmeester <firstnamedotlastname@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 15 Apr 2006 18:36:50 +0200
x wrote:
> I was watching TV and could hear my little linux server working away when I expected him to be idle.
> So I ssh'd in and did a netstat and saw what looked like an unwanted SSH connection...
> [root@myserver ~]# netstat
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 localhost:5038 localhost:1335 CLOSE_WAIT
> tcp 0 0 localhost:1596 localhost:5038 ESTABLISHED
> tcp 0 0 localhost:5038 localhost:1596 ESTABLISHED
> tcp 0 23 ::ffff:10.10.10.200:ssh funredes.org:43519 ESTABLISHED
> tcp 0 552 ::ffff:10.10.10.200:ssh ::ffff:10.10.10.50:1441 ESTABLISHED
> Does this mean I have been hacked?
> I then did a 'who' command but there was only 1 user logged in (root) and I guess that was me..
> Thanks.
> P.S. What command would I issue to 'kick' that user off?
Does your firewall allow SSH from outside? What else is allowed? (iptables --list shows the current firewall setup, if you use iptables, of course.)
First of all: physically killing the network connection is worth considering.
Don't trust your box even after the hostile client is disconnected. A rootkit may already have been planted on your box, and/or other measures may have been taken to compromise it. Even log and ps/top output and the like are bound to be unreliable.
Programs like rkhunter and chkrootkit can help spot such software installed on your box. Check log files; maybe there is something useful there. nmap can be used to spot open/listening ports/apps on your box. On the local host, type nmap -sV localhost -p 1-65535 to see which ports respond and which apps/services. Mine looks like this:
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-04-15 18:17 CEST
Interesting ports on localhost (127.0.0.1):
(The 65530 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
21/tcp open ftp vsFTPd 2.0.3
22/tcp open ssh OpenSSH 4.2 (protocol 2.0)
80/tcp open http Apache httpd 2.0.54 ((Fedora))
443/tcp open ssl/http Apache httpd 2.0.54 ((Fedora))
3306/tcp open mysql MySQL 4.1.16
Scanning another (client) host on my lan:
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-04-15 18:20 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 3.263 seconds
You could check your process list to see what progs are running. I once encountered maildrop in the list which I had definitely not started. I had made a crucial error in my firewall setup that time, inadvertently letting everything through. I ended up wiping everything, as I could not pinpoint the culprit anymore.
Ehh, why were you logged in as root? Coincidence? Or especially for this cause? Be careful!
Anyway, as said, don't trust "everything's fine"-type output from any program! If however the output is alarming (as it is from netstat), don't take those indications for false positives!
(Are there legit users who log in from the web to your box using SSH? They may also be the leak's origin.)
Good luck!
Sh.
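Added example, not part of the original thread: a small POSIX shell check that applies the reply's advice to the netstat output quoted above and lists every ESTABLISHED session to the local ssh port whose peer is outside a trusted range. The sample text and the trusted-range regex (LAN 10.10.10.x plus loopback) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): flag ESTABLISHED
# SSH sessions whose peer is outside a trusted range, from netstat output.
# Assumes the netstat layout shown in the thread; the trusted regex is a
# constructed demo value (10.10.10.x was the LAN in the original post).

# Constructed sample, same shape as the netstat output quoted above.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:5038 localhost:1335 CLOSE_WAIT
tcp 0 0 localhost:1596 localhost:5038 ESTABLISHED
tcp 0 23 ::ffff:10.10.10.200:ssh funredes.org:43519 ESTABLISHED
tcp 0 552 ::ffff:10.10.10.200:ssh ::ffff:10.10.10.50:1441 ESTABLISHED'

# foreign_ssh_peers NETSTAT_TEXT TRUSTED_ERE
# Prints the peer host (port stripped) of every ESTABLISHED connection whose
# local side is the ssh port (shown as "ssh", or "22" when netstat -n is used)
# and whose peer does NOT match TRUSTED_ERE. Use bracket expressions such as
# "[.]" rather than "\." in the ERE: awk -v rewrites backslash escapes.
foreign_ssh_peers() {
    printf '%s\n' "$1" | awk -v trusted="$2" '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" && $4 ~ /:(ssh|22)$/ {
            peer = $5
            sub(/:[^:]*$/, "", peer)   # strip the remote port
            sub(/^::ffff:/, "", peer)  # strip the IPv4-mapped IPv6 prefix
            if (peer !~ trusted) print peer
        }'
}

# Number of untrusted SSH peers; non-zero means "look closer".
count_foreign_ssh_peers() {
    foreign_ssh_peers "$1" "$2" | wc -l | tr -d ' '
}

# Demo run: only the LAN range and loopback are trusted here (constructed).
TRUSTED='^(10[.]10[.]10[.][0-9]+|localhost)$'
foreign_ssh_peers "$SAMPLE_NETSTAT" "$TRUSTED"
```

On a live box the same function can read `netstat -tn` or `ss -tn` output instead of the sample, but remember the reply's caveat: on a compromised host, netstat itself may lie.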