Home page logo
/

basics logo Security Basics mailing list archives

Re: Huge hidden process and port in Linux server
From: John Forristel <jforristel () auctiva com>
Date: Tue, 20 Aug 2013 07:36:27 -0700

You could try looking for the key and renaming it.  Once that's done,
the program/script will error, putting an entry in /var/log/syslog or
/var/log/messages.  If this is an Ubuntu distro, you can also look at
/var/log/auth.log and see what or who is logging in.  Any decent
hacker is going to cover their tracks, so you may want to write a
little script that emails you everyone's .bash_history when it is
written to.

To find the public key:  find / -name *.pub

Put this into the .bash_logout in everyones home directory.  Because
the history is not really written to the .bash_history till AFTER the
user is completely logged out, you will have to tell the OS to append
to the .bash_history, and not wait till the end of the session:

# ~/.bash_logout
echo "Here is $LOGNAME $SUDO_USER history for the currnet session." >>
/tmp/.$LOGNAME.$SUDO_USER
echo "======================================================" >>
/tmp/.$LOGNAME.$SUDO_USER
echo;echo >> /tmp/.$LOGNAME.$SUDO_USER
echo "Machine: "$HOSTNAME >> /tmp/.$LOGNAME.$SUDO_USER
cat ~/.bash_history >> /tmp/.$LOGNAME.$SUDO_USER
echo "======================================================" >>
/tmp/.$LOGNAME.$SUDO_USER
mail -s "$LOGNAME - $SUDO_USER bash_history" funkel () xxxxxxxxxxx <
/tmp/.$LOGNAME.$SUDO_USER
mail -s "$LOGNAME - $SUDO_USER bash_history" wagon () xxxxxxxxxx<
/tmp/.$LOGNAME.$SUDO_USER
rm /tmp/.$LOGNAME.$SUDO_USER
echo > ~/.bash_history




=================================
John Forristel
Chief Security Officer
Auctiva Corporation
(530) 892-9191 X219



________________________________

This electronic mail message and any file sent with it are intended
solely for the named recipients and may contain confidential and
proprietary business information of Auctiva Corporation and its
affiliates. If you are not a named recipient, please notify the sender
immediately and delete the original message and all files sent with
it. You may not disclose the contents to any other person, use this
electronic mail message or its contents for any purpose or further
store or copy its contents in any medium. KCCO!




On Tue, Aug 20, 2013 at 7:34 AM, John Forristel <jforristel () auctiva com> wrote:
You could try looking for the key and renaming it.  Once that's done, the
program/script will error, putting an entry in /var/log/syslog or
/var/log/messages.  If this is an Ubuntu distro, you can also look at
/var/log/auth.log and see what or who is logging in.  Any decent hacker is
going to cover their tracks, so you may want to write a little script that
emails you everyone's .bash_history when it is written to.

To find the public key:  find / -name *.pub

Put this into the .bash_logout in everyones home directory.  Because the
history is not really written to the .bash_history till AFTER the user is
completely logged out, you will have to tell the OS to append to the
.bash_history, and not wait till the end:

# ~/.bash_logout
echo "Here is $LOGNAME $SUDO_USER history for the currnet session." >>
/tmp/.$LOGNAME.$SUDO_USER
echo "======================================================" >>
/tmp/.$LOGNAME.$SUDO_USER
echo;echo >> /tmp/.$LOGNAME.$SUDO_USER
echo "Machine: "$HOSTNAME >> /tmp/.$LOGNAME.$SUDO_USER
cat ~/.bash_history >> /tmp/.$LOGNAME.$SUDO_USER
echo "======================================================" >>
/tmp/.$LOGNAME.$SUDO_USER
mail -s "$LOGNAME - $SUDO_USER bash_history" funkel () xxxxxxxxxxx <
/tmp/.$LOGNAME.$SUDO_USER
mail -s "$LOGNAME - $SUDO_USER bash_history" wagon () xxxxxxxxxx<
/tmp/.$LOGNAME.$SUDO_USER
rm /tmp/.$LOGNAME.$SUDO_USER
echo > ~/.bash_history







=================================
John Forristel
Chief Security Officer
Auctiva Corporation
(530) 892-9191 X219



________________________________

This electronic mail message and any file sent with it are intended solely
for the named recipients and may contain confidential and proprietary
business information of Auctiva Corporation and its affiliates. If you are
not a named recipient, please notify the sender immediately and delete the
original message and all files sent with it. You may not disclose the
contents to any other person, use this electronic mail message or its
contents for any purpose or further store or copy its contents in any
medium. KCCO!




On Tue, Aug 20, 2013 at 5:04 AM, J B <bakshi12 () gmail com> wrote:

Thanks a lot to all of you for your responses.
I have just rebooted my local box and 2 days after that,
it doesn't attempt any attempt to ssh the remote box.
After then it again has started to log into the remoet
box with the right users and with a pubkey. Actually I
loginto the remote box with pubkey and somehow the hidden
process learn that !!!

I really don't know how to stop this :-(



On Thu, 8 Aug 2013 09:46:41 +0800
"Tyler Chen (FairLine)" <tyler.chen () fairline com tw> wrote:

Maybe it's not a hidden process? Have you checked last logon records?
Any
unauthorized logon? See anything interesting with netstat -anop ?

Best regards,
Tyler
2013/8/7 下午6:56 於 "J B" <bakshi12 () gmail com> 寫道:

Hello list,

I have got a problem that my server is continuously doing ssh attack
on a
remote server (which I also work
time to time). My local linux server is attacking the remote linux box
with the same remote user name
with pubkey. I also investigate the remote box and find same.

I install rootkinhunter, chkrootkit and unhide in my local linux box.
Both rootkinhunter, chkrootkit provide a clean report but "unhide
brute"
has found a lots of Hidden process and unhide-tcp finds some hidden
port
time to time. Please suggest how can I investigate further to identify
the process causing the trouble and how to disinfect my box.

Thanks


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL
certificate.  We look at how SSL works, how it benefits your company
and
how your customers can tell if a site is secure. You will find out how
to
test, purchase, install and use a thawte Digital Certificate on your
Apache
web server. Throughout, best practices for set-up are highlighted to
help
you ensure efficient ongoing management of your encryption keys and
digital
certificates.



http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1

------------------------------------------------------------------------



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.


http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]