Off-Topic > Off-Topic - Tiny Core Lounge
hacked - need advice
bmarkus:
--- Quote from: alu on December 30, 2009, 03:34:43 PM ---
the att-hack: a hacker has hacked a user account in ~ on the server, and he has installed an rtpd daemon; I have no damage on anything, but my connection was obviously very slow. It took me a couple of hours to find the problem.
--- End quote ---
My first question is not how to prevent it, but how it happened.
gerald_clark:
If he was any good, you will never know.
philip:
I got hacked once too, at work. It made our sysadmin's usual paranoia seem wise. He pointed out that everything on a system that has been compromised is tainted and cannot be trusted. It's imperative to verify that all your files and extensions are exact copies of the official versions in the repository, and to replace any that are not. jpeters provides a script that automates this process. Also, mc's self-cleaning architecture is a real asset at times like this: just reboot! But then find a way to safeguard the integrity of your extensions: mine is to store them all on a USB key that I physically unplug from the machine soon after booting it. [This suggestion comes in addition to your own wise countermeasures and the good advice of others in this thread.]
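One way to do the verification philip describes, written here as an added example (it is not jpeters' script nor a Tiny Core tool): it compares each extension against the md5 sidecar the repository publishes beside it. The directory layout and the constructed sample files are assumptions; the sidecars must come fresh from the official repository, not from the compromised machine.

```shell
#!/bin/sh
# Added example, not jpeters' script or any Tiny Core tool: check every
# extension in a directory against the md5 sidecar the Tiny Core repository
# publishes beside it (foo.tcz next to foo.tcz.md5.txt, "hash  foo.tcz").
# Assumption: the sidecars were fetched fresh from the official repository;
# a sidecar copied from the compromised box proves nothing.

# verify_tcz_dir DIR: one status line per extension; returns 1 on any failure.
verify_tcz_dir() {
    dir=$1
    rc=0
    for tcz in "$dir"/*.tcz; do
        [ -e "$tcz" ] || continue           # empty glob, nothing to check
        name=$(basename "$tcz")
        sidecar="$tcz.md5.txt"
        if [ ! -f "$sidecar" ]; then
            echo "MISSING  $name (no md5 sidecar, cannot vouch for it)"
            rc=1
            continue
        fi
        expected=$(awk '{print $1}' "$sidecar")
        actual=$(md5sum "$tcz" | awk '{print $1}')
        if [ "$expected" = "$actual" ]; then
            echo "OK       $name"
        else
            echo "TAMPERED $name expected=$expected actual=$actual"
            rc=1
        fi
    done
    return $rc
}

# write_sidecar FILE: record the current md5 in FILE.md5.txt, repo style.
write_sidecar() {
    printf '%s  %s\n' "$(md5sum "$1" | awk '{print $1}')" "$(basename "$1")" \
        > "$1.md5.txt"
}

# make_demo_dir: constructed sample data, not real extensions. One file is
# appended to after its sidecar was written, as a planted modification would be.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'openssh payload\n' > "$d/openssh.tcz"
    write_sidecar "$d/openssh.tcz"
    printf 'wireless payload\n' > "$d/wireless.tcz"
    write_sidecar "$d/wireless.tcz"
    printf 'extra bytes added after the fact\n' >> "$d/wireless.tcz"
    echo "$d"
}
```

On a real system, point `verify_tcz_dir` at the tce/optional directory of the boot medium after re-downloading the .md5.txt files from the repository; anything reported TAMPERED or MISSING gets replaced, not trusted.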
alu:
Thanks to all for your answers; frankly, I don't know how the attacker did it (I didn't have a syslog daemon on); I had disabled the ping detection on my router, and I had chrooted the users in vsftpd. What happened is the following:
1. the attacker found a way to log in as one of the users on my server; I assume that he detected my public IP and found the password of this user in order to log in, and that he probably did it through port 21;
2. he copied files into the directory of this user in order to start a chat program (the rtpd daemon);
3. he started an rtpd daemon as that user, which I saw with netstat -a; but it was impossible to stop or delete the daemon (I tried to kill the PID of the rtpd daemon as root, without success).
You are probably right in saying that I should only use ssh and scp; also, I am using mc from a cf-card with only a few extensions (the wireless extensions, openssh), and I keep my files on a separate USB disk; I then mount only a few directories in the userland of each user. I was thinking about the possibility of encrypting the mountpoints or the users' accounts: do you think that this is possible and that it would reinforce the security of my server?
curaga:
If you keep them mounted, it doesn't matter if they are encrypted or not.