Security Basics
Re: Huge hidden process and port in Linux server Aug 20 2013 02:36PM
John Forristel (jforristel auctiva com) (1 replies)
Re: Huge hidden process and port in Linux server Aug 21 2013 11:47AM
Ali Kapucu (alikapucu gmail com)
Try to install OSSEC.

Sent from my iPhone, but not while driving because that's illegal under ORC 4511.204!

On Aug 20, 2013, at 10:36 AM, John Forristel <jforristel (at) auctiva (dot) com [email concealed]> wrote:

> You could try looking for the key and renaming it. Once that's done,
> the program/script will error, putting an entry in /var/log/syslog or
> /var/log/messages. If this is an Ubuntu distro, you can also look at
> /var/log/auth.log and see what or who is logging in. Any decent
> hacker is going to cover their tracks, so you may want to write a
> little script that emails you everyone's .bash_history when it is
> written to.
>
> To find the public key: find / -name '*.pub'
>
> Put this into the .bash_logout in everyone's home directory. Because
> the history is not really written to the .bash_history till AFTER the
> user is completely logged out, you will have to tell the OS to append
> to the .bash_history, and not wait till the end of the session:
>
> # ~/.bash_logout
> # bash normally writes the history file after .bash_logout has run, so
> # flush this session's commands first or the cat below only sees
> # earlier sessions.
> history -a
> # A private temp file instead of the predictable /tmp/.$LOGNAME.$SUDO_USER
> # name, which anyone else on the box could pre-create as a symlink.
> report=$(mktemp) || return
> {
>   echo "Here is $LOGNAME $SUDO_USER history for the current session."
>   echo "======================================================"
>   echo; echo
>   echo "Machine: $HOSTNAME"
>   cat ~/.bash_history
>   echo "======================================================"
> } > "$report"
> mail -s "$LOGNAME - $SUDO_USER bash_history" funkel@xxxxxxxxxxx < "$report"
> mail -s "$LOGNAME - $SUDO_USER bash_history" wagon@xxxxxxxxxx < "$report"
> rm -f "$report"
> echo > ~/.bash_history
>
>
>
>
> =================================
> John Forristel
> Chief Security Officer
> Auctiva Corporation
> (530) 892-9191 X219
>
>
>
> ________________________________
>
> This electronic mail message and any file sent with it are intended
> solely for the named recipients and may contain confidential and
> proprietary business information of Auctiva Corporation and its
> affiliates. If you are not a named recipient, please notify the sender
> immediately and delete the original message and all files sent with
> it. You may not disclose the contents to any other person, use this
> electronic mail message or its contents for any purpose or further
> store or copy its contents in any medium. KCCO!
>
>
>
>
> On Tue, Aug 20, 2013 at 7:34 AM, John Forristel <jforristel (at) auctiva (dot) com [email concealed]> wrote:
>> On Tue, Aug 20, 2013 at 5:04 AM, J B <bakshi12 (at) gmail (dot) com [email concealed]> wrote:
>>>
>>> Thanks a lot to all of you for your responses.
>>> I have just rebooted my local box and for 2 days after that
>>> it made no attempt to ssh to the remote box.
>>> After that it has again started to log into the remote
>>> box with the right users and with a pubkey. Actually I
>>> log into the remote box with a pubkey and somehow the hidden
>>> process learns that !!!
>>>
>>>
>>>
>>> On Thu, 8 Aug 2013 09:46:41 +0800
>>> "Tyler Chen (FairLine)" <tyler.chen (at) fairline.com (dot) tw [email concealed]> wrote:
>>>
>>>> Maybe it's not a hidden process? Have you checked last logon records?
>>>> Any unauthorized logon? See anything interesting with netstat -anop ?
>>>>
>>>> Best regards,
>>>> Tyler
>>>> On 2013/8/7 6:56, "J B" <bakshi12 (at) gmail (dot) com [email concealed]> wrote:
>>>>
>>>>> Hello list,
>>>>>
>>>>> I have got a problem: my server is continuously doing ssh attacks on a
>>>>> remote server (which I also work on from time to time). My local Linux
>>>>> server is attacking the remote Linux box with the same remote user name
>>>>> with a pubkey. I also investigated the remote box and found the same.
>>>>>
>>>>> I installed Rootkit Hunter, chkrootkit and unhide on my local Linux box.
>>>>> Both Rootkit Hunter and chkrootkit provide a clean report, but "unhide
>>>>> brute" has found a lot of hidden processes and unhide-tcp finds some
>>>>> hidden ports from time to time. Please suggest how I can investigate
>>>>> further to identify the process causing the trouble and how to disinfect
>>>>> my box.
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> Securing Apache Web Server with thawte Digital Certificate
>>>>> In this guide we examine the importance of Apache-SSL and who needs an
>>>>> SSL certificate. We look at how SSL works, how it benefits your company
>>>>> and how your customers can tell if a site is secure. You will find out
>>>>> how to test, purchase, install and use a thawte Digital Certificate on
>>>>> your Apache web server. Throughout, best practices for set-up are
>>>>> highlighted to help you ensure efficient ongoing management of your
>>>>> encryption keys and digital certificates.
>>>>>
>>>>> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
>>>>> ------------------------------------------------------------------------


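What John's advice to look at /var/log/auth.log amounts to on the remote box, as an added example that is not code from the thread: it parses the sshd Accepted/Failed lines and flags the (user, source) pairs whose successful logins arrive at a script's cadence, which is how the infected local box would show up in the remote box's log. The log excerpt is constructed in the OpenSSH 6.x syslog format of the time; the function names and the run/gap thresholds are assumptions of the example.

```python
# Added example, not from the thread: pulls sshd "Accepted"/"Failed" lines
# out of auth.log text and groups them per user and source, which is what
# "see what or who is logging in" comes down to on the remote box.  The log
# lines are constructed in the OpenSSH 6.x syslog format of the time; the
# thresholds and names are this example's own.
import re
from collections import defaultdict
from datetime import datetime

SSHD_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
)

# Constructed sample: four pubkey logins a minute apart from 10.0.0.5,
# one human-looking login from 192.0.2.17, and ordinary password noise.
SAMPLE_AUTH_LOG = """\
Aug 20 07:30:01 remote sshd[4211]: Accepted publickey for jb from 10.0.0.5 port 51234 ssh2
Aug 20 07:30:01 remote sshd[4211]: pam_unix(sshd:session): session opened for user jb by (uid=0)
Aug 20 07:31:01 remote sshd[4220]: Accepted publickey for jb from 10.0.0.5 port 51240 ssh2
Aug 20 07:32:01 remote sshd[4231]: Accepted publickey for jb from 10.0.0.5 port 51251 ssh2
Aug 20 07:33:01 remote sshd[4239]: Accepted publickey for jb from 10.0.0.5 port 51263 ssh2
Aug 20 09:12:44 remote sshd[4402]: Accepted publickey for jb from 192.0.2.17 port 40022 ssh2
Aug 20 09:40:10 remote sshd[4450]: Failed password for root from 198.51.100.9 port 3310 ssh2
Aug 20 09:40:12 remote sshd[4450]: Failed password for invalid user admin from 198.51.100.9 port 3312 ssh2
"""


def parse_auth_log(text, year=2013):
    """Return (timestamp, result, method, user, src) per sshd login line.
    syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = SSHD_LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["src"]))
    return events


def automated_sources(events, min_run=3, max_gap=120):
    """(user, src) pairs with a run of min_run successful logins, each within
    max_gap seconds of the previous one: a script's rhythm, not a person's."""
    by_src = defaultdict(list)
    for ts, result, _method, user, src in events:
        if result == "Accepted":
            by_src[(user, src)].append(ts)
    flagged = set()
    for key, times in by_src.items():
        times.sort()
        run = 1
        for prev, cur in zip(times, times[1:]):
            run = run + 1 if (cur - prev).total_seconds() <= max_gap else 1
            if run >= min_run:
                flagged.add(key)
                break
    return flagged


def failed_logins(events):
    """(user, src) -> number of failed attempts; the usual brute-force noise,
    kept separate so it is not confused with the pubkey logins."""
    counts = defaultdict(int)
    for _ts, result, _method, user, src in events:
        if result == "Failed":
            counts[(user, src)] += 1
    return dict(counts)


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, src in sorted(automated_sources(ev)):
        print(f"scripted logins: {user} from {src}")
    for (user, src), n in sorted(failed_logins(ev).items()):
        print(f"failed: {user} from {src} x{n}")
```

On the remote box, feed it /var/log/auth.log together with the rotated auth.log.1 (the logins in this thread were weeks apart, so a single current file may not hold them). The flagged (user, src) pair gives the source address and the minute-by-minute timing; back on the local box, `ss -tnp` or `netstat -anop` run during one of those minutes shows which PID owns the outbound connection, unless the same hook that hides the process hides its socket as well.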

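The thread hinges on what "unhide brute" and unhide-tcp report, so here is an added example (not code from the thread and not the unhide project's own source) that redoes the same kind of cross-check: ask the kernel about every pid with kill(pid, 0) and about every TCP port with a bind(), then compare the answers with the /proc listings that ps and netstat are built from. The function names and the /proc/net/tcp excerpt used as sample input are the example's own; the live scans need Linux and, for ports below 1024 and other users' processes, root.

```python
# Added example for this thread; it is not code from the thread and not the
# unhide project's own source.  It performs two cross-checks of the kind
# unhide and unhide-tcp do: ask the kernel about every pid and every port
# directly, then compare with the listings ps and netstat are built from.
# Function names and the sample /proc/net/tcp rows are this example's own.
import errno
import os
import socket

TCP_LISTEN = "0A"   # "st" column value of a listening socket

# Constructed /proc/net/tcp excerpt: a listener on *:22, one on
# 127.0.0.1:25, and an established client connection from port 0xA1B2.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

def parse_proc_net(text, states=None):
    """Local ports in /proc/net/tcp{,6} text, optionally limited to the given
    state codes.  Column 2 is HEXIP:HEXPORT, column 4 is the state."""
    ports = set()
    for line in text.splitlines()[1:]:        # line 0 is the header
        fields = line.split()
        if len(fields) >= 4 and (states is None or fields[3] in states):
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def listed_pids():
    """What ps works from: the numeric names in a /proc directory listing."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def probed_pids(lo, hi):
    """Ask the kernel about each pid in [lo, hi] with kill(pid, 0).  ESRCH
    means no such process; EPERM means it exists but is not ours."""
    found = set()
    for pid in range(lo, hi + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found

def is_thread(pid):
    """Non-leader threads answer kill() yet are never listed by readdir on
    /proc, so they must not be reported as hidden processes."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass        # kernel knows the pid but /proc will not show it
    return False

def bound_ports(lo, hi):
    """Ports that refuse a plain wildcard bind with EADDRINUSE.  EACCES
    (privileged port, unprivileged caller) proves nothing and is skipped."""
    busy = set()
    for port in range(lo, hi + 1):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            try:
                s.bind(("", port))
            except OSError as exc:
                if exc.errno == errno.EADDRINUSE:
                    busy.add(port)
    return busy

def hidden(listed, probed):
    """Entries the kernel answers for but the listing leaves out."""
    return probed - listed

def scan_hidden_pids():
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    candidates = hidden(listed_pids(), probed_pids(1, pid_max))
    # A process that starts or exits mid-scan shows up once as a false
    # positive; a second, targeted look drops it, and the thread filter
    # drops TIDs.
    return {p for p in candidates
            if probed_pids(p, p) and p not in listed_pids() and not is_thread(p)}

def scan_hidden_ports():
    listed = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(path):
            with open(path) as f:
                listed |= parse_proc_net(f.read())  # any state blocks a bind
    return hidden(listed, bound_ports(1, 65535))

if __name__ == "__main__":
    print("hidden pids :", sorted(scan_hidden_pids()) or "none")
    print("hidden ports:", sorted(scan_hidden_ports()) or "none")
```

Run it as root on the local box. A pid that survives the second look is worth `ls -l /proc/<pid>/exe /proc/<pid>/cwd` and `cat /proc/<pid>/cmdline` before anything is killed. Two limits: a socket that is bound but has not called listen() is absent from /proc/net/tcp and can show up as a hidden port, and a kernel rootkit that hooks kill() and bind() as well as readdir defeats all of this, at which point the disk has to be examined from a clean boot medium.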
Copyright 2010, SecurityFocus