possible hack??



yacahuma
Forum Regular
Posts: 870
Joined: Sun Jul 01, 2007 7:11 am

possible hack??

Post by yacahuma »

I was doing some administration on my server and found this after a ps aux
root 454 0.0 0.0 1236 800 ?? Ss 11:45AM 0:00.00 popper: candy@60.52.154.185 [60.52.154.185]: PASS (popper)

candy is not a valid user on my machine. We blocked the IP, but does this mean that the user was running as root?? Or just that he was trying to log in?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: possible hack??

Post by alex.barylski »

Yikes. ps lists processes, as you know. I would be freakin' out too. I would guess that means they managed to run a daemon, script or something, but I am not a Linux guru by any means.

Do a locate auth.log

cat it or read it in nano; what do you see correlating to that IP?

Cheers,
Alex
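The check Alex suggests here (look through auth.log for anything correlating to the IP) is easy to script. The following is an added example, not code from the original thread: it parses the standard OpenSSH "Failed password" and "Accepted" lines, counts failures per source address, collects the invalid usernames each source tried (the "test" and "oracle" style probes mentioned later in the thread), and flags any successful login that did not come from an address you list as trusted. The log excerpt is constructed; hostnames, PIDs and the 203.0.113.x / 198.51.100.x addresses are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log excerpt (not from the original post). The
# hostname, PIDs and the 203.0.113.x / 198.51.100.x addresses are
# placeholders from the documentation address ranges.
SAMPLE_AUTH_LOG = """\
Mar  3 11:40:01 host sshd[2201]: Failed password for invalid user test from 203.0.113.9 port 40122 ssh2
Mar  3 11:40:05 host sshd[2203]: Failed password for invalid user oracle from 203.0.113.9 port 40130 ssh2
Mar  3 11:40:09 host sshd[2205]: Failed password for root from 203.0.113.9 port 40141 ssh2
Mar  3 11:41:30 host sshd[2210]: Accepted password for admin from 198.51.100.7 port 51022 ssh2
Mar  3 11:42:02 host sshd[2212]: Accepted publickey for admin from 203.0.113.44 port 53001 ssh2
"""

# OpenSSH's standard "Failed password" / "Accepted <method>" line formats.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+"
)


def summarize_auth_log(text, trusted_ips=()):
    """Count failed logins per source IP, collect the invalid usernames
    each source tried, and list successful logins, flagging any that did
    not come from an address in trusted_ips."""
    failed_by_ip = Counter()
    invalid_users = defaultdict(set)
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            invalid, user, ip = m.groups()
            failed_by_ip[ip] += 1
            if invalid:
                invalid_users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append({"user": user, "ip": ip, "method": method})
    untrusted = [a for a in accepted if a["ip"] not in trusted_ips]
    return {
        "failed_by_ip": dict(failed_by_ip),
        "invalid_users": {ip: sorted(u) for ip, u in invalid_users.items()},
        "accepted": accepted,
        "untrusted_accepted": untrusted,
    }


if __name__ == "__main__":
    # Your own admin address goes in trusted_ips; anything else that got
    # in is what you want to see first.
    report = summarize_auth_log(SAMPLE_AUTH_LOG, trusted_ips=("198.51.100.7",))
    for ip, n in sorted(report["failed_by_ip"].items(), key=lambda kv: -kv[1]):
        users = report["invalid_users"].get(ip, [])
        print(f"{ip}: {n} failed logins, invalid users tried: {users}")
    for a in report["untrusted_accepted"]:
        print(f"WARNING: successful {a['method']} login for {a['user']} from untrusted {a['ip']}")
```

Run it against the real file with something like summarize_auth_log(open("/var/log/auth.log").read(), trusted_ips=("your.admin.ip",)). Failed attempts from a single address against usernames that do not exist are the noisy part; the line that matters is any Accepted login from an address you do not recognise. Bear in mind josh's later point in the thread: if someone already has root, the log may have been edited, so an empty "untrusted" list is reassuring but not proof.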
yacahuma
Forum Regular
Posts: 870
Joined: Sun Jul 01, 2007 7:11 am

Re: possible hack??

Post by yacahuma »

But could it be just someone trying to log in, or that they ran a process??

Do you know what that popper command is?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: possible hack??

Post by alex.barylski »

No idea. You should have posted this in the security forum, maybe Linux:

http://man-wiki.net/index.php/8:popper

May be of interest.
The server also enables clients to send mail using XTND XMIT, which is processed via sendmail(8).
That would lead one to suspect someone hacked into your server and was probably sending SPAM, which is pretty common if you install software you don't configure completely.

Cheers,
Alex
yacahuma
Forum Regular
Posts: 870
Joined: Sun Jul 01, 2007 7:11 am

Re: possible hack??

Post by yacahuma »

Thank you for the auth.log tip. I checked and saw a couple of tries to get in with common users like test and oracle.
But only my accesses are the ones getting in (from my own IP). I think the popper is someone trying to connect through POP3.
popper is in my inetd conf. Maybe I should disable it, since I don't send email on that machine.

Thank you all for your help. I feel a bit better now; I was very concerned. The lesson of the day: do not let your guard down.

All the attacks come from China
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: possible hack??

Post by John Cartwright »

yacahuma wrote: All the attacks come from China
Careful with that one. In reality, most black-hat proxies are located in China, through which attacks from all over the world are routed (which doesn't necessarily mean the attacks are Chinese in origin).
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: possible hack??

Post by alex.barylski »

I wish someone else would chime in about what this is. LOL

auth.log at work had said similar things, such as oracle, test, etc. Failed login attempts. I'm wondering whether I should disable SSH right at the firewall and just use Windows RDC, then SSH. :p That way responsibility falls on someone else's shoulders, the Windows network manager. :drunk:

Cheers,
Alex
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: possible hack??

Post by josh »

If they ran a process as root, they were probably clever enough to edit the auth.log. Also, you don't necessarily need root access to run a process as root. If you have daemons (like Apache) running as root, and those services are vulnerable, they could be exploited into launching processes. Needless to say, if Apache is running as root, your PHP scripts become another possible exploit target as well.

The best thing to do is not react prematurely. Just set up a new server, clean all your files, get that up and running (don't use any of the same credentials), and get rid of the old server. If you try and kill a malicious process, lots of times the hacker will be tipped off.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: possible hack??

Post by alex.barylski »

josh wrote: The best thing to do is not react prematurely. Just set up a new server, clean all your files, get that up and running (don't use any of the same credentials), and get rid of the old server. If you try and kill a malicious process, lots of times the hacker will be tipped off.
Not sure if this is a best practice but it's what I would do too, similar to reformatting under Windows when you have a virus/spyware. Sure fire way to ensure everything is as it should be.

Cheers,
Alex
yacahuma
Forum Regular
Posts: 870
Joined: Sun Jul 01, 2007 7:11 am

Re: possible hack??

Post by yacahuma »

Apache runs as nobody; popper (or pop3) runs as root.