possible hack??
I was doing some administration on my server and found this after a ps aux
root 454 0.0 0.0 1236 800 ?? Ss 11:45AM 0:00.00 popper: candy@60.52.154.185 [60.52.154.185]: PASS (popper)
candy is not a valid user on my machine. We blocked the IP, but does this mean that the user was running as root? Or just that he was trying to log in?
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: possible hack??
Yikes. ps lists processes as you know. I would be freaking out too. I would guess that means they managed to run a daemon, script or something, but I am not a Linux guru by any means.
Do a locate auth.log
cat it or read it in nano. What do you see correlating to that IP?
Cheers,
Alex
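The check suggested above (find the remote IP in the ps line, then look for it in auth.log), written out as an added example that is not part of the thread. It assumes the Qpopper process-title layout shown in the quoted ps line and OpenSSH's standard "Failed password" log format; the ps rows and log lines are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the ps aux line quoted in the thread plus two harmless rows.
PS_OUTPUT = """\
root     1  0.0  0.0   528  320 ??  Ss  11:40AM 0:00.01 /sbin/init
root   454  0.0  0.0  1236  800 ??  Ss  11:45AM 0:00.00 popper: candy@60.52.154.185 [60.52.154.185]: PASS (popper)
nobody 612  0.0  0.1  9340 2100 ??  S   11:41AM 0:00.03 /usr/local/sbin/httpd
"""

# Constructed auth.log lines in OpenSSH's standard "Failed password" format.
AUTH_LOG = """\
Mar  3 11:44:02 host sshd[801]: Failed password for invalid user test from 60.52.154.185 port 4021 ssh2
Mar  3 11:44:05 host sshd[803]: Failed password for invalid user oracle from 60.52.154.185 port 4022 ssh2
Mar  3 11:46:10 host sshd[807]: Accepted password for admin from 192.0.2.10 port 5011 ssh2
Mar  3 11:47:30 host sshd[809]: Failed password for root from 198.51.100.7 port 3300 ssh2
"""

# Qpopper rewrites its process title as "popper: user@host [ip]: STATE (popper)" (assumed from the ps line).
POPPER_RE = re.compile(r"popper: (?P<user>\S+)@\S+ \[(?P<ip>[\d.]+)\]: (?P<state>\w+)")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

def popper_sessions(ps_text):
    """Return (process owner, claimed user, remote ip, state) for each popper session in ps output."""
    out = []
    for line in ps_text.splitlines():
        m = POPPER_RE.search(line)
        if m:
            out.append((line.split()[0], m["user"], m["ip"], m["state"]))
    return out

def failed_ssh_by_ip(log_text):
    """Map source IP -> Counter of usernames that failed SSH password authentication."""
    fails = defaultdict(Counter)
    for line in log_text.splitlines():
        m = SSH_FAIL_RE.search(line)
        if m:
            fails[m["ip"]][m["user"]] += 1
    return fails

def correlate(ps_text, log_text):
    """IPs that are mid-POP3-login in ps AND have failed SSH logins in auth.log, with the names tried."""
    fails = failed_ssh_by_ip(log_text)
    return {ip: dict(fails[ip]) for _, _, ip, _ in popper_sessions(ps_text) if ip in fails}

if __name__ == "__main__":
    for owner, user, ip, state in popper_sessions(PS_OUTPUT):
        print(f"popper process owned by {owner}: remote {user}@{ip}, state {state}")
    for ip, users in correlate(PS_OUTPUT, AUTH_LOG).items():
        print(f"{ip} also failed SSH logins as: {users}")
```

The process owner column ("root") is the daemon's own uid; the "PASS" state only says the remote side sent a password, not that it was accepted.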
Re: possible hack??
But could it be just someone trying to log in, or that they ran a process?
Do you know what that popper command is?
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: possible hack??
No idea. You should have posted this in the security forum, maybe Linux:
http://man-wiki.net/index.php/8:popper
May be of interest.
Cheers,
Alex
"The server also enables clients to send mail using XTND XMIT, which is processed via sendmail(8)."
That would lead one to suspect someone hacked into your server and was probably sending SPAM, which is pretty common if you install software you don't configure completely.
Cheers,
Alex
Re: possible hack??
Thank you for the auth.log tip. I checked and saw a couple of tries to get in with common users like test and oracle.
But only my own accesses are the ones getting in (from my own IP). I think the popper is someone trying to connect through POP3.
popper is in my inetd.conf. Maybe I should disable it, since I don't send email on that machine.
Thank you all for your help. I feel a bit better now; I was very concerned. The lesson of the day: do not let your guard down.
All the attacks come from China
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
Re: possible hack??
yacahuma wrote: All the attacks come from China
Careful with that one. In reality, most black-hat proxies are located in China, through which attacks from all over the world are routed (which doesn't necessarily mean the attacks are Chinese in origin).
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: possible hack??
I wish someone else would chime in about what this is. LOL
auth.log at work had said similar things, such as oracle, test, etc. Failed login attempts. I'm wondering whether I should disable SSH right at the firewall and just use Windows RDC, then SSH. :p That way responsibility falls on someone else's shoulders, the Windows network manager.
Cheers,
Alex
Re: possible hack??
If they ran a process as root, they were probably clever enough to edit the auth.log. Also, you don't necessarily need root access to run a process as root. If you have daemons (like Apache) running as root and those services are vulnerable, they could be exploited into launching processes. Needless to say, if Apache is running as root, your PHP scripts become another possible exploit target as well.
The best thing to do is not react prematurely. Just set up a new server, clean all your files, get that up and running (don't use any of the same credentials), and get rid of the old server. If you try and kill a malicious process, lots of times the hacker will be tipped off.
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: possible hack??
Quote: The best thing to do is not react prematurely. Just set up a new server, clean all your files, get that up and running (don't use any of the same credentials), and get rid of the old server. If you try and kill a malicious process, lots of times the hacker will be tipped off.
Not sure if this is a best practice, but it's what I would do too, similar to reformatting under Windows when you have a virus/spyware. Sure-fire way to ensure everything is as it should be.
Cheers,
Alex
Re: possible hack??
Apache runs as nobody; popper (or pop3) runs as root.