
possible hack??

Posted: Tue Sep 21, 2010 1:36 pm
by yacahuma
I was doing some administration on my server and found this after a ps aux
root 454 0.0 0.0 1236 800 ?? Ss 11:45AM 0:00.00 popper: candy@60.52.154.185 [60.52.154.185]: PASS (popper)

candy is not a valid user on my machine. We blocked the IP, but does this mean that the user was running as root?? Or just that he was trying to log in?

Re: possible hack??

Posted: Tue Sep 21, 2010 2:29 pm
by alex.barylski
Yikes. ps lists processes, as you know. I would be freakin out too. I would guess that means they managed to run a daemon, script or something, but I am not a Linux guru by any means.

Do a locate auth.log

cat it or read it in nano; what do you see correlating to that IP?

Cheers,
Alex

Re: possible hack??

Posted: Tue Sep 21, 2010 5:38 pm
by yacahuma
But could it be just someone trying to log in, or that they ran a process??

Do you know what that popper command is?

Re: possible hack??

Posted: Tue Sep 21, 2010 6:12 pm
by alex.barylski
No idea, you should have posted this in the security forum, maybe Linux:

http://man-wiki.net/index.php/8:popper

May be of interest.
The server also enables clients to send mail using XTND XMIT, which is processed via sendmail(8).
That would lead one to suspect someone hacked into your server and was probably sending SPAM, which is pretty common if you install software you don't configure completely.

Cheers,
Alex

Re: possible hack??

Posted: Tue Sep 21, 2010 6:29 pm
by yacahuma
Thank you for the auth.log tip. I checked and saw a couple of tries to get in with common users like test and oracle.
But only my own accesses are the ones getting in (from my own IP). I think the popper is someone trying to connect through POP3.
popper is in my inetd conf. Maybe I should disable it, since I don't send email on that machine.

Thank you all for your help. I feel a bit better now, I was very concerned. The lesson of the day: do not let your guard down.

All the attacks come from China
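A small triage script for the two checks discussed in this thread: what the popper line in ps actually says (the first column is the daemon's uid, the remote user is the name after "popper:"), and which source IPs in auth.log only ever tried non-existent users. This is an added example, not code from the original thread; the sample ps and auth.log lines are constructed (standard OpenSSH sshd message format assumed), and LOCAL_USERS stands in for the login names in /etc/passwd.

```python
import re
from collections import Counter

# Constructed sample input (not from the poster's server): one `ps aux` line of the
# kind shown in the thread, and auth.log lines like the failed SSH logins described.
PS_LINES = [
    "root 454 0.0 0.0 1236 800 ?? Ss 11:45AM 0:00.00 popper: candy@60.52.154.185 [60.52.154.185]: PASS (popper)",
    "nobody 512 0.0 0.1 5000 2000 ?? S 11:40AM 0:00.10 /usr/sbin/httpd",
]
AUTH_LINES = [
    "Sep 21 11:45:02 host sshd[1234]: Failed password for invalid user test from 60.52.154.185 port 4021 ssh2",
    "Sep 21 11:45:09 host sshd[1235]: Failed password for invalid user oracle from 60.52.154.185 port 4022 ssh2",
    "Sep 21 11:50:00 host sshd[1240]: Accepted password for yacahuma from 192.0.2.10 port 51000 ssh2",
]
LOCAL_USERS = {"root", "nobody", "yacahuma"}  # stand-in for the login names in /etc/passwd

# As the thread's ps line shows, popper rewrites its command line to "popper: <user>@<host> [<ip>]: <state>"
# while a client is connected; the owner column is the uid popper runs as, not the remote client's.
POPPER_RE = re.compile(r"^(?P<owner>\S+)\s.*popper:\s+(?P<user>[^@\s]+)@\S+\s+\[(?P<ip>[\d.]+)\]")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")

def popper_sessions(ps_lines, local_users):
    """POP3 sessions visible in ps output, noting whether the claimed mailbox user exists locally."""
    sessions = []
    for line in ps_lines:
        if m := POPPER_RE.search(line):
            sessions.append({"owner": m["owner"], "user": m["user"], "ip": m["ip"],
                             "known_user": m["user"] in local_users})
    return sessions

def auth_summary(auth_lines):
    """Count failed and accepted sshd logins per (user, source IP)."""
    failed, accepted = Counter(), Counter()
    for line in auth_lines:
        if m := FAILED_RE.search(line):
            failed[(m["user"], m["ip"])] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted[(m["user"], m["ip"])] += 1
    return failed, accepted

def suspicious_ips(ps_lines, auth_lines, local_users):
    """Source IPs that tried a non-existent user (POP3 or SSH) and never logged in successfully."""
    failed, accepted = auth_summary(auth_lines)
    logged_in = {ip for (_, ip) in accepted}
    tried_unknown = {s["ip"] for s in popper_sessions(ps_lines, local_users) if not s["known_user"]}
    tried_unknown |= {ip for (user, ip) in failed if user not in local_users}
    return tried_unknown - logged_in
```

An IP in the result with no accepted login is consistent with the guessing the thread describes; a hit in the accepted set for an unknown source would be the signal that actually warrants the rebuild josh recommends.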

Re: possible hack??

Posted: Tue Sep 21, 2010 6:33 pm
by John Cartwright
yacahuma wrote: All the attacks come from China
Careful with that one. In reality, most black-hat proxies are located in China, through which attacks from all over the world are routed (which doesn't necessarily mean the attacks are Chinese in origin).

Re: possible hack??

Posted: Tue Sep 21, 2010 7:50 pm
by alex.barylski
I wish someone else would chime in about what this is. LOL

auth.log at work had said similar things, such as oracle, test, etc. Failed login attempts. I'm wondering whether I should disable SSH right at the firewall and just use Windows RDC, then SSH. :p That way responsibility falls on someone else's shoulders, the Windows network manager. :drunk:

Cheers,
Alex

Re: possible hack??

Posted: Wed Sep 22, 2010 4:51 am
by josh
If they ran a process as root, they were probably clever enough to edit the auth.log. Also, you don't necessarily need root access to run a process as root. If you have daemons (like Apache) running as root, and those services are vulnerable, they could be exploited into launching processes. Needless to say, if Apache is running as root, your PHP scripts become another possible exploit target as well.

The best thing to do is not react prematurely. Just set up a new server, clean all your files, get that up and running (don't use any of the same credentials), and get rid of the old server. If you try and kill a malicious process, lots of times the hacker will be tipped off.

Re: possible hack??

Posted: Wed Sep 22, 2010 8:00 am
by alex.barylski
josh wrote: The best thing to do is not react prematurely. Just set up a new server, clean all your files, get that up and running (don't use any of the same credentials), and get rid of the old server. If you try and kill a malicious process, lots of times the hacker will be tipped off.
Not sure if this is a best practice, but it's what I would do too, similar to reformatting under Windows when you have a virus/spyware. Surefire way to ensure everything is as it should be.

Cheers,
Alex

Re: possible hack??

Posted: Thu Sep 23, 2010 5:59 am
by yacahuma
Apache runs as nobody, popper (or pop3) runs as root.