teapot  Tux's lil' helper
Joined: 09 Nov 2006  Posts: 85  Location: Stockholm, Sweden
Posted: Sun Jan 11, 2009 7:39 pm  Post subject: Unauthorized remote login
Hello!
I made a whole series of silly things on a freshly installed machine, resulting in an unauthorized remote login on the computer (my fileserver). This included creating a user 'test' with the password 'test123'.
Of course I know that it is a really stupid thing to do, but since the computer is behind a firewall I never thought it would be a serious problem, and I was going to delete the account anyway. But the computer's IP (retrieved by DHCP) was by coincidence written in the DMZ box in my router configuration utility.
I began to become suspicious when it was impossible to log in as 'test'. I thought there was a permission problem somewhere, but when my router was constantly blinking on the port attached to this computer I decided to pull the plug and check the logs.
In /home/test there was now a lot of files which I definitely didn't put there, and the log shows a successful login from a remote machine (with IP number).
This could have been nasty, but luckily my other disks weren't mounted, and the install is completely fresh.
As the user 'test' there is nothing dangerous you can do. The user doesn't have any read permissions in my real home directory, and the big partition with all my stuff wasn't mounted.
But out of pure curiosity I wonder what this person tried to do?
There is a .tar.gz file containing an eggdrop IRC bot and some Perl scripts.
In one of the .pl files there is a header describing it as the "Plesk universal bruteforcer".
Another file has the name udp.pl, which probably is responsible for making the router blink at a high rate.
What is this? Why the IRC bot?
Any ideas?
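As an added example (not from this thread), a small log check in the spirit of what the original poster did by hand: it scans sshd-style auth log lines, flags accepted logins that did not come from the home LAN, and reports how many failed attempts from the same address preceded each one. It assumes the remote login went through sshd with its standard "Accepted/Failed ... for USER from IP" lines and that the LAN is 192.168.1.0/24; the log lines and addresses below are constructed (the attacker address is from the documentation range).

```python
import re
import ipaddress
from collections import defaultdict

# Assumption: the home LAN of the fileserver. Anything outside it is "remote".
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample auth log lines in sshd's format (not the poster's real log).
SAMPLE_LOG = """\
Jan 10 03:12:01 fileserver sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Jan 10 03:12:04 fileserver sshd[2213]: Failed password for test from 203.0.113.45 port 51240 ssh2
Jan 10 03:12:07 fileserver sshd[2215]: Failed password for test from 203.0.113.45 port 51246 ssh2
Jan 10 03:12:10 fileserver sshd[2217]: Accepted password for test from 203.0.113.45 port 51250 ssh2
Jan 10 09:30:12 fileserver sshd[2301]: Accepted publickey for teapot from 192.168.1.20 port 40001 ssh2
"""

# Matches both "Accepted password for test from IP" and
# "Failed password for invalid user admin from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def analyse_auth_log(text):
    """Return accepted logins from outside the LAN, each annotated with the
    number of failed attempts already seen from the same source address."""
    failures = defaultdict(int)  # source IP -> failed attempts so far
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
            continue
        if ipaddress.ip_address(m["ip"]) in LAN:
            continue  # logins from the LAN are expected on a home fileserver
        findings.append({
            "user": m["user"],
            "ip": m["ip"],
            "method": m["method"],
            "prior_failures": failures[m["ip"]],
        })
    return findings


if __name__ == "__main__":
    for f in analyse_auth_log(SAMPLE_LOG):
        print(f"{f['user']} logged in from {f['ip']} via {f['method']} "
              f"after {f['prior_failures']} failed attempts from that address")
```

On a real machine, feed it the contents of /var/log/auth.log (Ubuntu) instead of SAMPLE_LOG; a password login for a throwaway account preceded by a burst of failures is exactly the pattern described in the post.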
nixnut  Bodhisattva
Joined: 09 Apr 2004  Posts: 10974  Location: the dutch mountains
Posted: Sun Jan 11, 2009 7:49 pm
Your machine is completely compromised. Wipe the filesystems and install from scratch.
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered.
talk is cheap. supply exceeds demand
teapot  Tux's lil' helper
Joined: 09 Nov 2006  Posts: 85  Location: Stockholm, Sweden
Posted: Sun Jan 11, 2009 7:53 pm
nixnut wrote: Your machine is completely compromised. Wipe the filesystems and install from scratch.
No, it's not.
How could it be? The root password is really secure, and it should take more than two days (current uptime) to crack it, right?
But what were they trying to do with my machine?
scan2006  n00b
Joined: 20 Jan 2008  Posts: 48
Posted: Sun Jan 11, 2009 8:01 pm
Maybe trying to run a botnet? They use IRC to control them from what I have read.
albright  Advocate
Joined: 16 Nov 2003  Posts: 2588  Location: Near Toronto
Posted: Sun Jan 11, 2009 8:22 pm
Well, at least I think you should *assume* your system is compromised, but maybe you've studied all the (known) local root exploits and are absolutely certain none could work against you.
_________________
.... there is nothing - absolutely nothing - half so much worth doing as simply messing about with Linux ...
(apologies to Kenneth Grahame)
teapot  Tux's lil' helper
Joined: 09 Nov 2006  Posts: 85  Location: Stockholm, Sweden
Posted: Sun Jan 11, 2009 8:35 pm
OK. I could agree on that.
I will probably wipe it just to be sure; it is an Ubuntu install anyway, so no harm done.
But in my world it is fairly unlikely that a recently patched install can be compromised that quickly, but on the other hand I don't know so much about root exploits.
There is a reason why you should be careful with who is logging in on your computer.