Hacker on my gateway?
I'm running fully updated Ubuntu 8.04 (as of today).
I did a "users" out of the blue and saw "root shwick shwick" and I only had two ssh sessions open to my gateway.
I checked if there was an additional ssh client running, as that is the only thing that I have exposed on the internet side:
```
root 6069 1 0 Dec09 ? 00:00:00 sshd: shwick [priv]
shwick 6071 6069 0 Dec09 ? 00:00:01 sshd: shwick@pts/0
root 13731 1 0 Dec09 ? 00:00:00 sshd: shwick [priv]
shwick 13734 13731 0 Dec09 ? 00:00:00 sshd: shwick@pts/2
root 14653 1 0 Dec09 ? 00:00:00 /usr/sbin/sshd
```
Looks like just my two shwick clients.
I get an email whenever someone logs on via ssh, so I checked all those, no suspicious ips. Also grepped auth.* and saw only logins from my ip on the lan.
I installed rkhunter, did a scan and got 0 rootkits found, but got a warning on hidden folders:
```
Checking for hidden files and directories [ Warning ]
[19:57:09] Warning: Hidden directory found: /dev/.static
[19:57:09] Warning: Hidden directory found: /dev/.udev
[19:57:09] Warning: Hidden directory found: /dev/.initramfs
```
Is there a way to check exactly how the root user is logged in right now, and what it is doing?
I recently installed x11vnc and made a failed startup script for it, could that be doing something?
Thanks.
From my debian VM:
```
root 2114 1 0 Nov28 ? 00:00:00 /usr/sbin/sshd
root 32519 2114 0 08:52 ? 00:00:00 sshd: xxxx [priv]
xxxx 32521 32519 0 08:52 ? 00:00:00 sshd: xxxx@pts/0
```
I NEED AN ADULT!
```
root 14653 1 0 Dec09 ? 00:00:00 /usr/sbin/sshd
```
That's the sshd process itself, running as root, not root being logged in to an SSH session (notice it's sshd, not ssh@).
man sshd
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
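The distinction made in the reply above, as an added example that is not part of the original thread: a shell function that sorts `ps -ef` lines into sshd listener, privilege-separation monitor and login session, so a root-owned sshd line is not mistaken for a root login. The function names and the constructed root-session line are illustrative assumptions; the process-title patterns are the ones OpenSSH normally sets.

```bash
#!/usr/bin/env bash
# Added example: classify sshd entries in `ps -ef` output
# (columns: UID PID PPID C STIME TTY TIME CMD...).

# Prints "PID ROLE ACCOUNT" for every sshd process read from stdin.
classify_sshd() {
  awk '
    $8 == "sshd" || $8 ~ /\/sshd$/ { print $2, "listener", "-"; next }  # the daemon itself
    $8 != "sshd:"   { next }                                # not an sshd process title
    $10 == "[priv]" { print $2, "monitor", $9; next }       # root-owned parent of a user session
    $9 ~ /@/        { split($9, a, "@"); print $2, "session", a[1]; next }
                    { print $2, "other", "-" }              # e.g. pre-authentication children
  '
}

# Prints the PIDs of sshd sessions that belong to the root account.
root_ssh_sessions() {
  classify_sshd | awk '$2 == "session" && $3 == "root" { print $1 }'
}

# The five lines from the original post.
POSTED='root 6069 1 0 Dec09 ? 00:00:00 sshd: shwick [priv]
shwick 6071 6069 0 Dec09 ? 00:00:01 sshd: shwick@pts/0
root 13731 1 0 Dec09 ? 00:00:00 sshd: shwick [priv]
shwick 13734 13731 0 Dec09 ? 00:00:00 sshd: shwick@pts/2
root 14653 1 0 Dec09 ? 00:00:00 /usr/sbin/sshd'

# Constructed line (not from the thread): an actual root login over SSH.
CONSTRUCTED='root 20001 14653 0 Dec10 ? 00:00:00 sshd: root@pts/3'

printf '%s\n' "$POSTED" | classify_sshd
printf 'root sessions in posted output: [%s]\n' \
  "$(printf '%s\n' "$POSTED" | root_ssh_sessions)"
printf 'root sessions with constructed line: [%s]\n' \
  "$(printf '%s\n%s\n' "$POSTED" "$CONSTRUCTED" | root_ssh_sessions)"
```

On a live host the same functions can be fed with `ps -ef | classify_sshd`.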





