I have been receiving attack alerts. And I would like to root out the source of the problem. I'll give you the messages. If you could help me prevent this hacker from even being able to attempt these things please any advice is helpful. There have been memory stack attempts, failed sys_admin conversion attempts, password file write attempts etc.....
[Code]...
this is the allert i got:Code:Summary:Your system may be seriously compromised! /usr/sbin/NetworkManager tried to loada kernel module.Detailed Description:SELinux has prevented NetworkManager from loading a kernel module. All confinedprograms that need to load kernel modules should have already had policy writtenfor them. If a compromised application tries to modify the kernel this AVC willbe generated. This is a serious issue.Your system may very well be compromised.Allowing Access:Contact your security administrator and report this issue.Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:NetworkManager_t:s0
Target Objects None [ capability ]
[code]....
I went away from home for a few days, ... Now I am back at home and noticed, that my server is going out with 100% available bandwidth. The server is mainly Http / Ftp / Mail server, so I stopped all services, to see which one it is. ervices stopped, still 100Mbps go out like ants in the flood.
I updated the system, made a backup, installed IPtraf. It seems that I have something 'installed' and my server is running something to attack User computers. It seems to try to find something on random IP's random ports. I am a little bit confused now. As long as my sites are running, I'm ~OK~ but sooner or later I would like to have my bandwidth back. How could I try to hunt down which service/app/process got hacked?
It seems that the monetary system of our society got now more enemy's than friends. Capitalism seems to reach it's end. But my server is serving also ART! Sooner or later we will need to pay copyright even for our thoughts. I was reading today, that the French president wants to punish file sharing as his wife made 3 albums, and wants to get some money ..
Attack Sneaks Rootkits Into Linux Kernel Quote: A researcher at Black Hat Europe this week will demonstrate a more stealthy way to hack Linux
Apr 14, 2009 | 04:21 PM
By Kelly Jackson Higgins
DarkReading
Kernel rootkits are tough enough to detect, but a researcher this week has demonstrated an even sneakier method of hacking Linux. The attack attack exploits an oft-forgotten function in Linux versions 2.4 and above in order to quietly insert a rootkit into the operating system kernel as a way to hide malware processes, hijack system calls, and open remote backdoors into the machine, for instance. At Black Hat Europe this week in Amsterdam, Anthony Lineberry, senior software engineer for Flexilis, will demonstrate how to hack the Linux kernel by exploiting the driver interface to physically addressable memory in Linux, called /dev/mem.
"One of bonuses of this [approach] is that most kernel module rootkits make a lot noise when they are inserting [the code]. This one is directly manipulating" the memory, so it's less noticeable, he says. The /dev/mem "device" can be opened like a file, and you can read and write to it like a text file, Lineberry says. It's normally used for debugging the kernel, for instance.
Lineberry has developed a proof-of-concept attack that reads and writes to kernel memory as well as stores code inside the kernel, and he plans to release a framework at Black Hat that lets you use /dev/mem to "implement rootkit-like behaviors," he says. The idea of abusing /dev/mem to hack the Linux kernel is not really new, he says. "People have known what you can do with these /dev/mem devices, but I have never seen any rootkits with dev/mem before," he says.
Quote: "The problem with kernel-based rootkits is that the rootkit can mitigate [detection] because it has control," he says. "It's a race in the kernel to see who's going to see who first." [URL]
I have full hdd encryption with a rather long key. The thing is the FBI might just show up at my house one day and have a warrant for my PC, and who wants the government looken through there life? I have a few plans on geting my PC shut down before they can get there hands on it. This is all well and good, but if they can sniff my key from the ram It doesn't matter what my key is or weather they find the computer on or off. Anyhow, i was wondering if there was some way I could add a script to the shut-down process that would over-write the ram.
View 11 Replies View RelatedI receive messages such as the below:
SELinux is preventing /usr/sbin/httpd from using potentially mislabeled filesjk-runtime-status. SELinux has denied the httpd access to potentially mislabeled filesjk-runtime-status. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_tmp_t,
I know how to change the owner of a file and the permissions but what does it mean to change the file context?
I'm seeing a problem on RHEL5, whereby all users can receive mail (/var/spool/mail/<user>), but only root gets a new mail alert when logging in.
The relevant bash variables ($MAIL, $MAILCHECK) seem to be set for all users.
I have just configured Centos 5.5 LocalMailServer with fetchmail and sendmail , Proxy with Squid and FileServer with samba. Now my concern is security.. How can i protect my server with outside attack. Will I need to block some ports or I need special tools or script so no one from outside can attack my machine. My machine is working on intranet with local ip only.. No web server or static ip exists. Machine is connected with ADSL router to access internet.
View 5 Replies View Relatedhow can I track a Dos and DDoS attack on a server . Does linux have any goiod known command line utilities and log files to us e in this way?
View 1 Replies View RelatedQuote:
The 605-page PDF document reads like a listing of the pros and cons for a huge array of defensive and counterintelligence approaches and technologies that an entity might adopt in defending its networks. Of particular interest to me was the section on deception technologies, which discusses the use of honeynet technology to learn more about attackers� methods, as well as the potential legal and privacy aspects of using honeynets. Another section delves into the challenges of attributing the true origin(s) of a computer network attack.
I have implemented two machines one for honeypot(192.168.100.10) and another(192.168.100.20) to remotely log the honeypot log file using syslog. Inside honeypot I emulated another 3 machines with services on virtual IPs of that same block.Now honeypot is working and I can see the logs generating as I did a portscan(nmap) on those virtual IPs from .20 machine.All of the machines are running ubuntu.
But does anyone know any s/w or tools which originally attackers use so that I can get a clear picture of what happens from the logs. Having problems creating these attack scenarios.
i have 1 question no more because i got many ddos attack and my load is 95++ what is the best program to stop DDOS Attack ?
View 14 Replies View RelatedI may not be a code worrior, yet I have been a Ubuntu convert from Apple for about 3yrs now. Since 1984-2006 now hackers or viruses. And Until now Ubuntu has been clean, well I have been good with repos, etc.
1. Recently I found "Odd" behavior with my Amarok 1.4 player, ffmpeg, winff.
2. During a Synaptic upgrade there were some "unauthorized changes". I have seen this before due to some of my software, so I ignored it. . .
To my bewilderment, "It" erased Amarok 1.4 player, ffmpeg, winff, all image kernels, claimed domain over my system permissions, and external HD. B4 I shutdown, downloaded LUCID 10.4. . . restarted, then copied over all info possible to minimize a complete delete of my system. Upon restart, indeed all kernel images were gone, Only live CD allowed me access to repartition my HD.
NOW. I have Lucid running, and have been denied access to my external HD and partitioned (internal HD). I used Nautilus to copy over files to my internal laptop HD, yet permissions continue to be an issue. The INFECTED FOLDERS are owned by "User 999-user#999. I must micro manage every folder and file to gain "partial permission". The dialog box stutters and never allows me to go down to "Root"
Does anyone know of any software that can monitor the Apache logs for certain phrases or keywords then send an alert when found? For example I know an attempt to hack has been made when I see log entries like this....
/admin/
/admin/phpadmin/
/phpadmin/
But by the time I see it, the attempt has long since failed or succeeded. What I need is a way for my server to alert me WHILE someone is entering these phrases. I realize there may be a "hit" to performance but my server is not that busy anyway (except for hackers).
Using Opera 10.61 and 10.62, I find that any secure website I access, such as a bank, the lock icon in the address bar is replaced by a question mark. Clicking on it brings up a window, stating that the connection is not secure, that the server does not support TLS Renegotiation. Doing some internet searches for "opera tls renegotiation" brought me to a page at the Opera website, where they discuss this issue. The issue is generic, not limited to Opera, affecting the TLS protocol, and it potentially enables a man-in-the-middle to renegotiate a "secure" connection between a server and client, issuing own commands to the server. Opera has addressed the problem on the client end, but now servers need to be upgraded too. None of the HTTPS sites I have tried have upgraded their servers, if the information provided by the Opera browser is correct.
My questions: how feasible is such a MITM attack, what level of resources would such an attack require? What, if anything, would the attacker need to know about the client and/or server to mount the attack? Would I be better off using Firefox, or is Firefox simply oblivious of the problem and not issuing warnings for that reason?
mpg123 suddenly started playing a police siren occationly. I checked the process once I heard it, and root was the process owner. How could this happen? Have someone broke into my computer? If so - how could I verify an attack? I run Ubuntu 9.10.
View 2 Replies View RelatedThis is an excerpt from the Linux man page for mktemp command: "mktemp is provided to allow shell scripts to safely use temporary files. Traditionally, many shell scripts take the name of the program with the PID as a suffix and use that as a temporary filename. This kind of naming scheme is predictable and the race condition. It creates is easy for an attacker to win. A safer, though still inferior approach is to make a temporary directory using the same naming scheme. While this does allow one to guarantee that a temporary file will not be subverted, it still allows a simple denial of service attack. For these reasons it is suggested that mktemp be used instead."
- How can a denial-of-service attack be carried out if a directory name is known?
- Why is it important to use mktemp to generate a sufficiently random file/directory name for temporary files?
I got alarm on Firestarter showing attack from samba service on port 139 . Is that ok for my host computer ? or a serious attack .
View 9 Replies View RelatedI'm not concerned about this since this traffic is generated from the loopback address, but would like to find out what it is.
[code]...
In my Open-Suse server I have a script, where makepasswd output(by default it generates similar passwords: cGyTbqpr, tpJ1LA, 33EXdo) is redirected to mkpasswd(which uses DES by default) in order to generate salted hash of this previously generated password. I would like to test the strength of this system. I have a quad core CPU, and if I start John The Ripper like this(I want to use -incremental:all flag):
john -incremental:all passwd
..only one core is utilized at 100%. Is there a possibility to make all four cores to crack this password? Or is this possible only after reprogramming John The Ripper? Or what is the algorithm for generating passwords with with -incremental:all flag? I mean if John generates passwords randomly in brute-force mode, then it's smart to start four different John processes simultaneously because then one of those four will find the password firs
I have a server and i think that my server is under Ddos attack. i see that server is not having much load and only few process runs but my site opens very slow. i executed the following command on my ssh:
[Code]....
I found this on Bee's website. For more info on this exploit there are links there:[URl]..All you have to do in Fedora 13 is enter the following lines in a shell as normal user:
[Code]...
I don't think this can be considered solely an "upstream" problem, because I first tried it in Arch using the same version of glibc, and the final command causes both gnome-terminal and xterm windows to disappear.
I noticed a very very high cpu usage on my webserver. All four CPUs were running on 100%.
Top shows several perl processes from apache that run for a long time, with a high %CPU.
Since the server was fc10, I did a fresh installation to fc13, and the fresh installation didn't have this issue. Then I loaded back all the user-data, and it started again.
Several, 4, 6, 8, ... 100 perl processes from apache.
lsof -p with the pid of such a process
Code:
The estabilished connection is sometimes "proud2pirate.com" wich is a non-existing domain.
Context: I happened to read through an old presentation today on OpenBSD's cryptography page called "A Future-Adaptable Password Scheme". In spite of its age, it still seems relevant and useful. One of the topics it discusses is the problem of "offline" attacks, where an attacker is not slowed down by any system (or other external) security. It's attacker vs. the computational cost of guessing passwords in such a scenario.
Specific question: On several unix-like systems (including Linux), the salt helps make building rainbow tables computationally expensive. It's not enough to guess a password and hash it; the proper salt must be provided as well, or the password will not be discovered.
However, the salt (or the hashed salt) seems to be visible in /etc/shadow. For example:
Code:
foouser:$6$U9a6HdUY$U3qFDMen0wDmL0x5WHm2OWhOgzOZ4MCQxV/oY.i5RhfXCQrLifIVkBpWOd1CbCGimVCjmfxZAaud/sXDf1.mv0:14733:0:99999:7::: So in an offline attack, a rainbow table could be built using precisely that salt, correct? (Yes, I realize /etc/shadow is not readable by non-root users, but I am considering an offline attack.) Building the salt (or the hashed salt) into the hashed password seems to defeat the purpose of using a salt altogether.
I have a fedora 10 server to which I can ssh as the root user using RSA.
However for any user other than root a password is always requested.
I have made changes to PAM and check the rights to all the files and read pages upon pages. I can mess it up completely so no one can login but cant get it so that anyone other than root can use a public key.
Another interesting and may be related item is that when any user logs in, with a password, via ssh then they get the error:
Could not chdir to home directory /home/xxxx: Permission denied
But they can cd to their home directory and have no problems.
I am thinking that this may be to do with the mount. The home directory is on a HDD but the system dive is an SSD.
I have gone over everything so many times I am now lost, I must be overlooking something so simple and obvious its just not coming to mind.
i still can't see quite well the security reason for not allowing one logging in as root on Fedora, but anyway...how to become the root on my system, Fedora 10, please?i did open a terminal and typed s - root then my password, now im the root, but only on the terminal, as CLI, but what if i want to change the munu.lst inside grub i.e.? and some other files or settings that there's no option to just type in the root password, how to overcome that please?
View 9 Replies View RelatedI have a problem, I have installed Fedora 11. And i need to login as root user.
How to do so?
what does one do when he forgets the root password ? i still have a terminal logged in as root how can i change the password in terminall
View 2 Replies View RelatedI am using Fedora 10 .Generally to update I open a virtual console by pressing Ctrl-Alt-F2,login as root and give the "yum update" command.Then I continue using my graphical terminal for other tasks from the 'non-root' account..Now my room-mate comes uses my 'non-root' account to browse web for few minutes and then opens a terminal types "halt", ENTER and viola...! My root account seems to be insulted by a 'non-root' user!.When I am doing updates or other important work as root any silly user can just 'halt' my computer. Can somebody tell me how to set up my computer so that when root is logged in no other user can simply halt the computer.
View 3 Replies View RelatedCan the audit daemon (auditd) be run by a non-root user? I'd like to create a special user who only run the audit daemon. Is that possible?
View 1 Replies View Related