Fedora Security :: Server Seems To Attack The World Hacking?
Apr 10, 2009
I went away from home for a few days, ... Now I am back at home and noticed, that my server is going out with 100% available bandwidth. The server is mainly Http / Ftp / Mail server, so I stopped all services, to see which one it is. ervices stopped, still 100Mbps go out like ants in the flood.
I updated the system, made a backup, installed IPtraf. It seems that I have something 'installed' and my server is running something to attack User computers. It seems to try to find something on random IP's random ports. I am a little bit confused now. As long as my sites are running, I'm ~OK~ but sooner or later I would like to have my bandwidth back. How could I try to hunt down which service/app/process got hacked?
It seems that the monetary system of our society got now more enemy's than friends. Capitalism seems to reach it's end. But my server is serving also ART! Sooner or later we will need to pay copyright even for our thoughts. I was reading today, that the French president wants to punish file sharing as his wife made 3 albums, and wants to get some money ..
View 12 Replies
ADVERTISEMENT
Dec 21, 2010
I have just configured Centos 5.5 LocalMailServer with fetchmail and sendmail , Proxy with Squid and FileServer with samba. Now my concern is security.. How can i protect my server with outside attack. Will I need to block some ports or I need special tools or script so no one from outside can attack my machine. My machine is working on intranet with local ip only.. No web server or static ip exists. Machine is connected with ADSL router to access internet.
View 5 Replies
View Related
Jan 25, 2011
how can I track a Dos and DDoS attack on a server . Does linux have any goiod known command line utilities and log files to us e in this way?
View 1 Replies
View Related
Aug 5, 2010
I have a server and i think that my server is under Ddos attack. i see that server is not having much load and only few process runs but my site opens very slow. i executed the following command on my ssh:
[Code]....
View 7 Replies
View Related
May 7, 2009
Attack Sneaks Rootkits Into Linux Kernel Quote: A researcher at Black Hat Europe this week will demonstrate a more stealthy way to hack Linux
Apr 14, 2009 | 04:21 PM
By Kelly Jackson Higgins
DarkReading
Kernel rootkits are tough enough to detect, but a researcher this week has demonstrated an even sneakier method of hacking Linux. The attack attack exploits an oft-forgotten function in Linux versions 2.4 and above in order to quietly insert a rootkit into the operating system kernel as a way to hide malware processes, hijack system calls, and open remote backdoors into the machine, for instance. At Black Hat Europe this week in Amsterdam, Anthony Lineberry, senior software engineer for Flexilis, will demonstrate how to hack the Linux kernel by exploiting the driver interface to physically addressable memory in Linux, called /dev/mem.
"One of bonuses of this [approach] is that most kernel module rootkits make a lot noise when they are inserting [the code]. This one is directly manipulating" the memory, so it's less noticeable, he says. The /dev/mem "device" can be opened like a file, and you can read and write to it like a text file, Lineberry says. It's normally used for debugging the kernel, for instance.
Lineberry has developed a proof-of-concept attack that reads and writes to kernel memory as well as stores code inside the kernel, and he plans to release a framework at Black Hat that lets you use /dev/mem to "implement rootkit-like behaviors," he says. The idea of abusing /dev/mem to hack the Linux kernel is not really new, he says. "People have known what you can do with these /dev/mem devices, but I have never seen any rootkits with dev/mem before," he says.
Quote: "The problem with kernel-based rootkits is that the rootkit can mitigate [detection] because it has control," he says. "It's a race in the kernel to see who's going to see who first." [URL]
View 1 Replies
View Related
May 13, 2009
I have full hdd encryption with a rather long key. The thing is the FBI might just show up at my house one day and have a warrant for my PC, and who wants the government looken through there life? I have a few plans on geting my PC shut down before they can get there hands on it. This is all well and good, but if they can sniff my key from the ram It doesn't matter what my key is or weather they find the computer on or off. Anyhow, i was wondering if there was some way I could add a script to the shut-down process that would over-write the ram.
View 11 Replies
View Related
Oct 20, 2009
I have been receiving attack alerts. And I would like to root out the source of the problem. I'll give you the messages. If you could help me prevent this hacker from even being able to attempt these things please any advice is helpful. There have been memory stack attempts, failed sys_admin conversion attempts, password file write attempts etc.....
[Code]...
View 5 Replies
View Related
Oct 3, 2009
I've just had a log email sent from the server box and it seems Somebody's trying to gain access to the server via ssh
sshd:
Authentication Failures:
root (210.38.xxx.xx): 16 Time(s)
unknown (210.38.xxx.xx): 7 Time(s)
Invalid Users:
Unknown Account: 7 Time(s)
& it seems that it's somebody who's at Zhanjiang Ocean University in china I've got the firewall enabled, but how do u set up rules to stealth the server's IP address to make it invisible & disable ssh so only I can log into the server to fix any problems (eithernet cable) not over the net
[Code]...
View 1 Replies
View Related
Feb 15, 2011
Curruntly using Ubuntu 9.10!I am eager to know where the hacking begins in linux? The stuff like netstat, telnet, or mail-forging or even pinging...ho do we do that in linux?
View 3 Replies
View Related
Jan 4, 2010
I think it is very easy to hack passwords in Linux, but I did not try it yet. If you use sudo you get 3 attempts for the correct password. But if you get enough time it should be no problem to hack it by bruteforce. Imagine a script an attacker places on your machine which runs for a few hours or days. I think it is much more effective to delete the user out of the admin (or adm?) group so that user cannot be any danger anymore. You would have to login with root and readd the user then.
You now say: but if you login with root you got almost the same effect as with sudo. Of course it is the same. That is why I would use a system (not sure which yet) to create sub enviroments of your OS, which got the attribute that they can run without root, only got one account that can sudo and once sudo access is denied there is no other way to login as root. You just can repermit sudo access by the parent os layer.
View 9 Replies
View Related
Dec 14, 2010
After a week this 200 lines c code still working, it seems Ubuntu forget it, what happend?
http://marc.info/?l=full-disclosure&...5358621826&w=2
*solved: I build a new kernel (2.6.32.27)
View 5 Replies
View Related
Aug 9, 2010
My server (CentOS 5.4) is being bombarded 24x7 with IP addresses from China trying to exploit phpMyAdmin. For every one I block on the firewall, half a dozen come to the funeral! It's a pity these morons don't have something better to occupy their time. I'm getting page after page of this (see below) every day and it's been going on for weeks. I don't even have phpMyAdmin on the server. I don't use it and I deleted it.
I've read that you can use .htaccess and / or mod_rewrite to redirect / block them based on any query for phpMyAdmin (they try all letters in upper and lower case, leading to page after page). Unfortunately, I have no idea of how to do this. I already have an .htaccess file. Maybe someone can suggest what to add to stop these pests from wasting my bandwidth and suggest somewhere I could redirect them to to cause them maximum problems. I don't want to block the entire country, seems a bit like overkill, not all Chinese are morons. we aren't even in the USA, so why they are doing this is beyond me.
A TINY sample!
[Sun Aug 08 13:29:08 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.2
[code]...
View 6 Replies
View Related
Aug 25, 2009
My server and clients (NFS and NIS) are in continuous attack via ssh. Somebody is trying to guess password and login, and making port 22 busy.What are different ways to stop this attack?I am thinking to block this ip in iptable but I have no good idea because I have not done this before. Any special consideration do I have to take while doing this thing? How is it done and which file does it modify?
View 14 Replies
View Related
May 3, 2010
Quote:
The 605-page PDF document reads like a listing of the pros and cons for a huge array of defensive and counterintelligence approaches and technologies that an entity might adopt in defending its networks. Of particular interest to me was the section on deception technologies, which discusses the use of honeynet technology to learn more about attackers� methods, as well as the potential legal and privacy aspects of using honeynets. Another section delves into the challenges of attributing the true origin(s) of a computer network attack.
View 1 Replies
View Related
Nov 23, 2010
I have implemented two machines one for honeypot(192.168.100.10) and another(192.168.100.20) to remotely log the honeypot log file using syslog. Inside honeypot I emulated another 3 machines with services on virtual IPs of that same block.Now honeypot is working and I can see the logs generating as I did a portscan(nmap) on those virtual IPs from .20 machine.All of the machines are running ubuntu.
But does anyone know any s/w or tools which originally attackers use so that I can get a clear picture of what happens from the logs. Having problems creating these attack scenarios.
View 2 Replies
View Related
May 30, 2011
i have 1 question no more because i got many ddos attack and my load is 95++ what is the best program to stop DDOS Attack ?
View 14 Replies
View Related
May 24, 2010
I may not be a code worrior, yet I have been a Ubuntu convert from Apple for about 3yrs now. Since 1984-2006 now hackers or viruses. And Until now Ubuntu has been clean, well I have been good with repos, etc.
1. Recently I found "Odd" behavior with my Amarok 1.4 player, ffmpeg, winff.
2. During a Synaptic upgrade there were some "unauthorized changes". I have seen this before due to some of my software, so I ignored it. . .
To my bewilderment, "It" erased Amarok 1.4 player, ffmpeg, winff, all image kernels, claimed domain over my system permissions, and external HD. B4 I shutdown, downloaded LUCID 10.4. . . restarted, then copied over all info possible to minimize a complete delete of my system. Upon restart, indeed all kernel images were gone, Only live CD allowed me access to repartition my HD.
NOW. I have Lucid running, and have been denied access to my external HD and partitioned (internal HD). I used Nautilus to copy over files to my internal laptop HD, yet permissions continue to be an issue. The INFECTED FOLDERS are owned by "User 999-user#999. I must micro manage every folder and file to gain "partial permission". The dialog box stutters and never allows me to go down to "Root"
View 5 Replies
View Related
Sep 28, 2010
Using Opera 10.61 and 10.62, I find that any secure website I access, such as a bank, the lock icon in the address bar is replaced by a question mark. Clicking on it brings up a window, stating that the connection is not secure, that the server does not support TLS Renegotiation. Doing some internet searches for "opera tls renegotiation" brought me to a page at the Opera website, where they discuss this issue. The issue is generic, not limited to Opera, affecting the TLS protocol, and it potentially enables a man-in-the-middle to renegotiate a "secure" connection between a server and client, issuing own commands to the server. Opera has addressed the problem on the client end, but now servers need to be upgraded too. None of the HTTPS sites I have tried have upgraded their servers, if the information provided by the Opera browser is correct.
My questions: how feasible is such a MITM attack, what level of resources would such an attack require? What, if anything, would the attacker need to know about the client and/or server to mount the attack? Would I be better off using Firefox, or is Firefox simply oblivious of the problem and not issuing warnings for that reason?
View 4 Replies
View Related
Dec 28, 2010
mpg123 suddenly started playing a police siren occationly. I checked the process once I heard it, and root was the process owner. How could this happen? Have someone broke into my computer? If so - how could I verify an attack? I run Ubuntu 9.10.
View 2 Replies
View Related
Apr 22, 2010
This is an excerpt from the Linux man page for mktemp command: "mktemp is provided to allow shell scripts to safely use temporary files. Traditionally, many shell scripts take the name of the program with the PID as a suffix and use that as a temporary filename. This kind of naming scheme is predictable and the race condition. It creates is easy for an attacker to win. A safer, though still inferior approach is to make a temporary directory using the same naming scheme. While this does allow one to guarantee that a temporary file will not be subverted, it still allows a simple denial of service attack. For these reasons it is suggested that mktemp be used instead."
- How can a denial-of-service attack be carried out if a directory name is known?
- Why is it important to use mktemp to generate a sufficiently random file/directory name for temporary files?
View 1 Replies
View Related
Mar 17, 2010
I got alarm on Firestarter showing attack from samba service on port 139 . Is that ok for my host computer ? or a serious attack .
View 9 Replies
View Related
Dec 14, 2010
I'm not concerned about this since this traffic is generated from the loopback address, but would like to find out what it is.
[code]...
View 1 Replies
View Related
May 1, 2009
I want to find out if I can get someone to help me with this. Sectool-gui says that the home_directory of user "mysql" is world-readable and that it also is world accessible. How do I close that accessibility?
View 6 Replies
View Related
Oct 3, 2010
This morning I ran sectool (in terminal for the first time. Before that I used sectool-gui) and I got this (written to file)...
See attachment please..
I think... the user "Jetty" may be a part of (or has something to do with SQL?).. This machine I have is not a server (in fact I know pretty much nothing about web servers).. this machine is used purely for local app development (python PyQt4/ and C++/wx - making games, general utilities, specialized calculators...etc)
So... Can anyone please tell me who the user "Jetty" is ? (The others are safe, I compiled python/SIP/PyQt4/wx/aliens from source... so that;s probably why it doesn't belong to packages.
Plus, My screen started to flicker some time (could it be possible someone is messing w/ my xorg configs?)
View 1 Replies
View Related
Feb 19, 2010
In my Open-Suse server I have a script, where makepasswd output(by default it generates similar passwords: cGyTbqpr, tpJ1LA, 33EXdo) is redirected to mkpasswd(which uses DES by default) in order to generate salted hash of this previously generated password. I would like to test the strength of this system. I have a quad core CPU, and if I start John The Ripper like this(I want to use -incremental:all flag):
john -incremental:all passwd
..only one core is utilized at 100%. Is there a possibility to make all four cores to crack this password? Or is this possible only after reprogramming John The Ripper? Or what is the algorithm for generating passwords with with -incremental:all flag? I mean if John generates passwords randomly in brute-force mode, then it's smart to start four different John processes simultaneously because then one of those four will find the password firs
View 2 Replies
View Related
Jul 29, 2009
I am having trouble getting my FC10 with tomcat visible to the outside world. first off i am somewhat new to linux. I am running vmware workstation to host my linux web server. i have my VMWare setup to use my second NIC solely. it is bridged and the tcp/ip is disable from the host. i can ping the ip address but cant access tomcat on port 8080 from the outside. i can hit it fine from inside fedora. i have configured my router (wrt54gs with DD-WRT firmware) for port forwarding. so basically i think that the problem is somewhere in between the host and the vmware configuring allowing the port to be forwarded through.
View 2 Replies
View Related
May 3, 2010
As governments around the world amass armies of hackers to protect their countries' computer networks and possibly attack others, the idea of getting officials together to discuss shared threats such as cybercrime is challenging.
"You just don't pick up the phone and call your counterparts in these countries," said retired Lt. Gen. Harry Raduege Jr., former head of the federal agency responsible for securing the military's and the president's communications technologies. "They're always guarded in those areas, and they're always wondering if there's some other motive" behind the outreach.
So the idea behind an international security conference in Dallas this week is to get government officials, industry executives and others talking, informally, about where they might find common ground.
View 6 Replies
View Related
May 4, 2010
Context: I happened to read through an old presentation today on OpenBSD's cryptography page called "A Future-Adaptable Password Scheme". In spite of its age, it still seems relevant and useful. One of the topics it discusses is the problem of "offline" attacks, where an attacker is not slowed down by any system (or other external) security. It's attacker vs. the computational cost of guessing passwords in such a scenario.
Specific question: On several unix-like systems (including Linux), the salt helps make building rainbow tables computationally expensive. It's not enough to guess a password and hash it; the proper salt must be provided as well, or the password will not be discovered.
However, the salt (or the hashed salt) seems to be visible in /etc/shadow. For example:
Code:
foouser:$6$U9a6HdUY$U3qFDMen0wDmL0x5WHm2OWhOgzOZ4MCQxV/oY.i5RhfXCQrLifIVkBpWOd1CbCGimVCjmfxZAaud/sXDf1.mv0:14733:0:99999:7::: So in an offline attack, a rainbow table could be built using precisely that salt, correct? (Yes, I realize /etc/shadow is not readable by non-root users, but I am considering an offline attack.) Building the salt (or the hashed salt) into the hashed password seems to defeat the purpose of using a salt altogether.
View 2 Replies
View Related
Jan 31, 2011
[url]
I ran across the above article, which described a DoS attack in which requests are sent very slowly to the Web server. I'm running lighttpd 1.4.28 on a Gentoo Linux server, and I'm wondering if there is anything I could do in preparation to defend against such an attack.
A bug report [url] seems to indicate that there was a patch in place already against this sort of attack, but I wanted to be sure that was the same thing and if there was anything else I needed to do.
View 3 Replies
View Related
Jun 18, 2009
My data center informed me that my shared web hosting server is producing a massive attack. Attack against who? how? etc?... well.. other than "your server is generating an attack of over 150,000 UDP connections", they did not specify the target IP, nor the specific port. The attacks usually run for less than 5 minutes and pose a threat on the datacenter's firewall itself (from within).
I ran various searches on my server and came up with nothing. (over 300 websites with PHP in 25GB of data, database etc).
I do not allow any shell/bash other than myself, so no other logins are available. (I re-checked /etc/passwd for any bash).
I believe that there is probably some php fsckopen call or something to that degree that responds to a call from an external server. To make it easier to diagnose the problem and then stopping it, I need your assistance developing a simple tracing tool, methodology.
I have wireshark installed on the server.
My thoughts on how to capture this attack (which occurs at random) is as follow:
1. run a service that greps and count the UDP connections currently on the server and does this every 60 seconds. ( a simple one minute cron is enough).
netstat -a |grep UDP -cw
2. Currently the output shows: 0 (zero).
3. I do run a DNS server that can be queried, so I expect to see some UDP calls every so often. However, this is probably going to occur at < 50 entries.
4 . run this logic if no high loads on the server.
If servers load is < 3.00
{
If ( netstat -a |grep UDP -cw ) > 50
{
./tshark > wireshark.hacker.trace<timestamp>.txt;
email me an alert that "hey wireshark was triggered";
sleep (15)
killall -9 tshark
}
}
View 2 Replies
View Related
