I manage a dedicated webserver running OpenSuse 11 which is currently hosting about 30 sites. I have never had any big problems until these last 2-3 months. One site after the other was being hacked, and the unwanted visitor installed all kinds of PHP shell scripts followed by torrent servers, etc. All hacked sites were sites using Joomla, so what I did was to close down those sites one by one. Well, I guess we all know Joomla is not a great solution if you just install it out of the box like those users were doing.
When trying to trace the intruder, only some African junk IPs and IPs from a company selling VPN connections through PayPal show up (yeah, great, love those guys ... do they really think that serious VPN users will pay with PayPal?). I checked all Apache and FTP logs (yes, he even managed to get some FTP logins), but only those damn 'proxy' IPs come up. The weird thing is that the guy seems to know how the server was 'built', since he manages to copy stuff from one site to the other. That is why I am suspecting someone who worked for a client's company, but I need proof. One way would be to let him hack a site and try to feed him something that would make him traceable, but what?
Well, I was randomly taking a look at my vsftpd log today, and came across something unusual to me. About a week ago a computer tried to connect to my computer repeatedly with bogus default usernames. There were many attempted connections with usernames such as 'user', 'root', 'linux', and 'login'. Probably about 1000 attempts, within about 2 seconds of each other.
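The pattern described in that post (many FAIL LOGIN entries from one client with a list of default usernames, seconds apart) is easy to pull out of a vsftpd log automatically. The script below is an added example and not the poster's code; the log lines in it are constructed sample data in the default vsftpd log format (timestamp, pid, user, FAIL/OK LOGIN, client IP), the 60-second window and the threshold are assumptions you would tune, and CONNECT or other non-login lines are skipped. It reports, per client IP, the total failures, the peak number of failures inside any window, and the distinct usernames tried, so a dictionary-style sweep like the one in the post stands out from a user who simply mistyped a password once.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data in vsftpd's default log format (not a real log).
SAMPLE_LOG = """\
Sun Jan  9 03:12:01 2011 [pid 2230] CONNECT: Client "198.51.100.23"
Sun Jan  9 03:12:01 2011 [pid 2231] [user] FAIL LOGIN: Client "198.51.100.23"
Sun Jan  9 03:12:02 2011 [pid 2232] [root] FAIL LOGIN: Client "198.51.100.23"
Sun Jan  9 03:12:03 2011 [pid 2233] [linux] FAIL LOGIN: Client "198.51.100.23"
Sun Jan  9 03:12:05 2011 [pid 2234] [login] FAIL LOGIN: Client "198.51.100.23"
Sun Jan  9 03:12:06 2011 [pid 2235] [admin] FAIL LOGIN: Client "198.51.100.23"
Sun Jan  9 03:12:07 2011 [pid 2236] [test] FAIL LOGIN: Client "198.51.100.23"
Sun Jan  9 09:41:10 2011 [pid 2301] [alice] FAIL LOGIN: Client "203.0.113.8"
Sun Jan  9 09:41:25 2011 [pid 2302] [alice] OK LOGIN: Client "203.0.113.8"
Sun Jan  9 10:05:55 2011 [pid 2350] [root] FAIL LOGIN: Client "198.51.100.23"
"""

# Only login result lines are of interest; CONNECT and transfer lines do not match.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_line(line):
    """Return {'ts', 'user', 'result', 'ip'} for a login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Collapse the padded day field ("Jan  9") before parsing the timestamp.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "user": m["user"], "result": m["result"], "ip": m["ip"]}


def peak_in_window(times, window_seconds):
    """Largest number of events that fall inside any window of window_seconds."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while (times[i] - times[j]).total_seconds() > window_seconds:
            j += 1
        best = max(best, i - j + 1)
    return best


def find_bruteforce(log_text, window_seconds=60, threshold=20):
    """Map client IP -> stats for IPs with >= threshold failures in one window."""
    failures = defaultdict(list)   # ip -> list of failure timestamps
    usernames = defaultdict(set)   # ip -> usernames tried and rejected
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "FAIL":
            continue
        failures[rec["ip"]].append(rec["ts"])
        usernames[rec["ip"]].add(rec["user"])

    findings = {}
    for ip, times in failures.items():
        peak = peak_in_window(times, window_seconds)
        if peak >= threshold:
            findings[ip] = {
                "failures": len(times),
                "peak_in_window": peak,
                "usernames": sorted(usernames[ip]),
            }
    return findings


if __name__ == "__main__":
    # Threshold lowered for the small sample; a real log would use the default.
    for ip, stats in find_bruteforce(SAMPLE_LOG, threshold=5).items():
        print(f"{ip}: {stats['failures']} failures, peak {stats['peak_in_window']}"
              f" in 60s, users tried: {', '.join(stats['usernames'])}")
```

Feed it the real file with `find_bruteforce(open('/var/log/vsftpd.log').read())`; the distinct-username list is the useful part when deciding whether an address was a scanner or a confused user, and the peak-per-window number is what you would feed a firewall rule or fail2ban-style blocker.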
I had remote desktop running on a machine, and I went downstairs the other day, turned it on, and someone was controlling the machine. Of course that's partially my fault since there was -zero- RD password set. However, my question is how did this person figure out my IP and get past the router to the machine? I don't have any forwarding set up. My router admin password is (and has always been) strong. I guess my question now is: is there any way to restrict RD access to the local network?
I have a server connected to the internet, placed in a DMZ, that was running ProFTPD. A couple of weeks ago a security threat was uncovered that would grant access to external users through a buffer overflow. Of course I patched my ProFTPD quite often after that to secure my server. Now my problem is that the servers of ProFTPD were compromised and source code with a back door was released. To make matters worse, compromised systems notify the hacker that they are infected. Is there any way to ensure I don't have a rootkit installed, short of reinstalling the system?
I know this post isn't strictly Linux based, but since the system in question appears to be using Linux and I am as well, I decided to post this here. In doing other network playing with Ubuntu Server 10.10 I noticed that on all traceroutes I did to any IP, the second hop from my house jumped through a connection on IP 24.96.153.61, which I think should only be another dynamic IP Knology.net customer...
In scanning the IP I now know that it's a Juniper Junos router 9.2R1.10 (probably running on some VMware, based on googling?). Open ports show: 22/tcp ssh, OpenSSH 4.4 (protocol 1.99); 23/tcp telnet, Openwall GNU/*/Linux telnetd.
At first I thought this was just a legit Knology.net DNS server or something, but using such outdated versions and freeware... I feel suspiciously like this is something else. Also, why in the world would Knology allow remote access to their mainframe equipment? Seems that if it were ever breached it would be beyond terrible for the ISP...
Finally, why can people SSH into my box from the outside if I have MAC address filtering on? Anyone know anything about this, or am I just being paranoid? I'm a noob, so knowing too little about all this is probably more the problem?
I am investigating solutions to trace a file deletion on a computer (Linux OS). I also need to determine whether, after a file deletion or download on a computer, the computer clock had not been modified. In case a file has been downloaded on a computer and then transferred to a removable device, I need to find out the file activity. I mean I should be able to tell that the file was downloaded and transferred to a device, with possible specifications.
I'm thinking of experimenting a bit with my desktop. I want to create a hacker-looking desktop and thought I'd do this by having lots of terminal apps. I'd like to hear some of your suggestions on the following stuff.
1. What WM should I use (I'm thinking something in the style of awesome wm, that is, a tiling one)?
2. What terminal client should I use? (The GNOME terminal doesn't look very good with the menubar; I guess I could remove it, but still, any alternative would be cool.)
3. Some generic apps that are run in the terminal (a nice media player, IM client (must have ICQ and MSN support), file manager, IRC client, mail client, generic gadgets like a clock for instance, etc.).
I just did a fresh install of Kubuntu 9.10. The GUI regularly locks up. I can SSH to it from another machine every time it locks up. Top shows Xorg consuming 99% CPU. I think downgrading the nvidia driver to 173 from 185 helped reduce the lockups. Before, they seemed very random and very frequent. Now it seems to happen when copying a large amount of files over the network, but I'm not entirely sure. It ran the electricsheep screensaver all day today with no problems and the RSS euphoria GL screensaver all day yesterday. If I copy 2GB of files from one local directory to another, no problem; if I do it through CIFS-mounted Samba shares it will lock up for sure. Small amounts seem OK. apt-get install has had some lockups too.
I don't really know how to trace what's going on beyond installing SSH and finding out that it's totally alive inside. I don't know what to look for in log files, nor which ones to look at. I didn't recognize anything wrong in the Xorg log. In the system log I looked for the time gap between when it locked up and I shut down and when I rebooted, but I didn't notice anything.
When I log into Mint 8, for example, the bottom bar (task bar) shows activity I did not start, e.g. keyboard, amongst others. System logs are suspicious:
Jan 9 22:23:24 patti-desktop dhclient: DHCPACK of 192.168.0.100 from 192.168.0.1
Jan 9 22:23:24 patti-desktop dhclient: bound to 192.168.0.100 -- renewal in 40777 seconds.
Jan 9 22:23:24 patti-desktop NetworkManager: <info> DHCP: device eth0 state changed preinit -> bound
[code]....
'patti-desktop' is not the user I'm trying to log in as, but it was, and there still exists a group (ops). I'm also having difficulty using sudo, but that might be my error. Is there a program I can use to see what is going wrong and correct it?
I am trying to turn TRACE off on Apache/2.0.52. In one of the previous postings on this site it was stated that TraceEnable should be used for newer versions of Apache (1.3.34+ or 2.0.22+). However, when I tried to use the man pages to get some information on how to use the directive, I got "No manual entry for TraceEnable". Can you tell me which version(s) of Apache support this directive?
It is possible to trace an IP address manually. I'm wondering whether a bash script could do the same without manual intervention. Kindly enlighten me on this topic.
Slackware 12.2.0, kernel 2.6.27.7, IBM ThinkPad A21m, current patches, Xfce 4.6. The laptop runs continuously; uptime was once 261 days until a power outage. It was running, I opened the lid, couldn't get any response from Xfce, tried to SSH in but couldn't. I checked the logs after reboot and couldn't see anything weird; the message log set a mark a few minutes before I powered down and rebooted. Is there anything else I can check for a possible lockup?
The usual answer is Debian's ldd(1), and I found broken things due to past lib abuses I previously hadn't understood I'd done, or rather hadn't realized, because by looking it "looked OK and worked", but I had problems. Many I fixed.
After I ran a new script, it showed some I'd STILL missed after carefully redoing /lib by hand (and using /var/lib/dpkg/info/libs.list).
I just made something that might be nice. It seems to be the only thing that does it, but it's small and quick and still has (tty/stdout) output.
The hard part isn't finding the info; objdump(1) does that wonderfully. It's using it.
I'm trying to install Fedora as part of a tri-boot system on my desktop machine. This machine has been running Windows 7 since launch, and now I've decided to free up some space on my primary HDD to test out both GNOME 3 (I've used GNOME 2.32 and earlier before and it wasn't for me) and KDE to see which of these desktops suits me better and whether they can effectively replace my Windows install. With Ubuntu going the way of Unity, I decided that Fedora was the choice for me. I proceeded to set up a Fedora live USB using UNetbootin, booted it up, and followed the install instructions, ensuring to set Windows as the default boot option as it is to remain my primary install. I set up my primary Fedora partition with 100000MB, my swap partition with 2410MB and a 1GB boot partition (leaving me with around another 100GB of unpartitioned space for a future KDE install). This, I hoped, would allow me to see the lovely GRUB splash screen defaulted to Windows, and if I wanted to try out Fedora I could simply change the option by scrolling down, similar to (but reversed from) my dual-boot Debian/Vista laptop.
However, upon booting up the system I was greeted with only the standard boot I had previously had before the Fedora install, with no hint that any change had occurred. I have confirmed that the Fedora install does exist, however, via the Disk Management tool on Windows. Can someone please help me get a GRUB boot/splash screen so that I can boot the Linux partition if I want?
I installed NoScript and Allowed some pages. I clicked RESET and then uninstalled NoScript via the Firefox Add-ons window. But when I "reinstall" it, it still has sites from my previous browsing Allowed, plus settings from my old install. How do I completely erase all its settings so that when I reinstall it, it is like a fresh/brand new install? I used to be able to do this with CCleaner for Windows.
I am using kernel 2.6.29 on my embedded device and enabled the config option "Support for tracing block io actions". After compiling the kernel and making its zImage (for porting to the device), the block folder compiled all files of blktrace and created .o files. After porting the zImage to my embedded device, when I try to run blktrace on it, it gives me the response "blktrace: not found". Does anybody have an idea? How do I trace an embedded device using blktrace?
I'm using Firefox on 10.10. I haven't installed crazy stuff on my machine as far as I can recall (I used the repositories, except for gtk+3), and I didn't go to any weird website either; same traffic as usual. The only weird thing was that my internet connection was abnormally slow this morning.
Today, though, some "http://www.browsersearch.org/" imposes itself on my browser even though my homepage is set to www.google.com. I can't figure out how this happens nor how I can get rid of it.
In a KDE terminal, apt-get was installing gem when it asked me to restart the kmn daemon (I'm not sure about the "kmn"...), and I hit "yes", when the GUI disappeared and fell back to tty1. I waited a while and then restarted the system, but KDE didn't start automatically (it used to). I tried "startx" and "startkde" but they are unknown. I don't know Linux this deep, so I don't know what to check or how to trace down this problem.
I have a USB pen (Kingston 8 GB) that the system does not recognize, maybe due to the fact that I did not safely remove it the last time. I do fdisk -l, but it does not appear in the list; in /dev there is no trace of it.
I want to create VBR traffic. I created a file which contains two 32-bit fields, but when I execute the tcl program with this, no packet transfer is shown. When I tried the same program with example-trace, I saw packet transfer. The content of my traffic trace file is as follows:
For some reason my DNS servers aren't able to resolve certain names. Most names resolve fine; there are just a few that don't work. nslookup doesn't work either, of course, and curiously neither does "whois".
I've got a few systems which forward ports to one another all over the place, and somewhere along the line a port forward fails. I want to trace the route of a connection on a specific port to see where the connection hits a wall, to see what system is causing the problem. I've tried `traceroute -T -p <port>`, but it doesn't output anything about the ports it hits, it stops when it hits the address I supplied even though it is forwarded elsewhere, and there doesn't seem to be a verbose mode. Interestingly, if I specify a different source port via the '-s' option, the trace keeps hopping to * * * * and never gets anywhere (at least to 27 hops, then I Ctrl+C).