Security :: Fix A Source File That Had Definitely Not Changed?
Jul 9, 2010
I am running a Fedora 10 Virtual Server and have a feeling I have been hacked. I needed to fix a source file that I had definitely not changed myself. It was a PHP file concerned with usernames and passwords, so that made me even more suspicious. I have been investigating and found the following. If you need other information, give me the command I should run and I will update; I am no expert in this area and use the server to host my website and SVN. I am the only person that has access to the server.
Code:
# lsof -u nobody
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
I always use VNC to check my server for updates, and this morning I started the xvnc4viewer to VNC into my server and it kept asking for a password. I never set up a password because I do this locally from my laptop, and I am the only one who uses my laptop. I had to go to my server and check the settings in System > Preferences > Remote Desktop and found them all changed. There was a password set up and there was a check mark in the "you must confirm each access to this machine" box. Was there some security update that changed all these settings? Sometimes when I do updates I don't know what is being changed on my server.
Protect against root password change. I have recently had to force a change of the root password on a Linux box I was running. It was a test system which I had not used in a while, so I forgot the root password (not so smart). Anyway, I found that it was amazingly easy to reset the root password. Here is a straightforward article on how to do it. URL...
My question is: how can you protect against this? I see this as a security hole. I understand that the user must have physical access to the computer, but I want to lock the system down so you cannot easily enter single user mode or change the root password.
I'm running 64-bit Ubuntu Karmic, encrypted HDD. I changed my login password. When I try to boot, I click on my name and type in my new password and get "authentication fail". When I type in my old password this happens: "could not update ICEauthority file /home/chris/ICEauthority", "Their is a problem with the configuration server. (/usr/lib/libconf2-4/gconf-sanity-check-2) exited with status 256", "Nautilus could not create the following required folders /Home/chris/Desktop, /home/chris/.nautilus. Before running nautilus, please create these folders, or set permissions such that nautilus can create them."
I have asked this over on Launchpad and have found bugs filed on the Eclipse bug tracker, but it seems to be going nowhere so I guess I'll ask here.
I am using Eclipse for some development work. Having saved a file, I defocus the Eclipse window (to test changes in a browser); when I refocus the Eclipse window I get the following error...
The file 'path omyfile' has been changed on the file system. Do you want to replace the editor contents with these changes?
I have searched and searched and this seems to be a CIFS/Samba problem. I even found one solution suggesting that changing his mounts from cifs to smbfs fixed his problem; however, that would appear not to be an option for me, since using smbfs in the fstab causes cifs mounts. This problem would seem to occur in Bluefish as well as some other IDEs, so it is not an Eclipse issue.
Links to related: Launchpad Question, Eclipse Bug
So far I've changed the DNS on my home router to OpenDNS and I've added this. What does a DNS attack look like? How would I know if my DNS was poisoned or if I was under a Kaminsky-style attack?
Just want to stealth ports on my laptop. Had problems with Firestarter when I installed it on 10.10. Set Firestarter back to defaults and then dumped it with:
Code:
sudo apt-get purge firestarter
Set up Gufw to defaults and now am not sure what I am seeing with iptables. iptables -L shows .....
Do these settings look correct for default settings for Gufw? Or do I still have some problems with the old Firestarter settings not being removed? All I want is all ports stealthed. I know that ping is enabled, but I believe that is a default setting in ufw. Could I restore iptables to default with:
Code:
sudo iptables -F
and then enable Gufw and set default?
I just changed my password, and now every time I start my computer the keyring wants my old password and it keeps doing weird things even after I type it in. Like Ubuntu will say "No keyring found" or something to that effect, anyway.
When I set up an ID in Ubuntu, I encrypted it. I did a print screen of the passphrase and put it on the desktop. I'm just learning how to use the encryption, so don't fault me for putting it right on the desktop. There is no important data in this ID. Now, I went and changed my password to the account. On the next boot, I got a few error messages:
Could not update ICEauthority file /home/mickymouse/.ICEauthority
There is a problem with the configuration server /usr/lib/libconf2-4/gconf-sanity-check-2 exited with status 256
In researching these, it looks like the problem is that I changed the password but didn't update (or something) my passphrase.
I can't boot into the GUI but I have figured out how to boot to a command prompt. I don't have access to my home directory because I don't have my passphrase. Am I toast or is there a way to recover / update the passphrase?
For the second time in a week, I have set up an unmanaged CentOS 5.5 Storm Server at StormOnDemand, only to discover a ton of unauthorized changes to binaries (updated file checksums and sizes) on the server shortly thereafter. The time stamps do NOT change. If the time stamps did change, I would be hunting down what was doing some auto-updates. But the time stamps are not changing. This leads me to believe that these servers are suffering from either: 1. A virus or hacker is compromising the box. 2. System corruption. 3. Something else? To eliminate the possibility of number 1, I toasted the first server and started over with a new server and enabled their firewall from the start to only allow access for two IPs via SSH... my IP and my biz partner's.
Then, one of the first things we installed was a system we created that maintains a snapshot of most directories on the system so that it can be used to watch the live directories for changes. At 4:07am (server time) this morning, we received notice from this system that a massive number of files had changed in these directories. Again, no file time stamps changed. So, my question is this... is there any legitimate reason in a fairly standard CentOS 5.5 install that would cause so many files to change?
How efficient and effective are these (Snort, Argus, OSSEC, etc.) for an organization having a 3500-PC network, connected through 700+ Cisco devices (Layer 2 and Layer 3), and scattered across 130 different sites (geographically)? What should be the combination of products and what should be the architecture for an efficient forensics activity?
I am using a backup system with cron + tar. Since the server is very busy, I often get the cron email: "The file XYZ has changed while reading". This message is a bit annoying and I see it as a critical point in my backup system. I believe that this file is then not in my backup. (Is that correct?) Let's imagine the hard disk dies and I have to recover the system and my personal data, and in the night the MySQL table XYZ was not in the backup because it was in read usage. I would then have lost this table forever. Is there any way to tell tar that it should force the file to be included (if in read usage, then wait 2 seconds and try again)?
I've made a really critical and simple mistake and now I am trying to recover my computer. I accidentally logged into root and was trying to change permissions for the current directory with "." but instead used a "/", which started changing permissions of everything from / recursively. I quickly realized the mistake I made after it started and aborted the process by pressing Ctrl+C. However, I know many things are still not right because, even though I tried to reboot and change the permissions back to 0755 from the recovery mode root console, I still get errors when GNOME tries to start. Here is the exact error I am getting: "There is a problem with the configuration server (/usr/lib/libgconf2-4/gconf-sanity-check-2 exited with status 256". I'm pretty sure that because of the way I aborted, or because of the time the filesystem was running with 644 permissions, some amount of damage was done. Any way to recover it to normal? Or is there a way to recover it from the Ubuntu CD?
How do I monitor which files have been changed after, say, I run the passwd command? (I know, depending on the options used, it changes /etc/shadow and/or /etc/passwd.) But I would like to know if there are any clever ways of monitoring this. This is how I do it, which is a bit crude, and I have to know which directory to monitor. Before running the command, I run
Code:
for i in $(ls -A); do md5sum "$i" >> /tmp/before; done
And after running the command, I run
Code:
for i in $(ls -A); do md5sum "$i" >> /tmp/after; done
Then I do a diff to see if any file has been changed.
Now I managed to get iptables to work with my OpenVZ configuration and everything seems to work as it should. However, when I run iptables -L I can only see the source for the second SSH rule; why isn't the first one's source/IP shown? Also, if you have any comments about the setup, feel free. I'm running SSH, Apache and local MySQL.
The xxx.xxx is simply to hide my IPs.
Code:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
I heard that in Fedora 11, with the new kernel version, ext4 comes as the default file system. When I was upgrading Fedora 9 --> 10, I just changed the repos in /etc/yum.repos.d. Now the question: if I upgrade my system, will my file system get changed, and if it does, will my data get damaged?
Does anybody know of a tool for Linux that can watch a custom subtree of the filesystem for changes and execute a custom command when a change occurs? Such a tool would be very useful to quickly set up automatic building or uploading of source files.
I have recently set up my first Linux server (Hardy) and am having problems with the permissions for a log file being changed. I believe this is caused by syslogd, but am not sure how to correct it. Bacula will report it is unable to start a backup because it is unable to open the log file (/var/lib/bacula/log): "permission denied". After changing the owner from syslog to bacula, the backup will resume. However, the following day I encounter the same problem because the owner of the log has been changed back to syslog. I see where the permissions for logs are altered in sysklogd, but I am not certain how to make bacula exempt or if this is the right approach.
I have a site that I log in to to check updates. It does not have RSS because users need to authenticate themselves before getting access to the page. Is there a way to write a script that can log in to the page, check whether the HTML has changed and then send me an email?
I had a situation in which the path of the file to be copied is written in another file and I had to copy it using a shell script. I can use cp $(cat /home/robert/location.txt) /media/sda1 on a normal Linux shell... But I am using a buildroot script where $(cat /home/robert/location.txt) evaluates to nothing... it is just blank.
I noticed a very, very high CPU usage on my webserver. All four CPUs were running at 100%.
Top shows several perl processes from apache that run for a long time, with a high %CPU.
Since the server was FC10, I did a fresh installation of FC13, and the fresh installation didn't have this issue. Then I loaded back all the user data, and it started again.
Several (4, 6, 8, ... 100) perl processes from apache.
lsof -p with the pid of such a process
Code:
The established connection is sometimes to "proud2pirate.com", which is a non-existing domain.
I want to restrict SSH so that it's only accessible via the machines I own on this network. Obviously I need to secure user authentication/host authentication; that aside, though, is the following sufficient at a network level given that technical users also use this network? IP addresses are static, though I know they could be spoofed.
Code:
Chain INPUT (policy DROP)
target prot opt source destination
existing-connections all -- anywhere anywhere
allowed all -- anywhere anywhere
I have a server, and I want to drop all the traffic going out with a source port other than 80 (Apache) and 22 (SSH). The reason is I want to prevent my machine sending packets I don't know about (i.e. my server scanning networks or making DDoS attacks without my knowledge). The problem is the updates. If I do what I've said, the updates will not work. I want to allow updates, so I need to let DNS traffic (port 53) and the traffic of the updates go out.
The problem is the source port. This traffic uses a dynamic port (I think like HTTP). Is there any way to specify a source port to do this? If I had a static port to do this, I would drop all the traffic going out with a port other than 22, 53, 80 and this port.
I got some binaries from the internet (aMule), but am afraid of using them and exposing my system. Since some run long simulations, it is not desirable to run them in a slow VM.
What do you gurus say if I run it as a new user? So the binaries would just be able to read and execute my binutils... Is that harmful?
I am trying to compile a C source file to generate a .trb file (turbo file) which will then be burned on a turbo SIM using TP2. When I compile the code, the following error occurs. Before getting the error below, I was getting the error 'Unknown MCU atmega128', known MCUs are: (list appeared); then I changed the configuration and set the MCU to one from the supported list, and the following error is occurring.
It seems I had some kind of intrusion, and I found 6 files whose ownership changed to user 1035 and group 1035. I don't know how, but I need to change them back to their original owner (root), because one of them is the ls command and another is ifconfig. How can I revert them to their original state? I can't do it with chown.