Security :: How To Find The Trace Of The Attacks

Dec 30, 2008

I fear that an attack or an entry in my PC has occured, how to find the trace of the attacks.

View 3 Replies


ADVERTISEMENT

Security :: HOW TO Protect From VPN Attacks

Jun 1, 2011

I would like to know how to protect networks against VPN attacks? How does big industries do it? What does the government tend to use? Are any tools open source that I may get?

View 1 Replies View Related

Security :: Prevent Ddos Apache Attacks?

Jan 25, 2011

recently my Apache server crashes very often; by watching the error log,I've notice several signs of intrusion.So, I think the problem can be a denial of service attack against my machine.My distribution is Debian Lenny.

View 2 Replies View Related

Ubuntu Security :: Block PHP Injection Attacks With Fail2ban

Apr 12, 2010

I'm trying to implement this method to block php injection attack using fail2ban: here it is, however I'm not sure it applies to Ubuntu. You see, there's this filter that must be added to the fail2ban jail file:

HTML Code:
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen

[Code]....

View 7 Replies View Related

Ubuntu Security :: SSH Pubkey Authentication And MITM Attacks

Jan 6, 2011

Given that my public key is a pre-shared secret is sshd made in a way that this negates the possibility of a man in the middle attack? In other words, if the known_hosts file were to be deleted, would it be safe to ignore the fingerprint of a server that already has my public key in authorized_keys?

View 5 Replies View Related

Security :: Researchers Working Toward Processor-Specific Attacks?

Nov 10, 2010

With the disappearance of an OS monoculture, attackers would do well to find attacks that are neither OS or application specific. One way to do that, of course, is to target attacks at hardware, rather than software. Now research out of Frances Ecole Superiore d'Informatique, Electronique, Automatique (ESIEA) moves a step closer to that goal: identifying a method for isolating the processor used by anonymous systems for the purpose of subverting that hardware.

View 2 Replies View Related

Debian Configuration :: Root Attacks Due To Security Breach In Exim4?

Jan 21, 2011

My debian server has been attacked due to a security breach in exim4 4.69-9 (probably applies to loads of other versions too). The security breach allows the attacker to get root access by creating a buffer overflow in a header which then can be used to inject code.

[URL]

The securtiy breach is fixed with 4.69-9+lenny1 I want to share my actions with you on what I did to (hopefully) get rid of it. However at the time of writing this, the above website is down due to too much load (DDOS Attack?). How you can check if you've been attacked:

The attack creates a buffer overflow in exim4, which results in paniclog entries.

$ cat /var/log/exim4/paniclog
2010-12-17 07:34:11 string too large in xxxyyy()
2010-12-19 10:42:10 string too large in xxxyyy()

this would be an example of two attacks. One on 2010-12-17 and the other two days later 2010-12-19.with this information you can start find potentially infected files. There may be a better way, but I searched for them with this command:

$ find / -mtime 31 2>/dev/null # files,directories,links created 31 days ago (i.e. 2010-12-17)

My infected files:

/usr/bin/uptime
/usr/bin/pwdx
/usr/bin/slabtop

[code]....

View 4 Replies View Related

Security :: Advanced Firewall And Testing - Block Certain Kinds Of Attacks?

Dec 14, 2010

I launched my website. At the moment the site has an firewall (iptables) enabled with very simple rules. All incoming traffic is blocked, except for the ports http and ssh. Everything is working perfect, but I want also to be able to block certain kinds of attacks. There are some really good examples on the internet, but I don't now if they contain all kinds of attacks which are relevant to my situation. To be clear, I only server web content through port 80 and use ssh to remote login.

View 3 Replies View Related

Security :: How To Trace Hacker

Dec 2, 2010

I manage a dedicated webserver running OpenSuse 11 which is currently hosting about 30 sites. I have never had any big problems until these last 2-3 months. One site after the other was being hacked and the unwanted visitor installed all kind of php shell scripts followed by torrent servers, ... etc. All hacked sites were sites using Joomla, so what I did was to close down those sites one by one. Well, I guess we all know Joomla is not a great solution if you just install it out of the box like those users were doing.

When trying to trace the intruder only some african junk IPs and IPs from a company selling VPN connections thru paypal show up (yeah great, love those guys ... do they really think that serious VPN users will pay with paypal) I checked all apache and FTP logs (yes, he even managed to get some FTP login) but only those damn 'proxy' IPs come up. The weird thing is that the guy seems to know how the server was 'build' since he manages to copy stuff from one site to the other. That is why I am suspecting someone who worked for a clients company, but I need proof. One way would be to let him hack a site and try to feed him something that would make him traceable, but what?

View 9 Replies View Related

Security :: Trace Ip In Pidgin?

Jan 20, 2010

I am using pidgin for google chat. Is it possible to know the IP of the person i am chatting with?

View 4 Replies View Related

Ubuntu Security :: Pen Test IIS - Methods To Simulate Attacks To Check HIPS Detects?

Jan 27, 2011

I need to do a pentest on a Microsoft IIS webserver to test the efficiency of the HIPS i have installed on. methods to simulate attacks so that i can check if the HIPS will detect them?

View 4 Replies View Related

Security :: My Server - Deb5 And Plesk10 - Is Involved - Causing - In Brute Force Attacks

May 6, 2011

I am ashamed that I am causing other people troubles, but apparantly my server is involved in attacking the servers of other people.

I have to admit that I am not too familiar with using a CLI, or Linux for that matter, but I have a Debian server running under Plesk 10, which is colocated.

Now I have received messages from the datacenterm which state that my server is involved in brute force attacks.

The messages show a lot of lines like this:

Code:

The only I get from my hoster is to back up all domains and re-install the machine.

I want to resolve this asap, but do not agree with that action for two reasons: the machine just had a fresh re-install 2 months ago, so if it is a flaw in the OS, I will get the same flaw back, and if it is not OS related but due to a domain, I will get the problem back by putting back the backed-up domains.

But now I'm stuck: what steps should I follow to try and find the cause of this evil and make sure that my machine will not bother other machines anymore?

I realize that this probably will be a steep learning-curve, but please bare with me and help me to resolve this.

What have I done so far?

1) There are a number of live sites on this server, either running WordPress or Joomla, I have made sure they are all updated to the latest release.

2) I have manually looked at the source code of the index-files of those sites, haven't seen anything strange, like redirects.

3) I have used online scanners to check all sites for malware, all have been reported back to be clean.

4) I have run the Plesk-version of RKhunter, and that gives me certain warnings which I cannot (or do not) understand:

Code:

Code:

Code:

I received the first report of these attempts about a week ago and immediately changed the Plesk/SSH password to a 200bit password generated with KeePass, hoping that would keep out any evildoers.

View 14 Replies View Related

Security :: Trace Route From Home Showing Suspicious Hop Just Outside LAN?

Mar 15, 2011

I know this post isn't strictly linux based, but since the system in question appears to be using Linux and I am as well I decided to post this here. In doing other network playing with Ubuntu Sever 10.10 I noticed that on all traceroutes I did to any IP the second hop from my house jumped through a connection on IP 24.96.153.61 which I think should only be another dynamic IP Knology.net customer...

In scanning the IP I now know that its a Juniper Junos Router 9.2R1.10 (Probably running on some VMware based on googling?) Open ports show: 22 ssh openSSH 4.4 v. 1.99 23 telnet Openwall GNU/*/Linux telnetd

At first I thought this was just a legit Knology.net DNS server or something, but using such outdated versions and freeware... I feel suspiciously like this is something else. Also, why in the world would knology allow remote access to their mainframe equipment? Seems that if it were ever breached it would be beyond terrible for the ISP...

Finally, why can't people not SSH into my box from the outside if I have MAC address filtering on? Anyone know anything about this or am I just being paranoid? I'm a noob, so knowing too little about all this is probably more the problem?

View 5 Replies View Related

General :: Send Mails Status Says Its Sent But Can't Trace Or Find The Mail

Jan 13, 2010

I am trying to send a mail using sendmail, status says sent and quied for delivory but I am unable to find the message where it gone to or where it is.

I am using Redhat 5.4
My domain is -- mydomain
my host - redhat
Jan 13 23:41:05 redhat sendmail[4116]: o0DIB3bE004116: from=root, size=53, class=0, nrcpts=1, msgid=<201001131811.o0DIB3bE004116@mydomain.co.rw>, relay=root@localhost

[Code]....

I dont understand this last line (I think) it says the mail sent but and quied. Where is he quing, is it on the remort mail relay or in the local machine

I used mailq and mailq -AC both shows 0 entries

View 2 Replies View Related

Security :: Detect File Deletion On An Operating System And Trace The File History Or Activity?

Oct 19, 2010

i am investigating on solutions to trace a file deletion on a computer( Linux O/S).i also need to determine weither after a file deletion or download on a computer, the computer clock had not been modified. In case a file has been downloaded on a computer and then transferred to a removable device, i need to find out the file activity. i mean i should be able to tell that the file was downloaded and transferred to a device with possible specifications.

View 2 Replies View Related

General :: Vulnerable To PDF Attacks?

May 12, 2011

I've heard of attacks using PDF files on Windows with Adobe Acrobat and Foxit Reader. Is Linux vulnerable to these attacks when using the default PDF viewers in KDE or Gnome or even xpdf? What is a good PDF scanner to determine if a PDF file is evil?

View 2 Replies View Related

Debian :: Protection Against Incoming Attacks?

Mar 5, 2011

I'm using Debian 6 to host a website (with apache2) and a game server. But because of attacks to my server, my hosting company have now set it offline.

These are the two logs that they provided (I replaced all IPs):
Direction IN
Internal ***.***.***.***

[code]....

View 4 Replies View Related

Ubuntu :: Does 10.04 LTS Protect You From DDoS/Dos Attacks?

Oct 31, 2010

I was just wondering if you were to get DDoSed/Dosed would ubuntu block the packets or protect you in some way?

View 1 Replies View Related

Fedora Networking :: VPS - Blocking HTTPD DOS Attacks?

Apr 6, 2010

I have a VPS which is running HTTPD, and its getting blown to bits by a DOS Attack. Turns out mod_evasive is totally useless (due to not running a total - rather counting per child process) and the only way to stop the box from running at 100% on all cores is to term HTTPD. So, what rules can I implement on the iptables firewall to block multiple requests from an IP? I saw this: [URL] Where someone has posted some rules but these dont work ("unknown error 4294967295" on the 3rd line). This is what i'm after though - block multiple requests from a single IP for a certain period of time.

View 3 Replies View Related

General :: Detect DoS Attacks / Manually Block IP On Ubuntu?

Sep 14, 2011

I have a VPS with Ubuntu. I host a small website (~10 visitors at the same time). Sometimes the website starts lagging. It lags so bad that my SSH connection starts lagging too. Running top says that 2 instances of apache2 take up 50 %CPU each.

I assume this is a DoS attack. I've copy-paste installed a few iptables scripts that made sense, but this has not helped. I installed libapache2-mod-evasive -- I'm sure it blocks the attacker, but I'm still lagging.

What can I do? Can I at least find the IP of the attacker? I have strong experience with Linux, but almost zero experience with being a server admin.

View 2 Replies View Related

General :: How To Stop Pop3 Brute Force Attacks

Mar 31, 2011

I have a mail server running RHEL, with postfix, dovecot, etc. I installed Fail2ban and this works wonders against SSH brute force attacks. It'll ban an IP address for a period of time if it unsuccessfully attempts to log on 3 times within, say a minute. I was wondering if it can be as effective with pop3 attacks. If it is, how can I get it done?

View 1 Replies View Related

Server :: Lessen Impact Of Bandwidth Attacks With IPTables Or APF?

Apr 26, 2011

My server has been the repeated victim of bandwidth attacks: any large file on the server is downloaded repeatedly, with the goal of pushing the server over the provider's bandwidth limit. How can I lessen the effect of these kinds of attacks with IPTables or APF? For example, can I set the server to: Is this possible? Is there a more effective way, and can a firewall even do this? My web server is Lighttpd, perhaps I can place such a rule directly in its config?

View 1 Replies View Related

Networking :: Analyze Network Traffic For Attacks And While Finding The Attack?

Apr 9, 2010

I need to learn how to analyze network traffic for attacks and while finding the attack seems easy in my case I need to identify what hes doing. I will be happy right now if you guys can answer my question. How to identify if an attack has brought the server down? I have packet captures of an attack in progress and I noticed that every now and then the attacker would do something weird and the server would start sending packets with just the RST packet sent in response. Normally I had been seeing the RST ACK flags set or the FIN ACK bits set to terminate a connection. So once again my question is how do I tell if the traffic indicates a server crash?

View 1 Replies View Related

Ubuntu Servers :: Iptables To Rate-limit Brute Force Attacks On SSH Server?

Sep 30, 2010

I have a SSH server set up at home listening on port 22. I have hardened the server so it is pretty secure but I want to make it even safer by editing my iptables to rate-limit incoming connections and DROP false login attempts. I have tried these tutorials but I just cant get it to work:[URL]I want the debian-administration.org tutorial to work but when I try to add the first rule in terminal:sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --setI get the following:Bad argument --set'I am new to iptables and I'm not sure if I'm doing something wrong when I try to set it up. I'm using Ubuntu 10.04.1 LTS with iptables v1.4.4.

View 6 Replies View Related

General :: Secure Box - Authentication Failure - Long Strong Password Can Stop To Prevent From Attacks?

Mar 17, 2010

we are using linux email server axigen past few years. we keep port open ssh and pop,smtp webmail etc. ssh use for remote trouble shooting. so through firewall it is globally accessable. we notice many attacks coming to our machine, also some people try to enter in our system but failure. as example see below a log come in messages file

Mar 17 09:19:50 sa1 sshd(pam_unix)[21231]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.51.13.120 user=root how we can secure more. as per my understanding only good long strong password can stop to prevent from attacks.

View 5 Replies View Related

Ubuntu :: How To Trace GUI Locking Up

Jan 1, 2010

I just did a fresh install of Kubuntu 9.10. The GUI regularly locks up. I can SSH to it from another machine everytime it locks up. Top shows Xorg consuming 99% cpu. I think downgrading the nvidia driver to 173 from 185 helped reduce the lockups. Before they seemed very random and very often. Now it seems to happen when copying a large amount of files over the network but I'm not entirely sure. It ran the electricsheep screensaver all day today with no problems and the RSS euphoria GL screensaver all day yesterday. If I copy 2GB of files from one local directory to another no problem, if I do it through cifs mounted samba shares it will lock up for sure. Small amounts seem ok. Apt-get install has had some lock ups too.

I don't really know how to trace what's going on beyond installing ssh and finding out that it's totally alive inside. I don't know what to look for in log files nor which ones to look at. I didn't recognize anything wrong in Xorg log. In the system log I look for the time gap between when it locked up and I shut down and when I rebooted but I didn't notice anything.

View 1 Replies View Related

Security :: How To Find USB Logs

Jun 16, 2010

how to find USB enteries/ logs in linux

View 5 Replies View Related

General :: Support For POSIX Trace?

Oct 14, 2010

Is it possible to add support for POSIX Trace to my Ubuntu?

# getconf _POSIX_VERSION
200809
# getconf _POSIX_TRACE
undefined

View 2 Replies View Related

Networking :: How To Trace Energy Metric In NS2

Jan 11, 2010

How to trace the energy information from the trace file. also how to change the energy drain in faster manner.

View 2 Replies View Related

General :: How To Trace And Remove Intruders

Jan 9, 2010

When I log into Mint8 ,for example, the bottom bar (task bar) shows activity I did not start eg, keyboard amongst others. System logs are suspicious:

an 9 22:23:24 patti-desktop dhclient: DHCPACK of 192.168.0.100 from 192.168.0.1
Jan 9 22:23:24 patti-desktop dhclient: bound to 192.168.0.100 -- renewal in 40777 seconds.
Jan 9 22:23:24 patti-desktop NetworkManager: <info> DHCP: device eth0 state changed preinit -> bound

[code]....

'patti-desktop' is not the user I'm trying to login to but its was and still exist a group (ops). Also having difficulty using sudo but that might be my error. Is there a program I can use see what is going wrong correct it.

View 12 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved