Solved

Help i think someone is hacking into my redhat 9 firewall

Posted on 2004-08-25
Last Modified: 2010-04-22
I was hoping someone could help me determine how to prevent the bit of log file below from happening again.
 --------------------- SSHD Begin ------------------------


SSHD Started: 1 Time(s)

Failed logins from these:
   admin/password from 213.22.23.246: 1 Time(s)
   guest/password from 213.22.23.246: 1 Time(s)
   test/password from 213.22.23.246: 1 Time(s)

**Unmatched Entries**
Illegal user test from 213.22.23.246
Illegal user guest from 213.22.23.246
Illegal user admin from 213.22.23.246
 succeeded

 ---------------------- SSHD End -------------------------

The first thing I have done is add this unknown person's IP address to the hosts.deny file.
Next, could you please tell me the command to find out what new files have been created,
and also how to prevent this from happening again.
This would be most appreciated.
Question by: jaxxman

Accepted Solution by: bobgunzel
You might try chkrootkit from http://www.chkrootkit.org. Compile it on another computer though.

Bob Gunzel

Author Comment by: jaxxman
I am sorry, I am a newbie to Linux and I don't have another Linux box to compile it on. I could probably compile it on the same computer with a couple of steps if you tell me what the commands are.
Is there not a quick command I can type to find newly created files?

Could I compile chkrootkit on a Windows PC, or get an RPM version?

Expert Comment by: marko020397
If someone breaks into your computer, he usually wants to cover up his presence. Usually programs like ps, top, w, last, ... which show processes or users are altered to hide the intruder.

Use the command "rpm -Va" to check which files installed on your computer were changed and how they were changed. This will not show you newly installed files, but it will show you changed files. It is a pretty good indicator to see if someone uninvited is in your computer. Type "man rpm" for details about it.

Of course the intruder can also replace your rpm program to hide changed files, but this is usually not done. And try "which [command]". For instance "which rpm" or "which ps" to see if the right program is called.

To see if some files were added, you could generate a list of all files and check them periodically. You can also use the find command with some of the options amin, atime, anewer, cnewer, ...

For instance "find / -atime 1" should find all the files accessed within the last 24 hours. Again, look at "man find" for details.
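The two checks described in the comment above (reading `rpm -Va` output for altered package files, and `find` for files changed since a point in time), as an added shell example that is not part of the original thread. The `rpm -Va` text is a constructed sample, not the poster's output, and the column handling assumes the rpm 4.x verify format (a flag string such as `S.5....T.`, an optional attribute letter such as `c` for a config file, then the path). Two caveats a practitioner would add: `rpm -Va` run on the suspect host trusts that host's rpm binary and RPM database, so a clean verdict only means as much as those two things; and `find / -atime 1` with no sign matches files accessed between 24 and 48 hours ago (`-atime -1` is "within the last 24 hours"), which is why the example uses `-cnewer` against a reference file and ctime rather than atime or mtime.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for the checks
# described above.  SAMPLE_RPM_VA is constructed `rpm -Va` output, not
# the poster's; the format assumed is rpm 4.x: a flag string such as
# S.5....T. (S=size, 5=MD5 digest, T=mtime changed), an optional
# attribute letter (c = config file), then the path.
SAMPLE_RPM_VA='S.5....T.    /bin/ps
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/passwd
S.5....T.    /usr/bin/top
missing     /usr/sbin/lsof'

# Classify rpm -Va lines.  Only size (S) or digest (5) changes are
# reported: an mtime-only change (T) on a config file is routine, while a
# replaced binary with S and 5 set is the classic trojaned ps/top/ls.
# Output lines are "modified:PATH", "config:PATH" or "missing:PATH".
suspicious_files() {
    printf '%s\n' "$1" | awk '
        $1 == "missing"  { print "missing:" $NF; next }
        $1 !~ /S|5/      { next }
        $2 == "c"        { print "config:" $NF; next }
                         { print "modified:" $NF }'
}

# List regular files under $1 whose inode change time is newer than the
# reference file $2.  ctime is used instead of atime or mtime because
# `touch -t` lets an intruder backdate those two; ctime is only advanced
# by the kernel (turning the system clock back is the remaining way to
# fool it).  -xdev keeps the walk on one filesystem, so /proc is skipped.
changed_since() {
    find "$1" -xdev -type f -cnewer "$2" 2>/dev/null
}

# Stand-alone demo on the constructed sample.
suspicious_files "$SAMPLE_RPM_VA"
```

On a real host the reference file for `changed_since` would be something whose ctime you know predates the incident, for example a file created at installation time; run it as `changed_since / /path/to/reference` and review every hit. Both functions are only as trustworthy as the `find`, `awk` and `rpm` binaries they call, which is exactly why the accepted answer says to build the checking tools on another machine.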

Author Comment by: jaxxman
Thanks for this. I am also going to use chkrootkit; do you use it too?

Author Comment by: jaxxman
I can't download chkrootkit. Where else can I download it?
Can you help me to get it and install it? I have read the install instructions and it looks pretty easy: all I have to do is extract it using the tar command and run the command:
make sense
then to run the program it's:
./chkrootkit


Is this correct?

Expert Comment by: admin0
Apart from chkrootkit, another great tool is Rootkit Hunter (rkhunter) from http://www.rootkit.nl/

Chkrootkit and rkhunter will give you a detailed security summary.

For chkrootkit:
download, extract, change into the directory
make sense  <- press Enter
./chkrootkit   <- to run the app and see the output

For rkhunter:
download, extract, change into the directory
./installer.sh  <- press Enter

rkhunter -c  <- to run the app and see the detailed output.


rkhunter will provide you with many reports!

If you continue to run SSH on port 22, there will always be someone trying to log in and try his luck,
so the best thing is to change the SSH port to something else.

To do that:
log in to the server as root
edit the file /etc/ssh/sshd_config

#Port 22
#Protocol 2,1

change those lines to read

Port 5335
Protocol 2

<- you can replace 5335 with anything that you wish, probably a higher number, e.g. 5555



Expert Comment by: admin0
I forgot to add: after you have made changes to the file, you need to

/etc/rc.d/init.d/sshd restart

to activate the changes.
Next time you want to log in, use the port that you have specified above.


Cheers,
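The sshd_config edit and restart described in the two comments above, carried a step further as an added shell example that is not part of the original thread. Moving off port 22 only cuts down the scanner noise; what actually stops the admin/guest/test guesses in the log is refusing password authentication and restricting which accounts may log in at all. The two config fragments are constructed (the weak one mirrors the commented-out defaults shown above, the hardened one is what it becomes); the compiled-in defaults assumed when a keyword is absent are those of the OpenSSH 3.x on Red Hat 9 (Protocol 2,1, PermitRootLogin yes, PasswordAuthentication yes, Port 22), and the user name in AllowUsers is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# settings that let a scanner try admin/guest/test passwords at all.
# Both fragments are constructed.  Defaults assumed when a keyword is
# absent are those of OpenSSH 3.x as shipped with Red Hat 9
# (Protocol 2,1, PermitRootLogin yes, PasswordAuthentication yes,
# Port 22); the AllowUsers name is a placeholder.
WEAK_SSHD_CONFIG='#Port 22
#Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_SSHD_CONFIG='Port 5335
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers jaxxman
MaxAuthTries 3
LoginGraceTime 30'

# Effective value of keyword $2 in config text $1: sshd takes the first
# uncommented occurrence (keywords are case-insensitive); $3 is the
# compiled-in default used when the keyword is not set.
sshd_setting() {
    val=$(printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == tolower(key) { print $2; exit }')
    printf '%s' "${val:-$3}"
}

# One line per finding.  WEAK = lets the guessing seen in the log succeed
# or widens it; INFO = noise reduction only (a port change is not
# security, it just thins out the scanners).
audit_sshd_config() {
    cfg=$1
    [ "$(sshd_setting "$cfg" Protocol 2,1)" = 2 ] \
        || echo "WEAK: Protocol allows SSH-1"
    [ "$(sshd_setting "$cfg" PermitRootLogin yes)" = no ] \
        || echo "WEAK: root login over SSH permitted"
    [ "$(sshd_setting "$cfg" PasswordAuthentication yes)" = no ] \
        || echo "WEAK: password authentication enabled (guessable)"
    [ -n "$(sshd_setting "$cfg" AllowUsers '')" ] \
        || echo "WEAK: no AllowUsers list; admin/guest/test are candidates"
    [ "$(sshd_setting "$cfg" Port 22)" != 22 ] \
        || echo "INFO: listening on default port 22 (attracts scanners)"
    return 0
}

# Number of WEAK findings, 0 when the config is clean.
weak_count() {
    audit_sshd_config "$1" | grep -c '^WEAK:' || true
}

# Stand-alone demo on the constructed weak fragment.
audit_sshd_config "$WEAK_SSHD_CONFIG"
```

To audit a live file, pass its contents: `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`. After editing, run `sshd -t` to check the file for syntax errors before `/etc/rc.d/init.d/sshd restart`, and keep the current session open while you confirm a fresh connection on the new port and with a key works; a typo in sshd_config on a remote firewall otherwise locks you out. Disabling password authentication presumes a public key is already installed in `~/.ssh/authorized_keys` for the allowed account.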

Author Comment by: jaxxman
Thanks.