Solved

Help, I think someone is hacking into my Red Hat 9 firewall

Posted on 2004-08-25
8
391 Views
Last Modified: 2010-04-22
I was hoping someone could help me determine how to prevent the bit of log file below from happening again:
 --------------------- SSHD Begin ------------------------


SSHD Started: 1 Time(s)

Failed logins from these:
   admin/password from 213.22.23.246: 1 Time(s)
   guest/password from 213.22.23.246: 1 Time(s)
   test/password from 213.22.23.246: 1 Time(s)

**Unmatched Entries**
Illegal user test from 213.22.23.246
Illegal user guest from 213.22.23.246
Illegal user admin from 213.22.23.246
 succeeded

 ---------------------- SSHD End -------------------------

The first thing I have done is add this unknown person's IP address to the hosts.deny file.
Next, could you please tell me the command to find out what new files have been created,
and also how to prevent this from happening again.
This would be most appreciated.
0
Question by:jaxxman
8 Comments
 
LVL 4

Accepted Solution

by:
bobgunzel earned 500 total points
ID: 11896463
You might try chkrootkit from http://www.chkrootkit.org. Compile it on another computer though.

Bob Gunzel
0
 

Author Comment

by:jaxxman
ID: 11896553
I am sorry, I am a newbie to Linux and I don't have another Linux box to compile it on. I could probably compile it on the same computer with a couple of steps if you tell me what the commands are.
Is there not a quick command I can type to find newly created files?

Could I compile chkrootkit on a Windows PC, or get an RPM version?
0
 
LVL 4

Expert Comment

by:marko020397
ID: 11896591
If someone breaks into your computer he usually wants to cover up his presence. Usually programs like ps, top, w, last, ... which show processes or users are altered to hide the intruder.

Use the command "rpm -Va" to check which files installed on your computer were changed and how they were changed. This will not show you newly installed files, but it will show you changed files. It is a pretty good indicator to see if someone uninvited is in your computer. Type "man rpm" for details about it.

Of course the intruder can also replace your rpm program to hide changed files, but this is usually not done. Also try "which [command]", for instance "which rpm" or "which ps", to see if the right program is called.

To see if some files were added you could generate a list of all files and check them periodically. You can also use the find command with some of the options amin, atime, anewer, cnewer, ...

For instance "find / -atime 1" should find all the files accessed within the last 24 hours. Again, look at "man find" for details.
0
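The "generate a list of all files and check them periodically" approach from the comment above, as an added example that is not from the original thread or from any tool it mentions. It records one checksum line per file using only POSIX tools (find, cksum, awk, sort, comm) so that two snapshots can be compared to list files that appeared and files whose contents changed since the baseline. The directory tree, file names and "trojaned ps" contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot a directory tree and compare
# two snapshots to find new and altered files. POSIX tools only: find, cksum,
# awk, sort, comm, cut, paste, mktemp. Paths are stored relative to the scanned
# root; file names containing tabs or newlines are out of scope for this demo.

# snapshot_tree DIR OUT: one "path<TAB>crc size" line per regular file under
# DIR, sorted bytewise so that comm(1) can compare two snapshots line by line.
snapshot_tree() {
    (cd "$1" && find . -type f -exec cksum {} \;) \
      | awk '{ p = $0; sub(/^[0-9]+ [0-9]+ /, "", p); printf "%s\t%s %s\n", p, $1, $2 }' \
      | LC_ALL=C sort > "$2"
}

# paths_only SNAPSHOT: just the path column, bytewise sorted.
paths_only() {
    cut -f1 "$1" | LC_ALL=C sort
}

# new_files OLD NEW: paths present in NEW but absent from OLD.
new_files() {
    t1=$(mktemp); t2=$(mktemp)
    paths_only "$1" > "$t1"
    paths_only "$2" > "$t2"
    LC_ALL=C comm -13 "$t1" "$t2"
    rm -f "$t1" "$t2"
}

# changed_files OLD NEW: paths present in both snapshots whose checksum or
# size differs (a replaced ps, top or ls binary lands here).
changed_files() {
    t1=$(mktemp); t2=$(mktemp)
    paths_only "$1" > "$t1"
    # records unique to NEW, reduced to their paths ...
    LC_ALL=C comm -13 "$1" "$2" | cut -f1 | LC_ALL=C sort > "$t2"
    # ... intersected with the paths the baseline already knew about
    LC_ALL=C comm -12 "$t1" "$t2"
    rm -f "$t1" "$t2"
}

# run_demo: constructed tree -> baseline -> simulated tampering -> report.
# Prints "new: <paths>" and "changed: <paths>".
run_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc"
    printf 'original ps binary\n' > "$root/bin/ps"
    printf 'Port 22\n' > "$root/etc/sshd_config"
    base=$(mktemp); cur=$(mktemp)
    snapshot_tree "$root" "$base"                    # baseline taken while clean
    printf 'trojaned ps binary\n' > "$root/bin/ps"    # simulated replaced binary
    printf 'x\n' > "$root/etc/.hidden"                # simulated dropped file
    snapshot_tree "$root" "$cur"                      # later periodic check
    printf 'new: %s\n' "$(new_files "$base" "$cur" | paste -s -d ' ' -)"
    printf 'changed: %s\n' "$(changed_files "$base" "$cur" | paste -s -d ' ' -)"
    rm -rf "$root" "$base" "$cur"
}

run_demo
```

Take the baseline from known-good media or right after installation and keep it off the box, since an intruder who can replace ps can rewrite a baseline stored next to it just as easily. cksum's CRC catches accidental drift but a deliberately crafted replacement can be made to collide with it, so where sha256sum or rpm -Va's own digest check is available, prefer that. On the find option quoted above: -atime 1 selects files whose access age, rounded down to whole days, is exactly one day, i.e. 24 to 48 hours ago; -atime -1 is the form that means "within the last 24 hours".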

 

Author Comment

by:jaxxman
ID: 11896667
Thanks for this. I am also going to use chkrootkit; do you use it too?
0
 

Author Comment

by:jaxxman
ID: 11898096
I can't download chkrootkit; where else can I download it?
Can you help me to get it and install it? I have read the install instructions and it looks pretty easy: all I have to do is extract it using the tar command and run the command:

make sense

then to run the program it's:

./chkrootkit

Is this correct?
0
 
LVL 6

Expert Comment

by:admin0
ID: 12213449
Apart from chkrootkit, another great tool is Rootkit Hunter (rkhunter) from http://www.rootkit.nl/

Chkrootkit and rkhunter will give you a detailed security summary.

For chkrootkit:
download, extract, change into the directory
make sense ENTER
./chkrootkit   <- to run the app and see the output

For rkhunter:
download, extract, change into the directory
./installer.sh  ENTER

rkhunter -c  <- to run the app and see the detailed output.


rkhunter will provide you with many reports!

If you continue to run SSH on port 22, there will always be someone trying to log in and try his luck,
so the best thing is to change the SSH port to something else.

To do that:
log in to the server as root
edit the file /etc/ssh/sshd_config

#Port 22
#Protocol 2,1

change those lines to read

Port 5335
Protocol 2

<- you can replace 5335 with anything that you wish, probably a higher number, e.g. 5555

0
 
LVL 6

Expert Comment

by:admin0
ID: 12213456
I forgot to add: after you have made changes to the file, you need to run

/etc/rc.d/init.d/sshd restart

to activate the changes.
Next time you want to log in, use the port that you have specified above.


Cheers,
0
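An added example, not from this thread, covering the two-step procedure in the last two comments: editing sshd_config and then restarting sshd. The function below rewrites the directive in place on a copy of the file rather than appending a new line, because sshd uses the first value it finds for each keyword and silently ignores later ones; the restart itself is not run here. It assumes POSIX sh and awk, and the sample config lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): change an sshd_config directive the way
# the comment above does ("#Port 22" -> "Port 5335", "#Protocol 2,1" ->
# "Protocol 2"), working on a copy. sshd uses the FIRST value it meets for a
# keyword, so the first matching line (commented or not) is rewritten in place;
# a line appended at the end would be ignored if an active one exists earlier.
# Assumes POSIX sh and awk; the config lines below are constructed.

# set_directive FILE KEY VALUE: rewrite the first "KEY ..." or "#KEY ..." line
# as "KEY VALUE"; append it if the file has no such line at all.
set_directive() {
    tmp=$(mktemp)
    awk -v k="$2" -v v="$3" '
        BEGIN { re = "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)"; hit = 0 }
        !hit && tolower($0) ~ re { print k " " v; hit = 1; next }
        { print }
        END { if (!hit) print k " " v }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# effective_value FILE KEY: the value sshd would actually use, i.e. the first
# uncommented KEY line; empty means the compiled-in default applies.
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# run_demo: apply the two changes from the thread to a constructed excerpt of
# a stock sshd_config and report what sshd would pick up after a restart.
run_demo() {
    cfg=$(mktemp)
    printf '%s\n' '#Port 22' '#Protocol 2,1' '#ListenAddress 0.0.0.0' 'X11Forwarding yes' > "$cfg"
    set_directive "$cfg" Port 5335
    set_directive "$cfg" Protocol 2
    printf 'Port=%s Protocol=%s\n' "$(effective_value "$cfg" Port)" "$(effective_value "$cfg" Protocol)"
    rm -f "$cfg"
}

# appended_port_demo: the mistake the in-place rewrite avoids. With "Port 22"
# still active above a later "Port 5335", sshd keeps listening on 22.
appended_port_demo() {
    cfg=$(mktemp)
    printf '%s\n' 'Port 22' 'Port 5335' > "$cfg"
    effective_value "$cfg" Port
    rm -f "$cfg"
}

run_demo
appended_port_demo
```

Edit a copy, confirm with effective_value (or sshd -t, which parses the config without starting the daemon), copy it into place, then run /etc/rc.d/init.d/sshd restart from a session you keep open until a fresh login on the new port succeeds, so a typo cannot lock you out. Moving the port thins out scanner noise in the log; it is not a substitute for the hosts.deny restriction the question already applied.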
 

Author Comment

by:jaxxman
ID: 12232038
thanks
0
