Solved

Help i think someone is hacking into my redhat 9 firewall

Posted on 2004-08-25
Last Modified: 2010-04-22
I was hoping someone could help me determine how to find out how to prevent this bit of log file below from happening again:
 --------------------- SSHD Begin ------------------------


SSHD Started: 1 Time(s)

Failed logins from these:
   admin/password from 213.22.23.246: 1 Time(s)
   guest/password from 213.22.23.246: 1 Time(s)
   test/password from 213.22.23.246: 1 Time(s)

**Unmatched Entries**
Illegal user test from 213.22.23.246
Illegal user guest from 213.22.23.246
Illegal user admin from 213.22.23.246
 succeeded

 ---------------------- SSHD End -------------------------

The first thing I have done is add this unknown person's IP address to the hosts.deny file.
Next, could you please tell me the command to find out what new files have been created,
and also how to prevent this from happening again.
This would be most appreciated.
Question by:jaxxman
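
As an added example (not from the original thread) of working with the raw /var/log/secure lines that the logwatch summary above is built from: a few constructed sshd log lines in the Red Hat 9 format, plus shell functions (names are mine) that count failed attempts per source IP, list the usernames that were tried, and print hosts.deny entries for addresses at or above a threshold.

```shell
# Constructed sample of /var/log/secure lines of the kind Red Hat 9's sshd writes;
# the logwatch summary in the question is derived from lines like these.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Aug 25 03:14:01 fw sshd[2231]: Illegal user test from 213.22.23.246
Aug 25 03:14:02 fw sshd[2231]: Failed password for illegal user test from 213.22.23.246 port 4411 ssh2
Aug 25 03:14:05 fw sshd[2233]: Illegal user guest from 213.22.23.246
Aug 25 03:14:06 fw sshd[2233]: Failed password for illegal user guest from 213.22.23.246 port 4412 ssh2
Aug 25 03:14:09 fw sshd[2235]: Illegal user admin from 213.22.23.246
Aug 25 03:14:10 fw sshd[2235]: Failed password for illegal user admin from 213.22.23.246 port 4413 ssh2
Aug 25 09:30:00 fw sshd[2410]: Accepted password for jaxxman from 192.168.1.10 port 1022 ssh2
Aug 25 09:31:17 fw sshd[2412]: Failed password for jaxxman from 192.168.1.10 port 1023 ssh2
EOF

# failed_by_ip LOGFILE: number of failed password attempts per source IP, highest first.
failed_by_ip() {
    awk '/sshd\[[0-9]*\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# illegal_users LOGFILE: distinct usernames tried that do not exist on this box.
# Seeing admin/guest/test in a burst is the signature of an automated scan.
illegal_users() {
    awk '/sshd\[[0-9]*\]: Illegal user/ { print $(NF - 2) }' "$1" | sort -u
}

# deny_candidates LOGFILE THRESHOLD: hosts.deny lines for IPs with >= THRESHOLD failures.
# hosts.deny only takes effect if sshd was built with tcp_wrappers (Red Hat's is);
# check with:  ldd "$(which sshd)" | grep libwrap
deny_candidates() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print "sshd: " $2 }'
}

# Example run on the sample:
#   failed_by_ip "$SAMPLE_LOG"        -> "3 213.22.23.246" then "1 192.168.1.10"
#   deny_candidates "$SAMPLE_LOG" 3   -> "sshd: 213.22.23.246"
```

The accepted answer's point still stands: this only tells you who knocked, not whether anyone got in, so pair it with the rpm -Va and rootkit checks below.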
Accepted Solution

by:
bobgunzel earned 500 total points
ID: 11896463
You might try chkrootkit from http://www.chkrootkit.org. Compile it on another computer though.

Bob Gunzel

Author Comment

by:jaxxman
ID: 11896553
I am sorry, I am a newbie to Linux and I don't have another Linux box to compile it on. I could probably compile it on the same computer with a couple of steps if you tell me what the commands are.
Is there not a quick command I can type to find newly created files?

Could I compile chkrootkit on a Windows PC or get an RPM version?

Expert Comment

by:marko020397
ID: 11896591
If someone breaks into your computer, they usually want to cover up their presence. Usually programs like ps, top, w, last, ... which show processes or users are altered to hide the intruder.

Use the command "rpm -Va" to check which files installed on your computer were changed and how they were changed. This will not show you newly installed files, but it will show you changed files. It is a pretty good indicator to see if someone uninvited is in your computer. Type "man rpm" for details about it.

Of course, the intruder can also replace your rpm program to hide changed files, but this is usually not done. And try "which [command]". For instance "which rpm" or "which ps" to see if the right program is called.

To see if some files were added, you could generate a list of all files and check them periodically. You can also use the find command with some of the options amin, atime, anewer, cnewer, ...

For instance "find / -atime 1" should find all the files accessed within the last 24 hours. Again, look at "man find" for details.
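
Added example, not from the original answer, of the two approaches just described: a saved file list that is diffed later, and a find wrapper with a time option. It uses ctime rather than atime because any read (including your own rpm -Va) updates atime, while ctime changes when a file is created or its inode altered and cannot be reset with touch. The demo tree and function names are constructed.

```shell
# snapshot ROOT OUT: sorted list of every path under ROOT, written to OUT.
# /proc and /sys are kernel pseudo-filesystems that change constantly, so skip them.
snapshot() {
    find "$1" \( -path /proc -o -path /sys \) -prune -o -print 2>/dev/null | sort > "$2"
}

# new_since BASELINE ROOT: paths present under ROOT now but absent from BASELINE.
# Keep the baseline on read-only media (CD, floppy) so an intruder cannot edit it.
new_since() {
    now=$(mktemp)
    snapshot "$2" "$now"
    comm -13 "$1" "$now"
    rm -f "$now"
}

# changed_within ROOT DAYS: regular files whose inode changed (created, chmod,
# chown, renamed, rewritten) in the last DAYS*24 hours.  Note the minus sign:
# "-ctime -N" means "less than N days ago", whereas "-ctime 1" on its own means
# "between 24 and 48 hours ago" and so misses everything from the last day.
changed_within() {
    find "$1" -type f -ctime "-$2" 2>/dev/null | sort
}

# Constructed demonstration in a temporary tree standing in for /.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin" "$demo_root/tmp"
echo placeholder > "$demo_root/bin/ls"
baseline=$(mktemp)
snapshot "$demo_root" "$baseline"          # the "generate a list" step
echo dropped > "$demo_root/tmp/.hidden"    # a file appearing after the baseline

# Later check:  new_since "$baseline" "$demo_root"   -> prints .../tmp/.hidden
#               changed_within "$demo_root" 1        -> both files (created today)
```

On a real box run snapshot against / from a trusted shell, because a modified find or ls (the point of the answer above) can hide paths from you; rpm -Va only covers files that came from packages, so this fills the gap for files the intruder added.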

Author Comment

by:jaxxman
ID: 11896667
Thanks for this. I am also going to use chkrootkit; do you use it too?

Author Comment

by:jaxxman
ID: 11898096
I can't download chkrootkit. Where else can I download it?
Can you help me to get it and install it? I have read the install instructions and it looks pretty easy: all I have to do is extract it using the tar command and run the command "make sense",
then to run the program it's
./chkrootkit


Is this correct?

Expert Comment

by:admin0
ID: 12213449
Apart from chkrootkit, another great tool is Rootkit Hunter (rkhunter) from http://www.rootkit.nl/

Chkrootkit and rkhunter will give you a detailed security summary.

for chkrootkit,
download, extract, change into the directory
make sense ENTER
./chkrootkit   <- to run the app and see the output

for rkhunter,
download, extract, change into the directory
./installer.sh  ENTER

rkhunter -c  <- to run the app and see the detail output.


rkhunter will provide you with many reports!

If you continue to run SSH on port 22, there will always be someone trying to log in and try his luck,
so the best thing is to change the SSH port to something else.

To do that,
log in to the server as root,
edit the file /etc/ssh/sshd_config:

#Port 22
#Protocol 2,1

change those lines to read

Port 5335  
Protocol 2

<- you can replace 5335 with anything that you wish, probably a higher number, e.g. 5555
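
Added example (not from the original answer) that turns the sshd_config edit above into a scripted, checkable step: harden_sshd rewrites the Port and Protocol lines in a copy and swaps it in with a .bak, and ssh_setting reads back the effective value. The sample file mirrors the default lines quoted above, the port 5335 is the one from the answer, and the function names are mine.

```shell
# harden_sshd FILE PORT: set "Port PORT" and "Protocol 2" in FILE, replacing either
# the commented defaults (#Port 22, #Protocol 2,1) or existing values.  Protocol 2
# also stops sshd from offering the old SSH-1 protocol, not just moving the port.
harden_sshd() {
    cfg=$1; port=$2
    tmp=$(mktemp)
    sed -e "s/^#*Port .*/Port $port/" \
        -e 's/^#*Protocol .*/Protocol 2/' "$cfg" > "$tmp"
    # if the file had no Port/Protocol line at all, append them
    grep -q '^Port ' "$tmp" || echo "Port $port" >> "$tmp"
    grep -q '^Protocol ' "$tmp" || echo "Protocol 2" >> "$tmp"
    cp "$cfg" "$cfg.bak" && mv "$tmp" "$cfg"
}

# ssh_setting FILE KEY: effective value of KEY (first uncommented occurrence).
ssh_setting() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Constructed sample file with the Red Hat 9 default lines quoted in the answer.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
SyslogFacility AUTHPRIV
EOF

harden_sshd "$SAMPLE_CFG" 5335
# ssh_setting "$SAMPLE_CFG" Port      -> 5335
# ssh_setting "$SAMPLE_CFG" Protocol  -> 2
```

On the real server use /etc/ssh/sshd_config, then run "sshd -t" to syntax-check before the restart described below; since this box is a firewall, make sure its own rules allow the new port first or you will lock yourself out.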


Expert Comment

by:admin0
ID: 12213456
I forgot to add, after you made changes to the file, you need to

/etc/rc.d/init.d/sshd restart  

to activate the changes.
Next time you want to log in, use the port that you have specified above.


Cheers,

Author Comment

by:jaxxman
ID: 12232038
thanks