Solved

Help i think someone is hacking into my redhat 9 firewall

Posted on 2004-08-25
Last Modified: 2010-04-22
I was hoping someone could help me to determine how to find out how to prevent this bit of log file below from happening again,
 --------------------- SSHD Begin ------------------------


SSHD Started: 1 Time(s)

Failed logins from these:
   admin/password from 213.22.23.246: 1 Time(s)
   guest/password from 213.22.23.246: 1 Time(s)
   test/password from 213.22.23.246: 1 Time(s)

**Unmatched Entries**
Illegal user test from 213.22.23.246
Illegal user guest from 213.22.23.246
Illegal user admin from 213.22.23.246
 succeeded

 ---------------------- SSHD End -------------------------

The first thing I have done is add this unknown person's IP address to the hosts.deny file.
Next, could you please tell me the command to find out what new files have been created,
and also how to prevent this from happening again.
This would be most appreciated.

Question by: jaxxman
Accepted Solution by: bobgunzel (earned 500 total points)
You might try chkrootkit from http://www.chkrootkit.org. Compile it on another computer though.

Bob Gunzel

Author Comment by: jaxxman
I am sorry, I am a newbie to Linux and I don't have another Linux box to compile it on. I could probably compile it on the same computer with a couple of steps if you tell me what the commands are.
Is there not a quick command I can type to find newly created files?

Could I compile chkrootkit on a Windows PC, or get an RPM version?

Expert Comment by: marko020397
If someone breaks into your computer, he usually wants to cover up his presence. Usually programs like ps, top, w, last, ... which show processes or users are altered to hide the intruder.

Use the command "rpm -Va" to check which files installed on your computer were changed and how they were changed. This will not show you newly installed files, but it will show you changed files. It is a pretty good indicator to see if someone uninvited is in your computer. Type "man rpm" for details about it.

Of course, an intruder can also replace your rpm program to hide changed files, but this is usually not done. And try "which [command]". For instance "which rpm" or "which ps" to see if the right program is called.

To see if some files were added, you could generate a list of all files and check them periodically. You can also use the find command with some of the options amin, atime, anewer, cnewer, ...

For instance "find / -atime 1" should find all the files accessed within the last 24 hours. Again, look at "man find" for details.
0

Author Comment by: jaxxman
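As an added example (my own helper script, not code from any of the posters), the following shell functions turn the logwatch-style SSHD section quoted in the question into a per-source count of failed logins, derive candidate hosts.deny lines from it, and list files whose inode changed in the last day using find's -ctime, which is the timestamp an intruder cannot set from userspace. The sample section, the 10.0.0.5 source, the function names and the threshold of 3 attempts are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: triage helpers for the logwatch SSHD
# section quoted in the question. The sample text below is constructed
# (213.22.23.246 is the source from the question; 10.0.0.5 is made up).

SAMPLE_SSHD_SECTION='Failed logins from these:
   admin/password from 213.22.23.246: 1 Time(s)
   guest/password from 213.22.23.246: 1 Time(s)
   test/password from 213.22.23.246: 1 Time(s)
   root/password from 10.0.0.5: 4 Time(s)
Illegal user test from 213.22.23.246
Illegal user guest from 213.22.23.246
Illegal user admin from 213.22.23.246'

# Sum failed-login attempts per source IP. Only the "N Time(s)" lines are
# counted; the "Illegal user ..." unmatched entries describe the same attempts
# and would double-count them. Output: "<count> <ip>", highest count first.
failed_sources() {
    awk '/Time\(s\)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") {
                    ip = $(i + 1); sub(/:$/, "", ip)
                    count[ip] += $(i + 2)
                }
        }
        END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Print a TCP-wrappers hosts.deny line for every source at or above THRESHOLD
# attempts, for review before appending to /etc/hosts.deny.
deny_lines() {
    threshold="${1:-3}"
    failed_sources | awk -v t="$threshold" '$1 >= t { print "sshd: " $2 }'
}

# Regular files under DIR whose inode (content or metadata) changed within the
# last 24 hours. -ctime -1 means "less than one day ago"; touch(1) can forge
# -mtime/-atime, but ctime is updated by the kernel and cannot be set directly.
recently_changed() {
    find "$1" -xdev -type f -ctime -1 2>/dev/null
}

# Demo when run as "sh triage.sh demo"; the functions above are the real API.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SSHD_SECTION" | deny_lines 3
    recently_changed /etc | head
fi
```

Run recently_changed against / from a clean rescue boot or a mounted copy rather than the live box, since a compromised find or kernel module would hide its own files.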
Thank you for this. I am also going to use chkrootkit; do you use it too?
0

Author Comment by: jaxxman
I can't download chkrootkit; where else can I download it?
Can you help me to get it and install it? I have read the install instructions and it looks pretty easy: all I have to do is extract it using the tar command and run the command "make sense",
then to run the program it's:
./chkrootkit

Is this correct?
0

Expert Comment by: admin0
Apart from chkrootkit, another great tool is Rootkit Hunter (rkhunter) from http://www.rootkit.nl/

chkrootkit and rkhunter will give you a detailed security summary.

For chkrootkit:
download, extract, change into the directory
make sense ENTER
./chkrootkit   <- to run the app and see the output

For rkhunter:
download, extract, change into the directory
./installer.sh  ENTER

rkhunter -c  <- to run the app and see the detailed output.

rkhunter will provide you with many reports!

If you continue to run SSH on port 22, there will always be someone trying to log in and try his luck,
so it is best to change the SSH port to something else.

To do that:
log in to the server as root
edit the file /etc/ssh/sshd_config

#Port 22
#Protocol 2,1

change those lines to read

Port 5335
Protocol 2

<- you can replace 5335 with anything that you wish, probably a higher number, e.g. 5555
0

Expert Comment by: admin0
I forgot to add: after you have made changes to the file, you need to run

/etc/rc.d/init.d/sshd restart

to activate the changes.
Next time you want to log in, use the port that you have specified above.

Cheers,
0

Author Comment by: jaxxman
Thanks.
0