Mailinglist Archive: opensuse (3666 mails)

Re: [SLE] My server got hacked? Anyone seen this?
  • From: Allen <gorebofh@xxxxxxxxxxx>
  • Date: Fri, 11 Mar 2005 20:12:38 -0500
  • Message-id: <20050312011238.GC2391@xxxxxxxxxxxxxxxxxxxxxx>
On Fri, Mar 11, 2005 at 12:57:14AM -0600, Henry Tang wrote:
> What i need to know now is what else can i do to find how this person
> hacked into my system. I checked message logs and mail logs and i found
> the date and time the email was sent out, but I dunno if the log files
> got cleaned or not. What other logs can i look into?
If you're rooted they can not only delete logs but forge them, meaning the
holes where the log has been deleted can be forged so that it appears
nothing happened.

Again, were you updated with all security patches?
> henry
>
> Anders Johansson wrote:
>
> >On Friday 11 March 2005 05:39, Allen wrote:
> >
> >
> >>On Thu, Mar 10, 2005 at 08:31:54PM +0100, Anders Johansson wrote:
> >>
> >>
> >>>On Thursday 10 March 2005 20:18, Henry Tang wrote:
> >>>
> >>>
> >>>>The example i gave is bad. It is more like this
> >>>>
> >>>>http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2003-06/0473.html
> >>>>
> >>>>I didn't want to post the email my server was trying to send out
> >>>>because it includes the /etc/passwd file so I posted examples i found
> >>>>on the net. Apparently root tried to send out a couple of emails to
> >>>>unknown users of yahoo and other email addresses as well. The email was
> >>>>bounced and that is how i found out. :( I am not in the competition.
> >>>>:(
> >>>>
> >>>>
> >>>And is your machine a red hat machine?
> >>>
> >>>
> >>How would this matter?
> >>
> >>
> >
> >All the links I could find on the net that referred to that email were
> >about red hat machines
> >
> >It would matter in that he should contact red hat people about security
> >fixes instead of suse. Not all bugs affect all distros. The Lion worm for
> >example was red hat only
> >
> >
> >
> >>>If your machine tries to send out that email, then it does indeed look
> >>>like you have been hacked. The information you give isn't nearly enough
> >>>to say how it was done though.
> >>>
> >>>
> >>My machine does this, I'm not rooted.
> >>
> >>
> >
> >er, what? Your machine does what? Did you actually read any of the links?
> >The mail in question was from a rootkit worm-ish thing. If your machine
> >sends that out then you've been hacked
> >
> >
> >
> >>>What OS is the machine running? Is it patched with all available security
> >>>updates? Which services are you running on it?
> >>>
> >>>Since the mail was never sent I suspect it hasn't been "owned", but just
> >>>caught by an automated script of some description. I would hazard a guess
> >>>that the log files haven't been cleaned, so you should still be able to
> >>>find traces of how they got in through them.
> >>>
> >>>
> >>What if he just hasn't set up sendmail or postfix properly and THAT was
> >>why the mail failed? All they have to do now is set up the mail server
> >>and they get the mail.
> >>
> >>
> >
> >huh? If they can get into the machine to set up the mail server, what
> >would be the point of sending the mail?
> >
> >
> >
> >>>If this machine is in production use, I would recommend that you let
> >>>someone look at it who knows about security.
> >>>
> >>>
> >>He pointed out he was only using it for home use and it not a big deal.
> >>
> >>
> >
> >Yes he did indeed. Except he pointed it out *after* I had sent the mail
> >you replied to.
> >

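The reply above warns that a rooted box can have log entries deleted (leaving holes) or forged to paper over them. The following is an added example, not from the thread or from any SUSE tool: a small heuristic checker that parses classic syslog lines ("Mon DD HH:MM:SS host ...") and flags unusually long time gaps and out-of-order timestamps, which are the kinds of seams a log edit tends to leave. The log lines and the year are constructed for the demo, and a forger who rewrites timestamps consistently will not trip it.

```python
# Added example (not from the thread): heuristic log-continuity check.
# Reports long time gaps and out-of-order timestamps in syslog-style lines,
# the "holes" an intruder's log editing can leave behind. Assumes classic
# syslog "Mon DD HH:MM:SS host ..." lines and a known year (syslog omits it).
from datetime import datetime, timedelta
import re

SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")


def parse_ts(line, year):
    """Return the timestamp of a syslog line, or None if it carries none."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m.group(1)} {m.group(2)} {m.group(3)}:{m.group(4)}:{m.group(5)}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S")


def find_anomalies(lines, year, max_gap=timedelta(hours=1)):
    """Return (kind, line_number, detail) tuples for suspicious spots.

    kind is 'gap' (silence longer than max_gap, tune it to the host's normal
    activity), 'out_of_order' (timestamp earlier than the previous entry) or
    'unparsable' (a line that is not in syslog format at all).
    """
    findings = []
    prev = None
    for n, line in enumerate(lines, 1):
        ts = parse_ts(line, year)
        if ts is None:
            findings.append(("unparsable", n, line.strip()))
            continue
        if prev is not None:
            if ts < prev:
                findings.append(("out_of_order", n, f"{ts} < {prev}"))
            elif ts - prev > max_gap:
                findings.append(("gap", n, str(ts - prev)))
        prev = ts
    return findings


# Constructed sample: a quiet stretch, then an entry stamped before its neighbour.
SAMPLE = """\
Mar 10 20:18:02 box sshd[1201]: Accepted password for henry from 192.0.2.10 port 40112 ssh2
Mar 10 20:20:41 box cron[1330]: (root) CMD (run-parts /etc/cron.hourly)
Mar 11 00:57:14 box sendmail[2391]: NOQUEUE: rejected: relaying denied
Mar 11 00:30:00 box sshd[1201]: session closed for user henry
""".splitlines()

if __name__ == "__main__":
    for kind, n, detail in find_anomalies(SAMPLE, 2005):
        print(f"line {n}: {kind}: {detail}")
```

Gaps alone are weak evidence on a home box that is idle overnight; corroborate with other sources (mail server logs, shell history, file timestamps) before concluding anything.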