Skip to main content

uhh.. I got hacked

Yesterday, In the morning my boss tell me to looking at the router. It blinks like it'll going to blow up. Something in our network use almost 60% of my bandwidth. I look around and see that network light on the acient small box on the floor blinks too. It's a secondhand computer from japan and I almost forget it.

On that box,I install dapper server,postfix,courier,mysql and use it as a mail server with no firewall. poor me. :(

This is first time I got hacked(as I know hah ha). I've no idea what to do first. I go to check /var/log/auth.log and found many ssh attack. 'who' give me two users online, me and test1[the hacker]. 'top' show that user test1 run tons of ssh-scan process. I can't remember that did I create that test1 user myself or the hacker do a dictionary attack, found my password then create test1 user. What I do at that time is restart computer, delete test1 user then create a firewall.

Then I go to ubuntuforums and found this thread. It look like my case and from his .bash_history look like the hacker going to /var/tmp, download a file.tgz that contain hiden directory 1.user 2.user ssh-scan... So I go back to check my box and here is what i found on my email server. 
pnix@xxx:~$ ls -a /var/tmp
.  ..  fast  .PA  PA.tgz
pnix@xxx:~$ ls -a /var/tmp/.PA
.   191.20.pscan.22  191.83.pscan.22  217.20.pscan.22  gen-pass.sh  pass_file  pscan2  ssh-scan  vuln.txt
..  191.21.pscan.22  217.10.pscan.22  common           go.sh        pico       ss      start
pnix@xxx:~$ ls -a /var/tmp/fast
.   1.user  3.user     checkmech  fast     go     LinkEvents  m.help   m.lev  m.ses  .m.set.swp  src
..  2.user  Andy.seen  configure  genuser  httpd  Makefile    mkindex  m.pid  m.set  r           Vipuletz.seen
pnix@xxx:~$

It's look almost the same files. On that thread many one said go to reinstall this box can't trust anymore. Yes, I agree but not now I will prepare the new one first with full secure as I can.

Since yesterday lunch until now there five or six attempts to attack my mail server. From many places include the test1 user[I know his ip address] but no success[my firewall's job not too bad]. :)
Labels:

Comments

Saurav Shrestha said…
Wow! interesting. What does your company do? Did the hacker get anything?
November 9, 2007 at 4:29 PM
Post a Comment

Popular posts from this blog

Fixing sendmail take a long time to start

I notice that my database box[FC6+Oracle10.2] take along time to startup. Sendmail and sm-client very very slow to start[ about 5 minutes ]. There's something wrong in /etc/hosts file. 'newalises' command take long time to update and finish with error below. [root@ora10g ~]# newaliases WARNING: local host name (ora10g) is not qualified; see cf/README: WHO AM I? /etc/aliases: 76 aliases, longest 10 bytes, 765 bytes total [root@ora10g ~]# cat /etc/hosts # Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 localhost.localdomain localhost 192.168.1.55 ora10g [root@ora10g ~]# To fix this, custom hostname[ora10g] need to append to localhost line in /etc/hosts. [root@ora10g ~]# cat /etc/hosts # Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 localhost.localdomain localhost ora10g 192.168.1.55 ora10g [root@ora10g ~]# newaliases /etc/alia
11 comments
Read more

Too many open files

Last week tomcat log file report many error about "Too many open files" when it has high traffic. Some in catalina_log say 2007-04-07 16:13:40 HttpProcessor[80][272] Starting background thread 2007-04-07 16:13:40 HttpConnector[80] accept: java.net.SocketException: Too many open files and here is from localhost_log 2007-04-07 16:13:40 StandardWrapperValve[myservlet]: Servlet.service() for servlet myservlet threw exception java.io.FileNotFoundException: /home/log/mylog_070407.log (Too many open files) This is because too many file descriptors're opened by tomcat. File descriptor can be limited in both system level and shell level. To check maximum number of fd in system type 'cat /proc/sys/fs/file-max'. In my case it is 65536(someone said it should set to 200000). Tomcat error when try to open socket number 272 so I think 65536 is ok for me for now. Anyway if u want to set it add 'fs.file-max = 200000' to /etc/sysctl.conf pnix@pnix-a7:~$ cat /proc/sys/fs/fil
15 comments
Read more

using Class.getResource() load resource file in Eclipse

There are many ways to load resource file in java app. What sun recommended is using Class.getResource(" resource_name ") or Class.getResourceAsStream(" resource_name ") then you will get URL and InputStream respectively. If resource_name is specified without "/", it will be prepend with Class package. So resource file must be in same place[folder structure] as the Class. What I love to do is call getResource() with "/" and put resource file at the root of package. This way i can have separate resource folder. below is in Eclipse, 1. From Package explorer right click src folder->click import 2. In import dialog, Choose General->File System ->next 3. from directory:->Browse to your resource folder. 4. to folder:-> I add "resource" as a folder name under src folder. then click "Finish". In the code, load resource with this.getClass().getResource("/resource/buttons1.png") or this.getClass().getResourceAs
37 comments
Read more