
Subject: perfSONAR User Q&A and Other Discussion


[perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)


  • From: Aaron Brown <>
  • To: Amit <>
  • Cc: "<>" <>, "<>" <>
  • Subject: [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)
  • Date: Thu, 10 Oct 2013 14:52:27 +0000
  • Accept-language: en-US

Hey Amit,

So this user broke into your 'admin' account, and not root, bwctl, perfsonar, or other user accounts? Did this account have sudo ability?

Cheers,
Aaron

On Oct 10, 2013, at 10:47 AM, Amit <> wrote:

Hi,
 
Today I could not ssh to my perfsonar servers (two) using a user account. When I logged in to the server I identified that my Linux user got compromised somehow from the internet.
 
I could see the ssh connection from an internet IP to my server. Also the crontab entry for that user got changed. Please find the details below:
 
4344 ?        Ss     0:10 ps HOSTNAME=Perf-Delhi TERM=xterm SHELL=/bin/bash HISTSIZE=1000 SSH_CLIENT=201.231.245.195 4158 22 SSH_TTY=/dev/pts/0 USER=admin LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36: MAIL=/var/spool/mail/admin PATH=. PWD=/home/admin/.?/.? LANG=en_US.UTF-8 HISTCONTROL=ignoredups SHLVL=3 HOME=/home/admin LOGNAME=admin SSH_CONNECTION=201.231.245.195 4158 14.139.5.202 22 LESSOPEN=|/usr/bin/lesspipe.sh %s G_BROKEN_FILENAMES=1 _=./ps
 
Also the hacker installed some script in my user home directory and was trying to connect to IRC port 6667, and was also listening on some TCP and UDP ports.
 
Iptables is already running on my server; I could not identify the root cause for this. I have deleted all the data from the home directory and also the crontab entry.
 
Please help me out.
 
--
Thanks & Regards
 
Amit Kumar
Scientific Officer
Operation and Routing Group
M/O Communication and IT, NIC, A- Block, CGO Complex, New Delhi
Ph. +911122900332, NKN VoIP:5032
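
A small triage helper, added here as an example and not part of this thread or of the perfSONAR project, that parses `ps ewww`-style lines like the one Amit posted and flags the signs visible in it: a PATH that searches the current directory, a hidden working directory, a `ps` that was started by relative path, and the remote address of the SSH session. The sample lines and the internal-network ranges are constructed assumptions, not data from the servers in the thread.

```python
import ipaddress
# Constructed sample lines in the style of `ps ewww` (PID TTY STAT TIME CMD, then
# the process environment); the second one is a benign session for contrast.
SAMPLE_PS_LINES = [
    "4344 ?        Ss     0:10 ps SSH_CLIENT=203.0.113.5 4158 22 USER=admin "
    "PATH=. PWD=/home/admin/.?/.? HOME=/home/admin _=./ps",
    "1201 pts/1    Ss     0:00 bash SSH_CLIENT=10.0.0.8 50022 22 USER=admin "
    "PATH=/usr/local/bin:/usr/bin:/bin PWD=/home/admin HOME=/home/admin _=/bin/bash",
]
# Assumed "internal" ranges; adjust to the site's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_ps_line(line):
    """Return (pid, command, env). Values such as SSH_CLIENT contain spaces,
    so a token that does not look like KEY=... extends the previous value."""
    fields = line.split()
    pid, command, env, key = int(fields[0]), fields[4], {}, None
    for tok in fields[5:]:
        name, sep, val = tok.partition("=")
        if sep and name.isidentifier():
            key = name
            env[key] = val
        elif key is not None:
            env[key] += " " + tok
    return pid, command, env

def indicators(command, env):
    """Heuristics taken from the reported session; each hit is a reason string."""
    hits = []
    path = env.get("PATH")
    if path is not None and any(p in ("", ".") for p in path.split(":")):
        hits.append(f"PATH searches the current directory, so ./{command} shadows the real {command}")
    pwd = env.get("PWD", "")
    if any(part.startswith(".") for part in pwd.split("/")):
        hits.append(f"hidden working directory {pwd}")
    invoked = env.get("_", "")  # bash sets _ to the path of the command it ran
    if invoked and not invoked.startswith("/"):
        hits.append(f"{command} started via relative path {invoked}")
    client = env.get("SSH_CLIENT", "").split()
    if client and not any(ipaddress.ip_address(client[0]) in n for n in INTERNAL_NETS):
        hits.append(f"SSH session from non-internal address {client[0]}")
    return hits

def scan_ps_output(lines):
    """Map PID -> indicator list for every process that trips at least one rule."""
    report = {}
    for pid, command, env in map(parse_ps_line, lines):
        if hits := indicators(command, env):
            report[pid] = hits
    return report
```

Feed it the output of `ps ewww` (one process per line) and only the processes with at least one indicator come back, which is what you want to look at before wiping the home directory.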
 



