perfSONAR User Q&A and Other Discussion

[Aaron Brown <>]

Hey Amit,

So this user broke into your 'admin' account, and not root, bwctl, perfsonar, other user accounts? Did this account have sudo ability?

Cheers,

Aaron

On Oct 10, 2013, at 10:47 AM, Amit <> wrote:

Hi,

 

Today I could not ssh to my perfsonar servers (two) using a user account. When I login to server I identified that my linux user got compromised somehow from internet.

 

I could see the ssh connection from an internet IP to my server. Also crontab entry for that user got changed. Please find below detail

 

4344 ?        Ss     0:10 ps HOSTNAME=Perf-Delhi TERM=xterm SHELL=/bin/bash HISTSIZE=1000 SSH_CLIENT=201.231.245.195 4158 22 SSH_TTY=/dev/pts/0 USER=admin LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36: MAIL=/var/spool/mail/admin PATH=. PWD=/home/admin/.?/.? LANG=en_US.UTF-8 HISTCONTROL=ignoredups SHLVL=3 HOME=/home/admin LOGNAME=admin SSH_CONNECTION=201.231.245.195 4158 14.139.5.202 22 LESSOPEN=|/usr/bin/lesspipe.sh %s G_BROKEN_FILENAMES=1 _=./ps

 

Also the hacker installed some script in my user home directly and was trying to connect to IRC port 6667 and was also listening some tcp and udp port.

 

Iptables is already running on my server, I could not identify the root cause for this. I have deleted all the data from home directly and also crontab entry.

 

Please help me out.

 

--

Thanks & Regards

 

Amit Kumar

Scientific Officer

Operation and Routing Group

M/O Communication and IT, NIC, A- Block, CGO Complex, New Delhi

Ph. +911122900332, NKN VoIP:5032