perfsonar-user - [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)
Subject: perfSONAR User Q&A and Other Discussion
- From: Jim Warner <>
- To: Brian Tierney <>
- Cc: Amit <>, Aaron Brown <>, "<>" <>, "<>" <>
- Subject: [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)
- Date: Thu, 10 Oct 2013 15:51:24 -0700
It seems to me that encouraging addition of an /etc/hosts.allow file to perfsonar installations would be a good idea. Even if you don't leave ssh enabled most of the time, it's nice to have the restriction there if you turn it on. And, for CD-ROM users, it appears that the file is remembered and restored across reboots.
-jim
On Thu, Oct 10, 2013 at 9:58 AM, Brian Tierney <> wrote:
Maybe just a brute force password attack that succeeded? Did you have a good password on that system?
On Oct 10, 2013, at 9:21 AM, Amit <> wrote:
> Hi,
>
> No sudo ability to this user. Also no other user account hacked. Not even any service got disrupted or misused.
>
> Thanks
> Amit
>
>
> Sent from my HTC
>
> ----- Reply message -----
> From: "Aaron Brown" <>
> To: "Amit" <>
> Cc: "<>" <>, "<>" <>
> Subject: [perf-node-users] Perfsonar Server got hacked (non root user)
> Date: Thu, Oct 10, 2013 8:22 pm
>
>
> Hey Amit,
>
> So this user broke into your 'admin' account, and not root, bwctl, perfsonar, other user accounts? Did this account have sudo ability?
>
> Cheers,
> Aaron
>
> On Oct 10, 2013, at 10:47 AM, Amit <> wrote:
>
> Hi,
>
> Today I could not ssh to my perfsonar servers (two) using a user account. When I logged in to the server, I identified that my Linux user got compromised somehow from the internet.
>
> I could see the ssh connection from an internet IP to my server. Also crontab entry for that user got changed. Please find below detail
>
> 4344 ? Ss 0:10 ps HOSTNAME=Perf-Delhi TERM=xterm SHELL=/bin/bash HISTSIZE=1000 SSH_CLIENT=201.231.245.195 4158 22 SSH_TTY=/dev/pts/0 USER=admin LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36: MAIL=/var/spool/mail/admin PATH=. PWD=/home/admin/.?/.? LANG=en_US.UTF-8 HISTCONTROL=ignoredups SHLVL=3 HOME=/home/admin LOGNAME=admin SSH_CONNECTION=201.231.245.195 4158 14.139.5.202 22 LESSOPEN=|/usr/bin/lesspipe.sh %s G_BROKEN_FILENAMES=1 _=./ps
>
> Also the hacker installed some script in my user home directory and was trying to connect to IRC port 6667 and was also listening on some TCP and UDP ports.
>
> Iptables is already running on my server, I could not identify the root cause for this. I have deleted all the data from the home directory and also the crontab entry.
>
> Please help me out.
>
> --
> Thanks & Regards
>
> Amit Kumar
> Scientific Officer
> Operation and Routing Group
> M/O Communication and IT, NIC, A- Block, CGO Complex, New Delhi
> Ph. +911122900332, NKN VoIP:5032
>
>
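Added example, not part of the original thread or of perfSONAR: a small Python triage helper that parses a process line in the format quoted above (command followed by NAME=value pairs, as `ps` prints with its BSD `e` option) and reports the traits visible in that line. The function names and the shortened sample are constructed for illustration.

```python
import re

# Constructed sample: the process line quoted in the thread, shortened
# (LS_COLORS and a few unrelated variables left out).
SAMPLE = (
    "4344 ? Ss 0:10 ps HOSTNAME=Perf-Delhi TERM=xterm SHELL=/bin/bash "
    "SSH_CLIENT=201.231.245.195 4158 22 SSH_TTY=/dev/pts/0 USER=admin "
    "PATH=. PWD=/home/admin/.?/.? SHLVL=3 HOME=/home/admin LOGNAME=admin "
    "SSH_CONNECTION=201.231.245.195 4158 14.139.5.202 22 "
    "LESSOPEN=|/usr/bin/lesspipe.sh %s G_BROKEN_FILENAMES=1 _=./ps"
)

# A variable starts at whitespace followed by NAME=; values may contain spaces.
_VAR = re.compile(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=")

def parse_ps_env(line):
    """Split one process line into (command part, {NAME: value})."""
    marks = list(_VAR.finditer(line))
    if not marks:
        return line.strip(), {}
    env = {}
    for cur, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(line)
        env[cur.group(1)] = line[cur.end():end].strip()
    return line[:marks[0].start()].strip(), env

def triage(line):
    """Return a list of findings for one process line."""
    _, env = parse_ps_env(line)
    findings = []
    path = env.get("PATH")
    if path is not None and any(not p.startswith("/") for p in path.split(":")):
        findings.append("PATH has a relative or empty entry: %r" % path)
    pwd = env.get("PWD", "")
    if any(c.startswith(".") for c in pwd.split("/")):
        findings.append("working directory inside a dot-directory: %r" % pwd)
    exe = env.get("_", "")
    if exe and not exe.startswith("/"):
        findings.append("started via a relative path: %r" % exe)
    conn = env.get("SSH_CONNECTION", "").split()
    if len(conn) == 4:
        findings.append("SSH session from %s port %s" % (conn[0], conn[1]))
    return findings
```

On the sample, `triage(SAMPLE)` reports all four traits: `PATH=.`, the dot-directory working directory, the binary named `ps` started as `./ps`, and the remote SSH endpoint.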