Gentoo Forums
Forum Index :: Networking & Security
hacker gained user access...
odioworks_com
Tux's lil' helper
Joined: 23 Jan 2005
Posts: 82
Location: Charlottesville, Virginia

Posted: Wed Jun 22, 2005 9:05 am    Post subject: hacker gained user access...

It seems to have started yesterday. From what I gather the hacker gained user access - and has started using my machine as a spam relay. I have no idea how many messages were sent out in the last 24 hours.

This all started when we had MySQL problems and had to reset the server. At points, for extended periods of time, the server was up yesterday and accepting connections from any login. Not sure if this was related to the break-in attempt.

The hacker used the email "mike@odioworks.com". mike was a user - however I had not set mike up for email in the mailsql database (therefore he shouldn't have been able to send emails...) I set up the mail server using this guide: http://gentoo-wiki.com/HOWTO_Linux_Virtual_Hosting_Server

You can find the first instance of "mike@odioworks.com" from /var/log/messages at: http://www.odioworks.com/hack_log.txt
Here are a few more lines from /var/log/messages during the thick of it: http://www.odioworks.com/hack_log2.txt

Also, looking in /etc/passwd I found some suspicious names. I have already deleted mike (the account associated with the login attempt), but I found other usernames which I do not recognize. Specifically, "operator" and "ow" both have shells. You can find the /etc/passwd file at http://www.odioworks.com/passwd.txt - I removed the users I could confirm as legit.

My questions are...

1) Given MySQL was accepting connections from any user / pass combo - would it have been possible to gain access to the real MySQL passwords stored in the mysql:user table? Or are these passwords encrypted?

2) I set up postfix using this tutorial: http://gentoo-wiki.com/HOWTO_Linux_Virtual_Hosting_Server, which authenticates emails based on users stored in the mailsql database. The hacker seemed able to send emails even after I shut the mysql down... any ideas?

3) I have deleted the "mike" user account... is it safe to start postfix back up?

4) Should I be worried about the “operator” and “ow” users in my /etc/passwd file?

5) Is it likely that my domain (odioworks.com) will be blacklisted?

Thanks for your help
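One way to triage the /etc/passwd question from the post (which accounts have a login shell, whether anything besides root has UID 0, whether two accounts share a UID). This is an added example, not code from the poster or the thread; the passwd lines are constructed for the example, and the allowlist of expected human users is an assumption.

```python
"""Audit a passwd file for accounts that deserve a closer look after a compromise."""

# Shells that do not give an interactive login; anything else is treated as a login shell.
NOLOGIN_SHELLS = {"", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/sync"}

# Constructed sample passwd content for this example (not the poster's passwd.txt).
# "operator" and "ow" have shells here to mirror what the post describes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
operator:x:11:0:operator:/root:/bin/bash
sshd:x:22:22:sshd:/var/empty:/sbin/nologin
alice:x:1000:100::/home/alice:/bin/bash
ow:x:1001:100::/home/ow:/bin/sh
toor:x:0:0::/root:/bin/sh
"""


def audit_passwd(text, expected_users):
    """Return a list of findings for a passwd file.

    Flags: malformed lines, non-root accounts with UID 0, accounts sharing a UID,
    and accounts with a login shell that are not in the expected set of human users.
    """
    findings = []
    first_owner_of_uid = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if uid == "0" and name != "root":
            findings.append(f"{name}: UID 0 but not root")
        if uid in first_owner_of_uid:
            findings.append(f"{name}: shares UID {uid} with {first_owner_of_uid[uid]}")
        else:
            first_owner_of_uid[uid] = name
        if shell not in NOLOGIN_SHELLS and name not in expected_users:
            findings.append(f"{name}: login shell {shell} on unexpected account")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, {"root", "alice"}):
        print(finding)
```

Run it against a copy of the real file taken from the forensic image rather than the live box, since the findings are only as trustworthy as the passwd file you feed it.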
frostschutz
Advocate
Joined: 22 Feb 2005
Posts: 2977
Location: Germany

Posted: Wed Jun 22, 2005 9:48 am    Post subject:

You don't know what else the hacker may have done to your system. Pull the plug, use a boot disk to format the drive (if you like, create an image for post-mortem analysis first), restore the latest uncompromised backup and make sure the hacker can't use the same method again before reconnecting the machine to the net.
All times are GMT