Re: HELP! I've been had! Someone hacked into my Linux box. What now?

I forgot to mention my setup...

Box sits behind a Wireless Access Point with WEP128 encryption. This
AP acts as a firewall for all NAT'ed traffic (including my Linux box).
I have the router redirect all SSH traffic to my Linux box. Other than
that, all other ports are not redirected.

[I am broadcasting my SSID but I have not used my laptop in about a
month. Hence no traffic over the air, so I don't think anyone hacked
in by reversing my WEP key.]

I have SuSE 9.1 running on my Linux server. It is only a SAMBA server.
It only has one NIC. I'm not using it as a firewall.

Thanx again to all who help.

jg

jg wrote:
A few days ago I noticed my Linux box had been rebooted (typically runs
24/7). Upon further investigating I found someone had attempted to
login to my box (via ssh) close to 5000 times a few days earlier. As
far as I could tell, they had not been successful. However, I have my
doubts now. I have since closed my router's ssh virtual server's
redirect to it. I have also closed all outgoing traffic from it
(however, pings still get out, not sure why).

At any rate, since then, my box reboots every morning at 9:00 AM! Not
sure how this is being done. crontab shows nothing. Does anyone have
any ideas what I can do to find out which program is causing the
rebooting? Anything I should be looking for?

I'm guessing I'm going to have to assume worst case scenario here and
reformat my entire system. (Which I have been meaning to do anyway to
add some kind of RAID.)

Also, what can I do in the future to prevent something like this from
happening again? I thought my passwords were pretty secure... but I
guess I was mistaken. I cannot really do a private/public key since I
need access to my box from multiple locations. Also, is this more
secure?

Thanx to all who reply.

jg
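A triage script for the two questions in the post (which scheduled job is rebooting the box, and whether any of the ~5000 SSH attempts actually got in), added here as an example; it is not from the thread, and the file names, the `/mnt/suspect`-style root argument and the log lines are all constructed.

```shell
#!/bin/sh
# Hypothetical triage helper (added example, not from the thread).
#  scan_schedulers ROOT  lists scheduler entries that would reboot or halt the
#    box. `crontab -l` shows only the caller's table; /etc/crontab, /etc/cron.d,
#    other users' spools and at(1) jobs are separate files and are checked here.
#  ssh_summary LOG       counts accepted logins and failed attempts per source.
# ROOT may be a mounted image of the suspect disk (e.g. /mnt/suspect) so the
# check does not depend on binaries of a possibly trojaned live system.
PATTERN='reboot|shutdown|telinit|init 6|halt|poweroff'
scan_schedulers() {
    root="${1:-}"                       # empty string = the live root filesystem
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
             "$root"/var/spool/cron/tabs/* "$root"/var/spool/cron/crontabs/* \
             "$root"/var/spool/atjobs/* "$root"/var/spool/cron/atjobs/*; do
        [ -f "$f" ] || continue         # unmatched globs and directories are skipped
        grep -nE "$PATTERN" "$f" | sed "s|^|$f:|"   # prints file:line:entry
    done
    return 0
}
# Prints "accepted <n>" then one "failed <count> <source>" line per source, busiest first.
ssh_summary() {
    printf 'accepted %s\n' "$(grep -c 'sshd.*Accepted ' "$1")"
    grep 'sshd.*Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print "failed", $1, $2 }'
}
# Constructed sample tree and log (RFC 5737 addresses) so the script runs offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.d" "$d/var/spool/cron/tabs"
    printf '0 9 * * * root /sbin/reboot\n' > "$d/etc/cron.d/sysupdate"
    printf '15 3 * * * /usr/bin/updatedb\n' > "$d/var/spool/cron/tabs/root"
    printf '%s\n' \
      'Jan  3 02:11:05 srv sshd[4321]: Failed password for illegal user admin from 203.0.113.7 port 4022 ssh2' \
      'Jan  3 02:11:07 srv sshd[4323]: Failed password for root from 203.0.113.7 port 4023 ssh2' \
      'Jan  3 02:11:09 srv sshd[4325]: Failed password for root from 198.51.100.9 port 3301 ssh2' \
      'Jan  3 08:40:12 srv sshd[4410]: Accepted password for jg from 192.0.2.44 port 51022 ssh2' \
      > "$d/auth.log"
    echo "$d"
}
if [ "${1:-}" = "--demo" ]; then     # sh triage.sh --demo
    s=$(make_sample); scan_schedulers "$s"; ssh_summary "$s/auth.log"; rm -rf "$s"
fi
```

Run `scan_schedulers` against a mounted copy of the disk rather than the live system, and treat any "accepted" line from an unfamiliar source in the real log as a compromise, not a scan.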
