Re: Urgent!!! My computer seems to be hacked, pls HELP!!!




Todd H. wrote:

> "Jenny" <ahajenny@xxxxxxxxx> writes:
>> Dear groups,
>>
>> My computer was told that it sent unusual packets from port 60609 to
>> some computer with IP 61.50.138.237 port 22. (more than 20 flows per
>> second!!!)
>>
>> I am running Fedora Core 5 plus "OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct
>> 2005", I use netstat to check services I open, only mysql, samba,
>> vsftp, ssh, http.
>>
>> I check /var/log, message and security. I can't find any successful
>> logging from others. But I do find many many attacks from 61.50.138.*
>> (not including the one 61.50.138.237 which my computer attacked!!!),
>> and none of them successes.
>>
>> I have some questions to ask all of you, please help me!!!
>>
>> 1. is my computer hacked? if no, then why my computer sends packets
>> from port 60609 to some computer port 22 ?
>
> If neither you nor any authorized user to your knowledge is using the
> machine then this ssh connection to an IP in china is very likely a
> compromise.
>
>> 2. if my computer is hacked, then what can I do? reinstalling the
>> system is the only way???
>
> Yup. It's the only way to get back to a known state. Wiping and
> reinstalling from original media.

But that's not needed, you can find which process is using that
particular port and kill it (use lsof). Then run a rootkit detection
and/or anti-virus detection to try to find out where that process came
from (there are several to choose from). Before that I would harden
ssh access, no access except your user.

HTH
--
René Berber
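
The lsof step suggested in the reply above, as an added example that is not part of the original posts: it reads `lsof -nP -iTCP` output and reports which process owns flows to a given remote address and port. The function names, the local address 192.0.2.10, the host 61.50.138.14 and the process names are constructed for illustration; only 61.50.138.237, port 22 and port 60609 come from the thread.

```shell
#!/bin/sh
# Added example: attribute outbound TCP flows to the processes that own them.
# Reads `lsof -nP -iTCP` output on stdin; $1 = remote IP, $2 = remote port.
# Prints one line per owning process: PID COMMAND USER FLOWS
owners_of_remote() {
    awk -v ip="$1" -v port="$2" '
        NR == 1 && $1 == "COMMAND" { next }      # skip the lsof header row
        {
            # The NAME column looks like local:port->remote:port; locate it
            # by the "->" marker so differing column counts do not matter.
            for (i = 1; i <= NF; i++) {
                n = index($i, "->")
                if (n == 0) continue
                remote = substr($i, n + 2)
                if (remote == ip ":" port) {
                    key = $2 " " $1 " " $3       # PID COMMAND USER
                    flows[key]++
                }
            }
        }
        END { for (k in flows) print k, flows[k] }
    ' | sort -n
}

# Constructed sample of lsof output (not captured from the poster's machine).
# It mixes listeners, an inbound ssh session, a legitimate outbound ssh client
# and two outbound flows to the address reported in the thread.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     2101   root    3u  IPv4   5012      0t0  TCP *:22 (LISTEN)
httpd    2230 apache    4u  IPv4   5170      0t0  TCP *:80 (LISTEN)
sshd     3050   root    4u  IPv4   9001      0t0  TCP 192.0.2.10:22->61.50.138.14:41872 (ESTABLISHED)
proc-x   4321 apache    5u  IPv4   9100      0t0  TCP 192.0.2.10:60609->61.50.138.237:22 (SYN_SENT)
proc-x   4321 apache    6u  IPv4   9101      0t0  TCP 192.0.2.10:60610->61.50.138.237:22 (SYN_SENT)
ssh      5100  user1    3u  IPv4   9200      0t0  TCP 192.0.2.10:51000->198.51.100.7:22 (ESTABLISHED)
EOF
}

# On a live host: lsof -nP -iTCP | owners_of_remote 61.50.138.237 22
sample_lsof | owners_of_remote 61.50.138.237 22
```

With the PID in hand, `ls -l /proc/<PID>/exe` shows the path of the binary on Linux while the process is still running.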
