We just need to inform it that it need not concern itself with an internet connection.
Thanks.

Regards,
Mike

--
Mike Diehn
Diehn Consulting, LLC
Enfield, NH

Please excuse my brevity. I'm sending this from my phone.

On Dec 24, 2011 1:56 PM, "John Stoffel" <[email protected]> wrote:
>
> Hi all,
>
> In the spirit of New Years resolutions, and because I just found and
> fixed this hack a few days ago, I'm coming clean on how one of my home
> systems got hacked.
>
> I've got two kids, nine and five, and they each only use Linux systems
> for their games and such. This is nice because I can manage them
> remotely and just not think about it too much. They have simple
> passwords though. Too simple. Sigh...
>
> This system is also the host I use to login to my home machine(s) from
> the outside, with a dyndns.org hostname, etc. Of course I'm smart and
> only allow incoming SSH and port 3000 so I can do some Mojolicious
> hacking from the outside. Since nothing else listens on port 3000
> except me, I'm not worried.
>
> So I got hacked by someone who found my kid Jack's account and his
> stupidly simple password. And put in an ssh scanning tool, fired up a
> web server to listen for IRC command on a filtered port (so it's not
> clear whether they actually got any data out of here or not...). But
> it was all running as a non privileged user, so I don't think so.
>
> I ended up killing off all the processes, changing all my kids'
> passwords, and generally feeling stupid. It's not like I haven't been
> doing this for a long time, I should know better.
>
> And it looks like I got hit with:
>
>   http://blog.infosanity.co.uk/2010/07/21/example-of-post-exploit-utilities/
>
> the GOSH utility stuff.
>
> quad:/dev/shm/. /.gosh# ls -ltra
> total 15048
> -rwxr-xr-x 1 jack jack 249980 Feb 13 2001 screen
> -rwxr-xr-x 1 jack jack 453972 Jul 12 2004 ss
> -rwxr-xr-x 1 jack jack 21407 Jul 21 2004 pscan2
> -rwxr-xr-x 1 jack jack 842736 Nov 24 2004 ssh-scan
> -rwxr-xr-x 1 jack jack 265 Nov 24 2004 gen-pass.sh
> -rwxr-xr-x 1 jack jack 22354 Dec 1 2004 common
> -rwxr-xr-x 1 jack jack 26857 Aug 23 2005 5
> -rwxr-xr-x 1 jack jack 197 Aug 23 2005 secure
> -rwxr-xr-x 1 jack jack 3346659 Jul 23 2006 1
> -rwxr-xr-x 1 jack jack 0 Sep 26 2006 vuln.txt
> -rwxr-xr-x 1 jack jack 54703 Apr 20 2008 4
> -rwxr-xr-x 1 jack jack 54703 Apr 20 2008 2
> -rwxr-xr-x 1 jack jack 28956 Apr 20 2008 3
> -rwxr-xr-x 1 jack jack 3483 Nov 1 2009 mass
> -rwxr-xr-x 1 jack jack 94988 Nov 1 2009 userrootmic.txt
> -rwxr-xr-x 1 jack jack 49510 Nov 1 2009 userroomare.txt
> -rwxr-xr-x 1 jack jack 5050323 Nov 1 2009 sortateusr.txt
> -rwxr-xr-x 1 jack jack 1184 Nov 1 2009 CITESTE-INAINTE-SA-INCEPI
> -rwxr-xr-x 1 jack jack 1599 Feb 10 2010 a
> -rwxr-xr-x 1 jack jack 121 Feb 10 2010 go.shA
> -rwxr-xr-x 1 jack jack 122 Feb 10 2010 go.shB
> drwxr-xr-x 3 jack jack 80 Dec 20 18:11 ..
> -rwxr-xr-x 1 jack jack 5050323 Dec 21 10:11 pass_file
> -rw-r--r-- 1 jack jack 0 Dec 21 10:11 77.49.pscan.22
> drwxr-xr-x 2 jack jack 500 Dec 21 10:11 .
>
>
> The only reason I noticed this sucker is that the load was over 2 on
> the system and I was wondering what my kid was doing on there, since
> it's not a system they're allowed on or know about really.
>
> So I've done a couple of things:
>
> 1. changed passwords.
>
> 2. locked down SSH access more, so that only my username and one other
>    can get in via SSH now.
>
> 3. applied the latest debian patches, but I was already quite up to
>    date.
>
>
>
> So, just a friendly reminder, even us professionals can screw up. I
> will be more anal in the future, and working harder to have services
> and such default to DENY, rather than allow.
>
> Cheers, and Happy New Year!
> John
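
A check for the kind of artifact described in the thread, as an added example that is not part of the original messages: it lists executable files sitting under hidden directories (including names such as `. ` that look like `.` in a listing) below a scan root like /dev/shm. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def find_hidden_executables(root):
    """Return sorted paths of executable regular files located under a
    hidden directory (any path component starting with '.') below root."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        rel = os.path.relpath(dirpath, root)
        parts = [] if rel == os.curdir else rel.split(os.sep)
        if not any(p.startswith(".") for p in parts):
            continue  # not inside a hidden directory
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable while scanning
            if stat.S_ISREG(mode) and mode & 0o111:
                hits.append(path)
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: a '. /.gosh' directory like the one in the post,
    plus a visible directory that must not be reported."""
    root = tempfile.mkdtemp(prefix="shm-sample-")
    layout = {
        os.path.join(". ", ".gosh", "ssh-scan"): 0o755,   # should be flagged
        os.path.join(". ", ".gosh", "notes.txt"): 0o644,  # not executable
        os.path.join("games", "tool"): 0o755,             # not hidden
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for scan_root in ("/dev/shm", "/tmp"):
        for hit in find_hidden_executables(scan_root):
            # repr() makes directory names with trailing spaces visible
            print(repr(hit))
```

Run from cron or a monitoring agent, this turns up such a directory without relying on someone noticing the load average.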