like virus
Could anybody help me? I found that my HOSTS file has been replaced with some MS HOSTS file that contains a 127 - localhost line and many 127 - bla.xx.com lines (just stuff, no sense I guess). After rebooting the file is changed again (I had edited it). How can I find what changes it? I'm not an experienced user: where can such a process start and how can I find it out?
- Posts: 10642
- Joined: 2005/08/05 15:19:54
- Location: Northern Illinois, USA
Re: like virus
CentOS does not have a "HOSTS" file.
If you are referring to /etc/hosts, you did not post its contents, so we cannot tell you whether it is correct or not.
There should always be a 127.0.0.1 entry.
Re: like virus
For sure it's '/etc/hosts'; I just wrote it in capitals the way Microsoft does, because the original file was replaced with an MS one: every line ends with an additional code, it has a lot of text with an MS copyright notice and so on. In addition it contains many lines like '127.0.0.1 sdhf.sd4d.com' ('127.0.0.1 localhost' is present too); the addresses look randomly generated. After I deleted the extra lines and rebooted, that ('wrong') file appeared again (something restores it on reboot). Then I found an extra user 'gusr' which was in the root group and had ID=0 (exactly!), so I was able to delete it only with userdel, and one extra user 'news' without peculiarities. Then I looked into '.bash_history' and found something strange (the fragment is attached). I removed and restored everything I had found, and '/etc/hosts' stopped changing, but I'm not sure whether there is something else in the system. How can I check it?
Attachment: bash_history.PNG (28.81 KiB)
Last edited by zats on 2014/03/20 08:32:58, edited 1 time in total.
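A few checks for the symptoms described in the post above, as an added example (this is not code from the thread or from CentOS): a second UID 0 account in /etc/passwd, non-localhost names pointed at a loopback address in /etc/hosts, and a search of the boot and cron directories for the script that keeps putting the file back. The sample passwd file, hosts file and rc.local are constructed to match the description; the vendor hostname and the rc.local contents are made up. Each function takes a path, so the same checks can be run against files copied off a mounted disk image, or with no argument against the live system.

```shell
#!/bin/sh
# Added example, not from the thread: check the indicators the poster describes
# (a second UID 0 account, unexpected loopback entries in /etc/hosts) and look
# for the boot-time job that keeps restoring the file. Every function takes a
# path so it can run against copies taken from a mounted disk image as well as
# against the live system (call it with no argument for the live defaults).

# Print every account with UID 0 other than "root". Any such account is a
# second root and has no legitimate reason to exist on a stock install.
extra_uid0_users() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Print every name mapped to a loopback address that is not one of the
# standard localhost aliases. Malware sinkholes update and AV domains this way.
# A trailing carriage return is stripped in case the file has Windows line endings.
sinkholed_hosts() {
    awk '
        { sub(/\r$/, "") }
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 ~ /^127\./ || $1 == "::1" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break
                if ($i !~ /^(localhost|localhost\.localdomain|localhost[46]|localhost[46]\.localdomain[46]|ip6-localhost|ip6-loopback)$/)
                    print $i
            }
        }' "${1:-/etc/hosts}"
}

# Print files under the given directories that mention /etc/hosts: a script that
# rewrites the file at boot or from cron has to name it somewhere.
# On a live box: hosts_writers /etc/rc.d /etc/init.d /etc/cron* /var/spool/cron
hosts_writers() {
    grep -rl '/etc/hosts' "$@" 2>/dev/null
}

# Constructed sample data mirroring the symptoms in the post (the user names
# and the sdhf.sd4d.com entry come from the description; the vendor name,
# the CRLF line endings and the rc.local contents are invented).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
gusr:x:0:0::/home/gusr:/bin/bash
news:x:9:13:news:/etc/news:
user1:x:500:500::/home/user1:/bin/bash
EOF
printf '%s\r\n' \
    '# Copyright notice copied from a Windows hosts file' \
    '127.0.0.1       localhost' \
    '::1             localhost localhost.localdomain localhost6 localhost6.localdomain6' \
    '127.0.0.1       sdhf.sd4d.com' \
    '127.0.0.1       av-updates.example.com   # sinkholed vendor' \
    > "$SAMPLE_DIR/hosts"
mkdir -p "$SAMPLE_DIR/rc.d"
printf '#!/bin/sh\ncp /var/tmp/.hosts /etc/hosts\n' > "$SAMPLE_DIR/rc.d/rc.local"

echo "== UID 0 accounts other than root =="
extra_uid0_users "$SAMPLE_DIR/passwd"
echo "== non-localhost names on loopback =="
sinkholed_hosts "$SAMPLE_DIR/hosts"
echo "== scripts that mention /etc/hosts =="
hosts_writers "$SAMPLE_DIR/rc.d"
```

On a live CentOS system the same questions are usually followed by `rpm -Va`, which lists package-owned files whose size, mode or checksum no longer match the RPM database, and by a look at /var/log/secure and `last` for the logins that brought the intruder in. All of these rely on binaries and logs that someone with UID 0 could have altered, which is why the reinstall advice below still stands; the checks are for scoping the damage and finding the entry point, not for certifying the box clean.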
Re: like virus
Congratulations, you have been hacked. The next step is to backup any data and configuration you have on your server. After that, reinstall the operating system and restore your data and configuration from the backup. That is the only way to make sure everything has been cleaned.
After you have reinstalled the operating system, make sure PermitRootLogin in /etc/ssh/sshd_config is set to "no" to disable root logins via ssh.
Re: like virus
Isn't it better, instead of disabling root login via ssh, to just disable password authentication for ssh and use only pubkey auth?
Re: like virus
or perhaps simply use a sensible password?
Re: like virus
A sensible password is still only one-factor authentication; with a key file you need to have the private key _and_ the passphrase for it...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
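The sshd_config settings argued over in the last few replies (PermitRootLogin from the reinstall advice, PasswordAuthentication and PubkeyAuthentication from the key-versus-password discussion) can be checked mechanically. This is an added example, not code from the thread or from OpenSSH; the two sample configs are constructed, the "weak" one modelled on a stock CentOS 6 sshd_config where the PermitRootLogin line is still commented out. ChallengeResponseAuthentication is checked as well, because with UsePAM on it lets a password be supplied through keyboard-interactive even when PasswordAuthentication is off.

```shell
#!/bin/sh
# Added example, not from the thread: report what sshd would actually use for
# the directives discussed above, then judge the file against the hardened
# combination (root login off, password and keyboard-interactive auth off,
# public-key auth on). Rules mirrored from sshd's parser: the first occurrence
# of a directive wins, keywords are case-insensitive, "Key value" and
# "Key=value" are both accepted, and everything after a "Match" line applies
# only to that block, so it is ignored for the global verdict.

# Print the effective (lower-cased) value of directive $1 in config file $2,
# or "default" when the file does not set it at all.
effective_setting() {
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        { sub(/#.*/, ""); gsub(/=/, " ") }        # drop comments, normalise Key=value
        NF == 0 { next }
        tolower($1) == "match" { in_match = 1 }
        in_match { next }
        tolower($1) == key && !found { print tolower($2); found = 1 }
        END { if (!found) print "default" }
    ' "$2"
}

# Compare the effective values with the wanted ones; print one line per
# directive and return the number of directives that still need fixing.
# An absent directive is reported as "default" and flagged, because the
# compiled-in default differs between OpenSSH versions (PermitRootLogin was
# "yes" before OpenSSH 7.0 and "prohibit-password" after): set it explicitly.
ssh_audit() {
    cfg=${1:-/etc/ssh/sshd_config}
    problems=0
    for pair in PermitRootLogin:no PasswordAuthentication:no \
                ChallengeResponseAuthentication:no PubkeyAuthentication:yes; do
        directive=${pair%%:*}
        want=${pair#*:}
        have=$(effective_setting "$directive" "$cfg")
        if [ "$have" = "$want" ]; then
            echo "ok   $directive $have"
        else
            echo "FIX  $directive is '$have', want '$want'"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample configs: the first resembles a stock CentOS 6 install where
# root can still log in with a password, the second the hardened state, with a
# Match block that must not influence the global result.
SSH_SAMPLES=$(mktemp -d)
trap 'rm -rf "$SSH_SAMPLES"' EXIT
cat > "$SSH_SAMPLES/weak" <<'EOF'
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF
cat > "$SSH_SAMPLES/hardened" <<'EOF'
Protocol 2
permitrootlogin no
PubkeyAuthentication yes
PasswordAuthentication=no
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes    # only for this user; must not change the verdict
EOF

echo "== weak sample =="
ssh_audit "$SSH_SAMPLES/weak" || echo "-> $? directive(s) to fix; restart sshd after editing"
echo "== hardened sample =="
ssh_audit "$SSH_SAMPLES/hardened" && echo "-> nothing to fix"
```

Run `ssh_audit` with no argument to check the live /etc/ssh/sshd_config. Before turning PasswordAuthentication off on a remote box, put the public key in place and confirm a key login works from a second session, otherwise the lockout is self-inflicted.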
Re: like virus
doesn't that just amount to a more complicated password?
Re: like virus
Only if you think that a 2KB file containing random characters that then needs a password to unlock it amounts to a more complicated password. It's "something you have and something you know" vs "something you know"
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: like virus
I'm sure you're right trevor but I find myself unconvinced.
It seems to me something that can be mathematically unlocked is easier to get at than something simply made up. Either is susceptible to brute-force attack, a crypto solution also having susceptibility to mathematical attack that can shorten the brute force necessary. And still all you need is a password.