like virus

Support for security such as Firewalls and securing linux
zats
Posts: 65
Joined: 2011/05/12 07:21:19

like virus

Post by zats » 2014/03/18 14:14:32

Could anybody help me? I found that my HOSTS file was replaced with some MS HOSTS file that contains a 127 - localhost line and many 127 - bla.xx.com lines (just stuff - no sense, I guess). After rebooting, the file is changed again (I had edited it). How can I find what changes it? I'm not an experienced user: where can such a process start, and how can I find it out?

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: like virus

Post by gerald_clark » 2014/03/18 16:43:06

CentOS does not have a "HOSTS" file.
If you are referring to /etc/hosts, you did not post its contents, so we cannot tell you whether it is correct or not.
There should always be a 127.0.0.1 entry.

zats
Posts: 65
Joined: 2011/05/12 07:21:19

Re: like virus

Post by zats » 2014/03/20 07:43:28

For sure it's '/etc/hosts' - I just highlighted it as Microsoft uses it, because the original file was substituted with an MS one: every line ends with additional code, it has a lot of text with MS copyright and so on. In addition it comprises many lines with '127.0.0.1 sdhf.sd4d.com'-like stuff ('127.0.0.1 localhost' is present too) - the addresses look randomly generated. After I deleted the extra lines and rebooted, that ('wrong') file appeared again (something restores it on reboot). Then I found an extra user 'gusr' which was in the root group and had ID=0 (exactly!), so I was able to delete it with userdel only, and one extra user 'news' without peculiarities. Then I looked into '.bash_history' and found something strange (the fragment is attached). I removed and restored everything I had found, '/etc/hosts' stopped changing, but I'm not sure whether there is something else in the system. How can I check it?
Attachment: bash_history.PNG

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: like virus

Post by avij » 2014/03/20 08:29:30

Congratulations, you have been hacked. The next step is to back up any data and configuration you have on your server. After that, reinstall the operating system and restore your data and configuration from the backup. That is the only way to make sure everything has been cleaned.

After you have reinstalled the operating system, make sure PermitRootLogin in /etc/ssh/sshd_config is set to "no" to disable root logins via ssh.

roklebor
Posts: 55
Joined: 2012/04/15 06:58:35

Re: like virus

Post by roklebor » 2014/03/25 01:01:04

Isn't it better, instead of disabling root login via ssh, to just disable password authentication for ssh and use only pubkey auth?
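Two checks that cover what zats found earlier (a second UID 0 account) and what avij and the question above are about (root and password logins over ssh), as an added example that is not from any poster in this thread. The sample passwd and sshd_config files are constructed, and treating a missing directive as "yes" is an assumption about the sshd defaults of that era.

```shell
# Added example (not from the thread): audit helpers for the findings discussed here.
# Both take a file path, so they can be run against sample files or the real ones.

# Print every account in a passwd-format file that has UID 0 but is not "root".
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Return 0 when the given sshd_config sets both PermitRootLogin and
# PasswordAuthentication to "no", 1 otherwise. Assumption: a directive that is
# missing or commented out counts as "yes" (the permissive default assumed here).
sshd_hardened() {
    awk '
        BEGIN { prl = "yes"; pa = "yes" }
        /^[[:space:]]*#/ { next }                        # skip commented lines
        NF == 0          { next }                        # skip blank lines
        tolower($1) == "permitrootlogin"        { prl = tolower($2) }
        tolower($1) == "passwordauthentication" { pa  = tolower($2) }
        END { exit ((prl == "no" && pa == "no") ? 0 : 1) }
    ' "$1"
}

# Constructed sample inputs: a passwd file with the "gusr" UID 0 account and the
# "news" user mentioned in the thread, plus a weak and a hardened sshd_config.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
news:x:9:13:news:/etc/news:
gusr:x:0:0::/home/gusr:/bin/bash
EOF

WEAK_SSHD=$(mktemp)
printf '#PermitRootLogin yes\nPasswordAuthentication yes\n' > "$WEAK_SSHD"

HARDENED_SSHD=$(mktemp)
printf 'PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n' > "$HARDENED_SSHD"

echo "UID 0 accounts other than root: $(extra_uid0_accounts "$SAMPLE_PASSWD")"
sshd_hardened "$WEAK_SSHD"     && echo "weak config: ok"     || echo "weak config: root password login still possible"
sshd_hardened "$HARDENED_SSHD" && echo "hardened config: ok" || echo "hardened config: root password login still possible"
```

On a real host run the same two functions against /etc/passwd and /etc/ssh/sshd_config; any name printed by the first one is the kind of account zats had to remove with userdel.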

fredvps
Posts: 61
Joined: 2014/03/13 22:05:19

Re: like virus

Post by fredvps » 2014/03/25 14:24:30

Or perhaps simply use a sensible password?

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: like virus

Post by TrevorH » 2014/03/25 15:20:30

A sensible password is still only one-factor authentication; with a key file you need to have the private key _and_ the passphrase for it...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

fredvps
Posts: 61
Joined: 2014/03/13 22:05:19

Re: like virus

Post by fredvps » 2014/04/08 12:19:06

Doesn't that just amount to a more complicated password?

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: like virus

Post by TrevorH » 2014/04/08 12:37:06

Only if you think that a 2KB file containing random characters that then needs a password to unlock it amounts to a more complicated password. It's "something you have and something you know" vs "something you know"

fredvps
Posts: 61
Joined: 2014/03/13 22:05:19

Re: like virus

Post by fredvps » 2014/04/08 15:54:40

I'm sure you're right, Trevor, but I find myself unconvinced.
It seems to me that something that can be mathematically unlocked is easier to get at than something simply made up.
Either is susceptible to brute force attack, a crypto solution also having susceptibility to mathematical attack that can shorten the brute force necessary. And still all you need is a password.
