Search results: Posts by user marsanyi

  1. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    Oh. Also: updated ssh settings to disallow password-based entry, disallow root login.
  2. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    Sorry, I've been away from my office for a few days so missed a bit of posting. I infer from this that I'm the "OP". My investigative efforts were posted as I went; of course, at the end of the...
  3. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    Yes to cat food IP addresses. I turned off root password access, as per vanilla Ubuntu setup. My router belongs to my ISP and I can't access it directly, so I'll just alert them and let them worry...
  4. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    Current status:
    - found another duplicate, /usr/bin/bsd-port/getty, same file size. Masquerading as /usr/sbin/getty. Killed, removed.
    - disabled ssh altogether so the bad guys can't log back in...
  5. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    Yes, isn't it? However, I'm not running a webserver on this box.
  6. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    Thanks, Habitual, tgalati4, those four scripts look reasonable and show up as false-positive for Ubuntu.

    bashiergui: yes, I'm offline while doing this analysis. I forced "jun" to fire up once in...
  7. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    Sorry, QIII, will do. Couldn't find a button on the HTML text input widget to do it for me, so I was lazy.
  8. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    Found another suspicious binary: /usr/bin/bsd-port/getty. Same size as "jun". Shows up on nethogs as a big uploader (when I let it). Not present in my other Ubuntu install.

    Spelunking through...
  9. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    Re: gdm/lightdm: my mistake, I removed /tmp and didn't create a new one with the right permissions. Fixed. I'll keep you posted on the activity.
  10. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    Hmm. I can no longer log in through gdm (or whatever 12.04 is using). I _can_ log in from tty1. Keeping an eye on ps -aux and nethogs for an hour or so.
  11. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    Ran rkhunter. Nice! Saves a bunch of spelunking on my part. sudo less /var/log/rkhunter.log | grep -C 1 "Warning" found a few things:


    [10:47:42] /usr/local/bin/rkhunter ...
  12. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    More files in /tmp:
    .ICE-unix
    .winbindd/pipe
    .X0-lock
    .X11-unix/X0
  13. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    Sorry, got ahead of myself. ssh-VE... is a directory containing a socket, "agent.2509". "keyring-YP..." is a directory containing four sockets, "control", "gpg", "pkcs11", "ssh". at-sp2 is a...
  14. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    Nothing suspicious in crontabs, I re-checked after you reminded me, thanks.

    Thanks for the pointer to /tmp, though; I'd forgotten about that. Looking in there, I see:

    at-spi2...
  15. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    sudo lsof -p 4794 (.sshd) shows:

    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    .sshd 4794 root cwd DIR 8,1 4096 2 /
    .sshd 4794 root rtd DIR 8,1 4096...
  16. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    So ps -aux proves more useful than ps -A. The /usr/bin/java job running low in the list is indeed my cloud backup, CrashPlan. I see an entry for root, job 4794 (fairly late loaded) running...
  17. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    I can do that, tar.gz'd the binary. The raw binary is 1.22Mb, the compressed is 468K. With whom should I share the link?
  18. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    I'll check out chkrootkit, thanks. I'm trying to figure out what's running that's behind all this and surgically exposing it. We'll see how far I get.
  19. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    Re: "Jun" hack

    Thanks for the pointer, I'll go try some of those tools.

    I have a copy of "jun" quarantined. Hexdump on the binary didn't show anything I recognized (strings of text, for example).
  20. Thread: "Jun" hack (by marsanyi; Replies: 39; Views: 6,137)

    "Jun" hack

    I think I've been hacked.

    Noticed today that the net was pokey, a tell-tale. System Status showed pretty constant uploading going on to somewhere, in bursts of several minutes, followed by...
  21. [ubuntu] Re: VirtualBox error: Kernel driver not installed (rc=-1908)

    For those for whom /etc/init.d/vboxdrv doesn't exist, you might try this:

    sudo apt-get install --reinstall virtualbox-dkms

    Even though I had virtualbox-dkms installed, I had to force a...
  22. Re: HOWTO: Make festival TTS use better voices (MBROLA / CMU / HTS)

    Used calrama's pre-compiled voice files from post at http://ubuntuforums.org/showthread.php?t=751169&p=11347639#post11347639; downloaded tarball, un-tar'd, sudo mv'd to /usr/share/festival/voices/us....
  23. Re: HOWTO: Make festival TTS use better voices (MBROLA / CMU / HTS)

    Works as advertised on 12.04LTS. Thanks very much for making this available.
  24. [ubuntu] Re: SFTP connection time out (Replies: 2; Views: 2,984)

    I had a similar problem. Solution for me was to notice that, when ssh'ing in manually from a terminal, I received warnings about non-matching certificates for both the machine (name.local) and the...
  25. [all variants] Re: Gigabyte GA-990FXA-UD5 compatibility (Replies: 5; Views: 3,144)

    I've spent two days unsuccessfully trying to set up 12.04LTS on a 990FXA-UD3. Issues with networking and USB out of the box. Would not recommend to anyone whose time is valuable.
Results 1 to 25 of 31