Help, getting hacked (board: Security - System Security)
s*d
1
I am quite certain that someone has broken into some of my Unix machines.
And I need your help on several questions. Thanks in advance.
One is running AIX 4.1; it was known to be used as an open mail relay.
I found the following problems:
1. There is one extra user with the user name "+" and user id "0"; this should
be a clear sign of hacking. Is that right?
2. There are a lot of failed logins in my /etc/security/failedlogin, with user
name "UNKNOWN", and from some unidentified IP addresses, such as
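The two checks the poster describes (an extra uid-0 account in the password file, and failed logins grouped by source host) can be scripted. The following is an added example, not code from anyone in the thread. It assumes a passwd-format file and failed-login records in the text layout that `who /etc/security/failedlogin` prints on AIX (user, tty, date, time, host); both samples below are constructed.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for uid-0 accounts other than
# root, and count failed logins per source host. Not from the original thread.

# Constructed sample passwd content; the "+" account mirrors the thread's finding.
SAMPLE_PASSWD='root:!:0:0::/:/bin/ksh
daemon:!:1:1::/etc:
+:!:0:0::/:/bin/sh
guest:!:100:100::/home/guest:/bin/ksh'

# Constructed sample in the column layout `who` prints for failedlogin records
# (user tty month day time (host)); the hosts are documentation addresses.
SAMPLE_FAILED='UNKNOWN  pts/3  Jan 12 03:11  (203.0.113.5)
UNKNOWN  pts/3  Jan 12 03:11  (203.0.113.5)
root     pts/1  Jan 12 03:15  (203.0.113.5)
UNKNOWN  pts/2  Jan 13 22:40  (198.51.100.9)'

# Print every account whose numeric uid (field 3) is 0 and whose name is not
# "root". Any output here is a finding worth investigating.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Count failed logins per source host: the last field is "(host)", so strip the
# parentheses, tally, and sort most-frequent first.
failed_by_host() {
    printf '%s\n' "$1" | awk '{ h = $NF; gsub(/[()]/, "", h); c[h]++ }
        END { for (h in c) print c[h], h }' | sort -rn
}

# Stand-alone run over the constructed samples.
echo "uid-0 accounts besides root:"
extra_uid0 "$SAMPLE_PASSWD"
echo "failed logins by source host:"
failed_by_host "$SAMPLE_FAILED"
```

On a live AIX host the same functions apply to real data with `extra_uid0 "$(cat /etc/passwd)"` and `failed_by_host "$(who /etc/security/failedlogin)"`; the binary failedlogin file is not readable directly, which is why the example parses `who` output rather than the file itself.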
T*r
2
From your description, your hosts have perhaps been hacked. The
best solution is
to back up all your data (no executables, even source code), and
then reinstall the systems totally. After installation,
change all user names and passwords, including root,
and shut down all services that are not necessary...
s*d
3
Thank you very much for your help. Can you also give me some suggestions on
the questions in item 2 in my original post?

[Quoting T********r's post:]
: From your description, your hosts have perhaps been hacked. The
: best solution is
: to back up all your data (no executables, even source code), and
: then reinstall the systems totally. After installation,
: change all user names and passwords, including root,
: and shut down all services that are not necessary...

D*I
4

I can help on this question: following is my trace result on
these IPs

IP                Location
207.45.222.217    41.883N,  87.617W
207.45.222.225    39.742N, 104.992W
207.45.222.233    37.442N, 122.142W
207.45.223.74     47.608N, 122.325W
207.45.222.86     49.250N, 122.942W
207.45.223.174    48.817N, 124.025W
207.45.223.154    48.817N, 124.025W
203.50.13.69      33.825S, 151.200E
203.50.13.66      33.825S, 151.200E
139.130.249.226   33.825S, 151.200E
203.50.6.129      33.825S, 151.200E
139.130.36.238    33.825S, 1

[Quoting s*****d's post:]
: I am quite certain that someone has broken into some of my Unix machines.
: And I need your help on several questions. Thanks in advance.
: One is running AIX 4.1; it was known to be used as an open mail relay.
: I found the following problems:
: 1. There is one extra user with the user name "+" and user id "0"; this should
: be a clear sign of hacking. Is that right?
: 2. There are a lot of failed logins in my /etc/security/failedlogin, with user
: name "UNKNOWN", and from some unidentified IP addresses, such as

l*a
5
How do you obtain the location info from the IP in the trace?

[Quoting D*******I's post:]
:
: I can help on this question: following is my trace result on
: these IPs
: IP                Location
: 207.45.222.217    41.883N,  87.617W
: 207.45.222.225    39.742N, 104.992W
: 207.45.222.233    37.442N, 122.142W
: 207.45.223.74     47.608N, 122.325W
: 207.45.222.86     49.250N, 122.942W
: 207.45.223.174    48.817N, 124.025W

D*I
6
It won't help a lot, but:
1. it makes you feel much better
2. if he continues to attack, we have the info to further locate
him
3. if he is really from that city, we have the ISP's name, which
can be used to completely locate him from the ISP's log file
given the time he launches the attack from that IP (in case of
a crime; and this is the CCP's trick to find out who's the
guy who posts anti-CCP stuff on BBS)
I guess he's just playing around.
s*d
7
Thank you very much! I posted it about 6 weeks ago. Also my thanks to carmel
and other friends.
I also think these guys are just playing around, not a big problem. The real
problem is that somebody is continuously using my workstation as a mail relay.
I have tried to block it by removing the "-bd" switch for my sendmail, but then
it seems it will not be able to forward any email :-(. Guess I have to upgrade my
sendmail, 'cause it's really old (5.64).
Thanks again for your kind help.

[Quoting D*******I's post:]
: It won't help a lot, but:
: 1. it makes you feel much better
: 2. if he continues to attack, we have the info to further locate
: him
: 3. if he is really from that city, we have the ISP's name, which
: can be used to completely locate him from the ISP's log file
: given the time he launches the attack from that IP (in case of
: a crime; and this is the CCP's trick to find out who's the
: guy who posts anti-CCP stuff on BBS)
: I guess he's just playing around.

D*I
8
Some useful sites:
I. Hack Thyself
1. grc.com // auto scan, and will issue a report to you for
any holes
2. hackerwhacker.com
3. dslreports.com
II. Protection
1. zonelabs.com // auto plugs the holes, free for home use

[Quoting s*****d's post:]
: Thank you very much! I posted it about 6 weeks ago. Also my thanks to carmel
: and other friends.
: I also think these guys are just playing around, not a big problem. The real
: problem is that somebody is continuously using my workstation as a mail relay.
: I have tried to block it by removing the "-bd" switch for my sendmail, but then
: it seems it will not be able to forward any email :-(. Guess I have to upgrade my
: sendmail, 'cause it's really old (5.64).
: Thanks again for your kind help.

a*s
9

Excuse me... can you tell me where to get the location of an IP??
Anywhere I can get it...??? Please mail me... Thanx... ^^
c******[email protected]

[Quoting D*******I's post:]
: Some useful sites:
: I. Hack Thyself
: 1. grc.com // auto scan, and will issue a report to you for
: any holes
: 2. hackerwhacker.com
: 3. dslreports.com
: II. Protection
: 1. zonelabs.com // auto plugs the holes, free for home use
