- Oct 10, 1999
I had a whole fricking thing written up, then hit a wrong key and it went to the main anandtech site, and wiped the text from the buffer.
Anyway, we apparently got cracked into tonight. Kinda fun and funny, though annoying.
My Linux machine got up and running a couple of nights ago, and I hadn't bothered to secure it or anything yet because I'm going to be wiping it out in the next few days to reinstall (partition issues). I hadn't even bothered to start playing with stuff much because I didn't want to have to do it all over again later.
So, to play from work, I had the telnet, ftp, ssh, and http ports forwarded using the LinkSys cable/dsl router, sending those ports to my box. My roommate had also been using VNC for a short time, so he was still set up as the DMZ host in the router.
We were working on some computers tonight trying to salvage usable stuff from them, and he noticed that his My Documents folder on his desktop had been renamed to 777, and he wasn't able to even click on his desktop. He rebooted, and was able to change the name. We assumed he must have just accidentally renamed it and been hitting the 7 key at the time or set something on the key. The computer itself has been having issues, so we thought that explained not being able to touch the desktop.
Then later, I brought the monitor back in for my Linux box (we'd been using it for testing servers) and plugged it in. Since I'm still new to Linux and all impressed by it, I like to check the running processes, plus it assures me that the D.Net client is still running.
This time, I noticed a lot more processes than usual, several of which I'd never seen before. There were all kinds of things running that I never did, like cron and httpd and smtpd. I KNOW cron had never been running before, and I don't think smtpd had been. Httpd was before, since the default install allows you to browse the docs in HTML in a browser. However it was now using over 14% of the CPU, which had never happened, and RC5 had always used 99.9% of the cpu time before. There were also a few other processes running I didn't recognize.
I killed all of them, got back down to pretty much no processes running. But I'd like to know how somebody got in and maybe where they came from. However I don't know enough to know where the message files go, if any, or where the screen buffer goes during boot. I read the other day that all Linux boot messages go into a certain file, but I don't remember where.
I'm just glad I hadn't started making use of the machine. Still pisses me off somewhat. Almost puts me off of Linux, not because it's bad or that I think it's Linux's fault; I didn't secure it, it's my fault. But being able to access from home means running at least ssh protocol (only telnet and http had been active; ssh was installed but I was getting checksum errors at work so I went back to telnet for now). So this means I HAVE to learn how to secure the machine, and I've got precious little time as it is.
Anyway, just thought it'd be fun to tell people about. It's very odd to see that CRON is running, and not be able to find out why.
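The two things the post is trying to do by hand (work out which running processes are new or behaving oddly, and find out where the login came from) as an added example; this is not code from the original post or from any tool the poster used. On Red Hat-style systems of that era syslog writes login and tcp_wrappers records to /var/log/messages, and the kernel's boot messages are readable with `dmesg`. The baseline set, the `ps aux` snapshot, the process names (including `./unknown1`, a stand-in for an unrecognized binary) and the log lines are all constructed for the example; the 192.0.2.x addresses are from the documentation range.

```python
"""
First-pass triage for a Linux box that may have been broken into.
Added example; all data below is constructed, not taken from a real host.

  1. Compare a `ps aux` snapshot against what the owner knows was running
     before, and flag anything new or any known process burning CPU it
     never used to (the post's httpd at 14% is the example of the latter).
  2. Pull remote IPv4 addresses out of /var/log/messages records such as
     tcp_wrappers' "connect from" and login's "FROM" to see where the
     sessions came from.
"""
import os
import re
from collections import namedtuple

Proc = namedtuple("Proc", "user pid cpu command")

# Hypothetical known-good set: what the owner remembers running before.
BASELINE = {"init", "kflushd", "kswapd", "bash", "rc5des", "httpd", "in.telnetd"}
# Processes that are allowed to sit near 100% CPU (the distributed.net client).
EXPECTED_BUSY = {"rc5des"}

# Constructed `ps aux` snapshot resembling what the post describes.
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.3  1104  472 ?        S    Oct08   0:04 init
root       212  0.0  0.5  1320  656 ?        S    Oct10   0:00 crond
root       245  0.2  0.9  2960 1200 ?        S    Oct10   0:01 smtpd
nobody     301 14.3  2.1  5200 2700 ?        S    Oct10   3:21 httpd
root       318  0.0  0.4  1240  520 ?        S    Oct10   0:00 ./unknown1
user       402 99.9  1.5  2100 1900 ?        R    Oct08 12:30 rc5des
"""

# Constructed /var/log/messages excerpt; addresses are from 192.0.2.0/24.
SAMPLE_LOG = """\
Oct 10 01:12:43 box in.telnetd[287]: connect from 192.0.2.55
Oct 10 01:12:51 box login: LOGIN ON ttyp1 BY root FROM 192.0.2.55
Oct 10 01:13:02 box crond[212]: (CRON) STARTUP (fork ok)
Oct 10 01:14:10 box smtpd[245]: daemon started
"""


def parse_ps(text):
    """Turn `ps aux` output into Proc tuples; COMMAND keeps its arguments."""
    procs = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        fields = line.split(None, 10)           # COMMAND may contain spaces
        if len(fields) < 11:
            continue
        procs.append(Proc(fields[0], int(fields[1]), float(fields[2]), fields[10]))
    return procs


def find_suspects(procs, baseline=BASELINE, cpu_threshold=10.0, busy=EXPECTED_BUSY):
    """Return (proc, reason) for anything not in the baseline or unusually busy."""
    suspects = []
    for p in procs:
        name = os.path.basename(p.command.split()[0])
        if name not in baseline:
            suspects.append((p, "not in baseline"))
        elif p.cpu >= cpu_threshold and name not in busy:
            suspects.append((p, "unexpected CPU use %.1f%%" % p.cpu))
    return suspects


# "connect from 1.2.3.4" (tcp_wrappers) or "... FROM 1.2.3.4" (login).
REMOTE_RE = re.compile(r"\b(?:from|FROM)\s+(\d{1,3}(?:\.\d{1,3}){3})\b")


def remote_hosts(log_text):
    """Count remote IPv4 addresses mentioned in connection/login records."""
    counts = {}
    for line in log_text.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def main():
    for p, why in find_suspects(parse_ps(SAMPLE_PS)):
        print("PID %5d %-12s %s" % (p.pid, p.command, why))
    for host, n in sorted(remote_hosts(SAMPLE_LOG).items()):
        print("remote %s seen %d time(s)" % (host, n))


if __name__ == "__main__":
    main()
```

Two caveats apply when this is run for real rather than on the constructed data. Once root has been taken, `ps`, `netstat` and the log file itself may have been replaced or edited by the intruder, so a clean-looking listing proves little and an address found in the log is only a lead; the reinstall from clean media the post already plans is the actual fix. The other lesson in the post is the exposure: with telnet and ftp forwarded and a second machine sitting as the router's DMZ host, cleartext passwords and every port were reachable from the internet, so the rebuilt box should expose ssh only.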
