Comments:
<0> having the pc offline when not in use...
<1> and investigate
<2> have you ever owned someone?
<2> tell the truth
<0> heh
<2> _switch, how do I investigate?
<3> from what I can see, for my user2, .vnc/xstartup isn't even called when starting a new vnc session. Any idea why?
<4> hi all
<2> HOW did I get owned?
<3> what calls it when a vnc session is started?
<5> what daemons were running?
<1> *G* gnurdux there are tons of methods...
<2> a lot
<2> im DMZ
<1> via an exploit public or not
<2> and I have apache
<1> via SE the certain user
<1> via brute-force
<1> luck/accident
<2> do you think that they only hacked that user?
<5> if you cant eliminate one by one what was vulnerable, then you wont know
<1> backdoored software
<6> Gnurdux right now the best start is that .bash_history file ..... see if they were actually logged in
<2> IE if i delete that user, will it be ok?
<6> no
<2> Splinter2, there is one line in there that didnt come from me
<2> uptime
<6> what was it
<6> ahhh
<1> dude .. if I were you I'd do a system reinstall
<1> and this time I'd give a fsck about security.
<2> whats so ahhh about that Splinter2 ?
<1> what's your distribution ?
<2> debian testing
<6> Gnurdux uptime
<2> yes?
<2> what about it
<0> well... an unstable version...
<6> thats all that was not you
<2> Splinter2, whats revealing about typing uptime?
<2> yes
<1> debian testing is hardly unstable
<2> i think uptime wasn't me
<2> almost certain
<3> Does anybody here have any expertise on VNC?
<2> Splinter2, is there anything revealing about that?
<6> Gnurdux that they may have actually logged in and not just planted something
<1> if I'd own a system, I'd check its uptime.
<1> but that doesn't say anything.
<7> If I had money, I'd spend it
<8> oh guys... i'm worried. i think i'm in deep ****
<8> so i bought a 300gig hard drive and have been using it for a while
<1> sha1sum: ntzt ntzt ntzt
<7> "would" statements are pretty much useless
<2> so if they logged in, how do I check that?
<8> and when i got up this morning, i saw my desktop had been frozen for many hours, not long after I had gone to bed
<6> Gnurdux take a longer look through your log files (more than tail) they may have been in a couple of days back
<8> and now all my partitions are corrupt (using xfs)
<6> Gnurdux is there a file /var/log/auth
<2> yes
<8> i'm trying to run xfs_check and xfs_repair... but i get disk read errors
<2> i just grepped for the username
<1> run a checkroot hunter, check your logs, do it while your computer is offline
<6> look through it
<1> gather all the data you can
<1> then reinstall
<1> and this time give a fsck about security.
<2> ill do a pastebin
<1> --a rootkit
<2> well
<1> those are usual things you can do
<2> none of it is suspicious
<0> look at /var/log/wtmp
<6> k
<1> if the attacker know's his ****, chances are you won't discover anything.
<1> -knows
<9> If the sysadmin knows his stuff then the attacker is doomed.
<2> Binary file /var/log/wtmp.1 matches
<2> hmmm
<2> it matches that username
<2> whats wtmp
<9> Of course, not an awful lot of sysadmins know their stuff...
<6> it would
<1> ignacio: not always.
<2> whats wtmp?
<0> it's a log for successful logins
<8> ahh.. i'm boned aren't I? my drive is dead... my fscking expensive nice 300gig drive is dead
<2> does it include su's and stuff clarjon1 ?
<1> even the most competent admin can be "fooled"
<0> i dunno
<2> does /var/log/wtmp include sus?
<2> how do i read wtmp
<2> its binary
<10> ok, I fixed the permissions on /var/run/utmp but user login info doesn't show up still, why?
<2> _switch, help me
<10> I've tried a fresh login
<2> how do i read /var/log/wtmp.1
<8> anybody know what to do if i get read errors on a disk?
<6> Gnurdux try strings /var/log/wtmp.1 > <some temp file>
<11> TragicZ get a new hard drive
<11> after testing it
<8> Kevin`: eh.. something that doesn't even me shelling out a lot of money?
<11> test the hard drive
<11> add badblock lists to fs
<11> and hope
<8> it hasn't even been a whole month since i bought and started using this thing
<8> it's a western digital drive...
<2> pts/4
<2> ts/4wesley
<2> pool-68-163-43-148.phil.east.verizon.net
<2> pts/4
<2> thats in the output
<0> gnurdux: try this: last -f /var/log/wtmp.1 | more
<0> nm
<2> is that worth noting?
<8> Gnurdux: if that's not you, then yeah
<5> Gnurdux usr/bin/last to read wtmp or utmp, i forget which
<2> pts/5
<2> ts/5wesley
<2> pool-68-163-43-148.phil.east.verizon.net
<2> pts/5
<2> wesley pts/3 pool-68-163-43-1 Thu Mar 2 21:47 - 21:52 (00:04)
<2> wesley pts/3 pool-68-163-43-1 Thu Mar 2 20:35 - 20:43 (00:08)
<2> wesley pts/6 pool-68-163-43-1 Thu Mar 2 15:36 - 16:20 (00:44)
<2> wesley pts/6 pool-68-163-43-1 Thu Mar 2 12:33 - 12:48 (00:15)
<2> wesley pts/6 pool-68-163-43-1 Thu Mar 2 10:52 - 10:56 (00:04)
<2> wesley pts/5 pool-68-163-43-1 Wed Mar 1 16:11 - 16:11 (00:00)
<2> wesley pts/4 pool-68-163-43-1 Wed Mar 1 16:01 - 16:01 (00:00)
<11> I assume that's you
<2> not me
<2> but its benign
<5> ln -s last lastb in usr/bin, to see failed logins
<0> try this: grep refused /var/log/secure*
<2> its a shell account
<2> so thats all not suspicious
<0> Gnurdux: try this: grep refused /var/log/secure*
<2> i was working with it because the guy left
<2> grep: /var/log/secure*: No such file or director
<0> hmm
<11> I normally keep a /var/log/all to waste disk space :)
<0> what is in ur /var/log directory?
<2> question: did he hack while I was working, or did he hack the script earlier?
<11> me?
<0> no, Gnurdux
<8> omg.. there's no way it's only been 17 days...
<8> if this hard drive died after only 17 days...
<0> but urs too, to see what u have compared to his
<11> TragicZ refund
<9> That's called DOA.