MoMule (Guest), posted March 19, 2005:

Recently I have been receiving emailed logs from my firewall (9.2) showing that:

Security Warning: World Writable files found :
-/usr/share/locale/dk/language/.sniffer

When I view the .sniffer file, it shows:

/bin/login -- 'user name' : Password: 'user password'

This file lists every logon attempt, including incorrect passwords - all in plain text!

Does this look like a hacker job? How do I find out what is running this file, and better yet, how do I stop and remove it!

Thanks for your help,
MoMule

devries, posted March 19, 2005:

http://mandrake.net/article.pl?sid=03/05/14/152221

Reinstall and change your passwords :(

axel_2078, posted March 25, 2005:

I couldn't get that link to load. Why would you need to reload? Why not just change the root and user passwords? If that file reflects the changes, can't you just change the username and password in the file to gibberish?

Havin_it, posted March 25, 2005:

Because if someone's got root on your system, they may read your new password from that file before you even get the chance to 'obfuscate' it. And who knows what other nastiness...!

Face it - you may think being aware you've been hacked puts you one step ahead, it doesn't. It just puts you one less step behind. Once they get root, think what they can do: create new users with innocuous names like 'webclient' or something, with root group privileges. They could make several of these if they expect you to be a strong opponent. And as long as they can hang onto just one such account, your system is, I'm afraid, 0wn3d.

Reinstall is the ONLY way to be certain of escape, unless you know every file and user-account on your system like the back of your hand (don't forget the binaries!). Hell, it's quicker to reinstall Mandrake than just think about that kind of investigative task.

ChrisM, posted March 25, 2005:

> http://mandrake.net/article.pl?sid=03/05/14/152221
> Reinstall and change your passwords :(

As axel says, the link won't load :( can you resubmit please?

devries, posted March 25, 2005:

Google cache: http://66.102.9.104/search?q=cache:vbLL9OE...4/152221+&hl=en

ChrisM, posted March 25, 2005:

Thanks devries

MoMule (Guest), posted April 20, 2005:

Well, I read the link (it worked for me the day it was posted), and found the files to remove. I then built a new firewall (with fewer ports opened, and no more winbind/samba/2000 server configuration). I left the cracked firewall in place to see what would happen (hence why I never responded to this thread until now).

About three weeks later, my logs caught someone using a user's login and su -'ing to root to install gwee and a couple of other things on the firewall. This user's account had been used previously to run ftp commands (.bash_history file)...

So the poster that typed:

"Face it - you may think being aware you've been hacked puts you one step ahead, it doesn't. It just puts you one less step behind. Once they get root, think what they can do: create new users with innocuous names like 'webclient' or something, with root group privileges. They could make several of these if they expect you to be a strong opponent. And as long as they can hang onto just one such account, your system is, I'm afraid, 0wn3d."

...is absolutely correct!

Thanks for the link devries, and the help!!

MoMule
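
The two checks this thread points to, as an added example that is not part of any poster's message: a POSIX shell script that lists non-root accounts with UID 0, primary GID 0 or membership of a GID 0 group, and world-writable files under a directory. The function names, the sample passwd and group entries, and the account names alice and toor are constructed for illustration.

```sh
#!/bin/sh
# Added example. List accounts other than root that hold root-equivalent rights.
# Arguments default to the live files; pass copies when auditing offline.
audit_root_accounts() {
    passwd_file="${1:-/etc/passwd}"
    group_file="${2:-/etc/group}"
    awk -F: '
        # Group file: remember supplementary members of any GID 0 group.
        src == "group" {
            if ($3 == 0 && $4 != "") {
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) in_root_group[m[i]] = 1
            }
            next
        }
        # Passwd file: the root entry is expected, anything else is reported.
        $1 == "root" && $3 == 0 { next }
        $3 == 0                 { print $1 ": uid 0"; next }
        $4 == 0                 { print $1 ": primary gid 0"; next }
        ($1 in in_root_group)   { print $1 ": member of gid 0 group" }
    ' src=group "$group_file" src=passwd "$passwd_file"
}

# List world-writable regular files (hidden ones included) under a directory.
find_world_writable() {
    find "${1:-/usr/share}" -xdev -type f -perm -0002 -print
}

# Constructed sample data, not taken from the system in the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:501:501::/home/alice:/bin/bash' \
        'webclient:x:502:0::/home/webclient:/bin/bash' \
        'toor:x:0:503::/var/tmp:/bin/sh' > "$tmp/passwd"
    printf '%s\n' 'root:x:0:root,alice' 'users:x:100:alice' > "$tmp/group"
    audit_root_accounts "$tmp/passwd" "$tmp/group"
    mkdir -p "$tmp/share/locale"
    : > "$tmp/share/locale/.sniffer"
    chmod 666 "$tmp/share/locale/.sniffer"
    find_world_writable "$tmp/share"
    rm -rf "$tmp"
}
demo
```

Run it against copies of the files from rescue media rather than on the suspect host, since awk and find on a compromised system cannot be trusted.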