Thursday, October 21, 2010

Security please? anyone?

Look what I found out on my server today:

netstat -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.*.*:60416 quakenet.euroserv.com:ircd ESTABLISHED 2630/crond
tcp 0 0 192.168.*.*:41016 clanserver4u.de.quaken:ircd ESTABLISHED 2630/crond

This is something you *DO NOT* wanna see on your server.

Yesterday I set up an account for a friend just to upload me some files on the ftp. The password was weak, as I thought I would delete the account immediately afterwards but... I forgot to!

And in one day's time someone had already broken into my machine and set a cron job to start this "connection" or whatever. First of all I'm gonna clean up this mess and then I'll try to dig into the logs and find out where this attack came from.

Regards

[UPDATE]

Oct 19 22:40:43 laurelin sshd[5688]: Accepted password for esteban from 87.218.237.117 port 54790 ssh2
Oct 19 20:10:14 laurelin sshd[13002]: Accepted password for esteban from 218.17.150.196 port 10060 ssh2
Oct 19 20:11:37 laurelin sshd[13226]: Failed password for root from 218.17.150.196 port 19205 ssh2

There he is! And he is up and running:

nmap 87.218.237.117

Starting Nmap 5.21 ( http://nmap.org ) at 2010-10-21 03:23 CEST
Nmap scan report for 117.237.218.87.dynamic.jazztel.es (87.218.237.117)
Host is up (0.069s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
1720/tcp filtered H.323/Q.931
1863/tcp open msnp
1864/tcp open paradym-31
4443/tcp open pharos
4662/tcp filtered edonkey
5190/tcp open aol
5566/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 8.99 seconds

nmap 218.17.150.196

Starting Nmap 5.21 ( http://nmap.org ) at 2010-10-21 03:24 CEST
Nmap scan report for 218.17.150.196
Host is up (0.36s latency).
Not shown: 983 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
443/tcp open https
445/tcp filtered microsoft-ds
995/tcp open pop3s
1720/tcp filtered H.323/Q.931
1863/tcp open msnp
3306/tcp open mysql
4444/tcp filtered krb524
5190/tcp open aol
5989/tcp open unknown
8000/tcp open http-alt
8443/tcp open https-alt
11111/tcp open unknown
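The two things worth automating from the incident above are the checks the author did by hand: pulling the successful logins for the throwaway account out of the sshd log (and spotting a source that logged in as a weak user and then tried root), and picking the IRC connections out of netstat output together with the process that owns them. The script below is an added example, not code from the original post; the log lines it embeds are constructed to match the format in the post (hostname, user and the two addresses are the post's, the 192.168.x local addresses, the sshd connection and the damnshock/192.168.1.10 line are made up), so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for a
# compromised-account incident. Functions read log or netstat text on stdin.

# Constructed sample: sshd lines in the post's format plus one benign login.
SAMPLE_LOG='Oct 19 20:10:14 laurelin sshd[13002]: Accepted password for esteban from 218.17.150.196 port 10060 ssh2
Oct 19 20:11:37 laurelin sshd[13226]: Failed password for root from 218.17.150.196 port 19205 ssh2
Oct 19 22:40:43 laurelin sshd[5688]: Accepted password for esteban from 87.218.237.117 port 54790 ssh2
Oct 20 09:05:01 laurelin sshd[6011]: Accepted publickey for damnshock from 192.168.1.10 port 50000 ssh2'

# Constructed sample: `netstat -p` output as in the post (local addresses and
# the sshd line are made up) plus the header lines netstat prints.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.5:60416 quakenet.euroserv.com:ircd ESTABLISHED 2630/crond
tcp 0 0 192.168.1.5:41016 clanserver4u.de.quaken:ircd ESTABLISHED 2630/crond
tcp 0 0 192.168.1.5:22 10.0.0.7:51234 ESTABLISHED 4120/sshd'

# accepted_by_user USER: distinct source addresses that authenticated as USER.
# The user and address are located relative to the word "from", so lines with
# "invalid user" (which shift the fields) are handled too.
accepted_by_user() {
    awk -v u="$1" '
        $5 ~ /^sshd/ && $6 == "Accepted" {
            for (i = 8; i < NF; i++)
                if ($i == "from") { if ($(i - 1) == u) print $(i + 1); break }
        }' | sort -u
}

# suspicious_sources: addresses that both got a successful login (any user)
# and were refused as root: a weak account used as a foothold, then an
# escalation attempt, which is exactly the pattern in the post's excerpt.
suspicious_sources() {
    awk '
        $5 ~ /^sshd/ && ($6 == "Accepted" || $6 == "Failed") {
            for (i = 8; i < NF; i++)
                if ($i == "from") { user = $(i - 1); src = $(i + 1); break }
            if ($6 == "Accepted") ok[src] = 1
            else if (user == "root") root_fail[src] = 1
        }
        END { for (s in ok) if (s in root_fail) print s }' | sort
}

# irc_peers: established TCP connections whose peer port is ircd (as netstat
# names it) or a numeric 6667-6669, printed as "PID/Program peer".
irc_peers() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" && $5 ~ /:(ircd|666[7-9])$/ { print $7, $5 }'
}

# Stand-alone demo on the constructed samples.
echo "== logins as esteban";       printf '%s\n' "$SAMPLE_LOG" | accepted_by_user esteban
echo "== foothold + root attempt"; printf '%s\n' "$SAMPLE_LOG" | suspicious_sources
echo "== IRC connections";         printf '%s\n' "$SAMPLE_NETSTAT" | irc_peers
```

On a live box feed the real files instead of the samples: `accepted_by_user esteban < /var/log/auth.log` (or `/var/log/secure` on Red Hat style systems) and `netstat -tnp | irc_peers`. Two caveats: the "crond" in netstat's PID/Program column is the name the process gives itself, which a bot can set, so confirm what PID 2630 really is with `ls -l /proc/2630/exe` rather than trusting the name; and the job that restarts the connection will be in that user's crontab (`crontab -l -u esteban`, or the spool under `/var/spool/cron`), so remove it and kill the process in the same step or it comes straight back.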

Wednesday, October 20, 2010

Replacing white spaces (' ') with underscores ('_')

You've got plenty of files with spaces in their names and you wanna replace them with underscores?
Check this:

for i in *; do TARGET=$(printf '%s\n' "$i" | sed 's/ /_/g'); [ "$i" != "$TARGET" ] && mv -- "$i" "$TARGET"; done

In my case, these were rar files which I then wanted to uncompress:

for i in *;do unrar x "$i" ;done

Bash is really useful, ain't that right?
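One thing a one-liner like the one above does not protect against: if both "c d" and "c_d" exist, the rename silently clobbers one of them. The function below is an added example (not the post's code) that does the same rename but refuses to overwrite an existing target, skips names without spaces, and uses `--` so a file whose name starts with a dash cannot be read as an option; `rename_spaces` and its directory argument are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): rename every entry in DIR
# (default: current directory) replacing spaces with underscores, without
# ever overwriting an existing file.
rename_spaces() {
    dir=${1:-.}
    # Only entries that actually contain a space; the glob is quoted so the
    # directory name itself can contain spaces.
    for f in "$dir"/*' '*; do
        [ -e "$f" ] || continue            # no match: the glob stayed literal
        base=${f##*/}
        target="$dir/$(printf '%s' "$base" | tr ' ' '_')"
        if [ -e "$target" ]; then
            # Two names would collapse into one: report and leave both alone.
            echo "skip: $target already exists, not overwriting" >&2
            continue
        fi
        mv -- "$f" "$target"
    done
}

# usage: rename_spaces /path/to/dir   (or just rename_spaces for the cwd)
```

The collision check is the difference that matters: the original loop would run `mv "c d" c_d` and quietly destroy the existing `c_d`. If you want those merged anyway, that is a decision to make per file, not something the loop should do for you.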

Sunday, October 10, 2010

Hard Disk troubles

This is something you definitely do not wanna see on your screen:

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: FAILED!
Drive failure expected in less than 24 hours. SAVE ALL DATA.
See vendor-specific Attribute list for failed Attributes.

I'm loving my N900 more and more, as I've made the backup on it!!!

You may be asking why the hell I do not have an external hard disk, aren't you? Well, because I'm an idiot :S

Tomorrow I'll try to get a new hard disk.

Regards

Saturday, October 9, 2010

Change of direction

As I've recently started to work as a system administrator, I've decided to change the focus of this blog: it will be unix/linux related (mainly), as well as other OSes.

It will probably become a "backup" of the stuff I encounter in my daily work, but hopefully I'll add something in my free time :)

Best regards to all,

Damnshock