Security Issue
Guy Thouret
lists at thouret.co.uk
Thu Feb 12 18:54:37 UTC 2009
On Thu, 2009-02-12 at 13:43 -0500, H.S. wrote:
> Walton Hoops wrote:
> > I could use some help from the Ubuntu wizards out there.
> > I run a home server, using Ubuntu 8.10. It's very low traffic, with most of
> > the traffic being e-mail. Last night, over the course of an hour it
> > recorded roughly 8 GB (4 up and 4 down) of traffic over the course of 2
> > hours (monitoring with vnstat) and then dropped back to normal. Looking at
> > the logs, the traffic did not come through apache, sendmail, or SSH. Judging
> > from the fact that the up/down are equal, I'm guessing I was used as a
> > proxy for something (I don't have a proxy server installed), but I know not
> > what. So, I have two questions.
> > 1.) Any suggestions on how to further investigate this? At this point I'm
> > at a loss.
> > 2.) How would you suggest further hardening my security, since it seems it
> > was compromised? I use Firestarter to lock down my ports, Fail2Ban to stop
> > those pesky SSH brute force attacks, and Snort to keep an eye out for other
> > attacks.
> > Any input would be appreciated.
> > Walton
> >
> >
>
> I am no security expert, but I would suggest you take out the network
> cable of that machine till you are sure it has not been compromised.
>
> Are there other machines on this network?
The first place I would start is to check your logs for successful ssh
connections:
grep Accepted /var/log/auth.log
This will show you date/time and IP address of successful SSH
connections.
To check if any of these have gained root permissions through su:
grep Successful /var/log/auth.log
What services are open on the machine in question?
I would then check the logs for each of the services in question around
the time of the activity to see in detail exactly which service
generated/consumed the traffic.
At what point are you observing the bandwidth, is this on a router, on
the eth0 interface of the machine or an aggregate of all interfaces?
Is it theoretical that 4G out and then in could be on a loopback
interface?
Guy.
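One way to run the two greps from the reply above and narrow the hits to the hours in question, as an added example that is not part of the thread. It assumes the syslog line formats that sshd and su wrote to /var/log/auth.log on Ubuntu 8.10 (no year in the timestamp), and it works over a constructed sample log: the hostname, user names, PIDs and addresses are made up.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage an Ubuntu 8.10-style
# /var/log/auth.log for accepted SSH logins and successful su, then narrow
# the result to a time window. Every filter reads the log on stdin, so the
# real run is:   ssh_accepted < /var/log/auth.log

# Constructed sample log in syslog format (hostname "homebox", addresses
# from documentation ranges); none of these lines are real.
sample_log() {
    cat <<'EOF'
Feb 11 22:03:11 homebox sshd[4120]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Feb 11 22:10:42 homebox sshd[4133]: Accepted password for walton from 198.51.100.7 port 40122 ssh2
Feb 11 22:11:05 homebox su[4150]: Successful su for root by walton
Feb 11 22:11:05 homebox su[4150]: + pts/0 walton:root
Feb 11 23:47:58 homebox sshd[4301]: Accepted publickey for backup from 192.0.2.10 port 33050 ssh2
Feb 12 01:15:20 homebox sshd[4402]: Failed password for root from 203.0.113.45 port 51901 ssh2
EOF
}

# Successful SSH logins: timestamp, user, source address, auth method.
# Field positions follow the sshd line
# "Accepted <method> for <user> from <ip> port <n> ssh2".
ssh_accepted() {
    grep 'sshd\[[0-9]*\]: Accepted ' |
        awk '{ printf "%s %s %s user=%s from=%s method=%s\n", $1, $2, $3, $9, $11, $7 }'
}

# Successful su: who became whom, and when.
# Field positions follow the su line "Successful su for <target> by <user>".
su_successful() {
    grep 'su\[[0-9]*\]: Successful su for ' |
        awk '{ printf "%s %s %s %s became %s\n", $1, $2, $3, $11, $9 }'
}

# Keep lines stamped on day D (e.g. "Feb 11") between times A and B
# (HH:MM:SS). Syslog timestamps carry no year, so the day is matched as a
# string, and zero-padded HH:MM:SS compares correctly as a string too.
in_window() {
    awk -v d="$1" -v a="$2" -v b="$3" '($1 " " $2) == d && $3 >= a && $3 <= b'
}

# Line count of whatever arrives on stdin (avoids wc's platform-dependent padding).
count_lines() {
    awk 'END { print NR }'
}

# Stand-alone run over the constructed sample.
echo "== Successful SSH logins =="
sample_log | ssh_accepted
echo "== Successful su =="
sample_log | su_successful
echo "== Everything logged on Feb 11 between 22:00 and 23:00 =="
sample_log | in_window "Feb 11" "22:00:00" "23:00:00"
```

Against the real machine, replace `sample_log` with `cat /var/log/auth.log` (and `zcat /var/log/auth.log.*.gz` for rotated copies), and pick the window from the vnstat spike. Two caveats: the `Successful su` line only covers su, so a box administered with sudo logs its privilege use under `sudo:` lines instead; and nothing in auth.log will show traffic that never went through sshd, which is why the per-service log review and the interface question in the reply above still matter.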