Thread: should agetty be running on my server??

  1. #1
    Join Date
    Aug 2008
    Posts
    17

    should agetty be running on my server??

    I have this line in ps:
    /sbin/agetty /dev/xvc0 38400 vt100-nav

    I think this may be a last trace of a hack attack perhaps?
    I can't see why it is running and think I need to kill it.

  2. #2
    Join Date
    Dec 2007
    Posts
    1,141


    /dev/xvc0 is the Xen virtual console - this should not indicate an issue by itself.
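A quick way to answer the original question for any getty, rather than just the xvc0 one, is to reconcile the gettys that are running against the ttys init is configured to spawn them on. The script below is an added example, not something posted in this thread: it parses a constructed SysV-style /etc/inittab and a constructed `ps -eo pid,ppid,args` listing, and flags a getty that is not a child of init or that sits on a tty inittab never mentions. It assumes the port is the first argument to agetty/mingetty, as in the line from post #1.

```python
"""Reconcile running getty processes with the ttys init is configured to own.

Added example (not from the thread). Both inputs are constructed samples.
Assumes SysV inittab syntax (id:runlevels:action:process) and that the
tty/port is the first argument after the getty binary.
"""
import re

# Constructed /etc/inittab; the xvc0 entry mirrors the agetty line in post #1.
INITTAB = """\
id:3:initdefault:
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
co:2345:respawn:/sbin/agetty xvc0 38400 vt100-nav
"""

# Constructed `ps -eo pid,ppid,args` output. The tty7 getty is the odd one:
# init did not start it and inittab does not configure that tty.
PS_OUTPUT = """\
  PID  PPID ARGS
    1     0 init [3]
 1200     1 /sbin/mingetty tty1
 1201     1 /sbin/mingetty tty2
 1300     1 /sbin/agetty /dev/xvc0 38400 vt100-nav
 4321  4100 /sbin/mingetty tty7
 4322   777 -bash
"""

# Matches "/sbin/agetty xvc0 ..." and "/sbin/mingetty /dev/tty1", capturing
# the tty name without any /dev/ prefix.
GETTY_RE = re.compile(r"/(?:a|min)getty\s+(?:/dev/)?(\S+)")


def inittab_ttys(text):
    """Return the set of ttys that inittab respawns a getty on."""
    ttys = set()
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) < 4 or parts[2] != "respawn":
            continue
        m = GETTY_RE.search(parts[3])
        if m:
            ttys.add(m.group(1))
    return ttys


def running_gettys(ps_text):
    """Return (pid, ppid, tty) for every getty in the ps listing."""
    found = []
    for line in ps_text.splitlines()[1:]:  # skip the header line
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue
        pid, ppid, args = int(fields[0]), int(fields[1]), fields[2]
        m = GETTY_RE.search(args)
        if m:
            found.append((pid, ppid, m.group(1)))
    return found


def suspicious_gettys(inittab_text, ps_text):
    """Flag gettys not parented by init (pid 1) or on ttys inittab never configured."""
    expected = inittab_ttys(inittab_text)
    flagged = []
    for pid, ppid, tty in running_gettys(ps_text):
        reasons = []
        if ppid != 1:
            reasons.append("parent is not init (pid %d)" % ppid)
        if tty not in expected:
            reasons.append("tty %s not in inittab" % tty)
        if reasons:
            flagged.append((pid, tty, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for pid, tty, why in suspicious_gettys(INITTAB, PS_OUTPUT):
        print("pid %d on %s: %s" % (pid, tty, why))
```

On a real box, feed it the contents of /etc/inittab and the output of `ps -eo pid,ppid,args`; a getty that init owns on a configured tty (like the xvc0 one here) is exactly what you expect, while a getty with some other parent is worth pulling the process tree on.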

  3. #3
    Join Date
    Aug 2008
    Posts
    17


    Thanks Dan. Does this mean that this just sits there waiting to see if anyone tried logging onto the web-based shell in the Xen console? I had just killed a half dozen mingetty instances and squashed what appeared to be a web-based irc system even though I have the irc ports closed.

  4. #4
    Join Date
    Dec 2007
    Posts
    1,141


    If you believe that your VPS may have been compromised, please create a support ticket and change the password for your VPSLink account immediately.

  5. #5
    Join Date
    Nov 2008
    Posts
    9


    The only thing I don't like is the ambiguity in the support tools between the hypervisor password and the root password.

    this is getting me steamed

    taken from another thread
    stevea 2008-01-18 02:09 PM CST
    Don't assume you've been hacked. The only thing that is clear is that you have a /bin/sh shell running on your serial port.

    This is a real serial port, so it's local and there is almost no chance that any hacker would bother with it.
    This ....
    Quote:
    sh3.1# Login Incorrect
    sh: rroot: command not found
    Helps explain things. The message "Login Incorrect" no doubt came from a valid authentication program, probably kicked off by mingetty. The output was seen by the /bin/sh shell, and when it saw "rroot" it couldn't find the command.

    I *think* the system had a shell running on tty1 before you connected. It was probably not the result of a login, or else /var/run/utmp was deleted. When you connected, the system you connected FROM (not TO) had some characters stuck in its output buffer, possibly including a Login prompt or "Login incorrect" pending as output.

    *DO* read your logs and also do a "who -a /var/run/utmp" and "who -a /var/run/wtmp" and make sure you can match up all the event and state changes & login/outs.

    Characters can sit in the buffer forever until the connection condition

    mnisay 2008-01-18 02:33 PM CST
    I agree, I don't think you were hacked based on your secure logs, unless the hacker kicks in from other open ports, and since your only open port is the ssh port, /var/log/secure should show you the point of entry unless it was also modified.

    Additionally, your ssh port is bound locally based on your logs... so I guess a cheer up for you.

    myep 2008-01-18 06:48 PM CST
    Quote:
    Originally Posted by stevea
    Don't assume you've been hacked. The only thing that is clear is that you have a /bin/sh shell running on your serial port.

    This is a real serial port, so it's local and there is almost no chance that any hacker would bother with it.
    This ....

    Helps explain things. The message "Login Incorrect" no doubt came from a valid authentication program, probably kicked off by mingetty. The output was seen by the /bin/sh shell, and when it saw "rroot" it couldn't find the command.

    I *think* the system had a shell running on tty1 before you connected. It was probably not the result of a login, or else /var/run/utmp was deleted. When you connected, the system you connected FROM (not TO) had some characters stuck in its output buffer, possibly including a Login prompt or "Login incorrect" pending as output.

    *DO* read your logs and also do a "who -a /var/run/utmp" and "who -a /var/run/wtmp" and make sure you can match up all the event and state changes & login/outs.

    Characters can sit in the buffer forever until the connection condition
    Well thanks for the info, but do you know why executing

    sh3.1# cat /etc/passwd
    would say :
    Changing password for user root.
    New UNIX password:

    I found that to be very odd. Could it mean /bin/sh only caught the "passwd" part?

    FedoraForum.org - Have I been hacked?

  6. #6
    Join Date
    Nov 2008
    Posts
    9


    VPSLINK is clearly using the "control panel, or center", the XEN hypervisor, and a few scripts to operate the OHHHH SOOO ambiguously named "root password", and transmitting the password directly to the browser (SSL mind u but still!)

    The wiki and several posts direct the question about changing the root password, NOT THE ROOT PASSWORD FOR THE ACTUAL OPERATING SYSTEM, towards, get this....

    A button that doesn't exist...


    I could write a poem about the inconsistencies around here.

  7. #7
    Join Date
    Dec 2007
    Posts
    1,141


    @MattMiller: Addressed in your Stop the madnessssss thread.

  8. #8
    Join Date
    Aug 2008
    Posts
    17


    Filed that support ticket, thanks:

    Hello,

    As VPSlink is an unmanaged service we are unable to assist you with
    securing your VPS. From what you have described, it is highly probable
    that a malicious user has installed a rootkit on your VPS, allowing them
    a backdoor into your server. Your best course of action would be to
    back up critical data and reinstall the OS on your VPS as soon as possible.

    --
    VPSLink Support

  9. #9
    Join Date
    Aug 2008
    Posts
    17


    OK, found the bugger: the roundcube webmail hack with html2text.
    I updated the file to the newest from their site, RC mail still appears to work.
    I added a line to apache's config file and restarted the webserver:
    RedirectMatch 415 (.*)html2text(.*)$
    This should foil the scanners (try grepping your access logs for 'html2text' whether you have roundcube installed or not) by returning a "not supported" error message.
    RC mail still appears to work ok.
    HTH anyone else out there...
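Post #9 suggests grepping your access logs for 'html2text' to see whether scanners have been probing for the roundcube file. The script below is an added example, not part of the thread: it parses constructed Apache combined-format log lines, keeps the requests whose path contains html2text, and tallies per source address how many were actually served (status below 400) versus how many were refused, which is what you would check after adding a rule like the RedirectMatch 415 one above. The log lines, IP addresses and paths are all constructed for the example.

```python
"""Tally html2text probes in Apache combined-format access log lines.

Added example (not from the thread). The log lines below are constructed;
the addresses are documentation ranges and the paths are illustrative.
"""
import re
from collections import defaultdict

# Constructed sample access log: two probes served with 200 from one host,
# one probe refused with 415 from another, and one unrelated request.
LOG_LINES = """\
198.51.100.7 - - [10/Nov/2008:03:12:01 +0000] "GET /roundcube/bin/html2text.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Nov/2008:03:12:02 +0000] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
203.0.113.9 - - [11/Nov/2008:09:40:17 +0000] "POST /webmail/bin/html2text.php HTTP/1.1" 415 0 "-" "libwww-perl/5.8"
192.0.2.44 - - [11/Nov/2008:10:00:00 +0000] "GET /roundcube/ HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def html2text_hits(lines):
    """Return (ip, method, path, status) for each request whose path mentions html2text."""
    hits = []
    for line in lines.splitlines():
        m = COMBINED_RE.match(line)
        if m and "html2text" in m.group("path"):
            hits.append((m.group("ip"), m.group("method"),
                         m.group("path"), int(m.group("status"))))
    return hits


def summarize(hits):
    """Per source IP: probes that reached the script (status < 400) vs. those refused."""
    summary = defaultdict(lambda: {"served": 0, "blocked": 0, "methods": set()})
    for ip, method, _path, status in hits:
        key = "served" if status < 400 else "blocked"
        summary[ip][key] += 1
        summary[ip]["methods"].add(method)
    # Freeze the method sets into sorted lists so the result is easy to compare/print.
    return {ip: {"served": d["served"], "blocked": d["blocked"],
                 "methods": sorted(d["methods"])}
            for ip, d in summary.items()}


if __name__ == "__main__":
    for ip, d in summarize(html2text_hits(LOG_LINES)).items():
        print("%s: served=%d blocked=%d methods=%s"
              % (ip, d["served"], d["blocked"], ",".join(d["methods"])))
```

Read a real log with `open("/var/log/apache2/access.log").read()` in place of LOG_LINES; a host that shows up with served probes from before the rule went in is the one whose other requests you want to review. The 200 responses to a POST are the interesting ones, since the GET is usually just the scanner checking whether the file exists.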
