Author Topic: Security breach?  (Read 1301 times)

chrisbirkinshaw

  • Guru
  • ****
  • Posts: 431
    • View Profile
Security breach?
« on: November 29, 2007, 07:44:34 pm »
I have just seen the following when typing "screen -r"

        9876.RemoteAssistance_SSH_NoMon_pf      (Detached)
        9828.RemoteAssistance_Web_pf    (Detached)
        9771.RemoteAssistance_SSH_pf    (Detached)

I have never seen these before and certainly haven't enabled remote assistance. Has my system been compromised?

Thanks,

Chris

totallymaxed

  • LinuxMCE God
  • ****
  • Posts: 4660
  • Smart Home Consulting
    • View Profile
    • Dianemo - at home with technology
Re: Security breach?
« Reply #1 on: December 01, 2007, 12:20:38 pm »
I have just seen the following when typing "screen -r"

        9876.RemoteAssistance_SSH_NoMon_pf      (Detached)
        9828.RemoteAssistance_Web_pf    (Detached)
        9771.RemoteAssistance_SSH_pf    (Detached)

I have never seen these before and certainly haven't enabled remote assistance. Has my system been compromised?

Thanks,

Chris


Hi Chris,

Hmmm... that does seem a little strange. I would suggest that you Mantis this so that it can be investigated or past as 'normal'

You can add this to the Mantis bug tracking Db here http://mantis.linuxmce.org/my_view_page.php

Andrew
Andy Herron,
CHT Ltd

For Dianemo/LinuxMCE consulting advice;
@herron on Twitter, totallymaxed+inquiries@gmail.com via email or PM me here.

Get Dianemo-Rpi2 ARM Licenses http://forum.linuxmce.org/index.php?topic=14026.0

Get RaspSqueeze-CEC or Raspbmc-CEC for Dianemo/LinuxMCE: http://wp.me/P4KgIc-5P

Facebook: https://www.facebook.com/pages/Dianemo-Home-Automation/226019387454465

http://www.dianemo.co.uk

chrisbirkinshaw

  • Guru
  • ****
  • Posts: 431
    • View Profile
Re: Security breach?
« Reply #2 on: December 04, 2007, 07:09:43 pm »
Found this:

tail -f /var/log/pluto/pluto.log
1       12/04/07 17:44:02       /usr/pluto/bin/SetupRemoteAccess.sh (server)    Crontab entry (special) already present. Not adding.
1       12/04/07 17:44:02       /usr/pluto/bin/RA_ChangePassword.sh (server)    User 'remote' already exists. Not adding.
1       12/04/07 17:44:02       /usr/pluto/bin/RA_ChangePassword.sh (server)    Setting password for 'remote' user
1       12/04/07 17:44:02       /usr/pluto/bin/SetupRemoteAccess.sh (server)    SSH_pf tunnel already present. Not enabling.
1       12/04/07 17:44:03       /usr/pluto/bin/SetupRemoteAccess.sh (server)    SSH_ph tunnel enabled.
1       12/04/07 17:44:03       /usr/pluto/bin/SetupRemoteAccess.sh (server)    Web_pf tunnel already present. Not enabling.
1       12/04/07 17:44:03       /usr/pluto/bin/SetupRemoteAccess.sh (server)    Web_ph tunnel enabled.


# more /etc/cron.d/SetupRemoteAccess
*/1 * * * * root /usr/pluto/bin/SetupRemoteAccess.sh

# more /etc/cron.d/SetupRA-Special
*/10 * * * * root /usr/pluto/bin/SetupRA-Special.sh