Security breach?

Started by chrisbirkinshaw, November 29, 2007, 07:44:34 PM

chrisbirkinshaw

I have just seen the following when typing "screen -r"

        9876.RemoteAssistance_SSH_NoMon_pf      (Detached)
        9828.RemoteAssistance_Web_pf    (Detached)
        9771.RemoteAssistance_SSH_pf    (Detached)

I have never seen these before and certainly haven't enabled remote assistance. Has my system been compromised?

Thanks,

Chris

totallymaxed

Quote from: chrisbirkinshaw on November 29, 2007, 07:44:34 PM
I have just seen the following when typing "screen -r"

        9876.RemoteAssistance_SSH_NoMon_pf      (Detached)
        9828.RemoteAssistance_Web_pf    (Detached)
        9771.RemoteAssistance_SSH_pf    (Detached)

I have never seen these before and certainly haven't enabled remote assistance. Has my system been compromised?

Thanks,

Chris


Hi Chris,

Hmmm... that does seem a little strange. I would suggest that you Mantis this so that it can be investigated or passed as 'normal'.

You can add this to the Mantis bug tracking Db here http://mantis.linuxmce.org/my_view_page.php

Andrew
Andy Herron,
CHT Ltd


chrisbirkinshaw

Found this:

tail -f /var/log/pluto/pluto.log
1       12/04/07 17:44:02       /usr/pluto/bin/SetupRemoteAccess.sh (server)    Crontab entry (special) already present. Not adding.
1       12/04/07 17:44:02       /usr/pluto/bin/RA_ChangePassword.sh (server)    User 'remote' already exists. Not adding.
1       12/04/07 17:44:02       /usr/pluto/bin/RA_ChangePassword.sh (server)    Setting password for 'remote' user
1       12/04/07 17:44:02       /usr/pluto/bin/SetupRemoteAccess.sh (server)    SSH_pf tunnel already present. Not enabling.
1       12/04/07 17:44:03       /usr/pluto/bin/SetupRemoteAccess.sh (server)    SSH_ph tunnel enabled.
1       12/04/07 17:44:03       /usr/pluto/bin/SetupRemoteAccess.sh (server)    Web_pf tunnel already present. Not enabling.
1       12/04/07 17:44:03       /usr/pluto/bin/SetupRemoteAccess.sh (server)    Web_ph tunnel enabled.


# more /etc/cron.d/SetupRemoteAccess
*/1 * * * * root /usr/pluto/bin/SetupRemoteAccess.sh

# more /etc/cron.d/SetupRA-Special
*/10 * * * * root /usr/pluto/bin/SetupRA-Special.sh
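
The three artefacts posted in this thread (the screen session list, the pluto.log lines and the cron.d entries) can be parsed into one triage view that separates state-changing events from "already present" no-ops. This is an added example, not part of the original posts or of LinuxMCE's code; the function names are hypothetical and the sample input is constructed from the outputs quoted above.

```python
import re

# Constructed sample input: the outputs quoted in the thread, embedded so this runs offline.
SCREEN_LS = """\
        9876.RemoteAssistance_SSH_NoMon_pf      (Detached)
        9828.RemoteAssistance_Web_pf    (Detached)
        9771.RemoteAssistance_SSH_pf    (Detached)
"""
PLUTO_LOG = """\
1       12/04/07 17:44:02       /usr/pluto/bin/SetupRemoteAccess.sh (server)    Crontab entry (special) already present. Not adding.
1       12/04/07 17:44:02       /usr/pluto/bin/RA_ChangePassword.sh (server)    Setting password for 'remote' user
1       12/04/07 17:44:02       /usr/pluto/bin/SetupRemoteAccess.sh (server)    SSH_pf tunnel already present. Not enabling.
1       12/04/07 17:44:03       /usr/pluto/bin/SetupRemoteAccess.sh (server)    SSH_ph tunnel enabled.
"""
CRON_FILES = {
    "/etc/cron.d/SetupRemoteAccess": "*/1 * * * * root /usr/pluto/bin/SetupRemoteAccess.sh\n",
    "/etc/cron.d/SetupRA-Special": "*/10 * * * * root /usr/pluto/bin/SetupRA-Special.sh\n",
}

SCREEN_RE = re.compile(r"^\s*(\d+)\.(RemoteAssistance_\S+)\s+\((\w+)\)", re.M)
LOG_RE = re.compile(r"^\d+\s+(\S+\s\S+)\s+(\S+)\s+\(\w+\)\s+(.*)$", re.M)
# Messages that change state (tunnel brought up, password set), not the "already present" no-ops.
STATE_CHANGE = re.compile(r"tunnel enabled|Setting password", re.I)
CRON_RE = re.compile(r"^((?:\S+\s+){5})(\S+)\s+(.+)$")

def screen_sessions(text):
    """(pid, session name, state) for each RemoteAssistance_* screen session."""
    return [(int(p), n, s) for p, n, s in SCREEN_RE.findall(text)]

def state_changes(text):
    """(timestamp, script, message) for log lines that enabled a tunnel or set a password."""
    return [m for m in LOG_RE.findall(text) if STATE_CHANGE.search(m[2])]

def cron_jobs(files):
    """(file, schedule, user, command) for every job line in /etc/cron.d-style files."""
    jobs = []
    for path, body in sorted(files.items()):
        for line in body.splitlines():
            m = CRON_RE.match(line.strip())
            if m and not line.lstrip().startswith("#"):
                jobs.append((path, m.group(1).strip(), m.group(2), m.group(3)))
    return jobs

if __name__ == "__main__":
    for row in screen_sessions(SCREEN_LS) + state_changes(PLUTO_LOG) + cron_jobs(CRON_FILES):
        print(row)
```

On a live system the same functions can be fed the real `screen -ls` output, the contents of /var/log/pluto/pluto.log and the files under /etc/cron.d.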