Websters New World Hacker Dictionary
Hi there. A few weeks ago I was unable to log into my system. So I booted a rescue disk and changed the password. I also noticed that there was an account called guest. I'm using a router which is connected to a cable modem. The router allocates IP addresses in the I noticed that there were log entries in the router's log that had the address Seeing as the pool starts from You think that's strange? Well, I uninstalled all services like apache2, using apt-get remove.
However, apache2 still appears in a process list. When I try to uninstall apache2 again it just says apache2 is not installed. These are good indications that I'm owned, right?
What can I do without reinstalling? Why can't I remove apache2? I ran chkrootkit and it didn't pick anything up. How do I put tripwire on a USB stick ready for a new install? How the hell do I get rid of apache2 or tell if it's trojaned? Also there are no ports open on my router so how did they get through N.
Removing the "apache2" package does not remove apache. It is basically a meta-package, and the package containing the actual server is a dependency of it.
It is a temporary non-persistent account stored in memory. I believe the user should be deleted when the guest user logs off. I haven't read anything which seems to suggest you were hacked unless you can confirm someone changed your password or authenticated remotely.
Routers don't always assign addresses sequentially. Are you running any servers besides apache? Did you set a root password? Do you have a wireless network?
If so, what type of encryption? There are some modems with known security holes. Not that I know a lot about rootkits and hiding hacking trails, but you may want to watch network traffic once in a while using wireshark, even after a reboot.
No, I didn't set a root password. Yes, someone did lock me out of my account from remote. Since then I've reinstalled. But as mentioned this system, that I'm using now, still has signs of hacking activity i.
But there were these entries in auth. Any clarification would be great. Remember I couldn't remove apache2. Well, as mentioned, I ran the command to remove it but after a reboot it is still listed in the process list.
Thank you for your help. Regards, methodtwo. By the way, the guest account was not removed and is still in there. Having said this, I never even had a guest session or initiated anything that would add a guest account.
Sorry, I forgot to take out the "-s", which means simulate but don't actually do anything. I like to test commands before I post them, but didn't actually want to remove my web server.
Thank you for your help. Regards, methodtwo.
I'm not familiar with neptune.
Is it an application you installed? Also, you never posted the output from the netstat command I suggested. Simply not being able to login doesn't convince me someone actually changed your password remotely.
I must have another package installed that depends on apache2 because I can't remove it, right? I followed the thread on intrusion detection on these Ubuntu forums. I realised that it was a bad trade to have services running just to monitor traffic.
I thought I would be better off without snort and apache2 running than I would be with snort and apache2 running, right? So what is the command to remove apache2 now, is it??: Thank you for your time. Regards, methodtwo.
I already gave you the command to remove apache! In other words, that command removes apache, not simply the meta package containing 2 files. Your command removes the meta package and a few modules, not apache2.
Open a terminal and type: This command will completely remove apache, including configuration files and mods.
I don't think so. That would purge the apache2 package, which is next to nothing. If you want to purge apache, replace "remove" with "purge" in the command I posted previously.
Note that removing a package leaves its configuration files on the system. If a plus sign is appended to the package name (with no intervening space), the identified package will be installed instead of removed.
Make certain you've removed anything someone may have dropped onto your system. Also, look into getting firestarter, learning how to port stealth, and check out packages like snort, psad, tripwire, and the like. This won't make you hack proof but it does make it a hell of a lot harder for people to get into your system.
Especially without you knowing about it. You can open firestarter and watch your active connections.
I'd recommend doing this a few times while you're on your system to make sure a trojan or some crap someone may have uploaded is not trafficking outbound without your permission. You can get a more detailed network traffic report using etherape as well. All these tools can be installed with synaptic and have a plethora of tutorials on google.
Apache2 only was removed when I removed all the packages that I installed after following the intrusion detection thread on this forum: