I use my Ubuntu for private and business purposes. Can I also install tools on my computer that are actually there to perform penetration tests? Or is it harmless?
I was cyber-attacked by someone from China and they managed to install Yam (crypto mining) on my Ubuntu 14.04 server.
I managed to close their ssh access through the public IP, and I have remedied the damage they did, except for two things that still have me confused.
1- I can not edit /etc/rc.local as root. They have a script in there to adduser 'setup' with root permissions. I can't edit the script although it is owned by root and has the permissions; I get permission denied. I can edit other files, so the filesystem is not read-only.
2- Every time I log in via ssh, I get the welcome message, then "You have mail" followed by a huge number of permission denied errors like this:
You have mail.
find: `/var/log/speech-dispatcher': Permission denied
find: `/var/log/samba/cores': Permission denied
-bash: /var/log/Xorg.1.log.old: Permission denied
-bash: /var/log/apache2/error.log.43.gz: Permission denied
-bash: /var/log/apache2/error.log.14.gz: Permission denied
-bash: /var/log/apache2/access.log.44.gz: Permission denied
-bash: /var/log/apache2/error.log.13.gz: Permission denied
-bash: /var/log/apache2/crm65.com-access_log: Permission denied
-bash: /var/log/apache2/access.log.9.gz: Permission denied
-bash: /var/log/apache2/error.log.36.gz: Permission denied
-bash: /var/log/apache2/error.log.16.gz: Permission denied
-bash: /var/log/apache2/error.log.11.gz: Permission denied
-bash: /var/log/apache2/testcrm-error.log: Permission denied
-bash: /var/log/apache2/error.log.46.gz: Permission denied
-bash: /var/log/apache2/error.log.18.gz: Permission denied
-bash: /var/log/apache2/access.log.45.gz: Permission denied
-bash: /var/log/apache2/access.log.34.gz: Permission denied
-bash: /var/log/apache2/vtigercrm-access.log: Permission denied
...
It basically goes through the whole /var/log directory.
I am not sure what is happening there.
ANY help is appreciated!
Today, I listed my iptables rules for a routine check, and discovered two strange UFW rules that I don't remember setting up myself, referring to two specific IP addresses that I can't identify:
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
This is kind of scary. Did someone manage to hack into my server and add these rules? If not, what happened?
(And if some malicious agent did hack into my firewall, why would they use ports 5353 and 1900, which aren't being forwarded by my router?)
I have an Ubuntu system running an Apache server. I have found a process, cache.sh, which I think might be a crypto-mining process and which is running all the time on my server, consuming up to 98% CPU. This is causing other stuff to stop working, like MySQL and Apache.
I used the top command to find out that cache.sh is consuming all the CPU.
I have tried killing the process but it starts running again after some time.
I then learned that I could pause the process instead of killing it and that works quite well but I still want to find out what it is and get rid of it permanently. After restarting the whole server this process starts automatically.
The process cache.sh is running under the www-data user, which is also the user responsible for handling the Apache processes.
What could I do to find the origin of this process and to resolve this issue?
In a course named Ethical Hacking for Beginners, I learned that wifi has some modes we can switch between, but I don't know what the normal mode was or how to switch back to it.
I used the following commands:
ifconfig wlo1 down
iwconfig wlo1 mode monitor
ifconfig wlo1 up