Question
I had turned ssh on a while ago to do some remote work. I was just looking over some netstat info when I noticed someone had established an ssh session with me D: I turned ssh off immediately and looked up the address.
Netstat said the ssh session was "established". I'm assuming that means they know my password, and I'm going to change it either way, but I want to know if they definitely know my password. I assume my computer's been leaking because there were 68 packets in my Send-Q; I don't know exactly what that is, but I don't like the "Send" bit.
Am I ok if I just wipe my computer and put all my data back on it? I don't do anything important, and I don't connect to any networks that might have sensitive research material or keep much banking or personal information on there. Should I "nuke it from orbit", or is that overkill? If it isn't, how would I go about doing it?
Explanation / Answer
Whether or not you should leave SSH exposed is subject to debate. I'll avoid that.
When you attempt to log in to an SSH server, you complete the handshake prior to entering credentials. This means that even without a username or password, an SSH connection can show up as established. If someone was trying to brute force you, you would see some connections as being established.
You should check your server log files. If they have root access, it's easy to hide any wrongdoing, so this is not a guarantee.
I would start with your lastlog to see your most recent successful logins. I would then check for failed SSH login attempts, and see if there is any relation to that IP.
grep 'sshd.*Failed' /var/log/auth.log | less
There is more you can and should be doing if you feel like you have been compromised. I am not going to cover everything, but wanted to suggest that there is the possibility that you were not compromised based solely on the data you have provided.
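As an added illustration of the check the answer describes (correlating failed SSH attempts with any successful login from the same address), here is a small parser for sshd lines in Debian-style /var/log/auth.log syntax. It is not code from the answer; the log lines and the IP addresses in it are constructed samples, and the `suspect_ip` parameter stands in for the address seen in netstat.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (Debian/Ubuntu sshd format); IPs are
# RFC 5737 documentation addresses, not real hosts.
SAMPLE_AUTH_LOG = """\
Mar 10 12:01:03 laptop sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 41822 ssh2
Mar 10 12:01:05 laptop sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 41822 ssh2
Mar 10 12:01:09 laptop sshd[2103]: Failed password for root from 203.0.113.5 port 41830 ssh2
Mar 10 12:02:11 laptop sshd[2105]: Accepted password for alice from 203.0.113.5 port 41844 ssh2
Mar 10 12:05:40 laptop sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 50212 ssh2: RSA SHA256:constructed
Mar 10 12:06:02 laptop sshd[2112]: Connection closed by 192.0.2.9 port 33012 [preauth]
"""

# Matches the credential outcome lines; "invalid user" is optional because
# sshd only prints it when the username does not exist on the host.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_auth_log(text):
    """Return (failures per source IP, list of accepted logins)."""
    failed = Counter()
    accepted = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # preauth disconnects etc. carry no credential outcome
        if m["result"] == "Failed":
            failed[m["ip"]] += 1
        else:
            accepted.append((m["ip"], m["user"], m["method"]))
    return failed, accepted


def suspicious_logins(text, suspect_ip=None):
    """Accepted logins from the suspect IP, or from any IP that also failed first."""
    failed, accepted = parse_auth_log(text)
    return [
        {"ip": ip, "user": user, "method": method, "prior_failures": failed[ip]}
        for ip, user, method in accepted
        if ip == suspect_ip or failed[ip] > 0
    ]


if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_AUTH_LOG, suspect_ip="203.0.113.5"):
        print(hit)
```

A successful login that follows failures from the same address is the case worth investigating; an established connection with no `Accepted` line for that address is consistent with the pre-auth handshake the answer describes.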