HELP : INTRUDER


vera
06-04-2001, 06:06 PM
Anyone, please help me.
My server (RedHat 7) is being attacked this whole week between 9 AM - 8 PM every day.
1. Someone is using root access; I need to know how to kill a login using its TTY?
2. What is the best way to know and stop processes that continuously run on a server?
Thank You.

Falcon
06-04-2001, 06:33 PM
I got this out of the NHF, securing your home machine. Here it is:

CONTROLLING LOGIN
You can control the ttys that root can log into by editing the /etc/securetty file [TRANSLATION: You can control the terminal consoles that root can log into, thus minimizing the risk of a cracker breaking in]. If you want to restrict user login completely and use root all the time (bad idea by the way), run the following command:

root# touch /etc/nologin

This file will prevent all users except root from logging in. The contents of the file /etc/nologin will be presented when a non-root user attempts to login. So if you do:

root# echo "Down for upgrade." > /etc/nologin

Users who log in will get this message:


Linux 2.2.5

Down for upgrade.


The connection will then be killed. Be wary of this. This maximizes security quite a bit, but as root, Linux will follow your every command and not prevent you from running dangerous commands. You may actually damage your system [TRANSLATION: If you accidentally run rm -rf / as root, you will spend the next hour re-installing Linux].

That will stop root access through the TTY.

You should read through the NHF's Secure Your Home Machine and Armoring Linux in the security section. Also, if you don't need a service turn it off. I would print the info you need and unplug your box from the internet (pull the jack out of the wall so you don't change your system conf) and set it up. Turn off any services you don't need. If you have access to another box or can boot to another O.S. download updates from RedHat.com and install them.

That should kill your hacker. Set up a program to log connection attempts and get his I.P. Then post it here, and let's have some fun! :D

Falcon

Falcon
06-04-2001, 06:35 PM
BTW, in the quote, ignore everything after the first paragraph, and change your root password. A good password for root is about 15 digits long, with lowercase, uppercase, and numbers.

cmndr keen
06-05-2001, 02:36 AM
to answer your first question:

pids=`ps -ef | grep '^USERNAME' | grep TTY | awk '{print $2}'`
kill -9 $pids

where USERNAME is the username they are using, and TTY is the tty they are logged in on.

copy the above code to a workspace and edit the appropriate areas. then copy and paste the edited code to a terminal as root (both lines). the first line finds the process IDs of their shell and any processes they may be running in that shell and puts them into a variable, the second line reads the variable for the process IDs and kills those processes.

as for the second question, I'm not so sure there is a best way, but:

ps -auxe

will show you all processes run by all users as well as their associated ttys. a tty of ? means a daemon (continuous background process) or a zombie process. from there, you can selectively kill 'em off using:

kill -s 9 PROCESS

or use a variation of the code above (I'm sure you can figure it out)
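
Added example (not from the thread): the grep pipeline above beside a field-exact version, both run on a constructed `ps -ef` sample, plus a live helper that records what it terminates and escalates TERM to KILL. Sample user and PID values are made up.

```shell
#!/bin/sh
# Constructed sample of `ps -ef` output (not from the original thread): the
# intruder's root login on pts/1 is pid 1234, with vi as its child process.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root      1234   800  0 09:02 pts/1    00:00:00 bash
root      1250  1234  0 09:03 pts/1    00:00:00 vi
root      1300   800  0 09:05 pts/10   00:00:00 bash
rootmgr   1400   801  0 09:10 pts/1    00:00:00 perl
vera      1500   802  0 09:11 pts/2    00:00:00 bash
root         1     0  0 08:00 ?        00:00:02 init'

# naive_pids USER TTY PS_OUTPUT: the grep pipeline from the post above.
# Both greps are substring matches, so "^root" also hits rootmgr and "pts/1"
# also hits pts/10: processes of other logins end up in the kill list.
naive_pids() {
    printf '%s\n' "$3" | grep "^$1" | grep "$2" | awk '{print $2}'
}

# exact_pids USER TTY PS_OUTPUT: compare whole fields (UID is column 1,
# TTY is column 6 in `ps -ef`), so only that user's processes on that tty match.
exact_pids() {
    printf '%s\n' "$3" | awk -v u="$1" -v t="$2" '$1 == u && $6 == t { print $2 }'
}

# kill_session USER TTY: live variant. Log what is about to be killed to
# syslog, ask with TERM first, then force with KILL for anything still running.
kill_session() {
    pids=$(exact_pids "$1" "$2" "$(ps -ef)")
    if [ -z "$pids" ]; then
        echo "no processes for user $1 on tty $2" >&2
        return 1
    fi
    logger -t intruder "terminating $1 on $2: $(echo $pids)" 2>/dev/null
    kill -TERM $pids 2>/dev/null
    sleep 2
    kill -KILL $pids 2>/dev/null
    return 0
}

# Demo on the sample only (no live processes are touched):
echo "naive: $(echo $(naive_pids root pts/1 "$SAMPLE_PS"))"   # 1234 1250 1300 1400
echo "exact: $(echo $(exact_pids root pts/1 "$SAMPLE_PS"))"   # 1234 1250
```

Run `kill_session root pts/1` as root on the live box to act on the real process table; check `who` or `ps -ef` first so the tty you name is the intruder's and not your own session.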

Strike
06-05-2001, 08:08 AM
Not to be the pessimist here, but a cracked system is no good, no matter how well you lock it down afterwards. The only assurance you can ever have of having a totally clean, trojan and backdoor free system after being cracked is to unplug the machine from the Internet, reinstall everything from trusted media, set up security, and THEN hook it up to the net.

posterboy
06-06-2001, 04:56 PM
Amen, it's a really, really bad idea to try to fix this. He may have put 19 backdoors in there. Before you re-install, see if you can puzzle out how he got root. There are a lot of vulnerable "things" that we run. Fix that. Then, a firewall, and it will be very hard next time. There's just tons about this very subject on the web. Sorry, I know how it feels, like having your home robbed. But, it's just part of the learning process. Good Luck! Ray

X_console
06-09-2001, 01:43 PM
Actually /etc/nologin prevents normal users from logging in. Root will continue to have access to the system. Once your system is cracked, don't bother fixing it, like Strike said. A reinstall is really the safest bet.