attacks – Does a hacker know which IP they hacked?

Suppose someone hacks my computer (by any means, say a virus or trojan
like RAT), will they be able to know my IP address in real time? This
is about dynamic IP addresses.

Yes. By “hacking” your computer, I am guessing you mean popping a shell on the system; they would know the public/private IP address of the system when they receive the connect back or when they connect to your system by opening your system ports.

recovery mode – My entire Android system has been hacked and reconfigured by my BF how do I take back control of my device?

Has new certificates, new custom maps api, spies on my activity, will not hard reset, says it is not rooted but really is, turns regular apps into system apps, logs my activity, will not download most of the time, has files I did not create, using google and android packets, coding etc. PLEASE HELP!!!

❕NEWS – John Cantrell hacked a BTC address as part of a Twitter contest | Proxies-free

It is best to store bitcoins in a paper wallet. To do this, you can download a special open source program from the Internet, which generates a secret key, a public key and, based on that, the address of the wallet. This program must be compiled and run on a computer that is not connected to the Internet, and it will generate for you a secret key that cannot be picked up in less than 1000 years. Then you send your bitcoins to this newly generated wallet and no one will be able to get them except you!


web application – has my server been hacked?

I manage a Debian GNU/Linux web server. I put in place simple iptables logging rules a long time ago, among other things. Here they are:

# iptables -A OUTPUT -d (mySmtpSmarthost)/32 -p tcp -m tcp --dport 25 -j ACCEPT
# iptables -A OUTPUT -d (mySmtpSmarthost)/32 -p tcp -m tcp --dport 465 -j ACCEPT
# iptables -A OUTPUT -d (mySmtpSmarthost)/32 -p tcp -m tcp --dport 587 -j ACCEPT
# iptables -A OUTPUT -p tcp -m tcp --dport 25 -j LOG
# iptables -A OUTPUT -p tcp -m tcp --dport 465 -j LOG
# iptables -A OUTPUT -p tcp -m tcp --dport 587 -j LOG

immediately followed by

# iptables -A OUTPUT -p tcp -m tcp --dport 25 -j DROP
# iptables -A OUTPUT -p tcp -m tcp --dport 465 -j DROP
# iptables -A OUTPUT -p tcp -m tcp --dport 587 -j DROP

The goal here is to catch anything suspect, mainly rogue PHP scripts that connect directly to some hacked (smtp?) server out there. There is an Exim mail server on localhost which hands off messages to an external smarthost, so that the WordPress wp_mail() function works, with the help of an SMTP plugin that configures it to use localhost as the SMTP server.

In other words I’m saying: dear rogue script, either you use the configured smarthost (so that I can bust you there) or you are already busted here.

That obviously assumes the server hasn’t been hacked to the root… and here comes my question.
Yesterday I found this in the logs:

Nov 21 12:23:55 web kernel: (35501.571711) IN= OUT=eth0 SRC=my.server.public.ip DST=109.89.132.126 
  LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=81 DPT=587 WINDOW=0 RES=0x00 ACK RST URGP=0
                                                     ^^^^^^ This!

while

# netstat -nltp | grep :81
#

so I deduce that something managed to bind port 81 on the locally configured public IP address and tried to send a message to 109.89.132.126 on port 587.

Is that at all possible without having root privileges?
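As an added example (not from the question or any answer to it), here is a small Python classifier for OUTPUT-chain LOG entries of the kind quoted above. It reads the TCP flags that the LOG target records and takes the set of locally listening ports (what `netstat -nltp` or `ss -nltp` reports) as a second input, because TCP specifies that a host receiving a segment for a port with no matching socket answers with a RST whose source port is the port the remote peer targeted. The sample lines are constructed: the first mirrors the quoted entry with 203.0.113.10 standing in for the server's public address, the second shows what a genuine outbound connection attempt to port 587 looks like.

```python
from typing import Optional

# Bare tokens that netfilter's LOG target emits without a value.
FLAG_TOKENS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "DF", "MF", "CE"}

# Constructed sample lines (not taken from the question's server).
SAMPLE_LINES = [
    "Nov 21 12:23:55 web kernel: [35501.571711] IN= OUT=eth0 SRC=203.0.113.10 "
    "DST=109.89.132.126 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP "
    "SPT=81 DPT=587 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Nov 21 12:30:02 web kernel: [35900.100000] IN= OUT=eth0 SRC=203.0.113.10 "
    "DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41422 DF PROTO=TCP "
    "SPT=51234 DPT=587 WINDOW=64240 RES=0x00 SYN URGP=0",
]


def parse_netfilter_log(line: str) -> dict:
    """Turn the text after 'kernel:' into a dict of key=value fields plus a 'flags' set."""
    body = line.split("kernel:", 1)[1] if "kernel:" in line else line
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = int(val) if val.isdigit() else val
        elif tok in FLAG_TOKENS:
            flags.add(tok)
    fields["flags"] = flags
    return fields


def classify_outbound(line: str, listening_ports: Optional[set] = None) -> dict:
    """Explain an OUTPUT-chain LOG entry from its TCP flags and the local socket table.

    listening_ports: local TCP ports that have a listener; pass an empty set when
    nothing listens (the situation the question's netstat output shows for :81).
    """
    f = parse_netfilter_log(line)
    flags = f["flags"]
    spt, dpt, dst = f["SPT"], f["DPT"], f["DST"]
    if "SYN" in flags and "ACK" not in flags:
        # A bare SYN leaving the host is a process opening a connection.
        verdict = "new_outbound_connection"
        note = (f"A local process opened a connection from port {spt} to {dst}:{dpt}; "
                f"identify its owner with ss -ntp 'sport = :{spt}' while the flow is alive.")
    elif "RST" in flags:
        # A RST is built by the kernel, never from application data. It either aborts
        # an existing connection or answers a segment that matched no socket.
        if listening_ports is not None and spt not in listening_ports:
            verdict = "reset_to_unsolicited_segment"
            note = (f"RST, no payload, WINDOW={f['WINDOW']}, and nothing listens on {spt}: "
                    f"the kernel is answering an inbound segment from {dst}:{dpt} aimed at "
                    f"local port {spt}. No process bound port {spt}; log the INPUT chain "
                    f"to see what triggered it.")
        else:
            verdict = "reset_of_existing_connection"
            note = f"RST on port {spt}, which has a listener; a local socket aborted a flow to {dst}:{dpt}."
    else:
        verdict = "established_flow"
        note = f"Data or ACK segment on an existing connection {spt} -> {dst}:{dpt}."
    return {"verdict": verdict, "src_port": spt, "dst": dst, "dst_port": dpt, "note": note}


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        result = classify_outbound(sample, listening_ports=set())
        print(result["verdict"], "-", result["note"])
```

The useful habit this encodes: log the INPUT chain alongside OUTPUT so the reply can be matched to the packet that provoked it, and when an outbound entry has SYN set without ACK, capture the owning process immediately, since the ephemeral source port is reused quickly.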

databases – How can MongoDB be hacked on a private network

We had MongoDB on a server that only listened on its own address, but our client required us to change MongoDB to another server, so first I asked them if the network was private or whether I should set up a firewall to do the replica, and then changed the other configurations to point at the new server.
They say that it was a private network.

I added 192.168.0.6, which was its own private IP, to the bind on the old server and started the replica. I left it all night, and in the morning I noticed I had been hacked and one of the databases was README_TO_RECOVER_YOUR_DATA. There is a lot of information about this ransomware but that’s not what I’m worried about; we had backups and all the stuff so we could recover most of the data.

The thing that bothers me is HOW. I checked the logs:

 2020-11-06T07:45:51.771+0100 I NETWORK  (conn4033) end connection 176.123.5.15:63894 (5 connections now open)
 2020-11-06T07:45:58.346+0100 I NETWORK  (conn4031) end connection 192.168.0.6:42949 (4 connections now open)
 2020-11-06T07:45:58.346+0100 I NETWORK  (initandlisten) connection accepted from 192.168.0.6:43007 #4035 (5 connections now open)
 2020-11-06T07:45:59.148+0100 I NETWORK  (initandlisten) connection accepted from 176.123.5.15:64089 #4036 (6 connections now open)
 2020-11-06T07:45:59.427+0100 I NETWORK  (initandlisten) connection accepted from 176.123.5.15:64092 #4037 (7 connections now open)
 2020-11-06T07:45:59.878+0100 I COMMAND  (conn4037) dropDatabase database_1 starting
 2020-11-06T07:46:02.041+0100 I NETWORK  (initandlisten) connection accepted from 176.123.5.15:64108 #4038 (8 connections now open)
 2020-11-06T07:46:04.560+0100 I NETWORK  (initandlisten) connection accepted from 176.123.5.15:64141 #4039 (9 connections now open)
 2020-11-06T07:46:06.828+0100 I COMMAND  (conn4037) dropDatabase database_1 finished
 2020-11-06T07:46:06.829+0100 I COMMAND  (conn4037) command database_1.$cmd command: dropDatabase { dropDatabase: 1 } keyUpdates:0 writeConflicts:0 numYields:0 reslen:58 locks:{ Global: { acquireCount: { r: 3, w: 2, W: 1 } }, Database: { acquireCount: { w: 1, W: 1 } }, oplog: { acquireCount: { w: 1 } } } 6950ms
 2020-11-06T07:46:06.829+0100 I COMMAND  (conn4038) dropDatabase database_2 starting
 2020-11-06T07:46:06.903+0100 I NETWORK  (conn4036) end connection 176.123.5.15:64089 (8 connections now open)
 2020-11-06T07:46:07.056+0100 I NETWORK  (conn4037) end connection 176.123.5.15:64092 (7 connections now open)
 2020-11-06T07:46:07.174+0100 I COMMAND  (conn4038) dropDatabase database_2 finished
 2020-11-06T07:46:07.174+0100 I COMMAND  (conn4038) command database_2.$cmd command: dropDatabase { dropDatabase: 1 } keyUpdates:0 writeConflicts:0 numYields:0 reslen:61 locks:{ Global: { acquireCount: { r: 3, w: 2, W: 1 }, acquireWaitCount: { W: 1 }, timeAcquiringMicros: { W: 4424340 } }, Database: { acquireCount: { w: 1, W: 1 } }, oplog: { acquireCount: { w: 1 } } } 4769ms
 2020-11-06T07:46:07.174+0100 I COMMAND  (conn3983) getmore local.oplog.rs query: { ts: { $gte: Timestamp 1604626286000|594 } } cursorid:72911333337 ntoreturn:0 keyUpdates:0 writeConflicts:0 numYields:0 nreturned:2 reslen:207 locks:{ Global: { acquireCount: { r: 8 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 6617185 } }, Database: { acquireCount: { r: 4 } }, oplog: { acquireCount: { r: 4 } } } 9624ms
 2020-11-06T07:46:07.174+0100 I NETWORK  (conn4038) end connection 176.123.5.15:64108 (6 connections now open)
 2020-11-06T07:46:07.315+0100 I WRITE    (conn4039) insert READ_ME_TO_RECOVER_YOUR_DATA.README query: { content: "All your data is a backed up. You must pay 0.04 BTC to 15iXDfXsjseSASsm5P8uQMSj5fmLQuHNMn 48 hours for recover it. After 48 hours expiration we will l...", _id: ObjectId('5fa4f12cfcf3b186c639216b') } ninserted:1 keyUpdates:0 writeConflicts:0 numYields:0 locks:{ Global: { acquireCount: { r: 4, w: 4 }, acquireWaitCount: { w: 1 }, timeAcquiringMicros: { w: 2380706 } }, Database: { acquireCount: { w: 3, W: 1 } }, Collection: { acquireCount: { W: 1 } }, oplog: { acquireCount: { w: 2 } } } 2522ms
 2020-11-06T07:46:07.316+0100 I COMMAND  (conn4039) command READ_ME_TO_RECOVER_YOUR_DATA.$cmd command: insert { insert: "README", ordered: true, documents: ( { content: "All your data is a backed up. You must pay 0.04 BTC to 15iXDfXsjseSASsm5P8uQMSj5fmLQuHNMn 48 hours for recover it. After 48 hours expiration we will l...", _id: ObjectId('5fa4f12cfcf3b186c639216b') } ) } keyUpdates:0 writeConflicts:0 numYields:0 reslen:80 locks:{ Global: { acquireCount: { r: 4, w: 4 }, acquireWaitCount: { w: 1 }, timeAcquiringMicros: { w: 2380706 } }, Database: { acquireCount: { w: 3, W: 1 } }, Collection: { acquireCount: { W: 1 } }, oplog: { acquireCount: { w: 2 } } } 2522ms
 2020-11-06T07:46:07.316+0100 I NETWORK  (conn4039) end connection 176.123.5.15:64141 (5 connections now open)

How is it possible that a public IP like 176.123.5.15 connected to the database? I know I opened it without any passwords or firewalls, but was it exposed externally?
Is it possible that the clients already had this in the local network?
What should our next steps be there? I guess we will firewall, but will it be enough?
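The question's log already contains the answer to "how": the connection numbers tell you which remote address each command came from. As an added example (not part of the question), here is a Python audit pass over mongod log lines of this format. It records the source address of every accepted connection, flags the ones from non-private addresses, and attributes later `dropDatabase` commands and ransom-note inserts to the address behind their `[connNNNN]` context. The sample log is constructed from the question's excerpt, written with the square-bracket context mongod actually emits; 176.123.5.15 and 192.168.0.6 are the addresses from the question.

```python
import ipaddress
import re

# Constructed sample modelled on the question's excerpt (not the full original log).
SAMPLE_LOG = """\
2020-11-06T07:45:58.346+0100 I NETWORK  [initandlisten] connection accepted from 192.168.0.6:43007 #4035 (5 connections now open)
2020-11-06T07:45:59.148+0100 I NETWORK  [initandlisten] connection accepted from 176.123.5.15:64089 #4036 (6 connections now open)
2020-11-06T07:45:59.427+0100 I NETWORK  [initandlisten] connection accepted from 176.123.5.15:64092 #4037 (7 connections now open)
2020-11-06T07:45:59.878+0100 I COMMAND  [conn4037] dropDatabase database_1 starting
2020-11-06T07:46:02.041+0100 I NETWORK  [initandlisten] connection accepted from 176.123.5.15:64108 #4038 (8 connections now open)
2020-11-06T07:46:04.560+0100 I NETWORK  [initandlisten] connection accepted from 176.123.5.15:64141 #4039 (9 connections now open)
2020-11-06T07:46:06.829+0100 I COMMAND  [conn4038] dropDatabase database_2 starting
2020-11-06T07:46:07.174+0100 I COMMAND  [conn3983] getmore local.oplog.rs query: { ts: { $gte: Timestamp 1604626286000|594 } } nreturned:2 9624ms
2020-11-06T07:46:07.315+0100 I WRITE    [conn4039] insert READ_ME_TO_RECOVER_YOUR_DATA.README query: { content: "..." } ninserted:1 2522ms
"""

ACCEPT_RE = re.compile(r"connection accepted from (\S+):(\d+) #(\d+)")
CTX_RE = re.compile(r"\[(conn\d+)\]")

# Patterns worth attributing to a remote address. Group 1 is the affected namespace.
SUSPECT_PATTERNS = [
    ("drop_database", re.compile(r"\bdropDatabase (\S+) starting")),
    ("drop_collection", re.compile(r"\bcommand (\S+) command: drop\b")),
    ("ransom_note_insert", re.compile(r"\binsert (\S*(?:README|RECOVER)\S*)", re.IGNORECASE)),
]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 / loopback addresses, i.e. the only peers a replica should see."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback


def audit_mongod_log(text: str) -> dict:
    """Attribute destructive commands to the remote address of their connection."""
    conn_ip = {}   # "conn4037" -> "176.123.5.15"
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts = line.split(" ", 1)[0]
        accepted = ACCEPT_RE.search(line)
        if accepted:
            ip, _port, num = accepted.groups()
            conn_ip[f"conn{num}"] = ip
            if not is_internal(ip):
                findings.append({"ts": ts, "kind": "external_connection", "ip": ip, "conn": f"conn{num}"})
            continue
        ctx = CTX_RE.search(line)
        conn = ctx.group(1) if ctx else None
        for kind, pattern in SUSPECT_PATTERNS:
            hit = pattern.search(line)
            if hit:
                findings.append({"ts": ts, "kind": kind, "target": hit.group(1),
                                 "conn": conn, "ip": conn_ip.get(conn, "unknown")})
    external = sorted({f["ip"] for f in findings if f["kind"] == "external_connection"})
    return {"findings": findings, "external_ips": external}


if __name__ == "__main__":
    report = audit_mongod_log(SAMPLE_LOG)
    for finding in report["findings"]:
        print(finding)
    print("external addresses that reached mongod:", report["external_ips"])
```

The `external_connection` findings are the direct evidence: a public address completed TCP connections to the listener, so the port was reachable from the Internet regardless of what the client said about the network. The hardening that closes this class of incident is the combination of `net.bindIp` limited to the replica members' addresses, `security.authorization: enabled` with keyfile or x.509 membership authentication between members, and a host firewall that admits port 27017 only from those peers; a firewall alone still leaves an unauthenticated database one misconfiguration away from exposure.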

hacked – Monit Malware prevention

I recently noticed that my website had been hacked with a plugin that that was forcefully added to my WordPress site called “Monetization Plugin”. I am working on cleaning the site at the moment, but am curious as to how to prevent something like this from happening again. I have 2 anti-malware plugins that have been running on the site already previously. There is online articles and forums that I found about the redirection malware and how to clean it, but not as to how the attack is performed in the first place. Any idea as to how this attack occurs so one can know how to prevent it in the future?