i got hacked. what were they up to?

skyfolly · Posted: Wed Aug 18, 2004 1:47 pm Post subject:

I am wondering if my server is behind a router, would that router's firewall enough to protect me from anything? I am using port 8080 as http port as 80 is blocked by ISP.

Hard to compromise my server through a router with limited ports open, right?
_________________
I am the only being whose doom
No tongue would ask no eye would mourn
I never caused a thought of gloom
A smile of joy since I was born.
emily bronte

smart · Guru Joined: 19 Nov 2002 Posts: 455

You don't need to count closed ports anyway, only open ports count and they count equal no matter if the are other ports closed by router or closed due to service non existant.

BlinkEye · Posted: Wed Aug 18, 2004 2:28 pm Post subject:

btw, i noticed: over a 100 login attempts during the past few days :twisted:

_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick

kalisphoenix · Apprentice Joined: 28 Sep 2003 Posts: 211 Location: Ohio

user: test
pass: test
shell: /bin/analrapewithnailstuddedbroomstick.sh

I'm sure that there's some way to fuck someone up over ssh. I mean, the connection goes both ways, right?

Of course, I suppose this could have indeterminate results depending on whether he sshed into PersonA's box, then from there to PersonB's, and then to mine.

I am paranoid... I've been noticing these for a few days and thought it was someone fuckin' with me. Found this thread through pure chance. Anyone else getting IPs in Germany, France, and elsewhere?

Jeremy_Z · l33t Joined: 05 Apr 2004 Posts: 671 Location: Shanghai

Well supposing there is buffer overflow in the ssh client, yse you could do some nasty retaliation :lol:

_________________
"Because two groups of consumers drive the absolute high end of home computing: the gamers and the porn surfers." /.
My gentoo projects, Kelogviewer and a QT4 gui for etc-proposals

kalisphoenix · Apprentice Joined: 28 Sep 2003 Posts: 211 Location: Ohio

dat · Posted: Fri Aug 20, 2004 12:49 pm Post subject:

BlinkEye · Posted: Fri Aug 20, 2004 2:11 pm Post subject:

he wasn't using anything. these are logs from his system because someone tried (and failed) to login.
this line is special though:

NeddySeagoon · Posted: Fri Aug 20, 2004 3:04 pm Post subject:

I've got some of these break in attempts.
The ones I have checked out all seem to come from *NIX boxes.

You can do whois <IP address from log> to get to the ISP, then send them the log fragment.
More interesting is telnet <IP address from log> 25 to connect to the smtp mail client on the box(es) that were tapping on your door. The ones I have tried all claim to be running sendmail, which suggests they are not windows boxes.

I've not sent mail that way yet, if the probes are comming from a block of dynamically assigned IP addresses, I could well spam the wrong user.

I've been tempted you open a 'honeypot' account that runs a script on every successful login to do the whois lookup, then email abuse@ISP with the log fragment or even email root@<IP _Addr> so innocent victims get to know their box is compromised.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

kaidon · n00b Joined: 01 Nov 2003 Posts: 72

i've also noticed these kind of break in attempts starting arround mid of juli.

found this thread on fulldisclosure explaining a bit what's going on:
http://archives.neohapsis.com/archives/fulldisclosure/2004-07/thread.html#1008

this worm/script/whatever seems to be finding ton's of boxes with same/same accounts out there. ammount of hit's is rapidly increasing.

first it was solely checking for guest and test accounts. in the meantime it checks for guest, test, user, admin and tries multiple root passwords.
it's really becoming a plague.

cheers
k

den_RDC · Posted: Fri Aug 20, 2004 11:13 pm Post subject:

dat · Posted: Sun Aug 22, 2004 11:55 pm Post subject:

rtn · Guru Joined: 15 Nov 2002 Posts: 427

flappy · Posted: Mon Aug 23, 2004 6:56 am Post subject:

gdesklets + multitail - displays your log file to your desktop - i know straight away when someone tries to break in... the moment i see this i log into the attacking systems ssh with the username "f*ck" first then again with the username "off"

nielchiano · Veteran Joined: 11 Nov 2003 Posts: 1287 Location: 50N 3E

Once again, it is proven that an unprotecter computer on the internet (either win or linux) is not safe; unless YOU take some security steps;

This is how my server is secured (So far NO break-in attempts, but there will be, once upon a time): GUIDE:

Run SSH on a non-default port (i.e. NOT on TCP/22). Make your pick 1022, 22022, ... you can go up to 65535
to do this, edit /etc/ssh/sshd_config, look for (or insert) this rule:

Code:

Port 1022
(change 1022 for your port)
Of cource, you'll have to specify on ALL the clients that will connect to use that port (ssh -p 1022 under linux)
Add a group called 'ssh' (or whatever) add users that should be able to login to that group (to be done as root)

Code:

groupadd ssh

then edit /etc/group and look for the line starting with 'ssh' (or the name you just chose) to the end, add the list of users:
Code:

ssh:x:NNN:user1,user2,...
(NNN will vary)
Allow only key-logins:
You will need to have your key-file with you all the time (e.g. on USB-stcik)

dyqik · Posted: Mon Aug 23, 2004 9:37 am Post subject:

Hmm, I have a selection of 6 or 7 attempts to login as test, NOUSER and root in my logs on the 22nd. I have to connect to my work machine (which is connected to the UK academic network, no firewalls allowed beyond what the University provides) from a wide variety of clients, so the only real option for me is to use password SSH on a default port.

On the other hand, I check the logs, and SSH and ICMP are the only open ports, so I think that that is secure enough for now. They didn't seem to want try and crack the passwords. I'm going to disallow root SSH logins though.

dat · Posted: Mon Aug 23, 2004 10:21 pm Post subject:

froonk · Posted: Tue Aug 24, 2004 12:20 pm Post subject:

I found such entries in my log, too. Anyway, I'm not very afraid of those 'attacks' since I pick my passwords very carefully (at least that's what I suppose). Although I'm a bit afraid that someone could bruteforce any of my accounts. Is there a way to increase the time sshd waits after a failed login? I took a quick look at the man page, but found nothing.

nielchiano · Veteran Joined: 11 Nov 2003 Posts: 1287 Location: 50N 3E

bcore · n00b Joined: 09 Apr 2003 Posts: 59 Location: Toronto

Argh.. Just noticed some more stuff at the bottom of .bash_history.. I didn't even notice this before.. I had snipped the bottom part off, cause I saw my own typing, and figured this was a part of it.

Valhlalla · Posted: Thu Aug 26, 2004 2:19 am Post subject:

My system is set up to email me any failed logins, but since I'm parranoid I'm going to check anyway

_________________
Pork Chop Sandwiches, Oh Sh*t!

qzec · Tux's lil' helper Joined: 19 Jul 2004 Posts: 89

I think its time for me to check my system.

Q

nok · n00b Joined: 26 Aug 2004 Posts: 1

There has indeed been a spate of these automated attempts to login to too-obvious accounts of computers running sshd; since July I have had a long list of them for each computer I adminster in the weekly logwatch report.

Some previous postings make this sound quite a desperate situation --- e.g., hardware firewall, portknocking, highly restictive ip ranges allowed to connect, etc. Somewhat following the attitude of the original post, I'd like to say I feel these are over-reactions, i.e. for most people any increase in security would be outweighed by expense or inconvenience.

Turn off unneccesary services.
If having to run services for a local network that are not to be seen from the internet then consider a few simple iptables rules to ensure the services are blocked from the internet regardless of the services' own possible bugs or config file errors.
Update sshd or other servers regularly (e.g. a cron job to emerge sync then check for keywords in the output of emerge -up world ).
Consider forbidding ssh root logins -- a very good idea, since root is one username that no-one needs to guess.
If you really only want to use ssh frrom a few known addresses, try limiting access by address.
Above all, make sure user accounts have good passwords.

I'd be interested to hear comments on whether there have ever been linux iptables problems that would have made a hardware firewall a better option for preventing unwanted incoming connections.

Also, for those mentioning being "rooted" (without a `u'), do you mean the root password was guessed, or that some exploit was run as another user to become root? What exploit? Was it something in a standard gentoo installation.

Finally, try an automated reporting system such as logwatch -- a clever attacker who gains root would be able to hide the activities, but a wealth of information about system changes and failed or successful logins is obtained in other circumstances!
_________________
Nathaniel Taylor

dannycool · Posted: Thu Aug 26, 2004 2:12 pm Post subject:

nok, rooted just means that the box was entirely compromised and an intruder got root access.

I've been working on a special ssh account on one of my boxes where you get a chrooted bash within a jail that's created on the fly, so after you log out the state of the jail is preserved and any following login would end up with a new jail...

But I'm unsure if I should really open up a ssh account. Even if it can't actually do much (except of course log what has been attempted to do).