i got hacked. what were they up to?

[iothal]

Perhaps this can be of use to somebody.
Caveat, I'm not a good scripter...

cronjob:
#!/bin/sh
grep "Invalid user" /var/log/auth.log | gawk '{print $10}'|sort -u > /tmp/drop
grep "Failed password for root from" /var/log/auth.log | gawk '{print $11}'|sort -u >> /tmp/drop
cat /etc/badips >> /tmp/drop
cat /tmp/drop | sort -u > /tmp/dropu
#Compare dropu and badips, only drop
#members who are in dropu but not in badips
#Drop them
/sbin/drop.pl
cp /tmp/dropu /etc/badips
rm /tmp/drop
rm /tmp/dropu


perlscript:
#!/usr/bin/perl -w
# point to wherever you keep /sbin/iptables
my $iptables='/sbin/iptables';
my $alreadyBlocked = '/etc/badips';
my $couldBeAssholes = '/tmp/dropu';

#Sanity check
open(BLOCKED, $alreadyBlocked) || die("Could not open block file!");
open(NEW, $couldBeAssholes) || die("Could not open prospects file!");

#Read could be assholes and if not found in alreadyblocked
#yeah... smack them!
my @blocked = <BLOCKED>;
my @new = <NEW>;

my %seen; # lookup table for already blocked
my @notblocked; # not already blocked

# build lookup table
foreach $item (@blocked) { $seen{$item} = 1 }

foreach $entry(@new)
{
push(@notblocked,$entry) unless $seen{$entry};
$seen{$entry} = 1;
}

my $block="32";
my $target = "NOLOGDUMP";
my $chain = "INPUT";
my $inf = "eth0";
foreach $entry(@notblocked)
{
chomp($entry);
#print "Dropping: ".$entry."\n";
system("$iptables -A $chain -i $inf -s $entry/$block -j $target");
}

iptables ( stolen from a previous post in this thread):
#Chain to drop script kiddies
iptables -N NOLOGDUMP > /dev/null
iptables -F NOLOGDUMP
iptables -A NOLOGDUMP -p tcp -j REJECT --reject-with tcp-reset
iptables -A NOLOGDUMP -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A NOLOGDUMP -j DROP

Oh, and u probably need to touch /etc/badips before the first run.
Enjoy!

[assaf]

LOL @ this thread... Good thing i'm running sshd on port xyxyx...

[sloof3]

We've all done it before but there is already a better tool to check the logs for failed logins: http://denyhosts.sourceforge.net/

[LostControl]

[blommethomas]

just read through a few messages of this threads.
I'm not a professional, but I'm installing LINUX now.
My dad has got a LINUX comp already and he was informed by e-mail about attempts to connect to the Internet, anyone knows more about this?
_________________
IK BEN GEK

[fuzzythebear]

This thread ( and by jove was it long to read it all .. ; )
we seen a lot about remote logins and ssh .. but and this might be good
for a new thread how about physical security ?

If the attacker is in fact a theif coing in and stealing a disk in a
tray or stealing the machine ? How would we be able to make
sure that the data would be safe from prying eyes..

Ex . we all know that the OS need not be running on a particular disk to
be able to read it and use it ..

How would we go about to protect the data in that kind of an occurence ?
Is it possible to make the data unreadable without a floppy in the drive ?
a small usb key or somethign else i have no clue about ?

In fact .. once the disk is out the machine , is there any way at all to protect
the data ?

Fuzzy

[heartburn]

fuzzythebear,

that's why god created data centers. Physical security is just that: physical. Sure, there's encryption... maybe even self-destruction. But nothing beats a few well-trained, highly paid, professional armed guards standing outside the 6-inch thick, retina-scanning steel doors of a natural-disaster-proof, underground building complete with around-the-clock video surveillance and an identically equipped backup facility on another continent. Or, you could just lock the machine in the basement. I guess it all depends on what you're trying to protect. But if you're worried about people who actually come in contact with the machine, you need to think physical. Software solutions will be secondary.


d11wtq,

You really should read about the DSA authentication.
http://www.gentoo.org/doc/en/articles/openssh-key-management-p1.xml?style=printable
You can configure your machine to use DSA authentication instead of PAM. Then, passwords are almost a non-issue. Nobody can even get to a login prompt without a valid private key. After I set up DSA-only authentication on my webserver, I went from literally hundreds of failed login attempts per day to zero (not counting my own fat-fingered passphrase misspellings). It's definitely worth it.

- mark

[heartburn]

One more thing I did recently was set to set up a daily cron job to emerge and run chkrootkit. I know that many people run chkrootkit as a cron job, but I was thinking that if I was cracking a system, I might want to replace chkrootkit with a script that produces a false report. So I figured the best thing to do is rebuild it right before I run it each time. I suppose that could be faked too. Unfortunately, my machine is hosted so I don't have the option of putting an unwritable version in the CD drive. Any thoughts?

I also started running psad. That's the port scan detection system configured by bastille. It looks pretty good, but I can't find very much information about it on the web. Is anyone else using it? Does anyone have any tips on configuring it?

- mark

[mutlu_inek]

[AmosMutke]

[MrUlterior]

[yottabit]

28,036 unsuccessful attempts in one month... Unreal.

Usernames spam, erin, draco, bank, 123, abc123, abc, ghost, admin, nobody, ftpuser, allan, dummy, public, test, danny, linda, www, www-data, info, sales, oracle, support, testing, yamaguchi, alonso, cynthia, stefan, fuck, karl, ed, angela, fred, amy, pgsql, upload, chris, pop, franklin, andrew, owner, owners, op, db, anita, bind, ben, beny, bert, alin, theo, philip, roland, emil, enzo, felix, francis, ian, ismail, jared42, akcesbenefit, greg, cs, wwwrun, rolo, web1, matt, web, anonymous, apples, xxx, miller, chicago, tweety, snoopy, ashley, bandit, madison, princess, viper, francois, mortimer, lucas, leslie, leroy, lara, sec2, sec1, sec, kassa, maneager, maneager1, emi, emiliano, cafe, internet, play, open, samba, kathi, cgi, nicole, denied, work, cyborg, right, file, text, gnome, kde, lftp, ventas, spg, jag, ag1, ac, lm, aa, jg, khan, rmgadm!, rmgadmin, daniel, hectorh, epanchi, pvm, junkbust, radvd, dennis vivian, larry, jacob, game, cvs, benahmed, rachafi, ramamurthy, tia, ricky, nuzahar, cindy, bernard, ace-html, bestrella, darcos, vojeda, smakom, bannamuki, yoshida, tunekiyo, yakayama, t-miyata, t-ikeda, shigeno, mizoguti, kyoda, kawano, jinta, horii, eigyou, dozono, denryoku, anthony, hunter, joshua, exit, juan, nathan, william, yusaf, sitasubedi, sanjiv, sagun, rajen, kamal, arun, aroon, smc, tcp, log, logs, administrator, jack, marvin, andrea, barbara, adine, alan, albert, alberto, alex, alfred, ali, alice, allan, andi, andrew, student, r00t, download, nigel, upload, services, office, bobby, username, sharon, aron, brett, alex, mike, data, http, httpd, shop, ........................ many many many more, and those were all from 222.122.21.202 just yesterday.

I should install DShield on my Smoothwall. That would be cool to see how much it lessens the impact. I have been using public-key auth since I first saw the attacks last October. My passwords are fine, but I'm afraid some of my users probably use bad passwords.

I would like to block all of these attempts simply to save processor cycles, Internet congestion, and intranet congestion. I thought about installing that 'reactive' firewall mod for Smoothwall too... too many connection attempts within so many seconds from a given IP and it automagically firewalls that IP.

J
_________________
Play The Hitchhiker's Guide to the Galaxy!

[kamikaze04]

yottabit, you would like to test : Denyhosts , great program, and it blocks ips doing dictionary attacks perfectly. I really recommend it. My servers passed from thousands of login attempts in a month to 10 in a day
_________________
Todo lo que quisiste saber sobre google en: www.noticiasgoogle.es

[yottabit]

[LostControl]

[Bigun]

Guh, I now have an 11 Mb log of nothing but SSH login attempts!

This is old, anyway possible to honeypot the attempts to make it quit hogging bandwidth?

I attempted to stop sshd but the script wouldn't stop trying.

I mean, make some lame username like "a" with the password "a" and make the default shell /dev/null or something.
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim

[Barnoid]

[Adrien]

[piercey]

[linuxgeekery]

I've had several hundred breakin attempts over the last 2 days. I created a 'test test' account with a honeypot script as it's shell. So when the hacker gets in, he'll be greeted with a message saying "Sorry, this box is secured. =)" and a "cat /dev/urandom". It also logs the IP address and sends it to a log.

[assaf]

[MrUlterior]

[vectox]

Lol..gotta love that last one. I think it's better to reduce the load on the system completely. Your right...a few hundred attempts and the system is overloaded with honeypot processes. Sure it's cool on a user level, but most of these attempts are scripted and flooding the Internet with hundreds of attempts and the hacker is never going to see you "this box is secure msg". Use metalog...so it puts all sshd events in an sshd folder seperate from the syslog....save yourself greping the syslog file. I had ssh running on the standard ol port 22 for a while.....I got tons of brute force attempts...mostly from Korea, China and a small number from the US....reporting them all is a wasted effort...and most of them I would guess are just zombie boxes anyway...not the actual hackers box.

My solution, same as the person above, is to just change the port your running sshd on. It's simple....no extra processing on your server and unless your server is public to many users expecting to ssh to port 22.....your likely the only one logging onto it anyway. It still allows you to log onto it from anywhere in the world. Also like the user above I've been running sshd on a non-standard high port and haven't had one brute force attempt since...all the failed password attempts are by yours truly .

Suck it up people...change the stupid port!

[Bigun]

*snip*

[RBH]

I feel left out: despite having had a static IP for nearly 2 and a half years, I've not had one failed SSH login appear in my logs that wasn't my own doing. I run chkrootkit periodically (i.e. when I'm logged in finding things to do) and have never found anything.

I expect this is because my boxes are always behind a router that denies all packets that aren't specifically permitted (HTTP, DNS et al). Do you guys all connect directly, or something? Wouldn't a hardware router - just a bog standard Netgear one - be a good idea?

I might be talking out of my backside and apologies if that's the case, but this seems to be something of an obvious step to take.