i got hacked. what were they up to?

evoweiss · Posted: Tue Aug 17, 2004 3:29 am Post subject:

Hi All,

This is definitely becoming an interesting thread and I've got a bit more to contribute after an interesting email today.

I received an email that was purportedly from zywall and asked me to fill out a 'customer survey'. It smelled like BS to me, and using the wonderful pine email client, I quickly saw that it was.

I would have been redirected to some website that, undoubtedly, would have fscked around with some aspect of my set-up.

Unfortunately, I managed to accidently delete the email. Did anybody else receive something similar and how did they know I use a zywall router/firewall (lucky guess?).

Also, I noticed a post that mentioned port knocking. I've heard of this before, but am not sure what it is nor how to set it up. Care to explain it to me and point me to any useful how-tos in the event that I'm interested?

If I receive another email like it (and I probably will), I'll be sure to save it this time and even do a wget on the url I'm directed to, post the html code, etc.

Best,

Alex

bcore · n00b Joined: 09 Apr 2003 Posts: 59 Location: Toronto

Paulten · Posted: Tue Aug 17, 2004 10:03 am Post subject:

So you got a test user without a password right? Does ssh permit users with empty password? It should not, I have
PermitEmptyPasswords no in my sshd_config, I don't if I put it there myself or if this is default behavior.

Did you have username: test and passwd: test maybe ? :p

Later
_________________
Homepage : http://paul.kde.no Jabber ID : tenfjord@jabber.org
"Dei levde som dyr. Dei verken røykte eller drakk" -Ukjent

JudgeNik · Posted: Tue Aug 17, 2004 10:25 am Post subject:

As he previously stated in the first post:

Paulten · Posted: Tue Aug 17, 2004 10:38 am Post subject:

devon · l33t Joined: 23 Jun 2003 Posts: 943

Captain_Loser · Tux's lil' helper Joined: 19 Mar 2003 Posts: 106

I notcied that I was getting about 5 of these crack attempts a day, so I set up a simple firewall to see if I could try to keep some of this stuff away. I made a script that uses iptables with anti portscan and anti os-fingerprinting stuff in it. I know that it is impossible to stop all port scans and all os fingerprinting attempts, but I can try. Now that I run this firewall I haven't gotten any of these crack attempts against my machine. The attempts on my machine had been going on for about a month, and now they have stopped. I am putting this script on other linux boxes that are getting hit to see if this stops the attempts on them as well.
_________________
KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN!!!!!!!

silentbob · Apprentice Joined: 09 Nov 2003 Posts: 159 Location: UK

OdinsDream · Veteran Joined: 01 Jun 2002 Posts: 1057

Could someone help me figure out where my /var/log/sshd information is?

I have other entries in /var/log/, but I have no ssh-related files or directories. ps shows:

/usr/sbin/syslogd -m 0

...running. Do I need to specifically enable sshd logging somewhere? Many thanks, great thread!
_________________
s/(?<!gnu\/)linux(?! kernel)/GNU\/Linux/gi

Don't blame me. I didn't vote for him.

http://john.simplykiwi.com

Captain_Loser · Tux's lil' helper Joined: 19 Mar 2003 Posts: 106

Yoda_Oz · Posted: Tue Aug 17, 2004 8:45 pm Post subject:

you dudes are really smart. how did you get to know all that stuff? i would not have the first idea of anything yous are talking about!
im in total awe!
_________________
DELL INSPIRON 5150 (2004)
Intel P4 HT 3.06
512Mb
nVidia GeForce FX Go5200 64Mb
Actiontec 802CAT1 Wireless PCMCIA
Linux Kernel vmlinuz-2.6.10-2-386

Mben · Posted: Tue Aug 17, 2004 9:21 pm Post subject:

after reading this tread i took a look at my logs and found that i too had been probed. is there any way to report this? that part of my log is below:

silentbob · Apprentice Joined: 09 Nov 2003 Posts: 159 Location: UK

revertex · l33t Joined: 23 Apr 2003 Posts: 806

hi guys!
this tread is really interesting to open my eyes about security.
looking in these forums you can found nice tip that how make your boxes a little more safe.

-port knocking hide your ports to regular port scanners, only revealing when a special portscan sequency is send.

-keychain, you need bring your key with you, not so handy, do not use in untrusted machine.(look at ibm developerworks drobbins article )

-skey, the one way password, just work one time, perfect for login form untrusted machines.

-edit your sshd_config, disallow passwordless logins, root logins, and if possible allow login only for one user or group.

-if you ssh from work/school tha haven't a static ip, create a dinamic dns account (no-ip, dyndns) for your office box and only allow logins from that address, like "myoffice.homeip.net", me_at_school.homeip.net"

-use a nice root tail to watch what's happen closely

-install something like chkrootkit, integrit, snort, configure once and run forever, no excuses.

silentbob · Apprentice Joined: 09 Nov 2003 Posts: 159 Location: UK

zerojay · Veteran Joined: 09 Aug 2003 Posts: 1033

Goodle · n00b Joined: 11 Jan 2004 Posts: 20

I think it would be interesting to set up a honeypot for this lame attack. It looks like the poeple that are trying this have no idea what they are doing... It would be fun to screw round with them. Of course this would take time to set up a honeypot... SELinux Joy!

skyfolly · Posted: Wed Aug 18, 2004 5:53 am Post subject:

would it be more secure without SSH installed?

Damn it, I have to install iptables and chrootkit tonight right away.
_________________
I am the only being whose doom
No tongue would ask no eye would mourn
I never caused a thought of gloom
A smile of joy since I was born.
emily bronte

Goodle · n00b Joined: 11 Jan 2004 Posts: 20

Jeremy_Z · l33t Joined: 05 Apr 2004 Posts: 671 Location: Shanghai

I may be going to write a port knocking client / server in Perl, if some are interested i will post it.

My main concern is to secure my parent's gentoo routing box, currently it has all ports stealth (excepted some p2p ports) and i want to write something to knock the ssh port from my home.
_________________
"Because two groups of consumers drive the absolute high end of home computing: the gamers and the porn surfers." /.
My gentoo projects, Kelogviewer and a QT4 gui for etc-proposals

skyfolly · Posted: Wed Aug 18, 2004 7:58 am Post subject:

shorewall looks good enough for me, quite nice documentation too. I am reading it.
_________________
I am the only being whose doom
No tongue would ask no eye would mourn
I never caused a thought of gloom
A smile of joy since I was born.
emily bronte

Paulten · Posted: Wed Aug 18, 2004 8:03 am Post subject:

I have a small iptables script which I think works very well.

And another sshd_config tip is to "PermitRootLogin no".

And while we are on the subject I recommand using ssh pubkeys.
I use ssh-keygen and generate a key and upload it to the server as I described in this article http://paul.kde.no/modules/articles/article.php?id=5
and btw I got a tip that I should use DSA instead of rsa as I wrote in that article, I'll change it when I get some spare time.
Alternative, net-misc/keychain is worth looking into.

I also use /etc/hosts.allow to permit ssh access only to the IP's listed.
Create the file /etc/hosts.allow and add :
sshd : localhost : allow
sshd : someip : allow
sshd : workip : allow
sshd : ALL : deny

From debian's hosts.allow :

TheUlk · Tux's lil' helper Joined: 01 Mar 2004 Posts: 97

Hi all,

I've seen a lot of those breakin-attempts but I don't care that much about it.

I allow just one user to ssh from one certain ip.

I hope this is enough to protect my computer from ssh-breakins.

cu tu

Suggestions wellcome!