i got hacked. what were they up to?

[LostControl]

Maybe you could try Fail2Ban. It will allow you to have an external access to your SSH server and will block script kiddies trying to break in It runs on my home server and blocks 3-4 attempts a day.

Ebuilds are available on the website or in bugzilla.

[christsong84]

Can anyone tell me why on Earth anyone is running a damn SSH server publicly?! For goodness sake, if you need admin access to your server outside then install yourself a damn VPN to do it such as OpenVPN or an IPSec one.

If you're behind a firewall that restricts outgoings that blocks VPN connections then I could understand but that's not very likely, and even then, it would have to allow SSH to get remote access. If you're in that position then have to make a serious considered decision about whether it's worth the risk to remote admin your server through a publicly available SSH service running on it. If you're having to consider configuring your firewall to disallow bots coming from Pakistan or somewhere else, talking about portknocking, worrying about totally securing your passwords or you're having to parse your logs like crazy as a knee-jerk reaction then you're simply never going to get ahead. I can get full remote access to my server but there are no dodgy unsuccessful SSH logins in my logs .

Sorry, but I think anyone who runs anything publicly like this is just plain silly - and I'm being polite there.

My servers are co-located 3 stories below ground on the other side of town. I sign in from the office for daily maintenance and checks. It's not on it's own network so I don't set up a VPN connection...SSH does the job just fine for me. Like I've said before, only bots have hit my servers so changing the port seemed to do the trick. (and the whole key based logins and such other obvious procedures )

[alex6z]

I have (an) open account(s) on my system. I put them there to see who would login and wait and see what they try to do. I just don't get why people are so scared. They shouldn't be able to get root access from the account. I have it set up with limits and outgoing firewall so they can't use an IRC bot. So far nothing too interesting has happened .
2005-07-19 my dynamic IP is ssh://admin@12.223.170.28/ try it out. I know it's risky allowing anonymous shell access, but it's still safer than windows and I really don't care anyway, computer are just toys for me

[nhaggin]

Can anyone tell me why on Earth anyone is running a damn SSH server publicly?! For goodness sake, if you need admin access to your server outside then install yourself a damn VPN to do it such as OpenVPN or an IPSec one.

The simple fact is that running any service whatsoever, on any port, is a security hazard. The only truly secure network is the one you don't build, and the only truly secure computer is in a concrete bunker, under armed guard, with console access only, etc. Even then, there are various points of attack one could use to gain access, if one really wanted to.

It is currently fashionable for 1337 $cr!p+ k!ddi3z to hit systems running SSH. Security-compromising errors have been found before in ipsec-tools, and if one wanted one could probably attempt to mount an attack against IPSec. OpenVPN is a great piece of software (I use it extensively), but I'm sure that a programming error will slip in at some point and that an attack could be devised against it. But for right now, SSH is a far more inviting target: so many more people use it, and there is a much simpler method of attack if the admin has open accounts on his box.

[red-wolf76]

Strange behaviours on my home network tonight, dudes...

Ok, so I got a nice little home network going at my place which my girl-friend, her parents and I use (yeah, I know it's corny to live in with the Ps but hey, it saves rent!). Topology is as follows:

Router ------------ Parents PC (WinXP)
|
Switch ------------ Girl-friend's PC (Gentoo 2.6.12-r6)
|------------------- My PC (Win2000)
|------------------- Bragi (D-Link Printer Server)
\--- Balder (Wireless Bridging Access Point) ---)) ((--- Asgard (WBAP)

Asgard is connected to another switch and two more boxen are hooked onto there, "dagon" and "nyarlathotep" which are also running Gentoo. The router does have an inbuilt "firewall", but some ports are mapped to the different boxen for direct Messaging connections. And some online gaming stuff (AAO, mostly but only to the Win2000 box). The router (and modem) is a German Zyxel Prestige 660HW with the "Arcorized" firmware, since we got it from Arcor, our DSL-Provider.

Now tonight (I'm not at home, mind you) I get a call from my gf that computers are behaving strangely. First of all, she got a window telling her "Just looking in. The boring guy!" (written in German, though!) which according to her description looks much like a simple X-Window. Then she panics and shuts down her Linux box but it starts up again, as does my Win2000 box (which was off in the first place!). However - she claims - my box kept shutting down again and trying to rise a couple of times. So I tell her to take the router off-line by turning off the power for it and the magic stops.

Now, I'm not in a position to verify all this, but I've no reason to believe she's lying. What has happed? Possible suspect for this is a guy who turned annoying on ICQ (she uses GAIM for that and YAHOO! on her box) and got told off by her.

Conclusions according to current knowledge:
1.) The guy came in over the router. Weird stuff stopped when it got downed, so I guess my wireless bridge is more or less secure still...
2.) Possibly he gained access to my gf's box, which runs the latest "x86" GAIM on top of Gentoo (2.6.2-gentoo-r6 kernel)
3.) He probably was able to send wake-on-lan packets to muck with the other boxen on the network
4.) I need to secure my network better. ASAP!

What was going on? Since I wasn't there to witness the whole event, I'm a bit skeptical about it all, but concerned nonetheless. I do fear that whoever was sending on-screen messages got root access though (which my gf doesn't have, even though the account can do "su".) so I'll be reading up on security a bit more than I was.

Are there any known vulnerabilities in GAIM that attackers can use to hijack a box in this manner?

It makes for a funny story, actually, but does anyone have a suggestion? Thanks for the time and don't bother trying not to laugh. Hell, even I had to chuckle about it...

[alex6z]

The thing it, when you make your box public, it defeats the point of hacking it. What's the point if the person your hacking doesn't care? Go hack your own box!

[lbrtuk]

The thing it, when you make your box public, it defeats the point of hacking it. What's the point if the person your hacking doesn't care? Go hack your own box!

That's all well and fine until your machine is being used as a spam relay, being used as a ddos drone, or is set up to relay child porn / stolen credit card numbers etc.

[jamapii]

Then she panics and shuts down her Linux box but it starts up again, as does my Win2000 box (which was off in the first place!). However - she claims - my box kept shutting down again and trying to rise a couple of times.

Some other box besides hers might be infested. Something must have sent those wake-on-lan packages.

(she uses GAIM for that and YAHOO! on her box)

gaim had some security issues recently, possibly it's not over yet

1.) The guy came in over the router. Weird stuff stopped when it got downed, so I guess my wireless bridge is more or less secure still...

WPA is generally considered OK, but I prefer openvpn.

The simple X window could be the Windows Message Service (if enabled in /etc/samba/smb.conf - it's "message command") (it is used in Windows to pop up windows with spam).

[red-wolf76]

Then she panics and shuts down her Linux box but it starts up again, as does my Win2000 box (which was off in the first place!). However - she claims - my box kept shutting down again and trying to rise a couple of times.

Some other box besides hers might be infested. Something must have sent those wake-on-lan packages.

I'll check for that. Are there any good tools for finding out if your box has been rooted or otherwise infected?

(she uses GAIM for that and YAHOO! on her box)

gaim had some security issues recently, possibly it's not over yet

I'll turn off the direct connections for now. That ought to stop the most obvious POE.

1.) The guy came in over the router. Weird stuff stopped when it got downed, so I guess my wireless bridge is more or less secure still...

WPA is generally considered OK, but I prefer openvpn.

I'm not sure the APs are capable of that, but I'll have a look.

The simple X window could be the Windows Message Service (if enabled in /etc/samba/smb.conf - it's "message command") (it is used in Windows to pop up windows with spam).

Ah, that'll go too then, if it is installed. I do use a SMB-utility to access the Win2K file shares when necessary.

Thanks for the pointers. I'm itching to get home and have a look.

[Zepp]

The package chkrootkit will try and look for installed rootkits, if they did that. Not sure otherwise how you can tell other then to watch it carefully, or unless they didn't erase some logs :/

[jamapii]

I'll check for that. Are there any good tools for finding out if your box has been rooted or otherwise infected?

... and rkhunter.

WPA is generally considered OK, but I prefer openvpn.

I'm not sure the APs are capable of that, but I'll have a look.

Recent APs should be capable of WPA, but openvpn is usually only done by computers. (client(s) <-> server)

[red-wolf76]

I'll check for that. Are there any good tools for finding out if your box has been rooted or otherwise infected?

... and rkhunter.

WPA is generally considered OK, but I prefer openvpn.

I'm not sure the APs are capable of that, but I'll have a look.

Recent APs should be capable of WPA, but openvpn is usually only done by computers. (client(s) <-> server)

Thanks for the pointers. Neither rkhunter nor chkrootkit found any abnormalities on the supposedly affected system. I do have root login over ssh enabled, but only from LAN IPs (if God is indeed merciful and my config correct) however so I can muck about on the box from my PC when my gf uses it.

So far the guy hasn't turned up again, so if I don't find anything on the other boxen, I'll check it off as a (probably relatively harmless) "sK1Rp7-K1Dd3e"-Intrusion along the lines of "Behold my mighty sexual prowess as I make your computer start up using a packet!"

Or it's all urban legend, I didn't witness the incident after all...

P.S.: The APs are WEP-enabled. D-Link has issues using WPA in Bridge Mode - God knows why!

[Zepp]

Don't enable direct root login for ssh, just add whatever use you want, like yours, to the wheel group and then login to that user via ssh and su to root.

[red-wolf76]

Don't enable direct root login for ssh, just add whatever use you want, like yours, to the wheel group and then login to that user via ssh and su to root.

Actually, this seriously sounds like a Good Thing™. It's what I do when I access the machines directly to avoid running KDE (or Gnome on another box) as root.

Just for an annoyingly dumb question (:oops:), though: Why exactly is allowing root SSH logins while restricting it to a trusted list of IPs a Bad Thing™? Is it because of spoofing IPs?

[Zepp]

Ya IPs and MAC adresses can be spoofed so it isn't really a great idea to depend on them for security that much :/

[agrippa_cash]

My XFS (and therefore X) didn't start a couple days ago, so I went through the logs and saw that someone did a ssh portscan of my computer. I thought that maybe I was hacked so I booted with an Insert knoppix disk and ran chkrootkit and rkhunter and the second alerted me that signs of GasKit were found on my system. The positive sign of GasKit was a /dev/dev. As the second dev had an entire system's worth of devs, I'm inclined to believe that this is an artifact from when I first began messing around with udev. No rootkit binaries or scripts were found and once I rm -Rf'ed /dev/* the warning disappeared.

X started fine once I rm'ed /tmp, so I think I may have cut the power on my surge protector too early and maybe some lock file was still in place causing xfs to fail. At least I hope this is the case. You confirmation would be appreciated.

PS: I have ssh root disabled, and almost no network services running.

[SwiftWind]

Holy cow...I checked my logs, there have been so many attempts. I have no idea how to check if there were any successful ones. For some reason in the SSHD folder its only keeping logs for the last 2 days. Can someone recommend what logs I should look for any successful logins? and in what directory?

I want to make sure no one got anything.

Thank you for your time.

[whiskers]

Wow, I just looked through my logs and found a whole lot of failed ssh logins, and what I guess are rootkit attempts.. I am very surprised to see this many cracking attempts aimed at me. I am running a very safe system, but it makes you think.. I am sure glad gentoo has things like emerge -u.

what is a "very safe system" and how can you get it there?

[meu]

Holy cow...I checked my logs, there have been so many attempts. I have no idea how to check if there were any successful ones. For some reason in the SSHD folder its only keeping logs for the last 2 days. Can someone recommend what logs I should look for any successful logins? and in what directory?

You can use the `last` command to see users who logged into the system. Although, this can only help if attacker haven't got root access, in which case he could just change the logs.

[hollywoodcole]

I have (an) open account(s) on my system. I put them there to see who would login and wait and see what they try to do. I just don't get why people are so scared. They shouldn't be able to get root access from the account. I have it set up with limits and outgoing firewall so they can't use an IRC bot. So far nothing too interesting has happened .
2005-07-19 my dynamic IP is ssh://admin@12.223.170.28/ try it out. I know it's risky allowing anonymous shell access, but it's still safer than windows and I really don't care anyway, computer are just toys for me

Nice work alex, I have been checking the bash_history for a while now and am finding some funny things!
i.e.
/sbin/shutdown -r 1

[segedunum]

The simple fact is that running any service whatsoever, on any port, is a security hazard. The only truly secure network is the one you don't build, and the only truly secure computer is in a concrete bunker, under armed guard, with console access only, etc. Even then, there are various points of attack one could use to gain access, if one really wanted to.

That's the usual cop-out rubbish I'm afraid. There are certain things you can do to make your system more secure, and piping SSH and other admin tools through a VPN is definitely one of them.

It is currently fashionable for 1337 $cr!p+ k!ddi3z to hit systems running SSH.

Which is why I recommend, not unreasonably, not running SSH and piping it through something else.

Security-compromising errors have been found before in ipsec-tools, and if one wanted one could probably attempt to mount an attack against IPSec.

Is that more or less likely than an attack on a public SSH server resulting in a compromise?

OpenVPN is a great piece of software (I use it extensively), but I'm sure that a programming error will slip in at some point and that an attack could be devised against it.

Yes, and it's far more difficult to mount an attack on this than on a running, publicly available SSH server. It's going to be that much more difficult to find a compromise. It's a question of who's your worst enemy.

But for right now, SSH is a far more inviting target: so many more people use it

Errr, yes - which is why I recommend piping your SSH and other admin tools through a VPN. It's the best, and most secure option. I also think you're misunderstanding things in that you're assuming that if VPN usage gets more popular than SSH then VPNs will be hacked, including Microsoft. That's normal tosh a a lot of people tend to assume. No one claims a VPN is uncompromisable, but having a VPN using a set of secured, signed and trusted certificates is going to be a heck of a lot tougher to have a script-kiddy go at than a public SSH server.

Think about it.

[labrador]

I have (an) open account(s) on my system. I put them there to see who would login and wait and see what they try to do. I just don't get why people are so scared. They shouldn't be able to get root access from the account. I have it set up with limits and outgoing firewall so they can't use an IRC bot. So far nothing too interesting has happened .
2005-07-19 my dynamic IP is ssh://admin@12.223.170.28/ try it out. I know it's risky allowing anonymous shell access, but it's still safer than windows and I really don't care anyway, computer are just toys for me

I was going to take a look but ssh to thath box timed out, and nmap says it
can't be found with a standard probe.

Have you heard of shell fork bomb attacks? Did you set up limits
to prevent that sort of abuse? Perhaps that's why I can't get on it?

There is no such thing as "safe" with a system you've set up with no
password and advertised to the whole world is wide open. Would you
leave your house unlocked, then publish an ad in the newspaper
that such and such an address is not locked?

[christsong84]

I have (an) open account(s) on my system. I put them there to see who would login and wait and see what they try to do. I just don't get why people are so scared. They shouldn't be able to get root access from the account. I have it set up with limits and outgoing firewall so they can't use an IRC bot. So far nothing too interesting has happened .
2005-07-19 my dynamic IP is ssh://admin@12.223.170.28/ try it out. I know it's risky allowing anonymous shell access, but it's still safer than windows and I really don't care anyway, computer are just toys for me

I was going to take a look but ssh to thath box timed out, and nmap says it
can't be found with a standard probe.

Have you heard of shell fork bomb attacks? Did you set up limits
to prevent that sort of abuse? Perhaps that's why I can't get on it?

There is no such thing as "safe" with a system you've set up with no
password and advertised to the whole world is wide open. Would you
leave your house unlocked, then publish an ad in the newspaper
that such and such an address is not locked?

note the date of that post and the fact that it's a dynamic IP (which was stated). THat's probably more the reason you can't get into it...it's somewhere else by now.

[philidias]

you need to get hacking preventing software such as zone alarms. Turn off your internet connection. Scan you computer.

[krazykit]

you need to get hacking preventing software such as zone alarms. Turn off your internet connection. Scan you computer.

Do you have any idea what you said? "zone alarms" possibly means a Windows software firewall known as ZoneAlarm. If you're asking to scan our computers with ZoneAlarm (again, Windows software, and it doesn't do this anyway)... Why are you posting advice when you can't even get the OS right?