i got hacked. what were they up to?

Networking & Security · 443 posts · Page 13 of 18
sixtymhz
n00b
Posts: 7
Joined: Mon May 16, 2005 8:52 pm

Post by sixtymhz » Fri May 20, 2005 5:06 pm

Anyone have experience setting up honeypots?
Karak
n00b
Posts: 35
Joined: Wed May 04, 2005 5:01 am
Location: Austin, TX

HOLY CRAP!

Post by Karak » Mon May 30, 2005 9:47 am

You know, like so many others, I saw this thread and after reading it thought "hrmm... maybe I should look at my sshd logs..." and holy god! Look at this!

May 24 04:00:50 [sshd] Server listening on 0.0.0.0 port 22.
May 24 13:33:13 [sshd] Did not receive identification string from 67.102.203.251
May 24 13:46:22 [sshd] Invalid user anonymous from 67.102.203.251
May 24 13:46:23 [sshd] Invalid user passwd from 67.102.203.251
May 24 13:46:25 [sshd] Invalid user chuck from 67.102.203.251
May 24 13:46:26 [sshd] Invalid user darkman from 67.102.203.251
May 24 13:46:27 [sshd] Invalid user hostmaster from 67.102.203.251
May 24 13:46:28 [sshd] Invalid user jeffrey from 67.102.203.251
May 24 13:46:30 [sshd] Invalid user loverd from 67.102.203.251
May 24 13:46:31 [sshd] Invalid user eric from 67.102.203.251
May 24 13:46:32 [sshd] Invalid user lauren from 67.102.203.251
May 24 13:46:38 [sshd] Invalid user mark from 67.102.203.251
May 24 13:46:39 [sshd] Invalid user sin from 67.102.203.251
May 24 13:46:40 [sshd] Invalid user richer from 67.102.203.251
May 24 13:46:42 [sshd] Invalid user fluffy from 67.102.203.251
May 24 13:46:43 [sshd] Invalid user gold from 67.102.203.251
May 24 13:46:44 [sshd] Invalid user tomcat from 67.102.203.251
May 24 13:46:46 [sshd] Invalid user cosinus from 67.102.203.251
May 24 13:46:47 [sshd] Invalid user httpd from 67.102.203.251
May 24 13:46:48 [sshd] Invalid user squirrelmail from 67.102.203.251
May 24 13:46:50 [sshd] Invalid user trash from 67.102.203.251
May 24 13:46:50 [sshd] Invalid user kent from 67.102.203.251
May 24 13:46:52 [sshd] Invalid user ace from 67.102.203.251
May 24 13:46:53 [sshd] Invalid user backup from 67.102.203.251
May 24 13:46:54 [sshd] Invalid user fish from 67.102.203.251
May 24 13:46:55 [sshd] Invalid user java from 67.102.203.251

and that is a very small snippet! Wow okay... time to bone up on security!
It's a shame so many perfectly good ideas have to be discarded simply because they won't work.
kitana_ann
Tux's lil' helper
Posts: 117
Joined: Thu Sep 04, 2003 8:12 am

I love this thread!

Post by kitana_ann » Mon May 30, 2005 6:13 pm

If it weren't for this thread I would not think for a minute that my server was in jeopardy! Here's what I found in my log:

Code:

May 30 02:04:19 server sshd[18798]: Accepted keyboard-interactive/pam for me from 143.97.2.35 port 18248 ssh2
May 30 02:04:19 server sshd(pam_unix)[18804]: session opened for user me by (uid=0)
May 30 02:04:42 server su(pam_unix)[18818]: session opened for user root by me(uid=1000)
May 30 02:04:50 server su(pam_unix)[18818]: session closed for user root
The creepy part is that I am not awake at that time and I don't know whose IP that is. I checked the .bash_history for both root and user and I only see code that I have executed :roll:. I am so confused over what happened. Any ideas on where else I could check?
moocha
Watchman
Posts: 5722
Joined: Tue Oct 21, 2003 6:45 pm

Re: HOLY CRAP!

Post by moocha » Mon May 30, 2005 6:28 pm

Karak wrote:You know, like so many others, I saw this thread and after reading it thought "hrmm... maybe I should look at my sshd logs..." and holy god! Look at this!

May 24 04:00:50 [sshd] Server listening on 0.0.0.0 port 22.
May 24 13:33:13 [sshd] Did not receive identification string from 67.102.203.251
May 24 13:46:22 [sshd] Invalid user anonymous from 67.102.203.251

<snip>

May 24 13:46:55 [sshd] Invalid user java from 67.102.203.251

and that is a very small snippet! Wow okay... time to bone up on security!
Er, if you don't look at the logs, why even bother logging at all? Resource hog if they're not used.
Military Commissions Act of 2006: http://tinyurl.com/jrcto

"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
-- attributed to Benjamin Franklin
moocha
Watchman
Posts: 5722
Joined: Tue Oct 21, 2003 6:45 pm

Re: I love this thread!

Post by moocha » Mon May 30, 2005 6:30 pm

kitana_ann wrote:If it weren't for this thread I would not think for a minute that my server was in jeopardy! Here's what I found in my log:

Code:

May 30 02:04:19 server sshd[18798]: Accepted keyboard-interactive/pam for me from 143.97.2.35 port 18248 ssh2
May 30 02:04:19 server sshd(pam_unix)[18804]: session opened for user me by (uid=0)
May 30 02:04:42 server su(pam_unix)[18818]: session opened for user root by me(uid=1000)
May 30 02:04:50 server su(pam_unix)[18818]: session closed for user root
The creepy part is that I am not awake at that time and I don't know whose IP that is. I checked the .bash_history for both root and user and I only see code that I have executed :roll:. I am so confused over what happened. Any ideas on where else I could check?
The attacker got root privileges so that machine is completely compromised. I wouldn't trust it for anything anymore. Back up your user data, reformat and reinstall. You also have to assume your account on each and every other machine you've logged on from this machine was compromised, and so on and so forth in a nice chain. Basically, reformat, reinstall, change all your passwords for any purpose (be it email accounts, webmail accounts, various sites, etc etc) from a machine you trust, use strong passwords or no passwords at all (S/Key or PKI authentication), and keep up to date with glsa-check. If the compromised machine or any of the other machines you logged into also has other users, have them do the same if possible, and at least have them change their passwords when logged in from a trusted machine.
As to .bash_history - its value as evidence is zero. Try it for yourself - log into an account, type some commands, kill your shell with

Code:

kill -9 $$
then log in again and check .bash_history. The commands you typed won't be there. The only way to be absolutely sure of what was typed is to have a kernel with a strong security infrastructure, have it log all execs, and have it send logs to a physical line printer - paper printouts at a remote location are quite hard to fake ;-). Such measures are overkill on home machines though, so it's a tradeoff between security and usability, as always.
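moocha's `kill -9 $$` demonstration, as an added example that is not part of the original post: a POSIX sh script that runs the experiment three times over against a throwaway interactive bash whose HISTFILE points at a temp file, so the result can be checked rather than taken on faith. The marker command names, the temp-file handling and the "unset HISTFILE" variant are this example's own; nothing here reads or touches the real ~/.bash_history.

```shell
#!/bin/sh
# Added example (not from the thread): why ~/.bash_history is worthless as
# evidence. bash copies a session's history to $HISTFILE only when an
# interactive shell exits cleanly. A shell that is SIGKILLed, or whose
# HISTFILE the user unsets first, writes nothing at all.
#
# history_lines_after MODE  (MODE = clean | kill | unset)
#   starts a throwaway interactive bash (--norc, so the host's rc files do not
#   interfere) with HISTFILE pointing at a temp file, feeds it two marker
#   commands, ends the session the way MODE says, and prints how many marker
#   commands reached the history file.
history_lines_after() {
    mode="$1"
    hist="$(mktemp)"
    : > "$hist"

    case "$mode" in
        clean)  tail_cmd='exit' ;;                  # normal exit: history is flushed
        kill)   tail_cmd='kill -9 $$' ;;            # SIGKILL: no exit path, nothing flushed
        unset)  tail_cmd='unset HISTFILE; exit' ;;  # attacker points history at nothing
        *)      echo "unknown mode: $mode" >&2; return 2 ;;
    esac

    # $$ inside the heredoc reaches the inner bash literally (single-quoted
    # above, and expansion results are not re-expanded), so it is the inner
    # shell's own PID that gets killed. HIST* are pinned so the caller's
    # environment cannot suppress recording. || true: the killed shell
    # exits 137 and we do not want set -e to abort on that.
    HISTFILE="$hist" HISTSIZE=100 HISTFILESIZE=100 HISTCONTROL= HISTIGNORE= \
        bash --norc -i 2>/dev/null <<EOF || true
echo attacker-command-1 >/dev/null
echo attacker-command-2 >/dev/null
$tail_cmd
EOF

    # grep -c exits 1 when the count is 0; keep set -e quiet there too.
    n="$(grep -c 'attacker-command' "$hist" || true)"
    rm -f "$hist"
    echo "$n"
}

# Stand-alone demonstration: 2 for the clean exit, 0 for the other two.
for m in clean kill unset; do
    printf '%-6s -> %s marker command(s) in history file\n' "$m" "$(history_lines_after "$m")"
done
```

The history file is written by, and only by, the attacker's own shell, so it records exactly what the attacker chooses to leave behind; that is the whole of moocha's point. Execution logging that can stand as evidence has to come from something the attacker's account cannot silence (process accounting, the kernel audit subsystem, or the exec logging plus off-box output moocha describes).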
Karak
n00b
Posts: 35
Joined: Wed May 04, 2005 5:01 am
Location: Austin, TX

Re: HOLY CRAP!

Post by Karak » Tue May 31, 2005 2:21 am

moocha wrote:Er, if you don't look at the logs, why even bother logging at all? Resource hog if they're not used.
Of course you're right, I came down with a temporary case of pendejitis... I'll be looking at the log files very closely from now on.
kitana_ann
Tux's lil' helper
Posts: 117
Joined: Thu Sep 04, 2003 8:12 am

Post by kitana_ann » Tue May 31, 2005 5:29 am

Thanks for the tip! I found out who the IP belongs to, and it is my workplace. At my work computer I log into my server. But the weird part is how it could have logged in in the middle of the night. I use the programs PuTTY and FileZilla to log in via SSH. Do you guys know of any security holes in those programs that could have caused this behavior? I usually only lock my computer when I go home; from now on I will shut it down.
Karak
n00b
Posts: 35
Joined: Wed May 04, 2005 5:01 am
Location: Austin, TX

Post by Karak » Tue May 31, 2005 5:47 am

Do you save passwords at all on your work computer? Do you use the same password for more than one account?
kitana_ann
Tux's lil' helper
Posts: 117
Joined: Thu Sep 04, 2003 8:12 am

Post by kitana_ann » Tue May 31, 2005 5:51 am

All my passwords are different on every computer/account. The only thing is that I have automatic login in FileZilla. The login is for my ordinary user, not root. That makes me wonder how root got logged in? :roll:
Karak
n00b
Posts: 35
Joined: Wed May 04, 2005 5:01 am
Location: Austin, TX

Post by Karak » Tue May 31, 2005 6:00 am

Does someone else use your computer when you're not there?
kitana_ann
Tux's lil' helper
Posts: 117
Joined: Thu Sep 04, 2003 8:12 am

Post by kitana_ann » Tue May 31, 2005 6:12 am

Yes, some users may use my computer. But the only way to get access is to shut down the computer by force and then log in with their account, since I lock my computer. What are you suggesting? :?
Karak
n00b
Posts: 35
Joined: Wed May 04, 2005 5:01 am
Location: Austin, TX

Post by Karak » Tue May 31, 2005 6:38 am

Well, even if they have to reboot the machine, the programs installed (PuTTY) are still there and can be accessed. Do you have a profile saved there for your home machine, or do you type in the IP address every time you connect? If you've got a profile saved there, that explains how someone with your work IP knew to connect to your home machine... as to how they got your root password I can't say, but there is always a way...
kitana_ann
Tux's lil' helper
Posts: 117
Joined: Thu Sep 04, 2003 8:12 am

Post by kitana_ann » Tue May 31, 2005 6:49 am

Well, I do not have a profile, I always type in the IP address every time. It is really weird....:roll:
I hate to reinstall; reinstallation takes time and there is no safety on the net during that time. But I guess that's the price you have to pay if you're not careful.

Thanx for your post.
freebies_11
n00b
Posts: 36
Joined: Thu Dec 09, 2004 1:01 pm

Post by freebies_11 » Tue May 31, 2005 1:00 pm

Your fault for naming your user 'me' I would say.
smurfd
Apprentice
Posts: 176
Joined: Wed May 04, 2005 7:48 pm

Post by smurfd » Wed Jun 01, 2005 12:52 am

Once hacked, consider everything you had on the disk to be a possible threat.
Reformat, reinstall, beef up security.
kitana_ann
Tux's lil' helper
Posts: 117
Joined: Thu Sep 04, 2003 8:12 am

Post by kitana_ann » Wed Jun 01, 2005 6:59 am

Heelios wrote:Your fault for naming your user 'me' I would say.
I changed my user name when I pasted the text in this post. Also my server isn't named "server". :roll:
cyberb0b
n00b
Posts: 22
Joined: Wed Mar 09, 2005 11:18 pm

Post by cyberb0b » Wed Jun 01, 2005 4:38 pm

kitana_ann wrote:But the weird part is how it could have logged in in the middle of the night.
Maybe your clocks are not correct. Either that or you have a split personality, because:
kitana_ann wrote:May 30 02:04:42 server su(pam_unix)[18818]: session opened for user root by me(uid=1000)
I believe this log statement means the user "me" typed "su" and entered the correct root password. Either you use really simple passwords, or you have been hacked by the guy on the other side of the mirror.
Freman
n00b
Posts: 27
Joined: Wed May 04, 2005 9:38 pm

Post by Freman » Mon Jun 06, 2005 11:48 pm

I love the sight of people in a panic over their logs saying "Hi, someone tried to log in with this username but failed"

That's all it is folks.

Sure you should beef up your security with port knocking, firewalls, non-default ports, pubkey auth, no-root access, restricted user access. But for the better part as long as it keeps saying "failed" you're fine.

All a firewall does if they're failing is silence your logs.

I myself run scripts that aggregate IPs from mail logs, ftp logs, web logs and sshd logs with various levels of "paranoia".
I also run 2-layer firewalls: a gateway / router running a tiny BSD implementation and individual host firewalls on every machine.
* one worm-like attack on http results in an instant 48 hr block on all firewalls
* three relay rejects on email result in a 48 hr block on all firewalls
* three wrong passwords on ssh result in a 48 hr block on all firewalls
* bogus data / three wrong logins on ftp result in a 48 hr block on all firewalls.

The only time anyone's ever broken in to one of my boxes was way back before I implemented this system and it was an exploit in proftpd that let them in, not ssh.

My firewalls above aren't aimed so much at security, just at cutting back the logging.

Still, I wouldn't mind being able to run a daemon in front of syslogd to intercept and act on log messages as they happen rather than in cron...

Something I tell my users: face it, there's heaps of bogus traffic running around on the internet; 99% of it can be safely ignored if you are using basic security procedures and common sense. No point harping on every time a login fails.
To err is human... but to truly mess things up you need a computer
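The aggregation step Freman describes, run over the brute-force pattern Karak pasted higher up this page, as an added example that is not Freman's script: a POSIX sh function drives awk over syslog-format sshd lines, counts failures per source address across the three message shapes seen in this thread (no identification string, invalid user, failed password), and reports addresses at or above a threshold; a second function turns that list into `ipset` commands with a 48 hour timeout, printed rather than executed. The sample log is constructed (documentation-range addresses, made-up PIDs) and the set name `ssh_block` is an assumption.

```shell
#!/bin/sh
# Added example (not Freman's script): per-IP failure counting over sshd log
# lines, then a block list with a 48 h expiry. Successful logins are never
# counted, so a real user who fat-fingers a password once is not blocked.

# Constructed sample log. Mixes the three failure shapes with one accepted
# login and one single, legitimate-looking failure.
SAMPLE_LOG='May 24 13:33:13 host sshd[101]: Did not receive identification string from 203.0.113.7
May 24 13:46:22 host sshd[102]: Invalid user anonymous from 203.0.113.7
May 24 13:46:23 host sshd[103]: Invalid user passwd from 203.0.113.7
May 24 13:46:25 host sshd[104]: Invalid user chuck from 203.0.113.7
May 24 13:50:01 host sshd[105]: Failed password for root from 198.51.100.20 port 40122 ssh2
May 24 13:50:04 host sshd[105]: Failed password for root from 198.51.100.20 port 40122 ssh2
May 24 14:02:11 host sshd[106]: Accepted publickey for alice from 192.0.2.9 port 51000 ssh2
May 24 14:10:33 host sshd[107]: Failed password for invalid user admin from 198.51.100.20 port 40310 ssh2
May 24 14:11:00 host sshd[108]: Failed password for alice from 192.0.2.9 port 51002 ssh2'

# ssh_offenders [THRESHOLD]   stdin: log lines   stdout: "count ip", worst first
# Matching on "sshd" rather than "sshd[pid]:" makes it work for both the
# standard syslog layout above and the "[sshd]" layout in Karak's paste.
ssh_offenders() {
    threshold="${1:-3}"
    awk -v min="$threshold" '
        /sshd/ && ( /Did not receive identification string from / ||
                    /Invalid user .* from / ||
                    /Failed password for / ) {
            # The source address is the field after the LAST "from"; scanning
            # backwards means a user literally named "from" cannot confuse it.
            for (i = NF; i > 0; i--) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# block_commands   stdin: "count ip" lines   stdout: ipset commands (not run)
# Assumes the set was created once with a default timeout of 48 h:
#   ipset create ssh_block hash:ip timeout 172800
# and is referenced from the packet filter, e.g.
#   iptables -I INPUT -p tcp --dport 22 -m set --match-set ssh_block src -j DROP
block_commands() {
    while read -r count ip; do
        printf 'ipset -exist add ssh_block %s timeout 172800   # %s failures\n' "$ip" "$count"
    done
}

# Stand-alone demonstration: the cron-style batch pass Freman describes.
printf '%s\n' "$SAMPLE_LOG" | ssh_offenders 3 | block_commands
```

Over the sample, `ssh_offenders 3` reports `4 203.0.113.7` and `3 198.51.100.20`; alice's single failed password from 192.0.2.9 stays below the threshold and her accepted login is never counted. Because the timeout lives on the set entry, nothing has to be scheduled to unblock after 48 hours. For the realtime version Freman wishes for, feed `tail -F` of the auth log into the same awk and move the threshold test from the END block into the per-line rule so an address is emitted the moment it crosses the line.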
moocha
Watchman
Posts: 5722
Joined: Tue Oct 21, 2003 6:45 pm

Post by moocha » Tue Jun 07, 2005 5:54 am

Freman wrote:All a firewall does if they're failing is silence your logs.
Wrong.
linuxgeekery
n00b
Posts: 27
Joined: Tue Jun 07, 2005 3:40 am

Post by linuxgeekery » Tue Jun 07, 2005 3:46 pm

Hmmm... from bcore's logs it seems that the hacker is tricky. To host his IRCBot, virus, what ever it is :P, he uses free hosting sites using subdomains. 100free.com, netfirms, etc. When you do a whois, it tells you about the hosting site, not the subdomain
linuxgeekery
n00b
Posts: 27
Joined: Tue Jun 07, 2005 3:40 am

Post by linuxgeekery » Tue Jun 07, 2005 4:02 pm

Wait a fcking second...
I got someone trying to get at my box from the same ip 131.234.36.152! And what's special is it was on my Winblows box. Yes, I still have one (for a tad of gaming :P)
darker
Apprentice
Posts: 221
Joined: Thu Mar 24, 2005 3:14 am

Post by darker » Tue Jun 07, 2005 5:44 pm

Starting from the beginning of April there have been 5517 attempts on my machine. None have gotten through.
"I saw the code for your computer program yesterday. It looked easy. Its just a bunch of typing. And half of the words were spelt wrong. And dont get me started on your over-use of colons."
- The Pointy Haired Boss sees some actual code
CptPajamas
Tux's lil' helper
Posts: 77
Joined: Fri Apr 02, 2004 9:28 pm
Location: Santa Fe, NM

Post by CptPajamas » Wed Jun 08, 2005 12:55 am

I've been using xinetd and tcp wrappers to secure SSH access exclusively from trusted IP ranges / IPs.

hosts.allow and hosts.deny with appropriate /etc/services entries is king.
=[ Nate Metheny
=[ Director of Technology
=[ Santa Fe Institute
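The hosts.allow / hosts.deny pair CptPajamas describes, as an added example that is not his configuration. The addresses are documentation ranges standing in for the trusted IP ranges; the rest is standard hosts_access(5) syntax.

```conf
# /etc/hosts.allow   (read first; the first matching line decides)
# daemon : client_list   clients may be single addresses, net/mask pairs,
#                        or a dotted prefix such as 192.0.2.
sshd : 192.0.2.0/255.255.255.0 , 198.51.100.25

# /etc/hosts.deny    (read only when nothing in hosts.allow matched)
# With no matching deny line the wrapper's default is ALLOW, so this line is
# the one that actually locks the door. "ALL : ALL" here closes every
# wrapped service, not just sshd.
sshd : ALL
```

Check the rules before relying on them: `tcpdchk` reports syntax and service-name problems, and `tcpdmatch sshd 198.51.100.25` (or any other address) shows which line a given connection would hit. Two caveats a practitioner will want: the daemon name must be the one the wrapper sees (`sshd` when the daemon is linked against libwrap, or the service name xinetd/tcpd hands over), and OpenSSH dropped libwrap support in release 6.7, so on a current install the equivalent is a `Match Address` block in sshd_config or a packet-filter rule rather than these two files.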
edudlive
Guru
Posts: 557
Joined: Tue Jan 06, 2004 5:46 am

Post by edudlive » Wed Jun 08, 2005 2:04 pm

I don't have sshd running :), I'll check my server.

Doesn't seem it has had any attempts to gain access other than my friend using my FTP
moocha
Watchman
Posts: 5722
Joined: Tue Oct 21, 2003 6:45 pm

Post by moocha » Wed Jun 08, 2005 6:48 pm

darker wrote:Starting from the beginning of April there have been 5517 attempts on my machine. None have gotten through.
That you know of ;-).
</UtterParanoia>
Sorry, couldn't help myself :D.
© 2001–2026 Gentoo Foundation, Inc.