
ARRRRRRRRRRRRRGH!


gbaughma (IS-IT--Management, Staff member), Nov 21, 2003
Just need to vent for a second.

Some low-life sorry &(@*&(%*&#@# hacked my Linux box today. I don't know how they got in.. it had to be through SSHD, or through a vulnerability somewhere.

Anyway... they changed my root password, created a root-level account for themselves called "Test", cleared out my log files so I couldn't track them down, and started a DoS attack on someone.

Now I can't even get the system to boot, and I'm going to have to re-install.

They'd better *HOPE* I never find them.



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg
 
Do you have a boot or install disc? If so, you can boot into single user mode and change the root password. Put up a firewall as soon as possible and shut down every port that is not specifically needed. If you have a server using a particular port, make sure that server is secure.
 
gbaughma (thread starter, moderator), post #3
Unfortunately, they really did a number on me.

I booted off of the CD, and tried to get into single-user mode.. but the filesystem was opening read-only, and mount was giving me a segmentation fault. :(

The only ports open were 80 (web), 21 (FTP), 25 and 110 (mail) and 22 (SSHD). The server was on the inside of a NAT, with those three ports forwarded. Since this attack, I turned off port 22... but I really can't turn off the other two.

I had seen several attempts at logins on my log watch on SSH, but I added those IPs to my hosts.deny as soon as I'd get the report.

I don't know how they got in... but (at this very moment) I'm trying a reinstall without formatting the filesystem, so I can maintain my web pages, home directory, etc.

<Sigh> It's going to be a long, long night.



--Greg
 
gbaughma (thread starter, moderator), post #5
thedaver:
The machine took itself off the network. It wouldn't boot. lol.



--Greg
 
gbaughma (thread starter, moderator), post #6
The system is back up again... and I turned off my SSHD forwarded port (which is a *REAL* pain in my butt, because that means that I can't log into it either unless I'm at home).

I also changed the ROOT login, the ROOT group name...

So now, to log in, you have to log in as a regular user, SU to the new root login (which you would have to know in advance).

Is there a way, however, to make it so that only CERTAIN logins have access to the su command?



--Greg
 
How many users need a login account? If you are the only user who needs a shell account then you can give all your other users /sbin/nologin in place of a shell. This way they can access their mail but that's about it. If you must supply some users with a shell account then you can limit what they can do with the 'sudoers' command. Type man sudoers to see how this is done.
 
I'm very sorry for what happened to you; the same happened to me just 6 months ago.

It's a real pain to reinstall everything just to get back to where you were at the beginning. Ouch...



Regards Dan
 
gbaughma (thread starter, moderator), post #10
Well, it appears that SOMEHOW they got in through FTP with uid=0... I've turned off FTP, and put in the sshdfilter and put port 22 back through my firewall again.... we'll see how it goes.



--Greg
 
If they accessed your system through FTP then I would suggest configuring your FTP server to disallow root login. This is set by default in VSFTP; I do not know about any others, I am afraid.
 
gbaughma said:
Well, it appears that SOMEHOW they got in through FTP with uid=0... I've turned off FTP, and put in the sshdfilter and put port 22 back through my firewall again.... we'll see how it goes.

A grumpier security administrator would point out that closing the attack vector(s) (FTP, SSH filtering) does not go far to assure that the system is not otherwise compromised with other backdoors, trojans, keyloggers, etc.

You didn't mention your effort to clean the system, so I thought I'd float that notion of concern. Appreciate your sharing your experiences here for others to benefit from.

D.E.R. Management - IT Project Management Consulting
 
gbaughma (thread starter, moderator), post #13
if they accessed your system through FTP then I would sugesting your FTP config to disalow root login
You know, I looked at that, and it was configured that way. I'm still not 100% sure of how they got in.

You didn't mention your effort to clean the system, so I thought I'd float that notion of concern.

As near as I can tell, they 1) changed my root password, 2) set up another root-access account for themselves called "test", 3) deleted the logs (they misspelled "messages" when they deleted/re-created the log files), and 4) started a DoS attack.

So, once I got the system back up and running, I
1) changed my root password... if they're doing a brute-force hack on *THAT* one, it will take YEARS.
2) deleted the "test" account they had created
3) Turned OFF FTP on my port forwarding; it will be inconvenient, but it closes the hole
4) Installed the script mentioned by thedaver... so any attacks on my sshd port (I need *some* way to get into the system remotely) will follow the "3 strikes and you get added to /etc/hosts.deny" rule. ;)

I had at one point changed the root user name to something different, however Postfix started to really gripe about it, since it evidently uses sudo, and said "root doesn't own the file", etc. Since the hackers have been trying to log in with uid=0 instead of "root", it didn't really matter WHAT the root account was named, so I changed it back.

Additionally, the only spot that root is allowed to log on now is at the console. I never log on as root unless I'm at the console anyway; best practice is to su when you need to do something as root, so that you don't accidentally do things (ultimate power corrupts ultimately.. hehe)

I also thoroughly examined my web directories, to make sure they hadn't dropped a perl backdoor or other such nasty in there while they were there.

Overall, I think I "caught" it soon enough before the system became *REALLY* compromised. Security logs are e-mailed to me daily, and every day I go through and add IP addresses to my /etc/hosts.deny who have attempted to gain root access. The script that thedaver gave me will not only automate that, but there won't be a "lag" between the time that someone attempted to gain access, and the logwatch e-mail is generated.

I *suspect* that they got in through FTP, since my logwatch was telling me of failed attempts into ftp using uid=0; although they could have done a brute-force against sshd... they wouldn't have been able to do a dictionary attack against it.... I always use "strong" passwords. The password that's on root now is ridiculous...well over 10 characters (I won't say how MANY over 10 characters... hehe). That's why I was floored when someone got in.

I know at one time I had a "weak" version of awstats, and someone "pwnd" my web page. (that ticked me off, too), but since then, I've been keeping awstats up-to-date with security patches. It's a possibility that they got in that way, but somehow I doubt it.



--Greg
 
gbaughma said:
... Since the hackers have been trying to log in with uid=0 instead of "root", ...

What do you mean by this? Actually supplying "uid=0" as the username? What services support that syntax, as I've not seen it before...?

Annihilannic.
 
Given your strong passwords, it seems likely that they got in via an exploit rather than brute force, and then escalated their privilege level. The hole might still be there...

Steve

"Every program can be reduced by one instruction, and every program has at least one bug. Therefore, any program can be reduced to one instruction which doesn't work." (Object::perlDesignPatterns)
 
gbaughma (thread starter, moderator), post #16
Annihilannic:
(gosh, that's a long ID to type out... lol)

That's what my logs are showing.... if I can find one, I'll show you. Ahh. Here's one:

Oct 22 09:12:01 londo vsftpd(pam_unix)[16250]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.68.192.16

.... I got several hundred of these, before I installed that script. Now, even though root access to FTP is disabled, it's interesting the way it's logging that....



--Greg
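The "3 strikes and you get added to /etc/hosts.deny" rule Greg describes in post #13, run over log lines in the two formats that appear in this thread, as an added example written for this page: it is not sshdfilter and not code from the thread. The log lines are constructed and use documentation IP ranges; the pam_unix line mirrors the vsftpd line Greg quoted above, and the sshd lines use OpenSSH's standard "Failed password" syslog wording. One point relevant to Annihilannic's question is noted in a comment: in a pam_unix line, "uid=0 euid=0" describes the daemon process that called PAM, not a username the client typed.

```python
"""Count failed logins per source address in syslog lines and produce the
hosts.deny entries a "three strikes" rule would add."""
import re
from collections import Counter

# Constructed sample log (documentation IP ranges).  Only the format of the
# first entry comes from the thread; the rest is made up for this example.
SAMPLE_LOG = """\
Oct 22 09:12:01 londo vsftpd(pam_unix)[16250]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.16
Oct 22 09:12:03 londo vsftpd(pam_unix)[16251]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.16
Oct 22 09:12:04 londo vsftpd(pam_unix)[16252]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.16
Oct 22 09:13:05 londo sshd[16301]: Failed password for root from 198.51.100.7 port 51234 ssh2
Oct 22 09:13:07 londo sshd[16301]: Failed password for invalid user test from 198.51.100.7 port 51236 ssh2
Oct 22 09:13:09 londo sshd(pam_unix)[16301]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Oct 22 09:13:11 londo sshd[16301]: Failed password for invalid user oracle from 198.51.100.7 port 51240 ssh2
Oct 22 09:14:00 londo sshd[16320]: Failed password for greg from 192.0.2.9 port 40000 ssh2
Oct 22 09:14:05 londo sshd[16321]: Accepted password for greg from 192.0.2.9 port 40002 ssh2
"""

# pam_unix failure line, emitted by vsftpd or sshd when PAM rejects a login.
# "uid=0 euid=0" are the credentials of the daemon process that called PAM
# (vsftpd runs as root), NOT a username the remote client supplied; the
# attempted account, when PAM knows it, appears as "user=...".
PAM_FAIL = re.compile(
    r"^\S+ +\d+ [\d:]+ \S+ (?P<svc>[a-z]+)\(pam_unix\)\[\d+\]: authentication failure;"
    r".*\brhost=(?P<ip>[\d.]+)(?:\s+user=(?P<user>\S+))?"
)
# OpenSSH's own syslog line for a rejected password.
SSH_FAIL = re.compile(
    r"^\S+ +\d+ [\d:]+ \S+ (?P<svc>sshd)\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failure(line):
    """Return (service, source_ip, user_or_None) for a failed login, else None."""
    for pattern in (PAM_FAIL, SSH_FAIL):
        m = pattern.search(line)
        if m:
            return m.group("svc"), m.group("ip"), m.group("user")
    return None


def failures_by_ip(lines):
    """Counter of failed logins keyed by source IP; successes are ignored."""
    counts = Counter()
    for line in lines:
        hit = parse_failure(line)
        if hit:
            counts[hit[1]] += 1
    return counts


def offenders(lines, threshold=3):
    """Source IPs with at least `threshold` failures, most active first."""
    return {ip: n for ip, n in failures_by_ip(lines).most_common() if n >= threshold}


def hosts_deny_lines(offenders_map, existing_hosts_deny="", daemon="ALL"):
    """hosts.deny entries ("daemon_list : client_list") to append, skipping
    addresses already present so repeated runs do not duplicate entries."""
    already = set(re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", existing_hosts_deny))
    return [f"{daemon}: {ip}" for ip in offenders_map if ip not in already]


if __name__ == "__main__":
    for entry in hosts_deny_lines(offenders(SAMPLE_LOG.splitlines())):
        print(entry)
```

A real deployment would tail the log and append the returned lines to /etc/hosts.deny (or to an sshd-specific entry via `daemon="sshd"`). The caveat a practitioner should keep in mind: tcp_wrappers only protects daemons that are linked against libwrap or started through tcpd/xinetd, and OpenSSH dropped libwrap support in 6.7, so on a current system the same counting would feed firewall rules (which is what fail2ban does) rather than hosts.deny.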
 
Some time ago I had someone get in through a user's relatively weak password in vsftpd; my logs showed that over 22,000 attempts were required (which took less than 10 minutes). They managed to put a paypal phishing site on my web server space (without elevated privileges thankfully). After that I started running vsftpd under xinetd. Because relatively few people need access to my ftp server, I set xinetd to only allow certain IP address ranges. Everyone else is immediately denied before even getting a login prompt from vsftpd. Since then, I never see more than 2 connection attempts from any IP address and it works just fine for those of us that are on the allowed list.
 
How are you authenticating users who attempt to login via SSH? If you have not done so, I recommend that you configure your SSH daemon to only allow SSH2 asymmetric key authentication. It will require that your users generate keypairs and give you the public key to set up for them. As I understand it, cracking strong passwords is hard; but cracking high-bitwidth keypairs is much harder.

And can you do away with FTP entirely? On my system, I allow FTP to the system only from inside my network. For users outside my network, I require they use SFTP, which works through SSH and thus requires asymmetric keys.



Want the best answers? Ask the best questions! TANSTAAFL!
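The sshd_config side of the recommendation above (SSH2 key-only authentication, no remote root login, SFTP instead of FTP), as an added example that is not from the thread: a weak configuration next to a hardened one, and a small checker that reads the file the way sshd does (the first occurrence of a keyword wins, settings after a Match line are conditional) and flags whatever still allows password or root logins. The account names in AllowUsers and the sftp-server path are placeholders, and the defaults table assumes an OpenSSH of the thread's era (before 7.0 changed PermitRootLogin's default to prohibit-password).

```python
"""Flag sshd_config settings that still allow password or root logins."""

# Constructed sample configs (not the thread author's real files).
WEAK_CONFIG = """\
# typical distribution default of the period: passwords and root login allowed
Protocol 2,1
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

HARDENED_CONFIG = """\
# SSH2 only, keys only, no root over the network, named accounts only
Protocol 2
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers greg webuser
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Values sshd applies when a keyword is absent, assuming an OpenSSH of the
# thread's era (pre-7.0).  Placeholder assumption for this example.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "protocol": "2,1",
}

# keyword -> (acceptable values, reason a finding is raised)
CHECKS = {
    "permitrootlogin": (
        {"no", "prohibit-password", "without-password", "forced-commands-only"},
        "root may authenticate with a password over the network"),
    "passwordauthentication": ({"no"}, "password logins stay open to brute force"),
    "challengeresponseauthentication": (
        {"no"}, "keyboard-interactive auth still ends up asking for the password"),
    "pubkeyauthentication": (
        {"yes"}, "with passwords off, key auth must stay on or nobody can log in"),
}


def parse_sshd_config(text):
    """Return {keyword: value} using sshd's rules: keywords are
    case-insensitive, the FIRST occurrence of a keyword wins, lines starting
    with '#' are comments, and everything after a Match line is conditional
    so it is skipped here.  Only the 'Keyword value' form is handled."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split(None, 1)
        key = tokens[0].lower()
        value = tokens[1].strip() if len(tokens) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            settings.setdefault(key, value)   # first value wins
    return settings


def findings(text):
    """List of 'keyword=value: reason' strings for settings that are not hardened."""
    cfg = parse_sshd_config(text)
    out = []
    for key, (ok, why) in CHECKS.items():
        value = cfg.get(key, DEFAULTS[key]).lower()
        if value not in ok:
            out.append(f"{key}={value}: {why}")
    proto = cfg.get("protocol", DEFAULTS["protocol"])
    if "1" in [p.strip() for p in proto.split(",")]:
        out.append(f"protocol={proto}: SSH protocol 1 is enabled")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        out.append("allowusers/allowgroups unset: every local account can be tried")
    return out


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {findings(cfg) or ['no findings']}")
```

Run it against /etc/ssh/sshd_config after editing and before restarting sshd; the "first occurrence wins" rule is the usual reason a hardening edit appended at the bottom of the file has no effect. With PasswordAuthentication off, the SFTP users mentioned above authenticate with the same key pairs as shell users, and AllowUsers keeps an account like the attacker's "test" from being usable over SSH at all.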
 
gbaughma (thread starter, moderator), post #19
Well, there's only one user besides myself that FTP's anything....

Come to think of it, I don't FTP... I link up a samba share to my 2003 server, and copy files from there.

The only reason that he FTP's is to update the web pages he manages; so he can just e-mail me the changes and I'll put them online.

I wonder how I'd go about configuring the SSH daemon... <old man voice> in the old days, you just telnetted in.. we didn't need none of this high-falutin' security stuff... </old man voice>



--Greg
 
man sshd_config and you're away!

Annihilannic's not difficult, it's just two "anni"s with a "hil" in the middle and a "c" on the end. :p

Annihilannic.
 