LinuxQuestions.org

Linux - Security: Compromised by SSH bruteforce (http://www.linuxquestions.org/questions/linux-security-4/compromised-by-ssh-bruteforce-363814/)

MBH 09-15-2005 11:30 PM

Compromised by SSH bruteforce
 
After reading the article, I realised that I was hacked.

Hello,

Yesterday, I slept at 7 pm and woke up today at 3:30, to find that my PC had restarted.

I jumped to /var/log and started looking there...

In messages I found this to be interesting:

Code:

Sep 15 17:38:19 MBH kernel:  sda: I/O error: dev 08:00, sector 0
Sep 15 18:00:48 MBH -- MARK --
Sep 15 18:20:48 MBH -- MARK --
Sep 15 18:40:48 MBH -- MARK --
Sep 15 19:00:48 MBH -- MARK --
Sep 15 19:20:48 MBH -- MARK --
Sep 15 19:40:48 MBH -- MARK --
Sep 15 20:00:48 MBH -- MARK --
Sep 15 20:20:48 MBH -- MARK --
Sep 15 20:40:48 MBH -- MARK --
Sep 15 21:00:48 MBH -- MARK --
Sep 15 21:20:48 MBH -- MARK --
Sep 15 21:40:48 MBH -- MARK --
Sep 15 22:00:48 MBH -- MARK --
Sep 15 22:19:51 MBH kernel: eth0: Setting half-duplex based on MII #8 link partner capability of 0000.
Sep 15 22:20:01 MBH kernel: eth0: Setting full-duplex based on MII #8 link partner capability of 45e1.
Sep 15 22:40:48 MBH -- MARK --
Sep 16 00:00:48 MBH -- MARK --
Sep 16 00:20:48 MBH -- MARK --
Sep 16 00:24:16 MBH sshd[9177]: Did not receive identification string from ::ffff:210.22.12.156
Sep 16 00:25:41 MBH sshd[9194]: Invalid user 1 from ::ffff:210.22.12.156
Sep 16 00:25:41 MBH sshd[9194]: Failed password for invalid user 1 from ::ffff:210.22.12.156 port 418$
Sep 16 00:40:48 MBH -- MARK --
Sep 16 01:00:48 MBH -- MARK --
Sep 16 01:20:48 MBH -- MARK --
Sep 16 01:40:48 MBH -- MARK --
Sep 16 02:00:48 MBH -- MARK --
Sep 16 02:20:48 MBH -- MARK --
Sep 16 02:40:48 MBH -- MARK --
Sep 16 02:56:30 MBH syslogd 1.4.1: restart.
Sep 16 02:56:32 MBH kernel: klogd 1.4.1, log source = /proc/kmsg started.
Sep 16 02:56:32 MBH kernel: ey):
Sep 16 02:56:32 MBH kernel: IPv6 v0.8 for NET4.0

The I/O error shows the last time I used the PC.
Notice the sshd messages. Someone has been trying to login (and apparently they did), then restarted the PC.

I scanned with nmap and found these ports to be open: 111, 631, 3663, 45100

Am I correct with my guess? was I hacked? Where else should I look? Should I check for implanted scripts? Where?

The SSH attack article mentioned that compromised computers have IRC bots installed. Where can I find these, if any, and how do I disable them?

Thanks in advance

Tinkster 09-16-2005 12:04 AM

If the person had logged in successfully you would have seen
a "password accepted" in the log as well ... also, you would most
likely see entries in the output of "last" for it.

If you're concerned about having been compromised, download
some live distro with chkrootkit and Rootkit Hunter on it.

Also, if the machine had gone down by user interaction, there
would be messages to that effect in the logs. More likely a fluke
in the power grid or maybe a hardware problem?



Cheers,
Tink

MBH 09-16-2005 12:17 AM

Thanks.

I'm downloading Slack 10.2 and gonna do a clean install afterwards.

For now, I've stopped & disabled rc.sshd, downloaded rkhunter and did a scan. Only PHP seems to be vulnerable -- which doesn't matter since I don't run apache, only local PHP scripting.

Capt_Caveman 09-16-2005 10:10 PM

Unless you had exceptionally poor passwords, the ssh bruteforce is unlikely to have been successful, as most versions of the tool only use a rudimentary set of usernames and passwords. The command 'last -i' should also show any successful remote logins. The disk I/O error would seem to suggest a hardware failure as the likely cause of the shutdown, as Tink mentioned.

Quote:

I scanned with nmap and found these ports to be open :: 111,631,3663,45100

How did you perform the scan, locally (i.e. scanning yourself) or from another system? What nmap scan did you use? If you haven't already hosed the system, run 'netstat -pantu' and post the output.
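Both replies above come down to the same check: look for a successful login from the attacking address, not just the failures. The string OpenSSH actually writes for a success is "Accepted password for USER from ADDR" (or "Accepted publickey for ..."), alongside the "Failed password for [invalid user] USER from ADDR" lines MBH posted. The script below is an added example, not code from the thread or from any LinuxQuestions poster. It reads a log excerpt in the format of the /var/log/messages lines above, aggregates failures per source address, strips the IPv4-mapped "::ffff:" prefix so the same host is not counted twice, and lists every accepted login with a flag when that address also produced failures. The sample log is constructed: the extra attempts, the "Accepted password" line, the user name mbh and the address 192.0.2.44 are invented for the demonstration.

```python
"""Triage an sshd log excerpt: failures per source address, plus every
accepted login, which is what the replies in the thread say to look for."""
import re
from collections import defaultdict

# Constructed sample in the format of the thread's /var/log/messages excerpt.
# The extra attempts, the "Accepted password" line, user mbh and the address
# 192.0.2.44 are invented for this example; they are not from the post.
SAMPLE_LOG = """\
Sep 16 00:24:16 MBH sshd[9177]: Did not receive identification string from ::ffff:210.22.12.156
Sep 16 00:25:41 MBH sshd[9194]: Invalid user 1 from ::ffff:210.22.12.156
Sep 16 00:25:41 MBH sshd[9194]: Failed password for invalid user 1 from ::ffff:210.22.12.156 port 4183 ssh2
Sep 16 00:25:44 MBH sshd[9196]: Invalid user admin from ::ffff:210.22.12.156
Sep 16 00:25:44 MBH sshd[9196]: Failed password for invalid user admin from ::ffff:210.22.12.156 port 4185 ssh2
Sep 16 00:25:47 MBH sshd[9198]: Failed password for root from ::ffff:210.22.12.156 port 4187 ssh2
Sep 16 00:40:48 MBH -- MARK --
Sep 16 01:02:10 MBH sshd[9210]: Accepted password for mbh from 192.0.2.44 port 51022 ssh2
"""

# Syslog prefix; only sshd lines matter here, MARK and kernel lines are skipped.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# OpenSSH's own strings: "Failed METHOD for [invalid user ]NAME from ADDR ..."
# and "Accepted METHOD for NAME from ADDR ..." (METHOD: password, publickey, ...).
FAILED_RE = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
NOID_RE = re.compile(r"^Did not receive identification string from (?P<ip>\S+)")


def normalize_ip(addr):
    """sshd on a dual-stack socket logs IPv4 peers as IPv4-mapped IPv6
    (::ffff:a.b.c.d); strip the prefix so both spellings aggregate together."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def new_record():
    return {"failed": 0, "users": set(), "accepted": [], "no_id": 0}


def triage(log_text):
    """Return {ip: {failed, users, accepted, no_id}} over every sshd line."""
    by_ip = defaultdict(new_record)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        f = FAILED_RE.match(msg)
        if f:
            rec = by_ip[normalize_ip(f.group("ip"))]
            rec["failed"] += 1
            rec["users"].add(f.group("user"))
            continue
        a = ACCEPTED_RE.match(msg)
        if a:
            by_ip[normalize_ip(a.group("ip"))]["accepted"].append(
                (ts, a.group("user"), a.group("method")))
            continue
        n = NOID_RE.match(msg)
        if n:
            by_ip[normalize_ip(n.group("ip"))]["no_id"] += 1
    return dict(by_ip)


def brute_forcers(summary, threshold=3):
    """Addresses with at least `threshold` failed logins (threshold is arbitrary)."""
    return sorted(ip for ip, r in summary.items() if r["failed"] >= threshold)


def accepted_logins(summary):
    """Every successful login, oldest first, as (ts, ip, user, method, suspicious).
    `suspicious` is True when the same address also produced failures: that is
    the case to cross-check with `last -i` and a rootkit scan, not just dismiss."""
    rows = []
    for ip, r in summary.items():
        for ts, user, method in r["accepted"]:
            rows.append((ts, ip, user, method, r["failed"] > 0))
    return sorted(rows)


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print("brute-force sources:", brute_forcers(s))
    for row in accepted_logins(s):
        print("accepted:", row)
```

On the thread's own excerpt the result is what Tinkster and Capt_Caveman describe: one address with failed attempts and no "Accepted" line at all, which on its own is not evidence of a compromise. The address normalisation matters because a host reachable over both IPv4 and IPv6 can appear under two spellings in the same log. The threshold of three is only a demonstration value; a real brute-force run produces hundreds of failures.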

