LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-13-2006, 06:58 AM   #1
rusty105
LQ Newbie
 
Registered: Dec 2005
Distribution: RH & Fedora Core
Posts: 18

Rep: Reputation: 0
Hacked !!??


Well it happened! I opened up SSH on my box about 2 weeks ago so I could do some maintenance on the run. Well this morning I go to log in as root, and BAM!! My root password was changed! I quickly check to see if my regular account works, and that was fine, so far as I can tell. I checked my logwatch e-mails, which I haven't checked in about a week, and about 5 days ago someone attempted to login as 'root' some 2000 times and failed. Further down in the report the 'ssh' section had all the failed passwords, looks like a dictionary attack!! Which due to my stupidity would have no problem finding root's password in time. Sure enough the next days logwatch had the same attack, all from the same IP, then the next day, no attack. So I think I have a pretty good idea when this happened. I was able to view the password file to look for additional users, I only have a few, and none were added. So maybe he just comprised 'root', which is all he really needs anyway! I closed off SSH to the world, so only I can login at the terminal, but the other services are running, until I get home to shut things down. I have another box I can get up and running to take over while I do an autopsy on this one, which brings we to my questions:

System is Fedora Core 1

1. Where do I start? I want to be able to see what changes he made if possible. I did see 2 strange files 'shadow-' and I think 'groups-' or 'sgroup-' something to that effect. I know there should be a 'shadow' file for passwords, and that was there, but what about the '-' on the end of the other file? I am not sure they should be there.

2. Do I need to wipe this system, or can I just change the root PW and make sure it is strong this time!

3. What can I do to prevent this in the future, I really need ssh up and running!


Thanks!!
Rusty
 
Click here to see the post LQ members have rated as the most helpful post in this thread.
Old 06-13-2006, 07:12 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,785
Blog Entries: 1

Rep: Reputation: 414Reputation: 414Reputation: 414Reputation: 414Reputation: 414
Do your logs ever show a successful root login? Tons of failed attempts with a sudden stop doesn't absolutely mean you were cracked.


Quote:
I closed off SSH to the world, so only I can login at the terminal, but the other services are running, until I get home to shut things down.
If you have been compromised, this isn't going to keep them out. They may have installed other methods to access the box. Unplug this box from the network.

Quote:
1. Where do I start?
In the Security References sticky at the top of this forum. There is a section devoted to forensics. Rkhunter and chkrootkit are probably good places to start.

Quote:
2. Do I need to wipe this system, or can I just change the root PW and make sure it is strong this time!
You need to wipe the system. There is no other way to make sure that you got everything they may have installed. Changing the root password is nowhere near enough.

Quote:
3. What can I do to prevent this in the future, I really need ssh up and running!
Well for starters, not allowing root access through ssh would be a fine idea. Strong passwords is another. You probably also want to investigate using key based authentication.

And when you get this box restored, I would suggest running a file integrity checking system like Tripwire, Aide or Samhain. If those are installed before you connect to the net they can tell you what files have been changed if another breach occurrs.

Last edited by Hangdog42; 06-13-2006 at 07:14 AM.
 
Old 06-13-2006, 07:16 AM   #3
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
Any of the programs on the server could have been rewritten to allow access in the future, so to be safe it is best to reinstall.

In the future, A) don't allow root to login to ssh. Log in using your normal user account and use sudo instead. B) Choose a better password for root and your regular user password. C) Change your username. The hacker knows it now. D) Enter your user name in AllowUsers. ( man 5 sshd_config ) This will deny all other connection attempts. This is why I suggested changing your regular user name. One more thing the cracker has to guess.
 
Old 06-13-2006, 07:20 AM   #4
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 66
I personally would reinstall this box from scratch due to my paranoia...

A few tips for the future.

1. Don't allow direct root login via ssh. You can disable this by setting PermitRootLogin no in /etc/ssh/sshd_config. Also make sure you have PermitEmptyPasswords no in there somewhere.

2. Set good passwords. I auto-scramble my root password to something totally random and long. I then stash this password away (envelope in a lockbox) and use sudo for day-to-day root access. If I have to open the envelope for any reason the password gets changed and a new envelope gets created.

3. Use the firewall. Setup iptables to drop everything and then explicitly go back and enable what you need to use.

4. Move SSH to non-standard port. I used to get thousands of login attempts a day via ssh.. I moved it to a different port and now I don't get all the script kiddies on the block attempting to login...
 
Old 06-13-2006, 07:24 AM   #5
slackie1000
Senior Member
 
Registered: Dec 2003
Location: Brasil
Distribution: Arch
Posts: 1,037

Rep: Reputation: 45
hi there,
generating some public/private keys can make life easier as well.
Quote:
Originally Posted by jtshaw
4. Move SSH to non-standard port. I used to get thousands of login attempts a day via ssh.. I moved it to a different port and now I don't get all the script kiddies on the block attempting to login...
this has also helped a lot in my case. this won't protect you from port scanning but will reduce quite a bit of the standard attacks.
regards,
slackie1000
 
Old 06-13-2006, 08:28 AM   #6
rusty105
LQ Newbie
 
Registered: Dec 2005
Distribution: RH & Fedora Core
Posts: 18

Original Poster
Rep: Reputation: 0
WOW you guys are fast!!!
OK , some more background. The hacked box is behind a Smoothwall firewall, and all access other the web, and e-mail have been turned off at the firewall. I kinda thought I was going to have to wipe the system, but ..... well anyway. SSH was on the standard port, but now I agree, I should move it. Will any port above 1024 work, or should I keep it below 1024. I have always had difficulties setting up tripwire, is there a good "how to" somewhere? As far as forensics, where should I look, I am curious to see what they changed, and how. If they didn't clear the history file, I should be able to see what commands were used, but is there anything else??

Thanks
Again!!!
Rusty
 
Old 06-13-2006, 08:56 AM   #7
tangle
Senior Member
 
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,744

Rep: Reputation: 71
Here is a link to some good RH 9 tutorials. They might help with the tripwire setup.
http://www.redhat.com/docs/manuals/l...ide/index.html
 
Old 06-13-2006, 09:05 AM   #8
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 66
Any port will work for SSH providing it isn't in use for something else. I typically put it on a port under 1024, but that is only because I'm firewalled at various places I connect from and not allowed to use most ports.
 
Old 06-13-2006, 09:14 AM   #9
rusty105
LQ Newbie
 
Registered: Dec 2005
Distribution: RH & Fedora Core
Posts: 18

Original Poster
Rep: Reputation: 0
In an attempt to make this as painless as possible, can I reload the OS onto 1 hard drive. Use this drive for the OS, install the 'hacked' drive, but only for the data that is on there. Transfer all the data to the 'new' drive, leaving all the configs, and OS programs alone, then remove the 'hacked' drive. Does this pose any security issues??

Rusty
 
Old 06-13-2006, 09:26 AM   #10
taylor_venable
Member
 
Registered: Jun 2005
Location: Indiana, USA
Distribution: OpenBSD, Ubuntu
Posts: 892

Rep: Reputation: 40
Here's what I suggest: (1) get rid of password authentication altogether, switch to keypair only (2) only allow your normal user to log in, like jschiwal said, and do admin work through sudo. As for switching ports, I don't think it really matters. A portscan will still reveal that your SSH server port is open, and connecting to it will reveal the fact that it's SSH. In other words, it can (and will) still be attacked, which is why I say switch to keypair auth only. The length of time it would take to successfully brute-force a keypair system is several magnitudes longer than that required to brute-force a password system. The same argument goes for switching your username, IMO. Anytime you merely hide information away (i.e. switching ports or user names) you're only buying yourself a small amount of time up front, without actually boosting security. It's like comparing steganography to cryptography; obviously, crypto is better. Always operate with the least privilege and most rigorous authentication mechanism possible.

One last note: if you always access this server from the same IP address or block, you can add a rule to your firewall to only accept connections on SSH from that address/block. If you have a very clever firewall, you should also be able to limit the number of connections per time period from a particlar address or block, limiting the effectiveness of dictionary attacks. OpenSSH has this capability, too, IIRC; but since it's not at the firewall level it's not as flexible.
 
Old 06-13-2006, 09:26 AM   #11
slackhack
Senior Member
 
Registered: Jun 2004
Distribution: Arch, Debian, Slack
Posts: 1,016

Rep: Reputation: 46
i definitely think you should take the box offline and reinstall if you have any concerns at all. but i'm just wondering where the evidence of being hacked is? someone tried to compromise you with a dictionary attack, but there is no evidence they succeeded. passwd- group- shadow- files are common, if not necessary, on all systems. i even have a gshadow- file.

definitely do a forensics check using the resources and help available here, but imho a complete reinstall just because you *think* you were hacked might not be necessary. if after going through everything there's any question at all that you were hacked, then by all means reinstall (and also implement the other security measures: better passwords, alternative ssh port, IDS, etc.) but if you can't find anything, you might just consider yourself lucky this time -- while having learned some good lessons on security -- and save yourself a lot of work.

 
Old 06-13-2006, 09:55 AM   #12
rusty105
LQ Newbie
 
Registered: Dec 2005
Distribution: RH & Fedora Core
Posts: 18

Original Poster
Rep: Reputation: 0
99.99% sure I was hacked, A dictionary attack was used (logwatch report showed that), and my root PW was changed Right now it is damage control and recovery time, hoping to be back up and running 100% by tomorrow!

For my own info, how do I find out how mant days since a PW was changed? I know there is a way to have the OS force a user to change their PW after a preset time, but how does it know how much time has passed? I would like to know exactally when the root PW was changed. Hopefully I can associate that time to an IP address to report!

Rusty
 
Old 06-13-2006, 10:13 AM   #13
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 52
That's a nice hacker, he changed your password because it was too simple.
In case you get hacked again and he would loose his zombie.
 
Old 06-13-2006, 10:15 AM   #14
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD
Posts: 2,004

Rep: Reputation: 304Reputation: 304Reputation: 304Reputation: 304
Quote:
Originally Posted by rusty105
For my own info, how do I find out how mant days since a PW was changed?
Normally, "ls -l /etc/shadow". This won't tell you WHICH password was changed however. And if you were hacked it's a simple and standard thing to to do cover your (the cracker's) tracks. This may included changing timestamps on /etc/shadow, deleting or altering logfiles, replacing the ls command with a trojan version, etc. Basically, anything you think you can trust ... you can't.
Quote:
I was able to view the password file to look for additional users, I only have a few, and none were added.
If you were hacked, how would you know this? If you're using for example, "cat" to look at your password file for changes, who says the cracker didn't just install some custom version of cat that filters out the new user from /etc/passwd? You don't. That's the point. You might be able to expose this trick by booting your system from a Knoppix CD and using the known-good "cat", "ls", "ps", etc. from there.
 
Old 06-13-2006, 10:18 AM   #15
taylor_venable
Member
 
Registered: Jun 2005
Location: Indiana, USA
Distribution: OpenBSD, Ubuntu
Posts: 892

Rep: Reputation: 40
I believe the time information is kept in /etc/pwd.db and /etc/spwd.db which are database files containing login information. See pwd_mkdb(8) for more info. (At least, on BSD this is the way it's done. On Linux... maybe, I don't know.)

No matter what OS you're on, that information has to be stored in some password file somewhere; so if you're lacking for clues just start going through and lookin' at them. Another indication may be the mtime for the password files, but a clever cracker would touch() those back to the original dates to avoid this.

However, if the password does not have an expiry time, the time when it was last changed may not be noted, as it is not necessary to compute any times based on that password.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
What after been hacked? mOOm Linux - Security 2 04-22-2005 07:58 PM
Have I been hacked? PAB Linux - Security 3 04-18-2005 06:21 PM
Have I been HACKED?? fenice1976 Linux - Software 3 07-05-2004 08:00 PM
am i being hacked? tearinox Linux - Security 5 11-13-2003 06:00 PM
hacked WannaLearnLinux Linux - Newbie 7 10-18-2003 01:34 AM


All times are GMT -5. The time now is 07:30 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration