LinuxQuestions.org
Old 12-29-2012, 03:57 PM   #1
towheedm
Member
 
Registered: Sep 2011
Location: Trinidad & Tobago
Distribution: Debian Squeeze
Posts: 585

Has my system been compromised?


OK, so a little history first. Just got this Samsung Galaxy S3 and thought it'd be great to now be able to access my home desktop while on the go.

After doing some research (probably should have done more), I found out how I could access my desktop from an external network (AP or 3G) while on the road.

I forwarded port 22 on my router to my desktop PC and was then able to SSH into my desktop from the S3. Mind you, I did not set up SSH to use keys as I was not quite sure how it could be done from the S3 also. So I would log in with my username and supply my password.

I'll admit, I did have intentions of disabling all of this after testing but just completely forgot about it. Been playing with the S3 for all of the last two weeks. So port 22 remained open on the router.

While working at the console just now, I got a weird command line that I did not type. It was a search term I had entered on the S3 while browsing from it. Mind you, I'm now permanently logged in to Google Services.

I immediately closed the port and checked my auth.log file and found these:
Code:
Dec 29 11:04:31 <hostname> sshd[25639]: Address 218.60.8.228 maps to cncln.online.ln.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 11:04:31 <hostname> sshd[25639]: Invalid user anonymous from 218.60.8.228
Dec 29 11:04:31 <hostname> sshd[25639]: pam_unix(sshd:auth): check pass; user unknown
Dec 29 11:04:31 <hostname> sshd[25639]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.60.8.228 
Dec 29 11:04:33 <hostname> sshd[25639]: Failed password for invalid user anonymous from 218.60.8.228 port 36665 ssh2
Dec 29 11:04:41 <hostname> sshd[25642]: Address 218.60.8.228 maps to cncln.online.ln.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 11:04:41 <hostname> sshd[25642]: Invalid user passwd from 218.60.8.228
Dec 29 11:04:41 <hostname> sshd[25642]: pam_unix(sshd:auth): check pass; user unknown
Dec 29 11:04:41 <hostname> sshd[25642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.60.8.228 
Dec 29 11:04:43 <hostname> sshd[25642]: Failed password for invalid user passwd from 218.60.8.228 port 38522 ssh2
Dec 29 11:04:47 <hostname> sshd[25644]: Address 218.60.8.228 maps to cncln.online.ln.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 11:04:47 <hostname> sshd[25644]: Invalid user chuck from 218.60.8.228
Dec 29 11:04:47 <hostname> sshd[25644]: pam_unix(sshd:auth): check pass; user unknown
Dec 29 11:04:47 <hostname> sshd[25644]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.60.8.228 
Dec 29 11:04:49 <hostname> sshd[25644]: Failed password for invalid user chuck from 218.60.8.228 port 40368 ssh2
Dec 29 11:04:57 <hostname> sshd[25646]: Address 218.60.8.228 maps to cncln.online.ln.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 11:04:57 <hostname> sshd[25646]: Invalid user darkman from 218.60.8.228
Dec 29 11:04:57 <hostname> sshd[25646]: pam_unix(sshd:auth): check pass; user unknown
Dec 29 11:04:57 <hostname> sshd[25646]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.60.8.228 
Dec 29 11:04:58 <hostname> sshd[25646]: Failed password for invalid user darkman from 218.60.8.228 port 41586 ssh2
Dec 29 11:05:07 <hostname> sshd[25648]: Address 218.60.8.228 maps to cncln.online.ln.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 11:05:07 <hostname> sshd[25648]: Invalid user hostmaster from 218.60.8.228
Dec 29 11:05:07 <hostname> sshd[25648]: pam_unix(sshd:auth): check pass; user unknown
Dec 29 11:05:07 <hostname> sshd[25648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.60.8.228 
Dec 29 11:05:09 <hostname> sshd[25648]: Failed password for invalid user hostmaster from 218.60.8.228 port 43211 ssh2
Dec 29 11:17:01 <hostname> CRON[25661]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 29 11:17:01 <hostname> CRON[25661]: pam_unix(cron:session): session closed for user root
Dec 29 11:20:01 <hostname> CRON[25670]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 11:20:01 <hostname> CRON[25670]: pam_unix(cron:session): session closed for user smmsp
Dec 29 11:40:01 <hostname> CRON[25717]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 11:40:01 <hostname> CRON[25717]: pam_unix(cron:session): session closed for user smmsp
Dec 29 12:00:01 <hostname> CRON[25761]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 12:00:01 <hostname> CRON[25761]: pam_unix(cron:session): session closed for user smmsp
Dec 29 12:17:01 <hostname> CRON[25801]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 29 12:17:01 <hostname> CRON[25801]: pam_unix(cron:session): session closed for user root
Dec 29 12:20:01 <hostname> CRON[25810]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 12:20:01 <hostname> CRON[25810]: pam_unix(cron:session): session closed for user smmsp
Dec 29 12:40:01 <hostname> CRON[25858]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 12:40:01 <hostname> CRON[25858]: pam_unix(cron:session): session closed for user smmsp
Dec 29 13:00:01 <hostname> CRON[25901]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 13:00:01 <hostname> CRON[25901]: pam_unix(cron:session): session closed for user smmsp
Dec 29 13:17:01 <hostname> CRON[25941]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 29 13:17:01 <hostname> CRON[25941]: pam_unix(cron:session): session closed for user root
Dec 29 13:20:01 <hostname> CRON[25950]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 13:20:01 <hostname> CRON[25950]: pam_unix(cron:session): session closed for user smmsp
Dec 29 13:40:01 <hostname> CRON[25996]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 13:40:01 <hostname> CRON[25996]: pam_unix(cron:session): session closed for user smmsp
Dec 29 14:00:01 <hostname> CRON[26040]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 14:00:01 <hostname> CRON[26040]: pam_unix(cron:session): session closed for user smmsp
Dec 29 14:17:01 <hostname> CRON[26080]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 29 14:17:01 <hostname> CRON[26080]: pam_unix(cron:session): session closed for user root
Dec 29 14:20:01 <hostname> CRON[26088]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 14:20:01 <hostname> CRON[26088]: pam_unix(cron:session): session closed for user smmsp
Dec 29 14:40:01 <hostname> CRON[26164]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 14:40:01 <hostname> CRON[26164]: pam_unix(cron:session): session closed for user smmsp
Dec 29 15:00:02 <hostname> CRON[26276]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 15:00:02 <hostname> CRON[26276]: pam_unix(cron:session): session closed for user smmsp
Dec 29 15:17:01 <hostname> CRON[26322]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 29 15:17:01 <hostname> CRON[26322]: pam_unix(cron:session): session closed for user root
Dec 29 15:20:01 <hostname> CRON[26331]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 15:20:01 <hostname> CRON[26331]: pam_unix(cron:session): session closed for user smmsp
Dec 29 15:40:01 <hostname> CRON[26378]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 15:40:01 <hostname> CRON[26378]: pam_unix(cron:session): session closed for user smmsp
Dec 29 16:00:01 <hostname> CRON[26481]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 16:00:02 <hostname> CRON[26481]: pam_unix(cron:session): session closed for user smmsp
There were quite a few of these over the last few days, all from different addresses.

My syslog does not show any thing abnormal.

I'm concerned that the search term showing up on my console may indicate a possible break-in.

What else can I check to see what files, if any may have been modified?

If I want to continue leaving port 22 open, what security measures should I put in place to prevent this in the future?

I'm not too familiar with all the security measures as I'm not an expert in that field.

Your advice on this is greatly appreciated.

Thanks.
 
Old 12-29-2012, 04:06 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,135

The logs show a number of login attempts with common usernames. I see the same on my own systems, and they indicate login attempts by some script or commonly available tool. As long as you have strong passwords, you'll be OK.

I'd recommend key-based SSH authentication and/or firewall rules limiting the number of SYN packets from any one host in a given time period, say, 3 attempts in 5 minutes and you're locked out for half an hour. Does wonders for keeping the logs clean.
 
Old 12-29-2012, 04:32 PM   #3
towheedm
Member
 
Registered: Sep 2011
Location: Trinidad & Tobago
Distribution: Debian Squeeze
Posts: 585

Original Poster
My concern now is how the search term I mentioned appeared at my command prompt. As I said, this was not entered from my PC, but from the Galaxy S3.


Quote:
Originally Posted by Ser Olmy View Post
... and/or firewall rules limiting the number of SYN packets from any one host in a given time period, say, 3 attempts in 5 minutes and you're locked out for half an hour. Does wonders for keeping the logs clean.
I have no idea how to do this. Any quick guide? I'm not sure if my wireless router (D-Link DIR-300) has this facility.

The SSH keys I can do.

Thanks again.
 
Old 12-29-2012, 06:38 PM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,135

Could the search term be a clipboard issue? If you were logged in from the S3, could you inadvertently have pasted data from the S3 clipboard into the SSH session? I don't see how this could indicate that your PC has been compromised, unless the intruder also had access to your Galaxy S3.

Your router probably doesn't support advanced firewall rules, but a Linux system with iptables does. Here's one of several guides showing how the "recent" match criteria can be used to stop brute force attacks.
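The "3 attempts in 5 minutes, locked out for half an hour" policy from post #2, written with the iptables "recent" match mentioned here, as an added example that is not code from the thread or from the linked guide. It assumes iptables with the xt_recent and conntrack matches, sshd on port 22, and the chain and list names (SSH_LIMIT, SSH_BAN, ssh_attempts, ssh_banned) are my own choice.

```shell
#!/bin/sh
# Added example, not from the thread or the guide it links: the "3 new
# connections in 5 minutes, then locked out for half an hour" policy from
# post #2, written with the iptables "recent" match. Assumes iptables with the
# xt_recent and conntrack matches (both present on Debian Squeeze); the chain
# and list names below are my own choice.
SSH_PORT=22        # change if sshd listens on another port
WINDOW=300         # seconds over which new connections are counted
MAX_NEW=3          # new connections allowed per source within the window
BAN_SECONDS=1800   # how long a source stays banned afterwards

# Print the rule set, one iptables command per line (comments included).
ssh_ratelimit_rules() {
    hit=$((MAX_NEW + 1))
    cat <<EOF
iptables -N SSH_LIMIT
iptables -N SSH_BAN
# Only *new* TCP connections to sshd are examined; an established session
# (your own phone login) is never touched by these rules.
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSH_LIMIT
# Already banned? --rcheck (unlike --update) does not refresh the entry's
# timestamp, so retrying during the ban does not extend it.
iptables -A SSH_LIMIT -m recent --name ssh_banned --rcheck --seconds $BAN_SECONDS -j DROP
# Record this connection, then see whether it is number $hit from this
# source within the window.
iptables -A SSH_LIMIT -m recent --name ssh_attempts --set
iptables -A SSH_LIMIT -m recent --name ssh_attempts --rcheck --seconds $WINDOW --hitcount $hit -j SSH_BAN
iptables -A SSH_LIMIT -j ACCEPT
# Put the source on the ban list and drop the packet.
iptables -A SSH_BAN -m recent --name ssh_banned --set -j DROP
EOF
}

# Number of iptables commands in the rule set (sanity check before applying).
ssh_ratelimit_rule_count() {
    ssh_ratelimit_rules | grep -c '^iptables '
}

# Apply the rules as root (once; a second run fails because the chains exist).
# Banned sources can then be read from /proc/net/xt_recent/ssh_banned and the
# per-rule counters with: iptables -L SSH_LIMIT -vn
apply_ssh_ratelimit() {
    ssh_ratelimit_rules | sh -e
}

case "${1:-print}" in
    apply) apply_ssh_ratelimit ;;
    *)     ssh_ratelimit_rules ;;
esac
```

Running the script without arguments only prints the rules for review; `sh script.sh apply` installs them.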
 
Old 12-29-2012, 09:38 PM   #5
towheedm
Member
 
Registered: Sep 2011
Location: Trinidad & Tobago
Distribution: Debian Squeeze
Posts: 585

Original Poster
I've done some checking and realized that the search term was actually entered from my desktop. Duh...guess I went all screwy when I saw it on the console. Woe to me . . .

I've never quite got the whole iptables thing quite clear and so I think it's set to the default on my Debian Squeeze system. The router is Linux-based, so I guess it uses the iptables internally but the advanced features are certainly not exposed in the UI. I did at one point consider re-flashing with dd-wrt but realized it was not worth the risk of bricking it. I remember starting a thread on that a while back.

Well, thanks for the link; I'll be looking at the whole iptables thing again.
 
Old 01-02-2013, 09:45 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

If you expose an SSH server to the world, it WILL get probed for connections. If you expose an SSH server to the world, you have a responsibility to take steps to properly secure it, and this security should be done in layers. The biggest thing, hands down, that you can do to secure your SSH server is use key-based authentication, and I can guarantee you that there is an SSH application for the Galaxy S3 that will use key-based authentication, as my several-years-old Blackberry does.

There is nothing in the portion of the log indicating that the brute force attempts to gain entry were successful. If you see a line saying Accepted password, then you would be in trouble.

On top of that, you could take various steps like locking down the IP range from which you will accept connections, use fail2ban to limit brute force scans, etc. I would recommend reading the sticky thread on securing an SSH server for lots of additional hints.
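The checks Noway2 describes, as an added example that is not from the thread: a script that counts failed password attempts per source in auth.log, lists the "Accepted" lines that would actually show a successful login, and confirms that sshd_config disables password logins once keys are in use. The sample log mixes the OP's own lines with constructed ones (198.51.100.7 and the user alice are placeholders); the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: the auth.log checks Noway2 describes.
# A break-in via SSH shows up as an "Accepted ..." line from an address you
# do not know, not as the "Failed password" noise. On a real system point the
# functions at /var/log/auth.log (plus rotated auth.log.1) and /etc/ssh/sshd_config.

# Constructed sample: the first six lines are from the OP's paste, the last
# three sshd lines are made up (198.51.100.7 and "alice" are placeholders).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Dec 29 11:04:33 <hostname> sshd[25639]: Failed password for invalid user anonymous from 218.60.8.228 port 36665 ssh2
Dec 29 11:04:43 <hostname> sshd[25642]: Failed password for invalid user passwd from 218.60.8.228 port 38522 ssh2
Dec 29 11:04:49 <hostname> sshd[25644]: Failed password for invalid user chuck from 218.60.8.228 port 40368 ssh2
Dec 29 11:04:58 <hostname> sshd[25646]: Failed password for invalid user darkman from 218.60.8.228 port 41586 ssh2
Dec 29 11:05:09 <hostname> sshd[25648]: Failed password for invalid user hostmaster from 218.60.8.228 port 43211 ssh2
Dec 29 11:17:01 <hostname> CRON[25661]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 29 11:31:12 <hostname> sshd[25702]: Failed password for root from 198.51.100.7 port 50111 ssh2
Dec 29 11:31:15 <hostname> sshd[25702]: Failed password for root from 198.51.100.7 port 50111 ssh2
Dec 29 13:02:40 <hostname> sshd[25920]: Accepted password for alice from 198.51.100.7 port 50230 ssh2
EOF

# "count address" for failed password attempts, busiest source first. Handles
# both "invalid user X from A" and "root from A": the address follows "from".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (a in n) print n[a], a }' "$1" | sort -rn
}

# Lines proving a login succeeded (password or key). Each address listed here
# must be one you recognise; that is the check that matters.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted ' "$1"
}

accepted_login_count() {
    accepted_logins "$1" | wc -l | tr -d ' '
}

# sshd uses the first value it reads for a keyword, so that is the one we
# report. Succeeds only when password logins are explicitly switched off.
password_auth_disabled() {
    v=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "$v" = "no" ]
}

# Constructed configs: Debian's commented-out default versus a key-only setup.
WEAK_CFG=$(mktemp); printf '#PasswordAuthentication yes\nPubkeyAuthentication yes\n' >"$WEAK_CFG"
HARD_CFG=$(mktemp); printf 'PasswordAuthentication no\nPubkeyAuthentication yes\n' >"$HARD_CFG"

echo "Failed password attempts by source (count address):"
failed_by_source "$SAMPLE_LOG"
echo "Successful logins (verify every address here):"
accepted_logins "$SAMPLE_LOG"
if password_auth_disabled "$HARD_CFG"; then echo "hardened sshd_config: password logins off"; fi
```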
 
Old 01-02-2013, 12:31 PM   #7
agentsteel
Member
 
Registered: Oct 2012
Location: France
Distribution: Debian / Fedora / Ubuntu / OpenBSD
Posts: 46

Even changing the default port for SSH would help against the majority of brute-forcing scripts.
 
Old 01-02-2013, 01:10 PM   #8
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Quote:
Originally Posted by agentsteel View Post
Even changing the default port for SSH would help against the majority of brute-forcing scripts.
Yes, but only the ones that you most likely don't really need to worry about anyway.
 
Old 01-02-2013, 01:17 PM   #9
agentsteel
Member
 
Registered: Oct 2012
Location: France
Distribution: Debian / Fedora / Ubuntu / OpenBSD
Posts: 46

Sure, the good thing is it would reduce the size of the log files.
 
Old 01-02-2013, 03:26 PM   #10
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Thanks to Unspawn and Noway2, I was able to secure a server I have online against such brute force attacks by using iptables and fail2ban.

iptables basically allows you to make rules for any given port (SSH being port 22 typically) and accept or deny traffic from any IP address or subnet you like. Typically, you start by denying access to critical ports (like 22 for SSH) from *everyone* and then add exceptions. E.g., you can say "always accept connections on port 22 from IP subnet 76.173.91.0/24", which might be useful for granting SSH access to some subnet from which you are likely to connect. Another example would be "allow port 80 connections from 0.0.0.0/0", which would allow the entire IPv4 address space to connect to an HTTP server. In your case, you might establish some DENY rules on your firewall/router to exclude any well-known sources of mischief. You might also set up an ALLOW rule for the IP space that your phone company allocates to its customers' phones.

fail2ban monitors various logs and creates iptables rules to DENY troublemakers. E.g., it might monitor your SSH log and ban remote addresses that repeatedly attempt logins and fail.
 
Old 01-07-2013, 06:15 PM   #11
LeoPap
Member
 
Registered: Jan 2013
Distribution: Centos
Posts: 97
Blog Entries: 1

Hello,
I would recommend using mapped ip addresses on your router. Also if you don't have hardware firewall, buy one!

Last edited by LeoPap; 01-07-2013 at 06:16 PM.
 
Old 01-07-2013, 06:58 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,813
Blog Entries: 54

Quote:
Originally Posted by LeoPap View Post
(..) mapped ip addresses (..) hardware firewall, buy one
Given that you've read this thread thoroughly and noticed it was solved ages ago (see post #5), what aspect of the problem the OP talked about would that solve?
 
Old 01-07-2013, 08:28 PM   #13
towheedm
Member
 
Registered: Sep 2011
Location: Trinidad & Tobago
Distribution: Debian Squeeze
Posts: 585

Original Poster
Thanks to all for the recommendations. I will certainly implement the SSH keys and look at how I can set the router to accept connections only from an address range.

Remember this is a home network.

Last edited by towheedm; 01-07-2013 at 08:29 PM.
 
Old 01-09-2013, 01:10 PM   #14
LeoPap
Member
 
Registered: Jan 2013
Distribution: Centos
Posts: 97
Blog Entries: 1


Quote:
Originally Posted by unSpawn View Post
Given that you've read this thread thoroughly and noticed it was solved ages ago (see post #5), what aspect of the problem the OP talked about would that solve?
I just wanted to say that this is a way to increase the security level! Not a solution at the OP problem!
 
Old 01-09-2013, 01:34 PM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,813
Blog Entries: 54

Sure, MAC/IP mapping has its purpose, but it deals with LAN-side ARP tricks or lease kidnapping. Given today's threatscape, it IMHO wouldn't even come near the top 20 risks 'net users commonly need to guard against in SOHO environments.
 
  

