Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Looks like I got rootkitted!!! Best I can tell from my analysis below it happened on Mar 27, 2009 at about 15:19 CDT.
This is actually my parents computer, and I am ssh'ing into it remotely (I live a two day drive away). I will be there in about two weeks to reinstall the OS from scratch, but in the meantime I'd like to do what cleanup I can remotely. Their ISP will be shutting off service within 24 hours if I don't clear up the outgoing ssh connection abuse. I'd like to have my parents computer running safely, hobbling along, until I can get there to to do a bare-metal install. No other way to 100% for sure recover from a rootkit.
I have no idea how this happened. Ubuntu 8.10 (whatever the "Ibis" version is) standard install. sshd listening, but only allows three specific userids in, and mandates pubkey authentication - no passwords. The only other server running that I'm suspicious of is vino, which I use in combination with FreeNX to get into their GUI when that need arises.
My initial guess at quick-pseudo-cleanup is to kill that new crontab that was created by the rootkit and rm -rf "/var/tmp/ /" and tell them NOT to reboot until I get there. Maybe add an iptables entry denying all outgoing ssh.
I got rootkitted ... here's the breakin ... why did SSH allow this?
Here it is, straight from /var/log/auth.log:
Code:
May 27 15:16:09 doris sshd[9202]: reverse mapping checking getaddrinfo for 189-109-33-18.customer.tdatabrasil.net.br [189.109.33.18] failed - POSSIBLE BREAK-IN ATTEMPT!
May 27 15:16:11 doris sshd[9202]: Accepted password for doris from 189.109.33.18 port 41638 ssh2
May 27 15:16:35 doris passwd[9224]: pam_unix(passwd:chauthtok): password changed for doris
My question is WHY did sshd allow password authentication? My config should have ruled out this authentication method. I believed I had things configured for sshd to ONLY allow pubkey authentication, no passwords under any circumstance. What did I do wrong in the config below?
[edit]
p.s. - Another interesting thing... the IP address that succesfully hacked in as userid 'doris' apparently guessed this userid on it's first attempt, since the above auth.log lists the ONLY entries for the hackers IP address in the logs. The hacker guessed the correct userid on the first try?! You can see in my config below that only three userids are allowed to ssh into the server, 'doris' being one of those. 'doris' is not exactly a common userid that I would expect to be guessed on the first try, but that's what my auth.log appears to show. [/edit]
Code:
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
AllowUsers david doris nx
RSAAuthentication noPubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication noHostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM no
Last edited by haertig; 05-28-2009 at 10:58 PM.
Reason: Added additional comments
I've merged your other post into this thread, in order to keep the discussion in one place.
OK. That's fine with me! :-)
I initially made two different threads because I thought of these as two separate questions: (1) How do I recover from a rootkitting, and (2) How do I configure sshd to not allow password authentication. True, in my case, (2) is what led to (1) and I should not have made the two thread titles so similar. I initially thought I'd get in more trouble for combining two topics in one thread, so I decided to go for two. Man I just can't win! ;-)
I believe PasswordAurthentication defaults to yes...
Oh man, what happened to my PasswordAuthentication line in sshd_config?! I must have accidently deleted that during some editing session. Yeah - you spotted it. I was so busy looking at what WAS in the config file, that I missed that important part that WAS NOT in there! I hate stupid mistakes on my part. Thanks!
With regards to the title "recommendations for recovery" and your current findings, I'd say no. The machines security appears to be compromised but no evidence of a rootkit is shown (file listing shows "XH", a process hider, and the regular layout of IRC mech/SSH scan tools you would find in most situations where a machine got compromised by crackers looking for easy preys) and therefore there is no valid, compelling reason to keep it running. So the end goal must be a complete version of the three R's: reformat, repartition and reinstall from scratch plus proper host hardening. Investigation is optional and can be done later on if you made a bit-by-bit disk backup. Since you're not able to deal with it right now and if the machine must be used what you could do is (have them) save detailed process, network and open files listings, is prep an USB stick and let them boot a Live CD/USB for the time being, reading configuration files from and saving their data on the stick.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.