[SOLVED] I Think I've Been Hacked; Weird Stuff Showing Up In /var/log/syslog
I'm looking at my log files and I see two weird things:
1.) In Firestarter's active connections space, I see a port 443 (HTTPS) connection going to 63.76.73.177, which is basically Scottrade.com. I was there earlier today, but didn't sign up for anything.
2.) Firestarter shows a port 443 (HTTPS) connection going to portfolio-director.com, an alias for portfoliodirector.com, where I didn't go today.
Why would this happen? Firestarter's events list doesn't show any outgoing stuff, only a lot of people trying UDP or Microsoft-ds type scans.
I'm not an expert at this stuff, I'm still learning. I looked up 121.120.53.77 using whois and it's an address in Malaysia.
I've run who and only I'm showing up; running nmap on my IP address only shows port 80 being up (which is true) because I turn off port 22.
** Addendum **
I just used GNOME Network Tools and portscanned my IP address. It said 80 was open (fine) and that 42052 and 50858 are open, service unknown. I'll investigate this further...
I've always applied my bug fixes and system updates as soon as I get the notifications, but I suppose even that doesn't keep crackers away.
I'd seriously appreciate any help ...
Last edited by rolandjdc; 02-15-2010 at 02:13 AM.
Reason: Removed my ip address.
Clean up /tmp & ~/, close any port you don't know about, and tighten up on permissions everywhere. Having only one user robs things of security, because he's almost as good as root. Can he sudo? Very bad if you're online. Are you running X? Get serious, and tighten up.
In the medium term, consider switching to D.J.Bernstein's servers http://cr.yp.to
The man is mad imho, and hugely conceited, documentation is poor, but they are extremely secure. He can replace inetd, bind, sendmail, and possibly others with weirdo tools in strange places that have excellent security, and typically do things as weird users with shells like /bin/true. Throughput is achieved by three or four of these weirdo processes in a 'Mexican wave', appearing & disappearing nearly instantly.
Hi business_kid,
Thank you for writing back!
By cleaning up /tmp, do you mean just blowing away everything in there and letting the system processes redo what's needed, or ...?
I ran nmap on localhost and found 3 open ports: www, mysql (3306) and 631, which is ipp, Internet printing protocol. I don't print, so I may as well uninstall CUPS. I'll close up mysql and edit Apache to refuse any exterior connection. I'll also permanently disable sshd, at least til such times that I can manage it effectively.
I am running X, because this is my main machine. I've unplugged the network cable and changed my password.
If someone else is using the machine while it's networked, what's the best way to tell if the intruder can sudo, one of the log files? And if he could, would his actions necessarily show up in the files?
Let's get sensible about this. At this point, you've presented nothing that indicates an attack has occurred, much less a successful breach. So before going off and messing with a ton of stuff, let's get an idea if we have a problem to begin with. First, if you're concerned about unauthorized access, cut it all off. You can either pull the network plug or put up a firewall that only allows SSH access from a trusted IP. Nothing else. Second, let's see if anything unusual is listening, not just open. Please post the output of:
lsof -Pwn
netstat -pane
ps -axfwwwe
What we're looking for out of these commands is something that you don't know about. Unknown servers, new users, that sort of thing. It would also be a good thing if we knew what you were serving up with Apache.
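As an added example (my own, not code from Hangdog42's or business_kid's posts, and not anything the thread's participants ran), here are three shell helpers for the questions raised above: which lines in `netstat -pane` output are listeners nobody expected, whether any account besides the owner is root or sudo-capable, and what `sudo` itself records in auth.log. Every input below is constructed sample data shaped like those files; the program name `example-unknown`, the account `svc-example`, the host name and all addresses are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Three triage helpers for the
# "what is listening, and who is privileged" questions above. All input is
# constructed sample data shaped like `netstat -pane`, /etc/passwd,
# /etc/group and auth.log; on a real host pipe the live output/files in.

# Services the owner knows about (names as netstat's PID/Program column
# shows them). Anything else that listens is reported.
EXPECTED_PROGRAMS="apache2 mysqld cupsd kdeinit4 dhclient"
# Services that should never be reachable from the network.
LOCAL_ONLY_PROGRAMS="mysqld cupsd"

# Constructed `netstat -pane` output: 'example-unknown' stands in for an
# unrecognised program, and mysqld is deliberately bound to all interfaces.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          12001      1234/apache2
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      107        12002      1300/mysqld
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          12003      1100/cupsd
tcp        0      0 0.0.0.0:42052           0.0.0.0:*               LISTEN      1000       12004      2222/kdeinit4
tcp        0      0 0.0.0.0:50858           0.0.0.0:*               LISTEN      1000       12005      9999/example-unknown
tcp        0      0 192.0.2.10:42052        198.51.100.7:51234      ESTABLISHED 1000       12006      2222/kdeinit4
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          12007      800/dhclient'

# Reads netstat -pane output on stdin; prints "<proto> <port> <program> <reason>"
# for every listener that is either unknown or exposed when it should be local.
unexpected_listeners() {
    awk -v expected="$EXPECTED_PROGRAMS" -v local_only="$LOCAL_ONLY_PROGRAMS" '
    BEGIN {
        n = split(expected, e, " ");   for (i = 1; i <= n; i++) ok[e[i]] = 1
        n = split(local_only, l, " "); for (i = 1; i <= n; i++) loc[l[i]] = 1
    }
    # TCP counts only in LISTEN state; a bound UDP socket is always "listening"
    # and its line has no State column, so the foreign address is field 5.
    ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /:\*$/) {
        split($NF, pp, "/"); prog = pp[2]
        port = $4; sub(/.*:/, "", port)
        addr = $4; sub(/:[^:]*$/, "", addr)
        if (!(prog in ok))
            print $1, port, prog, "not in expected list"
        else if ((prog in loc) && (addr == "0.0.0.0" || addr == "::"))
            print $1, port, prog, "local-only service bound to all interfaces"
    }'
}

# Constructed /etc/passwd, /etc/group and auth.log excerpts. 'svc-example' is a
# planted second uid-0 account so the checks below have something to report.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
svc-example:x:0:0::/var/tmp:/bin/sh
roland:x:1000:1000:Roland:/home/roland:/bin/bash'
SAMPLE_GROUP='root:x:0:
admin:x:115:roland
sudo:x:27:
wheel:x:10:'
SAMPLE_AUTHLOG='Feb 15 02:10:01 mybox sudo:   roland : TTY=pts/0 ; PWD=/home/roland ; USER=root ; COMMAND=/bin/netstat -pane
Feb 15 02:11:40 mybox sudo: svc-example : TTY=pts/1 ; PWD=/var/tmp ; USER=root ; COMMAND=/usr/bin/apt-get install example
Feb 15 02:12:00 mybox sshd[2100]: Accepted password for roland from 192.0.2.20 port 51000 ssh2'

# /etc/passwd on stdin -> accounts with uid 0 that are not "root".
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# /etc/group on stdin -> "<group> <member>" for the groups sudoers usually grants.
sudo_group_members() {
    awk -F: '($1 == "sudo" || $1 == "admin" || $1 == "wheel") && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print $1, m[i] }'
}

# auth.log on stdin -> "<user> <command>" for every sudo invocation logged.
sudo_history() {
    awk '/ sudo: / && /COMMAND=/ { cmd = $0; sub(/.*COMMAND=/, "", cmd); print $6, cmd }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
printf '%s\n' "$SAMPLE_PASSWD"  | extra_root_accounts
printf '%s\n' "$SAMPLE_GROUP"   | sudo_group_members
printf '%s\n' "$SAMPLE_AUTHLOG" | sudo_history
```

On the sample data this reports the `example-unknown` listener on 50858 and mysqld bound to 0.0.0.0, the planted uid-0 account, roland's membership of `admin`, and both sudo invocations. Two caveats a practitioner would add: the expected-program list is only as good as the owner's knowledge of the box, so an unfamiliar name deserves a look at `/proc/<pid>/exe` before deciding; and auth.log answers "did he sudo" only if the intruder could not rewrite it, which is why these logs are worth shipping to another machine.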
The only thing I was serving with Apache was the index page and, in the last couple of days, some FLAC files for a buddy to grab. I've since deleted them from Apache.
Note that lsof -Pwn is truncated. LQ is only letting me upload 3 files. The netstat file was done as sudo and without the Ethernet cable plugged in and no wifi hooked up.
Last edited by rolandjdc; 02-15-2010 at 08:23 AM.
Reason: Ethernet was still up, just unplugged.
I'll ping one of the more experienced handlers here to check my conclusions, but to be honest, I'm not seeing anything to get excited/worried about. Your netstat dump didn't show anything unusual listening on TCP, provided you know you're running Apache, CUPS, MySQL and KDE. If one of those is a surprise to you, then maybe we worry a bit more. Similarly, your ps output seems to be consistent with running KDE and a fairly normal complement of Linux stuff. I'm afraid the lsof file is of somewhat limited use as it is only the processes running under your user. If Apache was the vector of attack, the bad guys would have gotten that user as their access point and potentially escalated to root. Or created an entirely different user.
I'm not familiar with firestarter, so I don't know how much stock to put in its logs. However, firewall logs typically just show traffic, they can't really tell if there is something on your machine that is actively listening for a connection. The syslog entry you posted looks like normal traffic. One of the realities of connecting directly to the internet is that you are going to get scanned and scanned hard. It happens to everyone running a server.
I guess if I were in your shoes, I'd just keep an eye on the machine for odd behavior or traffic. You also might want to check the installed packages for integrity. I think the debsums program might do that, but I've never used it.
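As an added example (mine, not Hangdog42's and not the debsums program itself), this is the check debsums automates, done by hand with GNU coreutils `md5sum` against a constructed package tree. dpkg stores one `<md5>  <path relative to />` list per package under `/var/lib/dpkg/info/<package>.md5sums`; the package name, paths and file contents below are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread and not debsums itself: the check
# debsums automates, done by hand. dpkg records "<md5>  <path relative to />"
# for each installed file in /var/lib/dpkg/info/<package>.md5sums, and
# `md5sum -c` run from / reports every file whose content no longer matches.
# Requires GNU coreutils md5sum; runs against a constructed tree in a temp dir.

# Usage: verify_package_files MD5SUMS_FILE ROOT_DIR
# Prints the relative path of each file that fails; prints nothing if all match.
verify_package_files() {
    sums=$1; root=$2
    # md5sum -c runs inside ROOT_DIR, so the list must be given by absolute path.
    case $sums in /*) ;; *) sums=$PWD/$sums ;; esac
    ( cd "$root" && md5sum -c --quiet "$sums" 2>/dev/null ) |
        sed -n 's/: FAILED.*$//p'
}

# Builds a constructed "package" tree, records its md5sums the way dpkg does,
# then changes one file so the verifier has something to find. Prints the dir.
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/root/usr/bin" "$demo/root/etc/example"
    printf '#!/bin/sh\necho hello\n' > "$demo/root/usr/bin/example-tool"
    printf 'setting=1\n' > "$demo/root/etc/example/example.conf"
    ( cd "$demo/root" && md5sum usr/bin/example-tool etc/example/example.conf ) \
        > "$demo/example.md5sums"
    # Simulate a binary replaced after the checksums were recorded.
    printf '#!/bin/sh\necho changed\n' > "$demo/root/usr/bin/example-tool"
    printf '%s\n' "$demo"
}

demo=$(make_demo_tree)
verify_package_files "$demo/example.md5sums" "$demo/root"   # -> usr/bin/example-tool
rm -rf "$demo"
```

The limit of this check is the same on a real host as in the demo: the md5sums lists live on the disk being checked, so anyone who already has root can rewrite them alongside the binaries. It catches careless changes and accidental corruption; for a machine you actually suspect, compare against checksums taken from the distribution's package files or a known-clean copy kept elsewhere.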
As hangdog stated, there is nothing running that seems out of the ordinary. If you know that apache, cups, mysql and kde are running, then it looks fine. If you visit a page and it has an ad in it, then your system will normally reach out to that site to pull the ad, rather than the site you visited pulling the link in; it just says go "here" to get the info.
Personally, I don't see anything that indicates you've been compromised. I wouldn't worry about the outbound connection to portfolio-director.com. Chances are you went to a website that had an image or whatever that linked back to portfolio-director.com. You may not have gone there explicitly, but your browser downloaded something from that site, which would explain that log record.
As far as the firewall log record, that's probably just one of the many records that represents port sweeps or scans that happens all the time. With the way your network is apparently set up, you probably have a lot of log records like that.
Even if I only had one computer on my network, I would still use a common home router for extra protection instead of connecting my PC directly to the modem. With one of those routers, you won't see inbound connections like that unless you enabled port forwarding on the router.
@ Hangdog42 and slimm609,
Yes, I knew I was running Apache, KDE, MySQL and CUPS. I noticed when I hooked the system back up to the 'Net, it felt more sluggish, but I think that might be an issue with Wicd; the Network Manager was too painful to fight with, it didn't want to keep a static IP address, stuff like that.
I haven't noticed any weird web pages being set up. I'm taking a gander at files created in the last couple of weeks. So far, nothing out of the ordinary - at least once I've Googled what they are ... some of them are pretty deep in the system.
Firestarter is a firewall generally used under Ubuntu. I don't mind being portscanned; I know that's part of online life.
I did a brief Wireshark capture last night. Brief is all my knowledge would allow. I noticed the only time it recorded activity on eth1 was when I pointed my browser to a few test sites.
I think what got me so hysterical was my own ignorance and a lot of caffeine ;-) I don't know how to expertly read /var/log/syslog, so what might be a mere scan, I automatically interpreted as an intrusion.
I've been meaning to install and learn Snort or something similar. Now's the time.
I'll set the machine to doing its sums.
Is the LQ limit on posted files a per user limit, or per thread? I didn't want to create a gigantic page from the lsof data; the file was 596 KB, and LQ doesn't take archives. Should I post the other two parts directly into the page?
@ anyone: If someone would be so kind as to break down the /var/log/syslog posting, or point to a good tutorial, I'd appreciate it.
Just my 2 cents here, but if you look through the source of the Scottrade website you will see that they make calls to a few other domains. Also, looking through portfolio-director.com, it looks like they have a partnership with Scottrade.
Here is a quick snippet from portfolio-director.com
Code:
<div id="right-content" class="yui-b">
<div class="box1">
<h2>Looking for a custodian?<br>
Think Scottrade Advisor Services.</h2>
<div class="button">
<div class="button1"><a target="_blank" href="http://advisor.scottrade.com" >Learn More ></a></div>
</div>
</div>
This just shows you that they are partnering together. So I agree with the others. I would not think too much into it.