Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Distribution: Debian Jessie, FreeBSD 10.1 anything *nix to get my fix
Posts: 329
Original Poster
I could not sleep so I had to just wipe my computers and reinstall the operating systems (I know I should have saved the logs first but I could not wait) + I at least changed my password for the router. If anyone feels like trying to guess it with a password cracker - good luck to them.
Thanks everyone for your help.
I will have to build my systems up again to be bulletproof. I was not aware of the importance of this issue. My ISP never stressed it at all - and no one told me - so I guess I take a George W Bush approach to this issue:
"You fool me once, shame on you, You fool me twice, shame on me".
Quote:
I could not sleep so I had to just wipe my computers and reinstall the operating systems (I know I should have saved the logs first but I could not wait) + I at least changed my password for the router. If anyone feels like trying to guess it with a password cracker - good luck to them.
Well, you still haven't confirmed to us that the web interface on the router is indeed accessible from the outside. If it's not, then an attacker would need to exploit one of your internal machines before being able to try and crack your router's password.
Distribution: Debian Jessie, FreeBSD 10.1 anything *nix to get my fix
Posts: 329
Original Poster
It was accessible from an outside portscan - port 23 (telnet) and port 80. I disabled remote login and set the router firewall to disallow all connections from outside. I set very, very difficult 'passwords' for telnet + web logon - if someone got that far.
Distribution: Debian Jessie, FreeBSD 10.1 anything *nix to get my fix
Posts: 329
Original Poster
My whole account has been compromised for several months. I never noticed someone's (lame) attempt to route my traffic to some IP until yesterday though.. this was a bigger issue than having no firewall if you ask me - and it's not even made public by anyone so people can avoid this problem.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Are you really sure it allowed connections from the outside to the admin interface though? The default setting is to disable remote administration. Did you check the settings page to confirm that? If it is allowing remote administration, you should disable it.
I think you're quite possibly overreacting due to not completely understanding how to interpret the information you have.
What method were they using to redirect your traffic to an outside IP? If your router was compromised, did you reset the firmware to ensure no back doors were left in it? Did you find logs substantiating that it had been compromised for "several months"?
Distribution: Debian Jessie, FreeBSD 10.1 anything *nix to get my fix
Posts: 329
Original Poster
The logs on the router were clear. The sonofabitch that hacked me probably cleared the logs to cover his tracks.
Isn't it illegal for people to do that? Can't I complain to the police and my internet service provider to catch the people who did this?
Quote:
The logs on the router were clear. The sonofabitch that hacked me probably cleared the logs to cover his tracks.
Isn't it illegal for people to do that? Can't I complain to the police and my internet service provider to catch the people who did this?
Depends on the laws where you live. But generally speaking, the authorities would require some kind of evidence in order for an investigation to start (that is, assuming they consider your case merits one in the first place). So far, it doesn't look like you have any evidence at all. That's why some of us are not so sure about what happened here.
Quote:
so I guess I take a George W Bush approach to this issue:
"You fool me once, shame on you, You fool me twice, shame on me".
Actually I think the saying from G-dub was:
"Fool me once...shame on...shame on you. You fooled me. You can't fool me again." http://www.youtube.com/watch?v=eKgPY1adc0A
Quote:
The logs on the router were clear. The sonofabitch that hacked me probably cleared the logs to cover his tracks.
Isn't it illegal for people to do that? Can't I complain to the police and my internet service provider to catch the people who did this?
Yes, highly illegal. But without logs, there's no evidence to show that anything illegal happened, let alone determine who is responsible for it.
Quote:
It was accessible from an outside portscan - port 23 (telnet) and port 80.
How did you check it!? That's what win32sux and chort asked.
Quote:
my whole account has been compromised for several months.
Quote:
I know I should have saved the logs first but I could not wait
Right, if you've been compromised for months, then one or two days wouldn't have changed that much.. at least we would have something to discuss about.
Quote:
The IP number was on the page for my LAN setup. In addition, I've been looking at my firewall logs and it says I have 'active connections' to a particular host in the USA - on another box in my LAN.
Where, which IP, which port.
Quote:
and it's not even made public by anyone so people can avoid this problem.
It's public, in the manual that comes with your device.
But still, your conclusions:
Quote:
I'm CERTAIN I've been infiltrated.
Quote:
I never noticed someone's (lame) attempt to route my traffic to some IP until yesterday though..
You might have heard about SSL. Technically they cannot snoop on every kind of traffic without you getting a big fat warning on your screen.
Quote:
You might have heard about SSL. Technically they cannot snoop on every kind of traffic without you getting a big fat warning on your screen.
not necessarily so... it's unlikely, but if his box was indeed owned, there are trusted store manipulations and MITM techniques that allow the transparent interception and decryption of SSL sessions.
Quote:
not necessarily so... it's unlikely, but if his box was indeed owned, there are trusted store manipulations and MITM techniques that allow the transparent interception and decryption of SSL sessions.
What box are you talking about? The PC or the router? Also, please try to be specific and provide links/references whenever you make claims like this. What you've posted could be interpreted in many different ways. Yes, if his PC was owned then the bad guy could sniff his SSL traffic before it's encrypted and after it's decrypted. If the bad guy owns the router and wishes to sniff there instead, then he could also create a MITM attack by making the PC accept his digital certificate (either through social engineering or manually if he owns the PC too). But neither of these attacks would involve the decryption of the kosher SSL sessions, which is what it kinda sounds like you're implying would.
Quote:
What box are you talking about? The PC or the router? Also, please try to be specific and provide links/references whenever you make claims like this. What you've posted could be interpreted in many different ways. Yes, if his PC was owned then the bad guy could sniff his SSL traffic before it's encrypted and after it's decrypted. If the bad guy owns the router and wishes to sniff there instead, then he could also create a MITM attack by making the PC accept his digital certificate (either through social engineering or manually if he owns the PC too). But neither of these attacks would involve the decryption of the kosher SSL sessions, which is what it kinda sounds like you're implying would.
I'm talking about both the router and the dude's workstation.
An even greater risk is posed by unprotected systems where an attacker can preload his/her own trusted root authority certificates. In public environments such as libraries and computer labs, there is little to prevent such an attack from taking place. Casual observation of such places indicates that an attacker would see them as low-risk, high-opportunity environments.
Quote:
An even greater risk is posed by unprotected systems where an attacker can preload his/her own trusted root authority certificates. In public environments such as libraries and computer labs, there is little to prevent such an attack from taking place. Casual observation of such places indicates that an attacker would see them as low-risk, high-opportunity environments.
For this attack to work it would require the PC to be owned. The attacker is simply pre-accepting the bogus certificate prior to the MITM attack. No decryption of kosher SSL sessions is happening, the victim is simply starting a bogus SSL session with the attacker. This kind of attack can be carried out without needing to own the router.
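The defensive counterpart to the "preloaded root CA" scenario discussed in the last few posts is a trust-store audit: fingerprint every certificate in the CA bundle and diff it against a baseline taken from a known-good install. This is an added example (not code from any poster); the PEM blocks and the baseline below are constructed with placeholder bytes, not real certificates, and in practice you would read /etc/ssl/certs/ca-certificates.crt (or the browser's store) instead.

```python
"""Audit a PEM CA bundle against a baseline of SHA-256 fingerprints.

A root that is present now but absent from the baseline is flagged as
'unexpected', which is exactly what a pre-loaded rogue CA would look like.
"""
import base64
import hashlib
import re
from typing import Dict, List

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle: str) -> List[str]:
    """SHA-256 hex fingerprint of each certificate in a PEM bundle.

    The hash is taken over the DER bytes, so it matches the value printed by
    `openssl x509 -noout -fingerprint -sha256` (minus the colons)."""
    out = []
    for m in _PEM_RE.finditer(pem_bundle):
        der = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
        out.append(hashlib.sha256(der).hexdigest())
    return out


def audit_trust_store(pem_bundle: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live bundle with a baseline mapping fingerprint -> label.

    'unexpected' = in the bundle but not in the baseline (investigate these);
    'missing'    = in the baseline but gone from the bundle."""
    current = set(fingerprints(pem_bundle))
    return {
        "unexpected": sorted(current - set(baseline)),
        "missing": sorted(fp for fp in baseline if fp not in current),
    }


def _fake_pem(payload: bytes) -> str:
    """Constructed stand-in for a certificate: the body is arbitrary bytes, not DER."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data (placeholders, not real CAs).
KNOWN_ROOT = _fake_pem(b"constructed: known good root")
ROGUE_ROOT = _fake_pem(b"constructed: root added by an attacker")
BASELINE = {hashlib.sha256(b"constructed: known good root").hexdigest(): "Example Root CA"}

if __name__ == "__main__":
    # With the rogue block appended, the audit reports one unexpected fingerprint.
    print(audit_trust_store(KNOWN_ROOT + ROGUE_ROOT, BASELINE))
```

Keep the baseline under version control and run the audit from a read-only medium or a separate host, since a machine that is already owned can lie about its own trust store.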