Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I exposed a linux box on the net last night to do some testing; iptables locked pretty much everything down except ssh and an nfs mount, which was more critical.
I forgot there was a user oracle/oracle (I know!) and obviously someone had a go - the connection was only there for 12 minutes and logs show me it was some sort of scan attempt because of all the other names being tried.
Looking up their IP address, whois tells me it's
CHINA RAILWAY TELECOMMUNICATIONS CENTER
Is that likely to be spoofed?
I looked in .bash_history. There was no activity of any consequence and I recognize the activity.
I can't be totally certain nothing has been done to the server - though the account was not a member of any groups other than one for itself.
If a hacker gets in over ssh, what would be the first things they are going to do and what should I now look for on the system to see how far they have gone?
Quote:
Is that likely to be spoofed?
If they managed to log in, then no. It's highly unlikely to be a spoofed address, as that would require TCP sequence number prediction, which should be a non-issue unless you are using a really old operating system. That said, the IP could very well be that of a compromised host, so the attacker could easily be anywhere else on the planet.
Quote:
I looked in .bash_history. There was no activity of any consequence and I recognize the activity.
I can't be totally certain nothing has been done to the server - though the account was not a member of any groups other than one for itself.
Maybe start looking into IDS in order to have better data to inspect next time?
Quote:
If a hacker gets in over ssh, what would be the first things they are going to do and what should I now look for on the system to see how far they have gone?
There's really no way to predict what the attacker would do once non-root access has been obtained. A lot of factors come into play, starting with whether you were the victim of a random attack or a targeted one. The attacker's objective might have only required access to this account, or he may have intended to use this account as a starting point for privilege escalation. Seriously, there's no way to determine the intentions prior to the attack.
At this point, without an IDS, your best choice is probably to perform a thorough log file inspection to find anything out of the ordinary. Hopefully you've got a healthy amount of logging enabled. Also, if you've got a dedicated firewall in front of this box, after looking at the logs on it, keep an eye out for any suspicious connections. Before that, though, I recommend you get a snapshot of all running processes (ps), open files (lsof) and network connections (netstat) and save it on removable media for your investigation and records (assuming you haven't rebooted). Optimally, you'd want to image the entire drive (using a live CD) after doing that too. But be warned, it's not easy to perform a decent post-incident analysis when no pre-emptive measures were taken. If you want a basic guide, have a look at the CERT Intruder Detection Checklist.
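The two things win32sux recommends above, a log inspection for the scan-then-login pattern and a snapshot of volatile state before anything is rebooted, as an added example written for this page (it is not code from the thread or from either poster). The sshd log lines are constructed; the host name "box", the TEST-NET addresses and the account name are assumptions, and the snapshot directory under /mnt/usb is a placeholder for whatever removable media you mount.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: first-pass triage after a guessed ssh password.
# 1) summarise sshd log lines (constructed sample below) to show the user-name scan
#    and the one successful password login it led to;
# 2) capture what a reboot would destroy (ps, lsof, network connections, wtmp)
#    into a directory with a hash manifest.
set -u

# CONSTRUCTED sample of /var/log/auth.log. 203.0.113.0/24 and 192.0.2.0/24 are
# documentation ranges; they are stand-ins, not the poster's real addresses.
SAMPLE_LOG='Mar  3 02:11:04 box sshd[4101]: Invalid user admin from 203.0.113.9
Mar  3 02:11:04 box sshd[4101]: Failed password for invalid user admin from 203.0.113.9 port 51200 ssh2
Mar  3 02:11:06 box sshd[4103]: Failed password for invalid user test from 203.0.113.9 port 51203 ssh2
Mar  3 02:11:08 box sshd[4105]: Failed password for root from 203.0.113.9 port 51207 ssh2
Mar  3 02:11:09 box sshd[4107]: Failed password for invalid user postgres from 203.0.113.9 port 51210 ssh2
Mar  3 02:11:11 box sshd[4109]: Accepted password for oracle from 203.0.113.9 port 51214 ssh2
Mar  3 02:11:11 box sshd[4109]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
Mar  3 02:23:40 box sshd[4109]: pam_unix(sshd:session): session closed for user oracle
Mar  3 07:45:02 box sshd[5120]: Accepted publickey for kevin from 192.0.2.10 port 40001 ssh2'

# failed_by_source: failed password attempts per source IP, busiest first ("<count> <ip>").
failed_by_source() {
  grep 'Failed password' \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# accepted_logins: every successful login as "<method> <user> <ip>".
accepted_logins() {
  awk '/Accepted/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i - 3), $(i - 1), $(i + 1) }'
}

# suspicious_logins: password logins from a source that also produced failures,
# i.e. a guess that landed after a spray. Output "<user> <ip> <failures>".
suspicious_logins() {
  local log failed n
  log=$(cat)
  failed=$(printf '%s\n' "$log" | failed_by_source)
  printf '%s\n' "$log" | accepted_logins | while read -r method user ip; do
    [ "$method" = "password" ] || continue
    n=$(printf '%s\n' "$failed" | awk -v ip="$ip" '$2 == ip { print $1 }')
    if [ -n "$n" ]; then printf '%s %s %s\n' "$user" "$ip" "$n"; fi
  done
}

# session_window USER: "<opened> <closed>" times for that user's PAM session(s),
# so the "12 minutes" can be read straight from the log.
session_window() {
  awk -v u="$1" '
    $0 ~ ("session opened for user " u " ") { o = $3 }
    $0 ~ ("session closed for user " u "$") { print o, $3 }'
}

# snapshot_volatile [DIR]: save ps/lsof/ss (or netstat)/last/who output plus a
# sha256 manifest, preferably on removable media. Prints the directory it wrote.
snapshot_volatile() {
  local out="${1:-/mnt/usb/triage-$(date +%Y%m%dT%H%M%S)}"
  mkdir -p "$out" || return 1
  date -u > "$out/timestamp.txt"
  ps -eo pid,ppid,user,lstart,etime,cmd > "$out/ps.txt"
  (command -v ss >/dev/null && ss -tunap || netstat -tunap) > "$out/net.txt" 2>&1
  lsof -nP > "$out/lsof.txt" 2>/dev/null
  last -Fai > "$out/last.txt" 2>/dev/null     # wtmp: who logged in, from where, when
  who -a > "$out/who.txt" 2>/dev/null
  ( cd "$out" && sha256sum ./* > manifest.sha256 )
  printf '%s\n' "$out"
}

if [ "${1:-}" = "--snapshot" ]; then
  snapshot_volatile "${2:-}"
else
  echo "== failed password attempts per source =="
  printf '%s\n' "$SAMPLE_LOG" | failed_by_source
  echo "== accepted logins (method user ip) =="
  printf '%s\n' "$SAMPLE_LOG" | accepted_logins
  echo "== password logins from a source that also failed (user ip failures) =="
  printf '%s\n' "$SAMPLE_LOG" | suspicious_logins
  echo "== oracle session window =="
  printf '%s\n' "$SAMPLE_LOG" | session_window oracle
fi
```

On the real box, run it as root with `--snapshot /mnt/usb/box-triage` first, then feed the actual log (`grep sshd /var/log/auth.log`, or `journalctl -u ssh` on systemd hosts) into `suspicious_logins` and `session_window oracle` after sourcing the file. The snapshot is an investigation record, not proof of a clean system: a user-level intruder cannot edit auth.log, but can delete or bypass .bash_history, so an empty or innocent-looking history says little on its own.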
If the hacker has ssh then rsync would probably work (it does on this box).
Is it possible to transfer an executable file via rsync to a mount which is actually on a Windohs box and somehow use the 'at' command to cause the execution of a Windows application on the windows file server? That has been a pretty unattended box for many months. I'm just going over it now for obvious reasons.
I have a nasty feeling it is possible but would like to ask to be sure.
Thanks
Kevin
Quote:
Originally Posted by kevinyeandel
Thanks for this info. Very useful indeed.
I have one more question.
If the hacker has ssh then rsync would probably work (it does on this box).
Is it possible to transfer an executable file via rsync to a mount which is actually on a Windohs box
There are tons of ways to transfer a file if you have ssh access, the easiest of which would be scp.
Quote:
and somehow use the 'at' command to cause the execution of a Windows application on the windows file server?
It's not trivially easy to do this, although given enough motivation and resourcefulness it might be possible to make Windows RPC calls. The easier thing would probably be to tunnel RDP through the ssh connection and try weak passwords (or enumerate the share first with Samba, then use RDP). The most probable method of attack would be to simply run a pre-compiled exploit binary on Linux that is designed to attack Windows machines over the network.
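The pivot described in the reply above (tunnelling RDP or SMB through the ssh session to reach the file server) works because sshd permits TCP forwarding for every account unless told otherwise, and it started with a password login that an AllowUsers line or key-only authentication would have refused. The following is an added example written for this page, not code from the thread or from OpenSSH: a small audit of an sshd_config for the settings that make a low-privilege account usable as a pivot, run over a constructed weak config and a constructed hardened one. The file contents, the host name "fileserver" and the user list are assumptions; the fallback defaults are the upstream ones documented in sshd_config(5).

```bash
#!/usr/bin/env bash
# Added example, not from the thread: flag sshd_config settings that let an ssh
# account with a guessed password become a pivot toward hosts behind the box.
set -u

# With the WEAK config, anyone holding oracle's password can run from their own
# machine something like
#   ssh -L 13389:fileserver:3389 oracle@box    # then point an RDP client at localhost:13389
# and reach the file server's RDP/SMB ports even though iptables never opened them.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowTcpForwarding yes
GatewayPorts no
PermitTunnel no
X11Forwarding yes
UsePAM yes'

HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
AllowUsers kevin
MaxAuthTries 3
LoginGraceTime 20
UsePAM yes'

# sshd_opt FILE OPTION: effective value of OPTION. Like sshd, the first occurrence
# wins; comments are skipped; names are case-insensitive. Unset options fall back
# to the upstream default from sshd_config(5). Match blocks and Include are NOT
# handled here (see the usage note).
sshd_opt() {
  local file=$1 opt=$2 val
  val=$(awk -v o="$opt" '
      $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(o) { print $2; exit }' "$file")
  if [ -n "$val" ]; then printf '%s\n' "$val"; return; fi
  case "$(printf '%s' "$opt" | tr '[:upper:]' '[:lower:]')" in
    permitrootlogin)        echo prohibit-password ;;
    passwordauthentication) echo yes ;;
    permitemptypasswords)   echo no ;;
    allowtcpforwarding)     echo yes ;;
    gatewayports)           echo no ;;
    permittunnel)           echo no ;;
    x11forwarding)          echo no ;;
    maxauthtries)           echo 6 ;;
    *)                      echo "" ;;   # e.g. AllowUsers unset: any account with a shell may log in
  esac
}

# audit_sshd_config FILE: one finding per line, "<Option> <value> -> <why it matters>".
audit_sshd_config() {
  local f=$1 v
  v=$(sshd_opt "$f" PasswordAuthentication)
  [ "$v" = yes ] && echo "PasswordAuthentication $v -> guessable passwords (oracle/oracle) are accepted"
  v=$(sshd_opt "$f" AllowTcpForwarding)
  [ "$v" != no ] && echo "AllowTcpForwarding $v -> any account can tunnel RDP/SMB to hosts behind the box"
  v=$(sshd_opt "$f" PermitRootLogin)
  [ "$v" = yes ] && echo "PermitRootLogin $v -> root is directly brute-forceable"
  v=$(sshd_opt "$f" PermitTunnel)
  [ "$v" != no ] && echo "PermitTunnel $v -> tun/tap devices can be requested over ssh"
  v=$(sshd_opt "$f" GatewayPorts)
  [ "$v" != no ] && echo "GatewayPorts $v -> remote forwards bind on all interfaces"
  v=$(sshd_opt "$f" AllowUsers)
  [ -z "$v" ] && echo "AllowUsers unset -> forgotten service accounts like oracle can log in"
  return 0
}

# finding_count FILE: number of findings, so a check can fail a build or a cron job.
finding_count() { audit_sshd_config "$1" | awk 'END { print NR }'; }

tmp=$(mktemp -d)
printf '%s\n' "$WEAK_CONFIG" > "$tmp/weak.conf"
printf '%s\n' "$HARDENED_CONFIG" > "$tmp/hardened.conf"
echo "== weak config: $(finding_count "$tmp/weak.conf") findings =="
audit_sshd_config "$tmp/weak.conf"
echo "== hardened config: $(finding_count "$tmp/hardened.conf") findings =="
audit_sshd_config "$tmp/hardened.conf"
```

Point it at /etc/ssh/sshd_config for a quick look, but take the real answer from `sshd -T` run as root, which prints the effective configuration after Include files and Match blocks are applied; the parser above only reads a single file top to bottom. AllowTcpForwarding no does not stop file transfer (scp and rsync still work over the session), it only removes the port-forwarding pivot; key-only authentication plus an explicit AllowUsers list is what closes the door the oracle/oracle account opened.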