LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-08-2009, 02:42 PM   #1
kevinyeandel
Member
 
Registered: Jun 2008
Posts: 49

Rep: Reputation: 16
quick hacking question


Hi

I exposed a linux box on the net last night to do some testing, iptables locked pretty much everything down except ssh and an nfs mount which was more critical.

I forgot there was a user oracle/oracle (I know!) and obviously someone had a go - the connection was only there for 12 minutes and logs show me it was some sort of scan attempt because of all the other names being tried.

Looking up their IP address whois tells me it's
CHINA RAILWAY TELECOMMUNICATIONS CENTER

Is that likely to be spoofed?

I looked in .bash_history. There was no activity of any consequence and I recognize the activity.

I can't be totally certain nothing has been done to the server - though the account was not a member of any groups other than one for itself.

If a hacker gets in over ssh, what would be the first things they are going to do and what should I now look for on the system to see how far they have gone?

Many thanks

Kevin
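The "scan attempt because of all the other names being tried" is easy to confirm from sshd's own log lines. This is an added example, not from the thread: a POSIX shell function (awk inside) that reads sshd syslog lines, counts failed passwords and distinct usernames per source address, and raises an ALERT when an address with earlier failures then gets an accepted login, which is exactly the name-scan-then-hit-on-oracle/oracle pattern. The log lines are constructed and use documentation address ranges.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log style sshd lines (not real data):
# a username scan from one address that finally hits a default password,
# followed by a legitimate key-based login from somewhere else.
SAMPLE_LOG=$(cat <<'EOF'
Feb  7 23:12:01 box sshd[4312]: Invalid user admin from 203.0.113.45
Feb  7 23:12:03 box sshd[4314]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Feb  7 23:12:05 box sshd[4316]: Invalid user test from 203.0.113.45
Feb  7 23:12:07 box sshd[4318]: Failed password for invalid user test from 203.0.113.45 port 51240 ssh2
Feb  7 23:12:09 box sshd[4320]: Failed password for root from 203.0.113.45 port 51244 ssh2
Feb  7 23:12:11 box sshd[4322]: Accepted password for oracle from 203.0.113.45 port 51250 ssh2
Feb  7 23:40:02 box sshd[4400]: Accepted publickey for kevin from 192.0.2.10 port 40000 ssh2
EOF
)

# Reads sshd log lines on stdin. Prints an ALERT line as soon as an address
# with earlier failures gets an accepted login, then a per-address summary.
ssh_scan_report() {
    awk '
    # source address: the word after " from "
    function src(line) { sub(/.* from /, "", line); sub(/ .*/, "", line); return line }
    # username: the word after "for " (skipping the "invalid user " prefix)
    function usr(line) { sub(/.*for (invalid user )?/, "", line); sub(/ from .*/, "", line); return line }
    /sshd\[[0-9]+\]: Failed password for/ {
        ip = src($0); user = usr($0)
        fails[ip]++
        if (!((ip, user) in seen)) { seen[ip, user] = 1; names[ip]++ }
    }
    /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
        ip = src($0); user = usr($0)
        if (ip in fails) printf "ALERT %s accepted login as %s after %d failed attempts over %d usernames\n", ip, user, fails[ip], names[ip]
    }
    END { for (ip in fails) printf "%s failures=%d usernames=%d\n", ip, fails[ip], names[ip] }
    '
}

# Usage on a real box: ssh_scan_report < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | ssh_scan_report
```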
 
Old 02-08-2009, 03:06 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by kevinyeandel View Post
I exposed a linux box on the net last night to do some testing, iptables locked pretty much everything down except ssh and an nfs mount which was more critical.

I forgot there was a user oracle/oracle (I know!) and obviously someone had a go - the connection was only there for 12 minutes and logs show me it was some sort of scan attempt because of all the other names being tried.

Looking up their IP address whois tells me it's
CHINA RAILWAY TELECOMMUNICATIONS CENTER

Is that likely to be spoofed?
If they managed to log in, then no. It's highly unlikely to be a spoofed address, as that would require TCP sequence number prediction, which should be a non-issue unless you are using a really old operating system. That said, the IP could very well be that of a compromised host, so the attacker could easily be anywhere else on the planet.

Quote:
I looked in .bash_history. There was no activity of any consequence and I recognize the activity.

I can't be totally certain nothing has been done to the server - though the account was not a member of any groups other than one for itself.
Maybe start looking into IDS in order to have better data to inspect next time?

Quote:
If a hacker gets in over ssh, what would be the first things they are going to do and what should I now look for on the system to see how far they have gone?
There's really no way to predict what the attacker would do once non-root access has been obtained. A lot of factors come into play, starting with whether you were the victim of a random attack or a targeted one. The attacker's objective might have only required access to this account, or he may have intended to use this account as a starting point for privilege escalation. Seriously, there's no way to determine the intentions prior to the attack.

At this point, without an IDS, your best choice is probably to perform a thorough log file inspection to find anything out of the ordinary. Hopefully you've got a healthy amount of logging enabled. Also, if you've got a dedicated firewall in front of this box, after looking at the logs on it, keep an eye out for any suspicious connections. Before that, though, I recommend you get a snapshot of all running processes (ps), open files (lsof) and network connections (netstat) and save it on removable media for your investigation and records (assuming you haven't rebooted). Optimally, you'd wanna image the entire drive (using a live CD) after doing that too. But be warned, it's not easy to perform a decent post-incident analysis when no pre-emptive measures were taken. If you want a basic guide, have a look at the CERT Intruder Detection Checklist.

Last edited by win32sux; 02-08-2009 at 03:15 PM.
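The snapshot step win32sux describes (ps, lsof, netstat, saved to removable media before any reboot or imaging), as an added example that is not from the thread. The function takes the destination directory, which should be on the removable media rather than the suspect disk, as its argument; it skips tools that are not installed, keeps each command's stderr and exit status next to its output, and hashes everything so the snapshot can later be shown unaltered. It assumes POSIX sh plus sha256sum (or shasum as a fallback).

```shell
#!/bin/sh
# Collect volatile state before the box is rebooted or imaged.
# Each command's stdout goes to $1/<name>.txt, its stderr and exit status to
# $1/<name>.err; tools that are not installed are noted in $1/<name>.skipped.
collect_volatile() {
    out="$1"
    mkdir -p "$out" || return 1
    # name|command   (ss is the modern replacement for netstat; both are tried)
    for entry in \
        "date|date -u" \
        "uname|uname -a" \
        "uptime|uptime" \
        "ps|ps auxww" \
        "who|who -a" \
        "last|last -a" \
        "lsof|lsof -n -P" \
        "netstat|netstat -tulpan" \
        "ss|ss -tulpan" \
        "arp|cat /proc/net/arp" \
        "mounts|cat /proc/mounts" \
        "modules|cat /proc/modules"
    do
        name="${entry%%|*}"
        cmd="${entry#*|}"
        bin="${cmd%% *}"
        if command -v "$bin" >/dev/null 2>&1; then
            # $cmd is deliberately unquoted so its arguments are word-split
            $cmd >"$out/$name.txt" 2>"$out/$name.err" \
                || echo "exit status $?" >>"$out/$name.err"
        else
            echo "$bin: not installed" >"$out/$name.skipped"
        fi
    done
    # Hash the captured output so any later alteration of the snapshot shows up.
    if command -v sha256sum >/dev/null 2>&1; then hasher="sha256sum"; else hasher="shasum -a 256"; fi
    (cd "$out" && $hasher *.txt >MANIFEST.sha256)
}

# Usage (destination on the removable media, not on the suspect disk):
#   collect_volatile /media/usb/snapshot-$(date -u +%Y%m%dT%H%M%SZ)
```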
 
Old 02-08-2009, 04:35 PM   #3
kevinyeandel
Member
 
Registered: Jun 2008
Posts: 49

Original Poster
Rep: Reputation: 16
Thanks for this info. Very useful indeed.

I have one more question.

If the hacker has ssh then rsync would probably work (it does on this box).

Is it possible to transfer an executable file via rsync to a mount which is actually on a Windohs box and somehow use the 'at' command to cause the execution of a Windows application on the windows file server? That has been a pretty unattended box for many months. I'm just going over it now for obvious reasons.

I have a nasty feeling it is possible but would like to ask for sure.

Thanks

Kevin
 
Old 02-09-2009, 03:44 PM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Quote:
Originally Posted by kevinyeandel View Post
Thanks for this info. Very useful indeed.

I have one more question.

If the hacker has ssh then rsync would probably work (it does on this box).

Is it possible to transfer an executable file via rsync to a mount which is actually on a Windohs box
There are tons of ways to transfer a file if you have ssh access, the easiest of which would be scp.

Quote:
and somehow use the 'at' command to cause the execution of a Windows application on the windows file server?
It's not trivially easy to do this, although given enough motivation and resourcefulness it might be possible to make Windows RPC calls. The easier thing would probably be to tunnel RDP through the ssh connection and try weak passwords (or enumerate the share first with Samba, then use RDP). The most probable method of attack would be to simply run a pre-compiled exploit binary on Linux that is designed to attack Windows machines over the network.
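A defender-side counterpart to chort's point about tunnelling through the ssh session, added here and not part of the thread: a POSIX shell function that reads an sshd_config and flags the settings that let a foothold like oracle/oracle be obtained in the first place or be turned into a network pivot. It relies on OpenSSH's rule that the first occurrence of a keyword wins and that an absent keyword takes the built-in default (TCP forwarding on, password authentication on); Match blocks and the Keyword=value form are not handled. The weak and hardened configs in the test are constructed samples.

```shell
#!/bin/sh
# Print one FINDING per risky setting in the sshd_config given as $1.
# Returns 0 when nothing was found, 1 otherwise.
audit_sshd_config() {
    cfg="$1"; rc=0
    # keyword|acceptable values (space separated; * = any non-empty)|why it matters
    for rule in \
        "AllowTcpForwarding|no|session can tunnel RDP/SMB to other hosts (OpenSSH default: yes)" \
        "PasswordAuthentication|no|default or weak passwords can be guessed (default: yes)" \
        "PermitRootLogin|no prohibit-password|root reachable by password guessing (default was yes before OpenSSH 7.0)" \
        "AllowUsers|*|no allow-list, so every local account such as oracle may log in"
    do
        key="${rule%%|*}"; rest="${rule#*|}"
        ok="${rest%%|*}"; why="${rest#*|}"
        # First non-comment line whose keyword matches (keywords are case-insensitive) wins.
        val=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        lower=$(printf '%s' "$val" | tr 'A-Z' 'a-z')
        case "$ok" in
            '*') [ -n "$val" ] && continue ;;
            *)   case " $ok " in *" $lower "*) [ -n "$val" ] && continue ;; esac ;;
        esac
        echo "FINDING $key=${val:-<unset, default applies>}: $why"
        rc=1
    done
    return $rc
}

# Usage: audit_sshd_config /etc/ssh/sshd_config
```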