LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-04-2005, 09:04 PM   #1
BrianK
Senior Member
 
Registered: Mar 2002
Location: Los Angeles, CA
Distribution: Debian, Ubuntu
Posts: 1,334

Rep: Reputation: 51
Someone hacked my machine - any recourse?


Someone hacked one of my machines. It all started when some people were partying in my office after hours, the next morning one of the windows machines had more viruses and spyware on it than I could even count... took days to get it to a useable state.

In any event, the user I created on my network for that machine's samba connection has logged into into my ssh machine (no one ever uses that username because I created it solely for Samba) & setup a mail relay. I noticed it when my internet connection was getting really slow, so I checked the ssh machine & saw hundreds of thousands(?) of mails had been sent over the last couple days (last week). I stopped sendmail, changed the password for that user on my NIS machine, changed the shell for that user to /sbin/nologin, removed sendmail from the startup services and everything appeared to be better.

well, in my logs on the ssh machine, I see that the user I created for samba has successfully logged in through ssh again! The ip appears to come from Japan. Furthermore, a second ip tried (unsuccessfully) to log into every generic username they could think of: cgi, www-data, guest, webmaster, etc.

I have the ips of both people. Is there anything I can do? I don't neccessarily mean malicious things, I just mean can I report this to someone?
 
Old 05-04-2005, 09:17 PM   #2
jailbait
Guru
 
Registered: Feb 2003
Location: Blue Ridge Mountain
Distribution: Debian Wheezy, Debian Jessie
Posts: 7,474

Rep: Reputation: 155Reputation: 155
"can I report this to someone?"

You can report it to the FBI.

http://www.ifccfbi.gov/index.asp

----------------------------
Steve Stites
 
Old 05-04-2005, 09:43 PM   #3
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,965
Blog Entries: 11

Rep: Reputation: 865Reputation: 865Reputation: 865Reputation: 865Reputation: 865Reputation: 865Reputation: 865
And it's safe to assume that you've been rooted.

Grab a liveCD with rootkit-hunter and chkrootkit,
boot the box off that and pray that clean removal
is possible. Whatever distro you're using, you need
to make sure that the MD5 sums of all executables
are the same as on the installation media. ...

That aside, this thread belongs in security, not general.


Cheers,
Tink
 
Old 05-04-2005, 09:47 PM   #4
BrianK
Senior Member
 
Registered: Mar 2002
Location: Los Angeles, CA
Distribution: Debian, Ubuntu
Posts: 1,334

Original Poster
Rep: Reputation: 51
Quote:
Originally posted by Tinkster
...
That aside, this thread belongs in security, not general.
oops. never noticed there was a security forum.

mods, feel free to move at will.

Thanks for the suggestions.
 
Old 05-04-2005, 09:48 PM   #5
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,061

Rep: Reputation: 295Reputation: 295Reputation: 295
If there was no major financial damage, the FBI may not want to devote a lot of resources to it (at least that's what I heard, but don't take my word for it--ask some of the experts in the security forum). But hopefully you learned that if an account is meant for SAMBA access only, don't give it a real login shell!

First step is to figure out if just that one account was compromised, or if the attacker got root. If you have any doubt at all, particularly since the attacker had physical access, assume the worst. The multiple failed logins sounds like one of the brute force attacks going around (see the stickied thread in the security forum) and is probably unrelated.

If the compromise was only in the local account, you may be OK just getting rid of the account and removing all its files (check /tmp, cronjobs, etc.). However, if it were me, I'd nuke the machine and reinstall from trusted media. A pain, but it's the only way to be 100% certain you've rid yourself of the attacker.
 
Old 05-04-2005, 10:20 PM   #6
masonm
Senior Member
 
Registered: Mar 2003
Location: Following the white rabbit
Distribution: Slackware64 13.37 Android 4.0
Posts: 2,248

Rep: Reputation: 46
I agree with btmiller, if there's any doubt at all about having been rooted, wipe it and start fresh just to be safe.

As far as those IPs, unless they're total morons they're likely of no use anyway.
 
Old 05-05-2005, 12:50 AM   #7
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,174
Blog Entries: 4

Rep: Reputation: 428Reputation: 428Reputation: 428Reputation: 428Reputation: 428
Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 05-05-2005, 12:46 PM   #8
BrianK
Senior Member
 
Registered: Mar 2002
Location: Los Angeles, CA
Distribution: Debian, Ubuntu
Posts: 1,334

Original Poster
Rep: Reputation: 51
Thanks for the thread move.

I compiled and ran a chkrootkit & it claimed everything ok,

that said, now that I've double checked that the account uses /sbin/nologin as a shell, erased the account's home dir and mail account, I still see that it logged in last night, so I'm going to wipe the machine.

As luck would have it, I made an image of an identical machine a few days before this all happened, so I'll just pull it over. Unfortunately, they appear to have found some of the real accounts on the machine (that are NIS accounts & don't live in /etc/passwd) & attempted to log in through those as well.

What a headache.

.. starting my security research now.

Last edited by BrianK; 05-05-2005 at 12:52 PM.
 
Old 05-05-2005, 05:57 PM   #9
thorn168
Member
 
Registered: Oct 2004
Location: USA
Distribution: Vector Linux 5.1 Std., Vector Linux 5.8 Std., Win2k, XP, OS X (10.4 & 10.5)
Posts: 344

Rep: Reputation: 42
If these crackers are that persistant...I would deploy a honeypot or tarpit to slow them down and log their attacks on your organization.

Go to: http://honeynet.org/index.html

For more information on honeynet technology.

Goodluck,

Thorn
 
Old 05-09-2005, 09:43 AM   #10
matrixcubed
LQ Newbie
 
Registered: May 2004
Location: Gatineau, QC
Distribution: Ubuntu 6.10
Posts: 25

Rep: Reputation: 15
I would suggest, never delete anything done by someone who has comprimised your system... instead save them elsewhere only accessible by root. Then at least you can refer to what had taken place, in the event it happens again in the future. :-\
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
sharing internet from a windows 98 machine to a Red Hat Linux machine ritwiksolutions Linux - Newbie 7 03-14-2006 10:20 AM
how to know if a machine is hacked rockwell_001 Linux - Security 6 05-04-2005 04:51 AM
help! machine was hacked and cannot reboot or shutdown. parv Linux - Security 16 04-03-2005 01:11 PM
How to know if a linux machine been hacked ? juanb Linux - Security 6 07-17-2004 04:44 AM
Linux Server Hacked, Bandwidth Eating Machine... zerofocus Linux - Security 2 02-07-2004 09:22 PM


All times are GMT -5. The time now is 10:20 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration