#1 | 04-28-2006, 02:50 AM | manishsingh4u (Member; Registered: Oct 2005; Location: Bhopal, India; Distribution: RHEL 6; Posts: 422)
Kubuntu - Am I being hacked?
Hello Friends,
Although I don't really care about getting viruses or being hacked as I don't have any such crucial data on my hard disk. I am a student with nothing else more than some isos, mp3s, movies, videos on my hard disk.
Anyway, there are things that sometimes bother me like what I am noticing since 3 days on my Kubuntu 5.10.
1) a user "era" with directory named "bandi" being created in /home daily.
2) a user "band3ras" with directory named "asd" being created in /home daily.
I don't know what these users and folders are for. The folders just remain empty. So are these users related to any software or is there some infection in my OS? Did anyone get such issues? Am I being hacked or is it just some program that's causing it?
#2 | 04-28-2006, 03:00 AM | acid_kewpie (Moderator; Registered: Jun 2001; Location: UK; Distribution: Gentoo, RHEL, Fedora, Centos; Posts: 43,417)
sounds like intruders to me.... "asd" three random characters in a row on a keyboard etc... check /var/log/secure to see who has logged in from where. ensure that your ssh server (if you have one) is only listening on the right interfaces etc... use a site like shieldsup to portscan you and check for issues.
#3 | 04-28-2006, 03:20 AM | manishsingh4u (Member, Original Poster; Registered: Oct 2005; Location: Bhopal, India; Distribution: RHEL 6; Posts: 422)
Quote: Originally Posted by acid_kewpie
sounds like intruders to me.... "asd" three random characters in a row on a keyboard etc... check /var/log/secure to see who has logged in
Thanks for the quick reply. I don't have a file named /var/log/secure. Anyway, the files which I got are -
Code:
mann@Manish:~$ ls /var/log
aptitude evms-engine.5.log mail.warn
auth.log evms-engine.6.log messages
auth.log.0 evms-engine.7.log messages.0
base-config.log evms-engine.8.log news
base-config-pkgsel.log evms-engine.9.log samba
base-config.timings evms-engine.log scrollkeeper.log
btmp faillog syslog
cups fontconfig.log syslog.0
daemon.log gdm syslog.1.gz
daemon.log.0 installer syslog.2.gz
debian-installer kdm.log user.log
debug kdm.log.1 user.log.0
debug.0 kern.log uucp.log
dmesg kern.log.0 vsftpd.log
dpkg.log lastlog wtmp
evms-engine.1.log lpr.log Xorg.0.log
evms-engine.2.log mail.err Xorg.0.log.old
evms-engine.3.log mail.info
evms-engine.4.log mail.log
mann@Manish:~$
And here are some recent lines from my /var/log/auth.log
Code:
Apr 28 09:33:38 localhost sshd[7144]: (pam_unix) check pass; user unknown
Apr 28 09:33:38 localhost sshd[7144]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=lit75-2-82-225-244-138.fbx.proxad.net
Apr 28 09:33:41 localhost sshd[7144]: Failed password for invalid user ee from 82.225.244.138 port 20054 ssh2
Apr 28 09:33:43 localhost sshd[7146]: Invalid user ff from 82.225.244.138
Apr 28 09:33:43 localhost sshd[7146]: (pam_unix) check pass; user unknown
Apr 28 09:33:43 localhost sshd[7146]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=lit75-2-82-225-244-138.fbx.proxad.net
Apr 28 09:33:45 localhost sshd[7146]: Failed password for invalid user ff from 82.225.244.138 port 20044 ssh2
Apr 28 10:17:01 localhost CRON[7154]: (pam_unix) session opened for user root by (uid=0)
Apr 28 10:17:01 localhost CRON[7154]: (pam_unix) session closed for user root
Apr 28 11:17:01 localhost CRON[7170]: (pam_unix) session opened for user root by (uid=0)
Apr 28 11:17:01 localhost CRON[7170]: (pam_unix) session closed for user root
Apr 28 11:20:34 localhost sshd[6710]: Received signal 15; terminating.
Apr 28 11:47:06 localhost sshd[6695]: Server listening on :: port 22.
Apr 28 11:48:19 localhost kdm: :0[6727]: (pam_unix) session opened for user mann by (uid=0)
Apr 28 12:09:28 localhost sshd[7019]: Accepted password for root from 89.34.20.174 port 1164 ssh2
Apr 28 12:09:29 localhost sshd[7021]: (pam_unix) session opened for user root by root(uid=0)
Apr 28 12:09:45 localhost passwd[7036]: (pam_unix) password changed for root
Apr 28 12:09:45 localhost passwd[7036]: (pam_unix) Password for root was changed
Apr 28 12:10:10 localhost groupadd[7041]: new group: name=bandi, gid=1002
Apr 28 12:10:10 localhost useradd[7042]: new user: name=bandi, uid=1002, gid=1002, home=/home/bandi, shell=/bin/bash
Apr 28 12:10:21 localhost passwd[7045]: (pam_unix) password changed for bandi
Apr 28 12:10:21 localhost passwd[7045]: (pam_unix) Password for bandi was changed
Apr 28 12:10:28 localhost chfn[7046]: changed user `bandi' information
Apr 28 12:10:35 localhost groupadd[7048]: new group: name=band3ras, gid=1003
Apr 28 12:10:35 localhost useradd[7049]: new user: name=band3ras, uid=1003, gid=1003, home=/home/band3ras, shell=/bin/bash
Apr 28 12:10:42 localhost passwd[7052]: (pam_unix) password changed for band3ras
Apr 28 12:10:42 localhost passwd[7052]: (pam_unix) Password for band3ras was changed
Now I am going to check for shieldsup. Will post after that again.
#4 | 04-28-2006, 03:48 AM | unSpawn (Moderator; Registered: May 2001; Posts: 29,415)
Now I am going to check for shieldsup.
No need to do that.
...and there it is:
Apr 28 12:09:28 localhost sshd[7019]: Accepted password for root from 89.34.20.174 port 1164 ssh2
(..)
Apr 28 12:10:10 localhost useradd[7042]: new user: name=bandi, uid=1002, gid=1002, home=/home/bandi, shell=/bin/bash
(..)
Apr 28 12:10:35 localhost useradd[7049]: new user: name=band3ras, uid=1003, gid=1003, home=/home/band3ras, shell=/bin/bash
Your box has been cracked, likely because you didn't harden your box since it still allows root login through ssh. The root account should NEVER be accessible over any network. He's changed the root pass and added a few users. For you: game over, and this is the procedure you will have to follow:
1. Backup your personal data (movies, music, documents),
2. Reinstall your O.S. from scratch and make sure you change all passwords for all accounts,
3. Reboot into runlevel 1 and stop all services that are accessible over the network that are not vital to operating the box (about any) and make the firewall deny inbound access before returning to runlevel 3 or higher,
4. Harden your box,
5. Remove any software you do not need *now*, then update SW.
More info on hardening your box you can find in the LQ FAQ: Security references post #1 which includes links to Debian-specific docs like the Debian Security HOWTO.
One final note, and this may sound a bit harsh, but this:
Quote: Originally Posted by manishsingh4u
Although I don't really care about getting viruses or being hacked as I don't have any such crucial data on my hard disk.
is a rather selfish view when using a networked O.S. like Linux. You're part of the network and trouble originating from your machine may well affect others. Please take your responsibilities a bit more seriously. It's a small toll to pay for all the freedom you get.
Last edited by unSpawn; 04-28-2006 at 03:57 AM.
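The sequence unSpawn reads out of the log (password guessing against sshd, then an accepted root password login, then a root password change and new accounts) can be pulled out of an auth.log mechanically. The script below is an added example and is not code from the thread or from any of its posters; it re-uses the log lines quoted in post #3 as sample input plus one constructed "Accepted publickey" line for a normal login, and its regexes assume the syslog/pam_unix message format shown there.

```python
import re
from collections import Counter

# Sample auth.log excerpt. All lines except the last are taken from post #3 above;
# the final "Accepted publickey" line is constructed to show what a normal login looks like.
SAMPLE_AUTH_LOG = """\
Apr 28 09:33:41 localhost sshd[7144]: Failed password for invalid user ee from 82.225.244.138 port 20054 ssh2
Apr 28 09:33:43 localhost sshd[7146]: Invalid user ff from 82.225.244.138
Apr 28 09:33:45 localhost sshd[7146]: Failed password for invalid user ff from 82.225.244.138 port 20044 ssh2
Apr 28 10:17:01 localhost CRON[7154]: (pam_unix) session opened for user root by (uid=0)
Apr 28 12:09:28 localhost sshd[7019]: Accepted password for root from 89.34.20.174 port 1164 ssh2
Apr 28 12:09:45 localhost passwd[7036]: (pam_unix) password changed for root
Apr 28 12:10:10 localhost useradd[7042]: new user: name=bandi, uid=1002, gid=1002, home=/home/bandi, shell=/bin/bash
Apr 28 12:10:21 localhost passwd[7045]: (pam_unix) password changed for bandi
Apr 28 12:10:35 localhost useradd[7049]: new user: name=band3ras, uid=1003, gid=1003, home=/home/band3ras, shell=/bin/bash
Apr 28 12:30:00 localhost sshd[7080]: Accepted publickey for mann from 192.0.2.10 port 50000 ssh2
"""

# Patterns for the sshd / pam_unix / shadow-utils messages in the format the thread shows.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+), uid=(\d+)")
PASSWD_RE = re.compile(r"passwd\[\d+\]: \(pam_unix\) password changed for (\S+)")


def analyze_auth_log(text, fail_threshold=2):
    """Summarise an auth.log excerpt into the events that matter for a compromise review."""
    failures = Counter()          # failed-password count per remote host
    report = {
        "bruteforce": {},         # host -> failure count, once it reaches fail_threshold
        "root_logins": [],        # (host, auth method) for every accepted root session
        "new_users": [],          # (name, uid) from useradd
        "password_changes": [],   # accounts whose password was changed, in log order
    }
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, host = m.groups()
            if user == "root":
                report["root_logins"].append((host, method))
            continue
        m = USERADD_RE.search(line)
        if m:
            report["new_users"].append((m.group(1), int(m.group(2))))
            continue
        m = PASSWD_RE.search(line)
        if m:
            report["password_changes"].append(m.group(1))
    report["bruteforce"] = {h: n for h, n in failures.items() if n >= fail_threshold}
    return report


def is_compromised(report):
    """The combination unSpawn points at: root got in over the network and accounts were then altered."""
    root_in = bool(report["root_logins"])
    accounts_touched = bool(report["new_users"]) or "root" in report["password_changes"]
    return root_in and accounts_touched


if __name__ == "__main__":
    r = analyze_auth_log(SAMPLE_AUTH_LOG)
    for host, n in r["bruteforce"].items():
        print(f"password guessing from {host}: {n} failures")
    for host, method in r["root_logins"]:
        print(f"root logged in from {host} via {method}")
    for name, uid in r["new_users"]:
        print(f"new account {name} (uid {uid})")
    print("verdict:", "compromised" if is_compromised(r) else "no compromise indicators")
```

The failure threshold is deliberately low because the excerpt is short; on a real log you would raise it and also key on the time window, but the decisive signal is the same: an accepted password login for root followed by account changes that the owner did not make.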
#5 | 04-28-2006, 03:53 AM | manishsingh4u (Member, Original Poster; Registered: Oct 2005; Location: Bhopal, India; Distribution: RHEL 6; Posts: 422)
Okay, it's all about ssh (port number 22). So, what would be the purpose of this new user on my PC? I also tried pinging and locating this IP address.
and
Both of them are located somewhere in France. Cool. How do they do it man? Should I try the same on them too..hahaha?
Last edited by manishsingh4u; 04-28-2006 at 03:54 AM.
#6 | 04-28-2006, 03:57 AM | manishsingh4u (Member, Original Poster; Registered: Oct 2005; Location: Bhopal, India; Distribution: RHEL 6; Posts: 422)
Quote: Originally Posted by unSpawn
Reinstall your O.S. from scratch and make sure you change all passwords for all accounts,
Can't I just secure the ssh instead of a reinstall? I have changed my root password and deleted those new users which were created by the cracker. Can I do the same to him? I would love to if I can.
#7 | 04-28-2006, 03:59 AM | unSpawn (Moderator; Registered: May 2001; Posts: 29,415)
You're stalling.
Do what you need to do now, discuss later.
It's really of no use right now.
#8 | 04-28-2006, 04:11 AM | manishsingh4u (Member, Original Poster; Registered: Oct 2005; Location: Bhopal, India; Distribution: RHEL 6; Posts: 422)
Quote: Originally Posted by unSpawn
You're part of the network and trouble originating from your machine may well affect others. Please take your responsibilities a bit more seriously. It's a small toll to pay for all the freedom you get.
I will keep that in mind in future.
I am gonna watch it today. If he comes in again, I will go for a reinstall. Thanks for the help friends. Will post again tomorrow after securing my box.
#9 | 04-28-2006, 04:16 AM | unSpawn (Moderator; Registered: May 2001; Posts: 29,415)
Okay, it's all about ssh (port number 22).
No. That is just one detail, one way to get in. Look at the bigger picture.
So, what would be the purpose of this new user on my PC?
That's besides the point as well. Remember he changed the root password?
I also tried pinging and locating this IP address.
Nice. If he's alert and correlates your IP with his list of cracked hosts he now knows you've found him out.
Both of them are located somewhere in France.
No. The .*\.174 is from Romania. Does that ring a bell?
How do they do it man?
In this case most likely scanning a range for accessible ssh servers (where root account access is not blocked) and (automatically) bruteforce the resulting IP's.
Should I try the same on them too..hahaha?
Most likely the most futile waste of time after making the cracker aware already. Besides that he may just have used an intermediate, so the box you're trying to "counter-crack" may be a user just like yourself.
I am gonna watch it today. If he comes in again
Please perform the tasks laid out for you *now*.
Anything else is a waste of time.
Last edited by unSpawn; 04-28-2006 at 04:19 AM.
Reason: //have keybd, cant type
#10 | 04-28-2006, 04:19 AM | unSpawn (Moderator; Registered: May 2001; Posts: 29,415)
Will post again tomorrow after securing my box.
Securing your box after a compromise but without reinstalling the O.S. from scratch should not be the procedure.
So one more time: Please perform the tasks laid out for you *now*. Anything else is a waste of time.
#11 | 04-28-2006, 04:23 AM | manishsingh4u (Member, Original Poster; Registered: Oct 2005; Location: Bhopal, India; Distribution: RHEL 6; Posts: 422)
Quote: Originally Posted by unSpawn
Please perform the tasks laid out for you *now*.
Okay, I will do it now.
#12 | 04-28-2006, 04:27 AM | unSpawn (Moderator; Registered: May 2001; Posts: 29,415)
Thanks. Looking ahead, if you have any questions left related to the tasks, now would be a good time to ask.
#13 | 04-28-2006, 04:31 AM | manishsingh4u (Member, Original Poster; Registered: Oct 2005; Location: Bhopal, India; Distribution: RHEL 6; Posts: 422)
Okay, so how can I make my box secure? I haven't really paid any attention on the security side until today as I didn't come across such a situation.
But now, I would love to learn. Can you help me do it?
#14 | 04-28-2006, 05:39 AM | unSpawn (Moderator; Registered: May 2001; Posts: 29,415)
Okay, so how can I make my box secure?
I said "any questions left related to the tasks", so I'll focus on that now. The rest will come later on, preferably after you've spent some time reading the LQ FAQ: Security references post #1 which includes links to Debian-specific docs like the Debian Security HOWTO. Let's split by phase: pre-install, install and post-install. I won't post stuff that doesn't apply to Debian-alike boxen.
Pre-installation phase
Since your box was cracked you should start by either bringing the box into a stable state if you need to work on it. The easiest way would be to boot a LiveCD like KNOPPIX, stop any networked services and raise the firewall to block inbound traffic to networked services. Else reboot the box into runlevel 1. Now your box should be in a state where you can save authentication data, logs and make backups. Do not save binaries or data (with the intent of using it for recovery) you can't read or do not have the means to verify integrity for. The final thing on this box would be to get the software you need in the post-installation phase, the security checklist from CERT and the Debian Security HOWTO. Reading and understanding the steps the CERT security checklist and the Debian Security HOWTO offer is strongly suggested.
Installation phase
- do select to wipe the disks fully, repartition and reformat the filesystems,
- do not select packages (especially networked services) you do not need *immediately*
- do select to install (if available, else fetch it pre-install):
- - firewall, sudo, pam_passwdqc, logwatch, backup software,
- - a file integrity checker like Aide or Samhain or even tripwire,
- - a host-based IDS like Snort, Prelude, Bro or whatever else you're accustomed with,
- - hardening tools like Bastille-Linux,
- - auditing tools like Tiger, Chkrootkit and Rootkit Hunter,
- if the installer offers it, do:
- - customise the firewall to block all traffic to networked services,
- - make (an) unprivileged user account(s),
- - select using the strongest password hash,
Post-install phase
- do boot into runlevel 1 after completion and make sure that:
- - the firewall does block and log inbound traffic,
- - the firewall does accept and log inbound traffic with the "RELATED,ESTABLISHED" state,
- - all networked services are prohibited from starting (in the hardening, audit and update phase you won't need any),
- - the unprivileged user can perform root account tasks using sudo,
- - a baseline database is made using the file integrity checker. Now reboot into a higher runlevel of choice.
- If you're not familiar with applying security-enhancing measures manually, make a backup and run Bastille-Linux to harden the box,
- After this audit running Tiger. Go over the log to see if you need to perform more hardening tasks. If you do, rerun Tiger and recheck the logs until satisfied.
- At this point you should have a box that is sufficiently hardened to update kernel and software and continue hardening and auditing at an easier pace. Re-audit the box after updates and go over the security checklist from CERT and the essentials from the Debian Security HOWTO. Remember to read your log (reports) regularly. Do update automatically or have the discipline to check and run manually *as soon as updates are offered*. Do not enable networked services before you have properly configured an unprivileged user to run it, have denied privileged user network access to it and have restricted network access using your firewall and TCP wrappers and any options in the services' conf (and in Xinetd if necessary). Do not run legacy services that are inherently unsafe to use like any R* services, telnet. Do not run services that are inherently unsafe to use before you know how to run them safely like any PHP-based applications or services that are marked experimental or for development only (like for instance XAMP).
I haven't really paid any attention on the security side until today as I didn't come across such a situation.
Unfortunately that's the case for many Linux users. At least you're not alone ;-p
But now, I would love to learn. Can you help me do it?
We can certainly help you build your knowledge by giving you (pointers to) information.
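unSpawn's checklist and acid_kewpie's earlier advice about ssh come down to a few sshd_config settings: root must not log in over the network, sshd should listen only on the interface it has to serve, and password guessing should get nowhere. The script below is an added example, not code from the thread or from OpenSSH; it audits an sshd_config text for those settings and shows the permissive configuration beside its hardened counterpart. Both configuration texts and the address 192.0.2.5 are constructed for the example; the user name mann is the one from the prompt in post #3.

```python
import re

# Constructed example, not from the thread: a permissive sshd_config of the kind that
# lets the accepted root password login in post #3 happen.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

# Constructed hardened counterpart. 192.0.2.5 stands in for the one interface sshd
# should serve; mann is the unprivileged account from the thread.
HARDENED_SSHD_CONFIG = """\
Port 22
ListenAddress 192.0.2.5
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers mann
X11Forwarding no
"""

# sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
LINE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Return {lowercased keyword: value} the way sshd reads the file: comments stripped,
    the first occurrence of a keyword wins, and parsing stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # conditional blocks are out of scope for this global-settings audit
        settings.setdefault(key, value)
    return settings


# (keyword, predicate on the value, what to change). A missing keyword is reported too:
# defaults differ between OpenSSH versions, so the safe setting should be explicit.
CHECKS = [
    ("permitrootlogin", lambda v: v.lower() == "no", "set PermitRootLogin no; log in as a user and use sudo"),
    ("passwordauthentication", lambda v: v.lower() == "no", "set PasswordAuthentication no and use keys"),
    ("maxauthtries", lambda v: v.isdigit() and int(v) <= 3, "set MaxAuthTries 3"),
    ("allowusers", lambda v: bool(v.split()), "set AllowUsers to the accounts that need ssh"),
    ("listenaddress", lambda v: v not in ("0.0.0.0", "::", "[::]"), "bind sshd to the interface it should serve"),
    ("x11forwarding", lambda v: v.lower() == "no", "set X11Forwarding no unless you need it"),
]


def audit_sshd_config(text):
    """Return a list of (keyword, current value or None, advice) for every failed check."""
    settings = parse_sshd_config(text)
    findings = []
    for key, ok, advice in CHECKS:
        value = settings.get(key)
        if value is None or not ok(value):
            findings.append((key, value, advice))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for key, value, advice in findings:
            print(f"  {key} = {value!r}: {advice}")
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; every finding is one line to change before the service is allowed back on the network, and the firewall and TCP wrappers rules from the checklist still apply on top of this.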
#15 | 04-28-2006, 05:45 AM | unSpawn (Moderator; Registered: May 2001; Posts: 29,415)
BTW, the above isn't complete and it never will be. Security is not a "one off" but a continuous process of auditing and adjusting. Also please do not be discouraged by the amount or volume of steps to take. If you read what's offered a bit you will see it's easier than it looks at first glance. Take the time to read, make a checklist of steps, concentrate, check and re-check and pace yourself while working. It's not a race.
* You also might find it beneficial to keep a log of things you change and make regular backups (especially of /etc) during work for easy recovery in case of human errors.
Last edited by unSpawn; 04-28-2006 at 05:48 AM.
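The file integrity baseline unSpawn asks for in the post-install phase, and the regular backups of /etc he recommends above, both come down to recording what the files looked like and diffing against that record later. The example below is added here and is not code from the thread nor from Aide, Samhain or Tripwire; it implements the idea in miniature with SHA-256 hashes over a constructed temporary directory standing in for /etc, and simulates the kind of change seen in the thread (a new account appended to passwd) plus an added and a removed file.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its hash, mode and size."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are skipped here; a real checker records their targets too
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": file_digest(full),
                "mode": oct(st.st_mode & 0o7777),
                "size": st.st_size,
            }
    return baseline


def save_baseline(baseline, path):
    """Store the baseline as JSON; keep it off the monitored box (or on read-only media)."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare_to_baseline(baseline, root):
    """Re-hash the tree and report what appeared, vanished or changed since the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p]),
    }


def _write(root, rel, content):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo():
    """Constructed miniature /etc: baseline it, then append an account to passwd (as in the
    thread), drop in a new cron job file and delete a file, and diff against the baseline."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "ssh/sshd_config", "PermitRootLogin no\n")
        _write(root, "hostname", "Manish\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Changes made after the baseline was taken (constructed).
        _write(root, "passwd", "root:x:0:0:root:/root:/bin/bash\nbandi:x:1002:1002::/home/bandi:/bin/bash\n")
        _write(root, "cron.d/newjob", "@reboot root /usr/local/bin/newjob\n")
        os.remove(os.path.join(root, "ssh/sshd_config"))

        return compare_to_baseline(load_baseline(baseline_path), root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Expected output: the report lists `cron.d/newjob` as added, `ssh/sshd_config` as removed and `passwd` as modified, while `hostname` does not appear. A baseline is only worth as much as its storage: take it right after the clean install, before the box goes on the network, and keep the JSON somewhere an intruder with root cannot quietly rewrite it.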