Linux - Security (LinuxQuestions.org forum)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Someone hacked one of my machines. It all started when some people were partying in my office after hours; the next morning one of the Windows machines had more viruses and spyware on it than I could even count... took days to get it to a usable state.
In any event, the user I created on my network for that machine's Samba connection has logged into my ssh machine (no one ever uses that username because I created it solely for Samba) & set up a mail relay. I noticed it when my internet connection was getting really slow, so I checked the ssh machine & saw hundreds of thousands(?) of mails had been sent over the last couple of days (last week). I stopped sendmail, changed the password for that user on my NIS machine, changed the shell for that user to /sbin/nologin, removed sendmail from the startup services and everything appeared to be better.
Well, in my logs on the ssh machine, I see that the user I created for Samba has successfully logged in through ssh again! The IP appears to come from Japan. Furthermore, a second IP tried (unsuccessfully) to log into every generic username they could think of: cgi, www-data, guest, webmaster, etc.
I have the IPs of both people. Is there anything I can do? I don't necessarily mean malicious things, I just mean can I report this to someone?
Grab a liveCD with rootkit-hunter and chkrootkit, boot the box off that and pray that clean removal is possible. Whatever distro you're using, you need to make sure that the MD5 sums of all executables are the same as on the installation media. ...
That aside, this thread belongs in security, not general.
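The advice above (compare every executable against the installation media) is easy to state and fiddly to do by hand, so here is an added example, not from the thread or from any LQ member: a small POSIX shell script that builds a sha256 manifest from a trusted copy of the binaries and checks a suspect tree against it, run from a live CD with the suspect root mounted read-only. sha256 stands in for MD5, which is collision-prone. The demo tree, its file names and the `demo_dir` variable are constructed for the example; on a packaged system `rpm -Va` (RPM distros) and `debsums -c` (Debian/Ubuntu) do the same job from the package database.

```shell
#!/bin/sh
# Added example, not from the thread. Build a hash manifest from a trusted copy
# of the binaries (installation media, or a known-good image like the one the
# OP has) and check the suspect tree against it from a live CD, with the
# suspect root mounted read-only. Never keep the manifest on the suspect box:
# an intruder with root would simply update it to match the trojaned files.

# make_baseline DIR MANIFEST : record sha256 of every regular file under DIR
make_baseline() {
    dir=$1; manifest=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$manifest"
}

# verify_baseline DIR MANIFEST : print each changed or missing file as
# "./path: FAILED"; exit status is non-zero if anything failed
verify_baseline() {
    dir=$1; manifest=$2
    ( cd "$dir" && sha256sum --quiet -c "$manifest" 2>&1 )
}

# list_unlisted DIR MANIFEST : files present now that the manifest never saw
# (a dropped tool, a new setuid binary); `sha256sum -c` cannot report these
list_unlisted() {
    dir=$1; manifest=$2
    known=$(mktemp)
    cut -c67- "$manifest" | sort > "$known"   # 64 hex digits + two spaces, then the path
    ( cd "$dir" && find . -type f ) | sort | comm -13 "$known" -
    rm -f "$known"
}

# Demo on a constructed tree standing in for /usr/bin (not real binaries)
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/good/bin"
printf 'ls\n' > "$demo_dir/good/bin/ls"
printf 'ps\n' > "$demo_dir/good/bin/ps"
cp -r "$demo_dir/good" "$demo_dir/suspect"
make_baseline "$demo_dir/good/bin" "$demo_dir/good.sha256"   # taken from the trusted copy
printf 'trojan\n' > "$demo_dir/suspect/bin/ps"                 # a replaced binary
printf 'x\n' > "$demo_dir/suspect/bin/.hidden"                 # a dropped file
verify_baseline "$demo_dir/suspect/bin" "$demo_dir/good.sha256" || echo "-> files above differ from trusted media"
list_unlisted "$demo_dir/suspect/bin" "$demo_dir/good.sha256"   # prints ./.hidden
rm -rf "$demo_dir"
```

Generate the manifest on the clean machine (or from the mounted install media), carry it to the live CD on read-only media, and run `verify_baseline` and `list_unlisted` against the mounted suspect filesystem; a trojaned `ps`, `ls` or `netstat` shows up as FAILED, and anything the intruder dropped next to them shows up as unlisted.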
If there was no major financial damage, the FBI may not want to devote a lot of resources to it (at least that's what I heard, but don't take my word for it--ask some of the experts in the security forum). But hopefully you learned that if an account is meant for Samba access only, don't give it a real login shell!
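To find every account in that situation rather than just the one that already bit, here is an added example, not from the thread or from any LQ member: a POSIX shell audit that cross-references Samba's account list with the Unix account database and prints the Samba users that still have an interactive shell. The passwd and `pdbedit` data below are constructed stand-ins; on a real box feed it `getent passwd` (which, unlike /etc/passwd, includes NIS accounts) and `pdbedit -L` (Samba's own list, one `user:uid:fullname` per line). The remediation commands in the trailing comments are standard `usermod`, `passwd` and `sshd_config` usage; one caveat worth knowing is that a nologin shell only blocks the shell, not authentication, so sshd still logs "Accepted password" and `ssh -N` can still open port forwards until the account is also denied in sshd_config.

```shell
#!/bin/sh
# Added example, not from the thread. Lists Samba accounts that still have an
# interactive Unix shell. Inputs are files so the functions can run on
# constructed data; on a real box feed them `getent passwd` and `pdbedit -L`.

# Shells that refuse an interactive login; add your distro's path if it differs
NOLOGIN_SHELLS='/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false'

# is_nologin SHELL : succeed if SHELL is one of NOLOGIN_SHELLS
is_nologin() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# interactive_samba_accounts PASSWD_FILE PDBEDIT_FILE
# prints "user shell" for each Samba user whose Unix shell is interactive
interactive_samba_accounts() {
    passwd=$1; samba=$2
    cut -d: -f1 "$samba" | sort -u | while IFS= read -r user; do
        entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd")
        [ -n "$entry" ] || continue          # Samba user without a Unix account
        shell=${entry##*:}                   # seventh field of the passwd line
        [ -n "$shell" ] || shell=/bin/sh     # an empty shell field means /bin/sh
        is_nologin "$shell" || printf '%s %s\n' "$user" "$shell"
    done
    return 0
}

# Demo with constructed data (stand-ins for `getent passwd` and `pdbedit -L`)
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
smbshare:x:1001:1001:Samba share user:/home/smbshare:/bin/bash
printer:x:1002:1002::/var/spool/samba:/sbin/nologin
EOF
cat > "$demo/pdbedit" <<'EOF'
smbshare:1001:Samba share user
printer:1002:
EOF
interactive_samba_accounts "$demo/passwd" "$demo/pdbedit"   # prints: smbshare /bin/bash
rm -rf "$demo"

# Remediation for each line printed (standard commands, run as root; on a NIS
# master, push the maps afterwards):
#   usermod -s /sbin/nologin smbshare    # no shell, so no ssh commands either
#   passwd -l smbshare                   # lock the Unix password; Samba keeps its own
# A nologin shell still lets the password authenticate: sshd logs "Accepted
# password", and `ssh -N` opens port forwards without ever asking for a shell.
# So also refuse the account in /etc/ssh/sshd_config and reload sshd:
#   DenyUsers smbshare
```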
First step is to figure out if just that one account was compromised, or if the attacker got root. If you have any doubt at all, particularly since the attacker had physical access, assume the worst. The multiple failed logins sound like one of the brute force attacks going around (see the stickied thread in the security forum) and are probably unrelated.
If the compromise was only in the local account, you may be OK just getting rid of the account and removing all its files (check /tmp, cronjobs, etc.). However, if it were me, I'd nuke the machine and reinstall from trusted media. A pain, but it's the only way to be 100% certain you've rid yourself of the attacker.
I compiled and ran chkrootkit & it claimed everything OK. That said, now that I've double-checked that the account uses /sbin/nologin as a shell and erased the account's home dir and mail account, I still see that it logged in last night, so I'm going to wipe the machine.
As luck would have it, I made an image of an identical machine a few days before this all happened, so I'll just pull it over. Unfortunately, they appear to have found some of the real accounts on the machine (that are NIS accounts & don't live in /etc/passwd) & attempted to log in through those as well.
I would suggest never deleting anything done by someone who has compromised your system... instead save it elsewhere, only accessible by root. Then at least you can refer to what had taken place, in the event it happens again in the future. :-\
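Two earlier pieces of advice fit together here: check /tmp, cron jobs and the account's files before removing it, and keep what you find somewhere only root can read. As an added example, not from the thread or from any LQ member, this POSIX shell script collects the usual artifacts of one account (home directory, mail spool, crontab, anything it owns in the world-writable staging directories), copies them with ownership and timestamps intact into a mode 0700 directory, and writes a listing plus sha256 hashes so the next incident can be compared against this one. The `ROOT` argument defaults to / and exists only so the functions can be exercised on a constructed tree; the mail and cron spool paths are the common Linux locations and are an assumption for your distro. The test data (an `authorized_keys`, a crontab, a dropped file under tmp) is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Before cleaning out a compromised
# account, copy what it left behind into a directory only root can open, with a
# listing and sha256 hashes, so it can be compared against the next incident or
# handed to whoever you report the IPs to. ROOT defaults to / and exists so the
# functions can be run against a constructed tree; the spool paths are the
# usual Linux ones and are an assumption for your distro.

# account_artifacts USER [ROOT] : print one existing path per line
account_artifacts() {
    user=$1; root=${2:-/}; root=${root%/}
    for p in "$root/home/$user" "$root/var/mail/$user" "$root/var/spool/mail/$user" \
             "$root/var/spool/cron/$user" "$root/var/spool/cron/crontabs/$user"; do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    # world-writable staging areas are where dropped tools usually end up
    for d in "$root/tmp" "$root/var/tmp" "$root/dev/shm"; do
        [ -d "$d" ] && find "$d" -user "$user" -print 2>/dev/null || true
    done
    return 0
}

# preserve_evidence DEST USER [ROOT] : copy the artifacts under DEST/tree with
# their original paths (ownership and timestamps kept by cp -a), DEST mode 0700,
# plus paths.txt, listing.txt and sha256.txt for later comparison
preserve_evidence() {
    dest=$1; user=$2; root=${3:-/}; root=${root%/}
    mkdir -p "$dest" && chmod 0700 "$dest"
    account_artifacts "$user" "$root" > "$dest/paths.txt"
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        rel=${p#"$root"}                       # path as it was on the victim
        mkdir -p "$dest/tree$(dirname "$rel")"
        cp -a "$p" "$dest/tree$(dirname "$rel")/"
    done < "$dest/paths.txt"
    ls -laR "$dest/tree" > "$dest/listing.txt"
    ( cd "$dest" && find tree -type f -exec sha256sum {} + | sort -k2 ) > "$dest/sha256.txt"
    return 0
}
# Only after this: userdel -r USER, crontab -r -u USER, and remove the dropped files.
# Run as root on the real box: preserve_evidence /root/incident-$(date +%F) USER
```

Run it as root before `userdel`; the copy lands under /root (or wherever DEST points) with 0700 permissions, `paths.txt` records where each item came from, and `sha256.txt` lets you tell at a glance whether a later compromise reused the same relay script or keys.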