LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 06-20-2006, 09:02 AM   #1
kd5pbo
Member
 
Registered: Jun 2006
Location: Washington, DC, USA
Distribution: Slackware
Posts: 41

Rep: Reputation: 15
User/Password quirk


Does Slackware by default set an expiration date on root's password?
Also, is there, by default a user named 'badboy'?
 
Old 06-20-2006, 09:04 AM   #2
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
No, and no. Why, are you trying to hack into a Slackware server? Good luck, you won't succeed :-)

Eric
 
Old 06-20-2006, 09:38 AM   #3
kd5pbo
Member
 
Registered: Jun 2006
Location: Washington, DC, USA
Distribution: Slackware
Posts: 41

Original Poster
Rep: Reputation: 15
Uh, actually, when I got home yesterday, I found my root password changed and a random entry in /etc/passwd. Whoever 'badboy' is didn't bother setting up a /home directory. I'm not hugely worried because I'm probably going to reinstall when 11 comes out, and afaik there's no sensitive anything on there.
 
Old 06-20-2006, 09:50 AM   #4
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Well, that sounds like you were hacked. I would be worried if I were you, if you have no idea where the hacker came from and what he or she used to break in.
If this is a computer that is exposed to the Internet, check all services that are accessible and verify whether the versions you run have known vulnerabilities.

Eric
 
Old 06-20-2006, 10:08 AM   #5
uselpa
Senior Member
 
Registered: Oct 2004
Location: Luxemburg
Distribution: Slackware, OS X
Posts: 1,507

Rep: Reputation: 47
You _should_ be worried more than that, in case "badboy" uses your machine for something illegal. You'd be more than embarrassed in case it's used to send spam or to swap pornography. If I were you, I'd try to watch very closely what he's doing, without him noticing and without locking him out at first.
 
Old 06-20-2006, 10:10 AM   #6
davidsrsb
Member
 
Registered: Oct 2003
Location: Kuala Lumpur, Malaysia
Distribution: Slackware 13.37 current
Posts: 770

Rep: Reputation: 33
I would format that machine NOW. There may be a root kit in there.

Are you sure that nobody has been able to get to the keyboard?

Most 10.2 patches are of the denial of service category.
The only ones that could obviously give a hole in are openssh, apache and php.
10.2 or current are not exactly easy targets for hacking.
 
Old 06-20-2006, 11:22 PM   #7
kd5pbo
Member
 
Registered: Jun 2006
Location: Washington, DC, USA
Distribution: Slackware
Posts: 41

Original Poster
Rep: Reputation: 15
I have a handful of housemates who could've, but I seriously doubt that anybody here has heard of linux, much less could have set up an account and changed the root password. Besides, /var/log/messages shows somebody using ssh.

I've only been using slackware for a couple of days now, I'm a convert from Mandriva, and so I'm in a learning curve again.

According to netstat, the only port in use is my own connection, but on the other hand, I could be using a rooted computer. I realised too late today to do anything about it, but what ought I do as far as prevention and cleanup and whatnot? I used chkrootkit and rkhunter both of which turned up clean, but I've not been able to slave the hard drive or use a live cd to scan yet.

I've got an ip address, somewhere in Korea, but I have a feeling that there's a pretty good chance that this is probably not the locale from which the hacker is hacking. Guidance, O Great Linux Gurus?
 
Old 06-21-2006, 01:11 AM   #8
gbonvehi
Senior Member
 
Registered: Jun 2004
Location: Argentina (SR, LP)
Distribution: Slackware
Posts: 3,145

Rep: Reputation: 53
Unplug the computer from the internet and start checking what he did.
First thing to be done before it's up again would be to disable sshd; if you're not using it, never activate it. Then check permissions, and files owned or that can be used by "badboy".

Reset the root password by using Slackware CD 1: you can chroot and change the password using passwd, or edit /etc/shadow to set an empty password.

Take a look at running processes, where they're started, etc.

As you already know, you can never trust binary files on a compromised computer, they can be easily replaced by modified ones.

Checking a hacked machine is a good learning exercise.

Last edited by gbonvehi; 06-21-2006 at 01:14 AM.
 
Old 06-21-2006, 01:37 AM   #9
kd5pbo
Member
 
Registered: Jun 2006
Location: Washington, DC, USA
Distribution: Slackware
Posts: 41

Original Poster
Rep: Reputation: 15
Might it be a good idea to sit and monitor to see what he does? I'll unplug while I'm away, of course, but have /var/log/messages always monitored. This way I'll maybe get some idea as to what he's doing which would make troubleshooting easier. Is there any way to monitor or log an ssh user's commands? I figure that .bash_history is too easily changed.

As far as I can tell, all he did was to create a user with UID 0 and change the root password. He didn't create a home directory; there's not even a default shell in /etc/passwd. Nothing seems to have randomly changed; portscanning turns up nothing; could this be somebody running a script for later, or perhaps running a script he found somewhere online?

He doesn't seem to be a regular customer, as /var/log/messages shows no activity for 'badboy' and only two logins for root, five hours and one second apart. Is there any reason not to try to crack his password with john the ripper?
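One way to check the indicators described in the posts above (a second UID 0 account, a passwd entry with no home directory or shell, and root logins via sshd in /var/log/messages) against copies of the files pulled from the slaved drive on a clean machine, as an added example that is not from this thread; the passwd and messages content below is constructed, and 203.0.113.45 is a placeholder address, not the real one:

```shell
#!/bin/sh
# Added example, not code from the thread. Audits copies of /etc/passwd and
# /var/log/messages taken from the suspect disk, run on a clean machine because
# binaries on the compromised box cannot be trusted. Looks for: a second UID 0
# account, an account with no home directory or shell, and sshd logins for root
# from an address you do not recognise. The sample files below are constructed.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/passwd" <<'EOF'
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
kd5pbo:x:1000:100::/home/kd5pbo:/bin/bash
badboy:x:0:0:::
EOF

cat > "$TMP/messages" <<'EOF'
Jun 19 13:02:11 slack sshd[2210]: Accepted password for kd5pbo from 192.168.1.20 port 40012 ssh2
Jun 19 18:05:42 slack sshd[2891]: Accepted password for root from 203.0.113.45 port 51234 ssh2
Jun 19 23:05:43 slack sshd[3102]: Accepted password for root from 203.0.113.45 port 51240 ssh2
Jun 19 23:07:00 slack sshd[3110]: Failed password for root from 203.0.113.45 port 51301 ssh2
EOF

# Every account other than root whose UID is 0: a second root login.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts with an empty home directory or shell field (hastily added by a tool).
incomplete_accounts() {
    awk -F: '$6 == "" || $7 == "" { print $1 }' "$1"
}

# "user address" for each successful sshd login in a syslog-style messages file.
ssh_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / { print $9, $11 }' "$1"
}

# Distinct source addresses that logged in as root; compare with your own.
root_login_sources() {
    ssh_logins "$1" | awk '$1 == "root" { print $2 }' | sort -u
}

echo "== UID 0 accounts besides root =="; extra_uid0 "$TMP/passwd"
echo "== accounts with no home or shell =="; incomplete_accounts "$TMP/passwd"
echo "== successful ssh logins =="; ssh_logins "$TMP/messages"
echo "== root logged in from =="; root_login_sources "$TMP/messages"
```

Point the functions at the real copies instead of the constructed files; a clean result here says nothing about replaced binaries or a rootkit, which is why the thread still recommends a wipe and reinstall.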
 
Old 06-21-2006, 01:47 AM   #10
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 361
Why bother, exactly?

Trying to monitor this person, and cracking his password, just seem like silly wastes of time, when you should be more worried about getting the machine back to a trustworthy state, and properly securing it this time.
 
Old 06-21-2006, 02:02 AM   #11
uselpa
Senior Member
 
Registered: Oct 2004
Location: Luxemburg
Distribution: Slackware, OS X
Posts: 1,507

Rep: Reputation: 47
Quote:
Originally Posted by MS3FGX
Why bother, exactly?

Trying to monitor this person, and cracking his password, just seem like silly wastes of time, when you should be more worried about getting the machine back to a trustworthy state, and properly securing it this time.
As the machine is non-critical and about to be reinstalled anyway, it's a unique opportunity to improve one's knowledge about hacking and thus to improve one's knowledge about protecting a machine.

I sure would bother a lot and find the time well spent.
 
Old 06-21-2006, 02:22 AM   #12
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 361
If he wants to learn, then he should buy a book.

Meddling with somebody who is much more skilled than yourself is only asking for trouble.

Not to mention that any machine connected to the internet is critical. The world doesn't need more zombie servers and spam relays. We are all sharing the same global network, and any computer being used for illicit purposes can have a direct effect on any of us.
 
Old 06-21-2006, 03:29 AM   #13
uselpa
Senior Member
 
Registered: Oct 2004
Location: Luxemburg
Distribution: Slackware, OS X
Posts: 1,507

Rep: Reputation: 47
Quote:
Originally Posted by MS3FGX
If he wants to learn, then he should buy a book.
Sorry, but that's silly. And illogical - how do those who write books know? Chicken and egg, you see.

Quote:
Originally Posted by MS3FGX
Not to mention that any machine connected to the internet is critical. The world doesn't need more zombie servers and spam relays. We are all sharing the same global network, and any computer being used for illicit purposes can have a direct effect on any of us.
So you advocate helping the cracker out by not trying to track him down and helping him to stay anonymous? How does that make the Internet any more secure? What about judging if he's a real bad guy or not, and eventually hand him over to the police? Wouldn't that be more useful?
 
Old 06-21-2006, 04:59 AM   #14
davidsrsb
Member
 
Registered: Oct 2003
Location: Kuala Lumpur, Malaysia
Distribution: Slackware 13.37 current
Posts: 770

Rep: Reputation: 33
He has tracked the cracker down to Korea, which is probably a zombie anyway, and it is almost impossible to trace the real offender. I would format and reinstall, followed by updating to the latest 10.2 stable.
10.2 out of the box does have an ssh vulnerability, so disable the service.

Use nmap to find out what ports are listening; a workstation machine does not need much open.
Make sure that root has a strong password.
 
Old 06-21-2006, 05:22 AM   #15
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
Okay, let's all stop being silly.

1) The computer is compromised. Don't do ANYTHING on it, don't plug it into the internet, it's quite simple. Even being online for an hour, it can do significant damage (Spam, DDOS, proxying illegal downloads for the hacker etc.). Everything he does is going to be on YOUR connection via YOUR ISP and cost YOU money if they decide to charge you (don't think they won't if you use over your allocated bandwidth etc.). And what happens if he sells your address as a remote proxy for people to use for something which is a lot more damaging, e.g. downloading stuff that will get YOU arrested?

Every time you take it online, you are *potentially* damaging other people's computers, network infrastructure, sending spam or your IP is showing up on law enforcement computers as a source of illegal downloads etc. You just do not know what he is using it for, and a root-compromised computer probably goes for a tidy sum in certain IRC channels.

2) Not "seeing" any activity doesn't mean anything. The "hacker" has root access (UID 0) and therefore can do/hide anything he likes. He could easily be running a background irc service that is running arbitrary commands on your server without you even noticing (no files, no modifications, no log entries, not showing up in ps etc.). He could be using it as a jump-point to get to anything else connected in the house, or to other Internet servers. You just don't know without sticking a packet-analyser on the network cable.

3) "Watching" what the hacker does will not help you in any way, shape or form. We KNOW what he can do (absolutely anything) and it's of academic interest only how he got there (my guess would be a bad password somewhere [your fault] or that you have vulnerable software facing the Internet [your fault for not updating]). If you REALLY want to analyse his techniques, place the hard drive into a secured, offline computer and analyse its contents (looking for hidden files, modified startups etc.). Don't let the computer remain online "just to see" if he pops back.

4) Because you don't know how he got there and what he's doing RIGHT NOW, there is no interest in trying to "recover" the computer. As has been pointed out, it'll be almost impossible to ensure it's clean without wiping the drive yourself. He has root access; he can hide files within the leftover bits of the disk, within unused inodes, modify any and all binaries to reinfect the machine if they are executed etc. He can mask anything and everything he wants to (and a lot of easily available rootkits will do this AUTOMATICALLY, so don't assume he has to be skilled to do it).

5) "Tracing" the hacker is of secondary concern. Chances are he is using other computers like yours to proxy through to ensure he's not caught. Even then, he's probably using some network like Tor or similar to ensure that his anonymity is guaranteed. Your primitive investigations will not be able to "find out" where or who he is.

Short of having the legal and technical resources of a computer-crime department and a black box in most ISPs, you WILL NOT FIND HIM. Also, by not reporting it to the police if you DO wish to trace him yourself, you run the risk of being arrested yourself should you be found to be tracing back connections through remote compromised machines. For example, if you nmap the "source" and then find an open telnet and then use it to execute commands to find the true source. How would anyone know that YOU'RE not the one who hacked in in the first place?

If you want to find him, contact your local computer-crime department, handing over your computer and all evidence you have. Give it about six months for them to analyse (if they are even interested in finding him) and maybe, just maybe, they may find out what country he is in or who he is. Even after all that, prosecution is unlikely in at least half the world.


This person controls your entire machine. If you ever used the same passwords ANYWHERE else you should change them immediately. Your browser history and some basic MD5-cracking are trivial once you have access to a machine, and it's the work of a moment to try every password found against every website visited until you hit a match. Ever bought anything online? Ever received an email from that company? Ever used any password which could be stored on that computer to log into that email?

Even if not, he's currently got root access to your network. That means raw packet logs of ANYTHING that goes over ANY cable in your network (including machines behind switches etc.). That could even mean (depending on your connection, supplier etc.) access to the cable internet for your street (re-flashing a cable modem to receive everyone's data is a simple job). That (usually) means any network shares are potentially compromised. The damage he COULD be causing is enormous and not just to you.

SWITCH IT OFF AND DO NOT SWITCH IT ON AGAIN.

If you really must, put the drive in another machine and MAKE SURE that code from that drive is never run.

Clean any data that you want to keep and don't have backups of (most data is non-executable, but don't forget that things like WMFs, JPGs, DOCs, etc. could all harbour executable code if loaded in the right application).

Reformat, reinstall, this time CHECKING that all externally visible ports have up-to-date software and strong passwords protecting them. On Linux, this takes about twenty seconds to "close" if you download any decent firewall script.

Don't be blasé about this. These sorts of machines are the source of almost ALL spam, almost ALL hack-attempts, almost ALL DDOS's and most virus distribution. Turning a hacked computer into an open FTP site for all to upload/download whatever the game/movie/music of the month is will be trivial with easily available "kiddie" tools.
 
  

