HELP! I've been had! Someone hacked into my Linux box. What now? - Security



Thread: HELP! I've been had! Someone hacked into my Linux box. What now?

  1. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    On Sat, 11 Nov 2006 23:29:05 -0800, jg wrote:

    [putolin]

    > That would be hilarious... However, as far as I can recall, there is
    > no power surge at my place at 9:00 AM. Granted I'm typically not home
    > at 9:00 AM. (Except for the one day that it did not reboot... hmmm?
    > Coincidence?) Maybe I should have a talk with the wife!


    Just be careful

    --
    Dancin' in the ruins tonight
    Tayo'y Mga Pinoy



  2. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    base60 wrote:

    > Unruh wrote:
    >> base60 writes:
    >>
    >>> jg wrote:
    >>>> A few days ago I noticed my Linux box had been rebooted (typically
    >>>> runs 24/7.) Upon further investigating I found someone had attempted
    >>>> to login to my box (via ssh) close to 5000 times a few days earlier.


    [...]

    >>> What you're seeing is pretty standard for anything with an internet
    >>> connection.

    >>
    >> But the "breakin" is not standard.

    >
    > Given the number of bots around, some would argue


    So why, please, if you think so, should having such a large number of bots
    around be acceptable or "standard" ?

    > Better safe than sorry.


    If you are attributing "standard" breakins to widespread botnets, would
    not the botnets be legitimate targets for elimination ?

    If you suggest we should be safe rather than sorry, we (all, even if not
    you specifically) should eliminate botnets. This is _not_ an impossible
    goal. Disconnect every compromised system.

    Agreed ? Or not agreed ?



  3. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    On Mon, 13 Nov 2006 04:29:38 -0500, responder wrote:

    >base60 wrote:
    >
    >> Unruh wrote:
    >>> base60 writes:
    >>>
    >>>> jg wrote:
    >>>>> A few days ago I noticed my Linux box had been rebooted (typically
    >>>>> runs 24/7.) Upon further investigating I found someone had attempted
    >>>>> to login to my box (via ssh) close to 5000 times a few days earlier.

    >
    >[...]
    >
    >>>> What you're seeing is pretty standard for anything with an internet
    >>>> connection.
    >>>
    >>> But the "breakin" is not standard.

    >>
    >> Given the number of bots around, some would argue

    >
    >So why, please, if you think so, should having such a large number of bots
    >around be acceptable or "standard" ?


    I can't see anyone arguing that botnets are a desirable 'feature' of
    the internet. But sadly they are a fact of life at the moment ... no
    doubt in the future the internet will adapt and change and other
    hacking issues will take the fore.

    >> Better safe than sorry.

    >
    >If you are attributing "standard" breakins to widespread botnets, would
    >not the botnets be legitimate targets for elimination ?


    Absolutely - and to paraphrase GW Bush - "I'm open to suggestions -
    answers on a postcard to ..." LOL

    Personally, I'd like to see the TARPIT function built into all new
    Linux kernels as standard. Then perhaps we can all "gum" them up a
    bit. But until then we just have to use a bit of logic to frustrate
    them a bit.

    One of the biggest problems is that 'botnets' are usually made up from
    lots of ordinary PCs compromised by a virus or worm. The user probably
    doesn't know they are even causing the problem. So, it would have to
    be a duty of all internet providers around the world to monitor their
    client's traffic and block any that transmit suspicious data and then
    inform the client that they have to get fixed before they can come
    online again. But can you really see that happening very soon
    (thinking of the biggest growth countries ... Korea, China, India...)?
    p

    >If you suggest we should be safe rather than sorry, we (all, even if not
    >you specifically) should eliminate botnets. This is _not_ an impossible
    >goal. Disconnect every compromised system.
    >
    >Agreed ? Or not agreed ?
    >
    >


  4. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    no wrote:

    > On Mon, 13 Nov 2006 04:29:38 -0500, responder wrote:
    >
    >>base60 wrote:
    >>
    >>> Unruh wrote:
    >>>> base60 writes:
    >>>>
    >>>>> jg wrote:
    >>>>>> A few days ago I noticed my Linux box had been rebooted (typically
    >>>>>> runs 24/7.) Upon further investigating I found someone had
    >>>>>> attempted to login to my box (via ssh) close to 5000 times a few
    >>>>>> days earlier.

    >>
    >>[...]
    >>
    >>>>> What you're seeing is pretty standard for anything with an internet
    >>>>> connection.
    >>>>
    >>>> But the "breakin" is not standard.
    >>>
    >>> Given the number of bots around, some would argue

    >>
    >>So why, please, if you think so, should having such a large number of
    >>bots around be acceptable or "standard" ?

    >
    > I can't see anyone arguing that botnets are a desirable 'feature' of the
    > internet. But sadly they are a fact of life at the moment ... no doubt in
    > the future the internet will adapt and change and other hacking issues
    > will take the fore.


    Yes, I understand your point. And mine is simply that we are not serving
    ourselves or others well by being sanguine or accepting of this or other
    kinds of abuse.

    >>> Better safe than sorry.

    >>
    >>If you are attributing "standard" breakins to widespread botnets, would
    >>not the botnets be legitimate targets for elimination ?

    >
    > Absolutely - and to paraphrase GW Bush - "I'm open to suggestions -
    > answers on a postcard to ..." LOL


    I'll do much better than that, but am not at that point in my plans quite
    yet. Hopefully in a few weeks I will try to affiliate with one or more
    public University systems to (explore the possibility, feasibility) set up
    a pilot program. If successful, results will be public. But you all
    don't need to wait for me. -- You all can jump in on this any time.

    > Personally, I'd like to see the TARPIT function built into all new Linux
    > kernels as standard. Then perhaps we can all "gum" them up a bit. But
    > until then we just have to use a bit of logic to frustrate them a bit.


    This is surely one of many approaches of possible value. I'm not sure of
    the advisability of pushing the burden onto individual users, but
    appreciate the suggestion.

    > One of the biggest problems is that 'botnets' are usually made up from lots
    > of ordinary PCs compromised by a virus or worm. The user probably doesn't
    > know they are even causing the problem. So, it would have to be a duty of
    > all internet providers around the world to monitor their client's traffic
    > and block any that transmit suspicious data and then inform the client
    > that they have to get fixed before they can come online again. But can you
    > really see that happening very soon (thinking of the biggest growth
    > countries ... Korea, China, India...)?
    > p


    I cannot pretend to have advance detailed understanding of many
    complications in various jurisdictions, but that does not mean I think the
    attempts are worthless or should not be undertaken. It is generally quite
    simple for any individual user or admin to identify sources of (TCP) abuse
    on any given day. UDP abuse needs to be detected close to the actual
    source. It seems the existing log aggregation services (dshield, etc.)
    are quite effective in identifying sources and offenders. Among the many
    possible difficulties, I do not see detection (other than UDP abuse) as
    any particular problem or burden on any ISP. Thanks for constructive
    comments.

    Defending, hardening and protecting our own individual systems is all well
    and good and I support that. But we do not need to accept or tolerate the
    real, ongoing and obvious threats to our collective security from botnets.

    (And, yes. Even these Asian countries may see it in their own enlightened
    self interests to control botnets once they are shown it is possible, and
    how it can easily be done. They are not stupid people.)

    >>If you suggest we should be safe rather than sorry, we (all, even if not
    >>you specifically) should eliminate botnets. This is _not_ an impossible
    >>goal. Disconnect every compromised system.
    >>
    >>Agreed ? Or not agreed ?
    >>
    >>

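As an added illustration of the point in the post above (this script is not from the thread or any of its posters), here is the kind of per-source tally an individual admin can run over sshd's auth log to "identify sources of (TCP) abuse": it counts failed logins per address and flags any address that was also granted a login after failures, the case the original poster was worried about. The log lines, addresses and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format sshd writes to auth.log
# (assumed for the example; a real log of ~5000 attempts is far longer).
SAMPLE_LOG = """\
Nov  8 09:01:12 box sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2
Nov  8 09:01:13 box sshd[2313]: Failed password for invalid user test from 203.0.113.7 port 40212 ssh2
Nov  8 09:01:15 box sshd[2315]: Failed password for root from 203.0.113.7 port 40213 ssh2
Nov  8 09:01:16 box sshd[2317]: Failed password for root from 203.0.113.7 port 40214 ssh2
Nov  8 09:01:18 box sshd[2319]: Accepted password for root from 203.0.113.7 port 40215 ssh2
Nov  8 10:22:40 box sshd[2402]: Failed password for jg from 198.51.100.22 port 51000 ssh2
Nov  8 10:22:47 box sshd[2404]: Accepted publickey for jg from 192.0.2.10 port 51002 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted publickey for X from IP" style records.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarize(log_text):
    """Per source address: number of failures and list of (user, method) accepted."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # other sshd/syslog lines are ignored
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["failed"] += 1
        else:
            entry["accepted"].append((m["user"], m["method"]))
    return dict(stats)


def suspicious_sources(log_text, threshold=3):
    """Sources at or above the failure threshold, or accepted after any failure.

    A success following failures from the same source is the stronger signal:
    it means a guessed password worked, not merely that a bot was knocking.
    """
    flagged = {}
    for ip, s in summarize(log_text).items():
        reasons = []
        if s["failed"] >= threshold:
            reasons.append(f"{s['failed']} failed logins")
        if s["failed"] and s["accepted"]:
            who = ", ".join(f"{u}/{m}" for u, m in s["accepted"])
            reasons.append("login accepted after failures: " + who)
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in suspicious_sources(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run it as `python3 sshlog.py < /dev/null` after pointing SAMPLE_LOG at the real file contents; the per-address counts are also what you would submit to an aggregation service such as dshield.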

  5. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    responder wrote:
    > base60 wrote:
    >
    >> Unruh wrote:
    >>> base60 writes:
    >>>
    >>>> jg wrote:
    >>>>> A few days ago I noticed my Linux box had been rebooted (typically
    >>>>> runs 24/7.) Upon further investigating I found someone had attempted
    >>>>> to login to my box (via ssh) close to 5000 times a few days earlier.

    >
    > [...]
    >
    >>>> What you're seeing is pretty standard for anything with an internet
    >>>> connection.
    >>> But the "breakin" is not standard.

    >> Given the number of bots around, some would argue

    >
    > So why, please, if you think so, should having such a large number of bots
    > around be acceptable or "standard" ?


    If you wish to ask stupid questions based upon stupid assumptions
    etc., find someone stupid to play with.


    >
    >> Better safe than sorry.

    >
    > If you are attributing "standard" breakins to widespread botnets, would
    > not the botnets be legitimate targets for elimination ?
    >
    > If you suggest we should be safe rather than sorry, we (all, even if not
    > you specifically) should eliminate botnets. This is _not_ an impossible
    > goal. Disconnect every compromised system.
    >
    > Agreed ? Or not agreed ?
    >
    >


  6. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    base60 wrote:

    > responder wrote:
    >> base60 wrote:
    >>
    >>> Unruh wrote:
    >>>> base60 writes:
    >>>>
    >>>>> jg wrote:
    >>>>>> A few days ago I noticed my Linux box had been rebooted (typically
    >>>>>> runs 24/7.) Upon further investigating I found someone had
    >>>>>> attempted to login to my box (via ssh) close to 5000 times a few
    >>>>>> days earlier.

    >>
    >> [...]
    >>
    >>>>> What you're seeing is pretty standard for anything with an internet
    >>>>> connection.
    >>>> But the "breakin" is not standard.
    >>> Given the number of bots around, some would argue

    >>
    >> So why, please, if you think so, should having such a large number of
    >> bots around be acceptable or "standard" ?

    >
    > If you wish to ask stupid questions based upon stupid assumptions etc.,
    > find someone stupid to play with.


    "base60":
    You didn't write anything substantive to answer. Looks like hate mail to
    me. I don't think you are stupid and I don't think there were any stupid
    questions. But if you think there were "stupid assumptions etc.", please
    tell what assumptions you think were wrong or "stupid" (and why would any
    assumption that was wrong not just be named wrong rather than "stupid" ??),
    and that might be something substantive and on topic to answer. You must
    know there is nothing else substantive in your message to answer, don't
    you ?

    Thank you.

  7. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    jg schrieb:
    > I forgot to mention my setup...
    >
    > Box sits behind a Wireless Access Point with wep128 encryption. This
    > AP acts as a firewall for all NAT'ed traffic (including my Linux box).
    > I have the router redirect all SSH traffic to my Linux box. Other than
    > that, all other ports are not redirected.
    >


    Do you know about insecurities in wep128? 'bout 3h and a knowledgeable
    neighbour is in. Use WPA if possible.

    Martin

  8. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    On Fri, 10 Nov 2006 21:04:36 +0000, no inscribed to the world:

    > For your own personal interest I'd install something like rkhunter
    > (http://sourceforge.net/projects/rkhunter/) and look to see if it has
    > been "rootkitted" (the standard way of hijacking a server)....


    Nice link, thank you. I just installed and ran rkhunter on my Mandriva
    system, very nice application.


  9. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    I wrote an article on this very subject in Linux Journal this time last
    year... its now on-line at http://www.linuxjournal.com/article/8338

    ....sorry, I'm not typically one for self-promotion, just thought it was
    applicable.

    Cheers,
    -C

    Ertugrul Soeylemez wrote:
    > "jg" (06-11-10 11:57:01):
    >
    > > Also, what can I do in the future to prevent something like this from
    > > happening again? I thought my passwords were pretty secure... but I
    > > guess I was mistaken. I cannot really do a private/public key since I
    > > need access to my box from multiple locations. Also, is this more
    > > secure?

    >
    > All other questions have been answered, so I'd like to answer this last
    > one. Yes, public key authentication is much more secure than password
    > authentication. People need your private key to be able to authenticate
    > themselves. Why is this a problem for the attacker?
    >
    > Firstly, the people have to know your public key to be able to recover
    > your private key at all. If they don't know it, they've lost. However,
    > the whole sense between public key cryptography is that your public key
    > _is_ known to the public. So obviously, even with the knowledge of your
    > public key, it is hard to recover your private key; much harder than
    > guessing a password with 30 random characters.
    >
    > The fact that your public key may be published without worries, and
    > since the server really only needs to know your public key to
    > authenticate you, brings one major advantage: You can use the same key
    > to authenticate to arbitrarily many servers. You don't need a separate
    > key for every server.
    >
    > In other words: It's not only more secure, it's even much easier. Just
    > take your private key with you. Place it on a USB stick and carry that
    > one on your key-chain. You'll still want to encrypt it (in easier
    > words: protect it by a passphrase), in case you lose it. The key
    > generator (ssh-keygen) asks for a passphrase anyway, so you don't just
    > press Return.
    >
    >
    > Regards,
    > E.S.



  10. Re: HELP! I've been had! Someone hacked into my Linux box. What now?


    Thanx to all who helped. The problem turned out to not be related to
    my server at all. I configured a temporary server while I reinstalled
    and beefed up my main one. Well, the temp server started rebooting at
    9:00 AM as well. So I moved it to a different location/with different
    hook ups and it never rebooted again. I have not thoroughly tested
    the UPS but I'm thinking that is the problem now.

    At any rate, I've learned a lot from this. At the very least, I've
    beefed up my security.

    Thanx again.


  11. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    On 19 Dec 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <1166560273.670893.48700@a3g2000cwd.googlegroups.com>, jg wrote:

    >Thanx to all who helped. The problem turned out to not be related to
    >my server at all. I configured a temporary server while I reinstalled
    >and beefed up my main one. Well, the temp server started rebooting at
    >9:00 AM as well.


    How did the temporary server differ from the main one? Were you still
    using SuSE 9.x on it (i.e. you changed the hardware but not the software)?

    Some one had suggested changing the system's clock by an hour, to see
    if the reboot occurred at 9:00 AM real time or server time. Did you
    ever try that?

    >So I moved it to a different location/with different hook ups and it
    >never rebooted again. I have not thoroughly tested the UPS but I'm
    >thinking that is the problem now.


    Your UPS knows what time it is? Not very many do.

    >At any rate, I've learned a lot from this. At the very least, I've
    >beefed up my security.


    The thread had some good ideas posted, and some not so good. Trying to
    use a windoze wannabe malware detector like 'rkhunter' or 'chkrootkit'
    is not one of the better ideas, as a search at google.groups would
    show. I have yet to hear of either "tool" finding a real rootkit, but
    the number of false alarms (where either kit reports a problem, which
    is actually normal and is the result of shoddy programming in the toy
    detector programs) is VERY high.

    Old guy
