HELP! I've been had! Someone hacked into my Linux box. What now? - Security



  1. HELP! I've been had! Someone hacked into my Linux box. What now?


    A few days ago I noticed my Linux box had been rebooted (typically runs
    24/7.) Upon further investigating I found someone had attempted to
    login to my box (via ssh) close to 5000 times a few days earlier. As
    far as I could tell, they had not been successful. However, I have my
    doubts now. I have since closed my router's ssh virtual server's
    redirect to it. I have also closed all outgoing traffic from it
    (however, pings still get out, not sure why.)

    At any rate, since then, my box reboots every morning at 9:00 AM! Not
    sure how this is being done. crontab shows nothing. Does anyone have
    any ideas what I can do to find out which program is causing the
    rebooting? Anything I should be looking for?

    I'm guessing I'm going to have to assume worst case scenario here and
    reformat my entire system. (Which I have been meaning to do anyway to
    add some kind of RAID.)

    Also, what can I do in the future to prevent something like this from
    happening again? I thought my passwords were pretty secure... but I
    guess I was mistaken. I cannot really do a private/public key since I
    need access to my box from multiple locations. Also, is this more
    secure?

    Thanx to all who reply.

    jg


  2. Re: HELP! I've been had! Someone hacked into my Linux box. What now?


    I forgot to mention my setup...

    Box sits behind a Wireless Access Point with wep128 encryption. This
    AP acts as a firewall for all NAT'ed traffic (including my Linux box).
    I have the router redirect all SSH traffic to my Linux box. Other than
    that, all other ports are not redirected.

    [I am broadcasting my SSID but I have not used my laptop in about a
    month. Hence no traffic over the air, so I don't think anyone hacked
    in by reversing my WEP key.]

    I have SuSE 9.1 running on my Linux server. It is only a SAMBA server.
    It only has one NIC. I'm not using it as a firewall.

    Thanx again to all who help.

    jg

    jg wrote:
    > A few days ago I noticed my Linux box had been rebooted (typically runs
    > 24/7.) Upon further investigating I found someone had attempted to
    > login to my box (via ssh) close to 5000 times a few days earlier. As
    > far as I could tell, they had not been successful. However, I have my
    > doubts now. I have since closed my router's ssh virtual server's
    > redirect to it. I have also closed all outgoing traffic from it
    > (however, pings still get out, not sure why.)
    >
    > At any rate, since then, my box reboots every morning at 9:00 AM! Not
    > sure how this is being done. crontab shows nothing. Does anyone have
    > any ideas what I can do to find out which program is causing the
    > rebooting? Anything I should be looking for?
    >
    > I'm guessing I'm going to have to assume worst case scenario here and
    > reformat my entire system. (Which I have been meaning to do anyway to
    > add some kind of RAID.)
    >
    > Also, what can I do in the future to prevent something like this from
    > happening again? I thought my passwords were pretty secure... but I
    > guess I was mistaken. I cannot really do a private/public key since I
    > need access to my box from multiple locations. Also, is this more
    > secure?
    >
    > Thanx to all who reply.
    >
    > jg



  3. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    jg wrote:
    > A few days ago I noticed my Linux box had been rebooted (typically runs
    > 24/7.) Upon further investigating I found someone had attempted to
    > login to my box (via ssh) close to 5000 times a few days earlier. As
    > far as I could tell, they had not been successful. However, I have my
    > doubts now. I have since closed my router's ssh virtual server's
    > redirect to it. I have also closed all outgoing traffic from it
    > (however, pings still get out, not sure why.)
    >
    > At any rate, since then, my box reboots every morning at 9:00 AM! Not
    > sure how this is being done. crontab shows nothing. Does anyone have
    > any ideas what I can do to find out which program is causing the
    > rebooting? Anything I should be looking for?


    Yes. Your installation CDs and backup tapes.

    Re-install from CD, update everything applicable, restore data
    from tape.

    >
    > I'm guessing I'm going to have to assume worst case scenario here and
    > reformat my entire system. (Which I have been meaning to do anyway to
    > add some kind of RAID.)
    >
    > Also, what can I do in the future to prevent something like this from
    > happening again? I thought my passwords were pretty secure... but I
    > guess I was mistaken. I cannot really do a private/public key since I
    > need access to my box from multiple locations. Also, is this more
    > secure?


    Install/activate tcpwrappers or a firewall to restrict access to
    an explicit list for ssh and whatever else you can.

    What you're seeing is pretty standard for anything with an internet
    connection.

  4. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    On 10 Nov 2006 11:57:01 -0800, "jg" wrote:
    >At any rate, since then, my box reboots every morning at 9:00 AM! Not
    >sure how this is being done. crontab shows nothing. Does anyone have
    >any ideas what I can do to find out which program is causing the
    >rebooting? Anything I should be looking for?


    Like the other poster, I think you should be preparing for the worst
    by considering a full wipe and reinstall. At any rate I would
    immediately disconnect it from the internet as you have no idea what
    the machine is being told to do, if it has been hijacked.

    For your own personal interest I'd install something like rkhunter
    (http://sourceforge.net/projects/rkhunter/) and look to see if it has
    been "rootkitted" (the standard way of hijacking a server). Rootkits
    are usually very devious and they cover their tracks - like showing
    you a ps list but without the processes associated with the rootkit!
    Even your check of crontab might have been intercepted and chances are
    you have been shown rubbish.

    So, before you trash it use this opportunity to learn from your
    mistake - find out how they got in and which kit they might have used.
    Also, try checking it with an anti-viral like antivir
    (http://www.free-av.com/). It won't fix anything but at least you
    might get a handle on what happened.

    If these products don't find anything you might be barking up the
    wrong tree ... but either way a reinstall might be on the cards.

    Good luck!
    Chris R.

  5. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    "jg" writes:


    >A few days ago I noticed my Linux box had been rebooted (typically runs
    >24/7.) Upon further investigating I found someone had attempted to
    >login to my box (via ssh) close to 5000 times a few days earlier. As
    >far as I could tell, they had not been successful. However, I have my
    >doubts now. I have since closed my router's ssh virtual server's
    >redirect to it. I have also closed all outgoing traffic from it
    >(however, pings still get out, not sure why.)


    Not unusual. There are thousands of compromised Windows machines within a
    mile of your house. Many are used to try to break in via ssh.


    >At any rate, since then, my box reboots every morning at 9:00 AM! Not
    >sure how this is being done. crontab shows nothing. Does anyone have
    >any ideas what I can do to find out which program is causing the
    >rebooting? Anything I should be looking for?


    crontab -l
    vi /etc/crontab
    vi /etc/crontab.*/*
    Look in /var/log/messages and /var/log/syslog to see what happens just
    before the reboot.


    >I'm guessing I'm going to have to assume worst case scenario here and
    >reformat my entire system. (Which I have been meaning to do anyway to
    >add some kind of RAID.)


    >Also, what can I do in the future to prevent something like this from
    >happening again? I thought my passwords were pretty secure... but I
    >guess I was mistaken. I cannot really do a private/public key since I
    >need access to my box from multiple locations. Also, is this more
    >secure?


    Well, I would do a bit more investigation.
    rpm -Va|grep '^..5'>/tmp/verify
    and look at those files to see if there is something suspicious (e.g.
    /bin/ps or /bin/find occurring in that list means you have definitely
    been compromised.)



    >Thanx to all who reply.


    >jg



  6. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    base60 writes:

    >jg wrote:
    >> A few days ago I noticed my Linux box had been rebooted (typically runs
    >> 24/7.) Upon further investigating I found someone had attempted to
    >> login to my box (via ssh) close to 5000 times a few days earlier. As
    >> far as I could tell, they had not been successful. However, I have my
    >> doubts now. I have since closed my router's ssh virtual server's
    >> redirect to it. I have also closed all outgoing traffic from it
    >> (however, pings still get out, not sure why.)
    >>
    >> At any rate, since then, my box reboots every morning at 9:00 AM! Not
    >> sure how this is being done. crontab shows nothing. Does anyone have
    >> any ideas what I can do to find out which program is causing the
    >> rebooting? Anything I should be looking for?


    >Yes. Your installation CDs and backup tapes.


    >Re-install from CD, update everything applicable, restore data
    >from tape.


    >>
    >> I'm guessing I'm going to have to assume worst case scenario here and
    >> reformat my entire system. (Which I have been meaning to do anyway to
    >> add some kind of RAID.)
    >>
    >> Also, what can I do in the future to prevent something like this from
    >> happening again? I thought my passwords were pretty secure... but I
    >> guess I was mistaken. I cannot really do a private/public key since I
    >> need access to my box from multiple locations. Also, is this more
    >> secure?


    >Install/activate tcpwrappers or a firewall to restrict access to
    >an explicit list for ssh and whatever else you can.


    >What you're seeing is pretty standard for anything with an internet
    >connection.


    But the "breakin" is not standard.

    In fact I would suspect the windows machines on the same subnet using samba
    to subvert this machine.

    Reinstalling without definite evidence is in general a bad idea.



  7. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    >
    > crontab -l
    > vi /etc/crontab
    > vi /etc/crontab.*/*
    > Look in /var/log/messages and /var/log/syslog to see what happens just
    > before the reboot.


    I found nothing in crontab that might shed some light.

    > Well, I would do a bit more investigation.
    > rpm -Va|grep '^..5'>/tmp/verify
    > and look at those files to see if there is something suspicious (e.g.
    > /bin/ps or /bin/find occurring in that list means you have definitely
    > been compromised.)
    >


    Here's the output from the rpm command above... again, I found nothing
    that sheds light.

    S.5....T c /etc/vimrc
    SM5....T c /etc/crontab
    S.5....T c /etc/samba/smb.conf
    S.5....T c /etc/vsftpd.conf
    S.5....T c /etc/apache2/default-server.conf
    S.5....T c /etc/papersize
    S.5....T c /etc/ssh/sshd_config
    S.5....T /var/lib/susehelp/dochost
    S.5....T c /etc/mail/submit.cf
    S.5....T c /etc/sendmail.cf
    S.5....T c /etc/php.ini
    S.5....T c /etc/nsswitch.conf
    S.5....T c /etc/X11/qtrc
    S.5....T c /etc/samba/smbpasswd
    S.5....T c /etc/ntp.conf
    S.5....T c /etc/xinetd.d/tftp
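The `rpm -Va` check suggested two replies up and the output posted here are easier to judge once the flag columns are decoded, so here is an added example (editor's code, not from anyone in the thread) that filters such output down to what a compromise hunt cares about: non-config files whose digest no longer matches the package database, or that are missing. The sample input reuses four lines from the output above; the lines for /usr/share/doc/packages/foo/README, /bin/ps and /bin/find are constructed to show a harmless mtime-only change, a modified binary and a missing binary.

```shell
#!/bin/sh
# Added example, not code from the thread. Filters `rpm -Va` output.
# Each line is:  <flags | missing>  [attr]  <path>
# Flag column 3 is the MD5 test ("5" = digest differs, "." = unchanged);
# attr "c" marks a configuration file, which is expected to differ
# (column 2 "M" means the mode changed, "S" the size, "T" the mtime).

# Reads `rpm -Va` output on stdin, prints non-config files that are missing
# or whose digest differs. A system binary (/bin/ps, /bin/find, ...) showing
# up here is the sign of tampering the thread warns about.
rpm_verify_suspicious() {
    awk '
        NF < 2 { next }                          # blank or malformed line
        {
            attr = ""; path = $2
            if (NF >= 3 && length($2) == 1) { attr = $2; path = $3 }
            if (attr == "c") next                # config file: changes are expected
            if ($1 == "missing" || substr($1, 3, 1) == "5") print path
        }'
}

# Sample input: the first four lines are from the output posted above, the
# last three are constructed (mtime-only change, modified binary, missing
# binary).
RPM_VA_SAMPLE='S.5....T c /etc/vimrc
SM5....T c /etc/crontab
S.5....T c /etc/ssh/sshd_config
S.5....T /var/lib/susehelp/dochost
.......T   /usr/share/doc/packages/foo/README
S.5....T   /bin/ps
missing     /bin/find'

# On a box that may be rootkitted, run the check from a live CD against the
# mounted disk so the suspect system's own rpm binary is never executed:
#   rpm --root /mnt/suspect -Va | rpm_verify_suspicious
printf '%s\n' "$RPM_VA_SAMPLE" | rpm_verify_suspicious
```

Run on the posted output, the filter leaves only /var/lib/susehelp/dochost, a help-system file rather than a binary, which is why the poster found nothing alarming. Two caveats: `rpm --root` still reads the rpm database stored on the suspect disk, which an intruder with root could have rewritten, and the "M" on /etc/crontab in the posted output means that file's mode changed as well as its contents, which is worth a look by hand given that the complaint is a timed reboot.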


  8. Re: HELP! I've been had! Someone hacked into my Linux box. What now?


    rkhunter found nothing out of the ordinary. Just got a couple of
    warning regarding
    /etc/.java
    /etc/.pwd.lock
    /dev/.udev.tdb

    To be on the safe side though, I'm taking this server off line and
    replacing it with another one for the time being until I figure out
    what is going on. As of now it is still rebooting at 9:00 AM.

    no@emails.thx wrote:
    > On 10 Nov 2006 11:57:01 -0800, "jg" wrote:
    > >At any rate, since then, my box reboots every morning at 9:00 AM! Not
    > >sure how this is being done. crontab shows nothing. Does anyone have
    > >any ideas what I can do to find out which program is causing the
    > >rebooting? Anything I should be looking for?

    >
    > Like the other poster, I think you should be preparing for the worst
    > by considering a full wipe and reinstall. At any rate I would
    > immediately disconnect it from the internet as you have no idea what
    > the machine is being told to do, if it has been hijacked.
    >
    > For your own personal interest I'd install something like rkhunter
    > (http://sourceforge.net/projects/rkhunter/) and look to see if it has
    > been "rootkitted" (the standard way of hijacking a server). Rootkits
    > are usually very devious and they cover their tracks - like showing
    > you a ps list but without the processes associated with the rootkit!
    > Even your check of crontab might have been intercepted and chances are
    > you have been shown rubbish.
    >
    > So, before you trash it use this opportunity to learn from your
    > mistake - find out how they got in and which kit they might have used.
    > Also, try checking it with an anti-viral like antivir
    > (http://www.free-av.com/). It won't fix anything but at least you
    > might get a handle on what happened.
    >
    > If these products don't find anything you might be barking up the
    > wrong tree ... but either way a reinstall might be on the cards.
    >
    > Good luck!
    > Chris R.



  9. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    Here's a bit of /var/messages from just before and after it reboots...

    Note that I logged in around 8:00 AM.

    Thanx to all who can help.

    jg

    Nov 10 06:44:18 sol2 smbd[4422]: write_socket: Error writing 5 bytes
    to socket 24: ERRNO = Connection reset by peer
    Nov 10 06:44:18 sol2 smbd[4422]: [2006/11/10 06:44:18, 0]
    lib/util_sock.c:send_smb(628)
    Nov 10 06:44:18 sol2 smbd[4422]: Error writing 5 bytes to client. -1.
    (Connection reset by peer)
    Nov 10 06:59:00 sol2 /USR/SBIN/CRON[4445]: (root) CMD ( rm -f
    /var/spool/cron/lastrun/cron.hourly)
    Nov 10 07:19:23 sol2 -- MARK --
    Nov 10 07:39:22 sol2 -- MARK --
    Nov 10 07:55:59 sol2 login[2557]: FAILED LOGIN 1 FROM /dev/tty1 FOR
    root, Authentication failure
    Nov 10 07:56:02 sol2 login[2557]: pam_unix2: bad username []
    Nov 10 07:56:02 sol2 login[2557]: FAILED LOGIN 2 FROM /dev/tty1 FOR
    UNKNOWN, User not known to the underlying authentication module
    Nov 10 07:59:00 sol2 /USR/SBIN/CRON[4558]: (root) CMD ( rm -f
    /var/spool/cron/lastrun/cron.hourly)
    Nov 10 08:02:56 sol2 sshd[4581]: Accepted keyboard-interactive/pam for
    [removed] from ::ffff:172.16.10.101 port 1042
    Nov 10 08:04:40 sol2 sshd[4635]: Accepted keyboard-interactive/pam for
    [removed] from ::ffff:172.16.10.101 port 1128
    Nov 10 08:19:22 sol2 -- MARK --
    Nov 10 08:39:22 sol2 -- MARK --
    Nov 10 08:59:23 sol2 syslogd 1.4.1: restart.
    Nov 10 08:59:27 sol2 sshd[1784]: Server listening on :: port 22.
    Nov 10 08:59:28 sol2 kernel: klogd 1.4.1, log source = /proc/kmsg
    started.
    Nov 10 08:59:28 sol2 kernel: Inspecting
    /boot/System.map-2.6.4-52-default
    Nov 10 08:59:28 sol2 kernel: Loaded 23439 symbols from
    /boot/System.map-2.6.4-52-default.
    Nov 10 08:59:28 sol2 kernel: Symbols match kernel version 2.6.4.
    Nov 10 08:59:28 sol2 kernel: No module symbols loaded - kernel modules
    not enabled.
    Nov 10 08:59:28 sol2 kernel: gameport: pci0000:00:08.1 speed 1169 kHz
    Nov 10 08:59:28 sol2 kernel: NET: Registered protocol family 23
    Nov 10 08:59:28 sol2 kernel: 3c59x: Donald Becker and others.
    www.scyld.com/network/vortex.html
    Nov 10 08:59:28 sol2 kernel: 0000:00:0b.0: 3Com PCI 3c905C Tornado at
    0xc800. Vers LK1.1.19
    Nov 10 08:59:28 sol2 kernel: drivers/usb/core/usb.c: registered new
    driver usbfs
    Nov 10 08:59:28 sol2 kernel: drivers/usb/core/usb.c: registered new
    driver hub
    Nov 10 08:59:28 sol2 kernel: Linux agpgart interface v0.100 (c) Dave
    Jones
    Nov 10 08:59:28 sol2 kernel: agpgart: Detected VIA KT266/KY266x/KT333
    chipset
    Nov 10 08:59:28 sol2 kernel: agpgart: Maximum main memory to use for
    agp memory: 203M
    Nov 10 08:59:28 sol2 kernel: agpgart: AGP aperture is 64M @ 0xe0000000
    Nov 10 08:59:28 sol2 kernel: USB Universal Host Controller Interface
    driver v2.2
    Nov 10 08:59:28 sol2 kernel: uhci_hcd 0000:00:11.2: UHCI Host
    Controller
    Nov 10 08:59:28 sol2 kernel: uhci_hcd 0000:00:11.2: irq 5, io base
    0000d000
    Nov 10 08:59:28 sol2 kernel: uhci_hcd 0000:00:11.2: new USB bus
    registered, assigned bus number 1
    Nov 10 08:59:28 sol2 kernel: usb usb1: Product: UHCI Host Controller
    Nov 10 08:59:28 sol2 kernel: usb usb1: Manufacturer: Linux
    2.6.4-52-default uhci_hcd
    Nov 10 08:59:28 sol2 kernel: usb usb1: SerialNumber: 0000:00:11.2
    Nov 10 08:59:28 sol2 kernel: hub 1-0:1.0: USB hub found
    Nov 10 08:59:28 sol2 kernel: hub 1-0:1.0: 2 ports detected
    Nov 10 08:59:28 sol2 kernel: uhci_hcd 0000:00:11.3: UHCI Host
    Controller
    Nov 10 08:59:28 sol2 kernel: uhci_hcd 0000:00:11.3: irq 5, io base
    0000d400
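The log excerpt above is the kind of thing the earlier advice ("look in /var/log/messages to see what happens just before the reboot") asks for, and two small filters make it quicker to read. This is an added example (editor's code, not from anyone in the thread); its sample input is nine lines from the excerpt above, re-joined where the post's word-wrap split them, and nothing else.

```shell
#!/bin/sh
# Added example, not code from the thread. Two filters for /var/log/messages:
# where the reboot falls, and who logged in from where.

# For every "syslogd ...: restart." line (the first thing syslog writes after
# a boot), print the timestamp of the last entry before it and the restart
# time; the gap between them brackets the outage. syslog timestamps are the
# first 15 characters of a line ("Nov 10 08:59:23").
reboot_window() {
    awk '
        /syslogd [0-9.]*: restart[.]/ {
            printf "last entry %s | restart %s\n", prev, substr($0, 1, 15)
        }
        { prev = substr($0, 1, 15) }'
}

# Counts accepted sshd logins and failed logins (console or sshd) per source:
# the word after "from"/"FROM" is the peer address or the tty. IPv4-mapped
# addresses (::ffff:a.b.c.d) are normalised to a.b.c.d. Output is sorted so
# it is stable.
login_events() {
    awk '
        { kind = "" }
        /sshd\[[0-9]+]: Accepted /                  { kind = "accepted" }
        /FAILED LOGIN|Failed password|Invalid user/  { kind = "failed" }
        kind != "" {
            src = "?"
            for (i = 1; i < NF; i++) if ($i == "from" || $i == "FROM") src = $(i + 1)
            sub(/^::ffff:/, "", src)
            count[kind " " src]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Sample: lines taken from the log posted above, unwrapped.
LOG_SAMPLE='Nov 10 06:59:00 sol2 /USR/SBIN/CRON[4445]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Nov 10 07:19:23 sol2 -- MARK --
Nov 10 07:55:59 sol2 login[2557]: FAILED LOGIN 1 FROM /dev/tty1 FOR root, Authentication failure
Nov 10 08:02:56 sol2 sshd[4581]: Accepted keyboard-interactive/pam for [removed] from ::ffff:172.16.10.101 port 1042
Nov 10 08:04:40 sol2 sshd[4635]: Accepted keyboard-interactive/pam for [removed] from ::ffff:172.16.10.101 port 1128
Nov 10 08:19:22 sol2 -- MARK --
Nov 10 08:39:22 sol2 -- MARK --
Nov 10 08:59:23 sol2 syslogd 1.4.1: restart.
Nov 10 08:59:27 sol2 sshd[1784]: Server listening on :: port 22.'

printf '%s\n' "$LOG_SAMPLE" | reboot_window
printf '%s\n' "$LOG_SAMPLE" | login_events
```

What it shows for the posted log: the last entry before the restart is an idle "-- MARK --" (syslogd writes one every 20 minutes when nothing else is logged), and there is no shutdown(8)/init message between it and the restart, which a software-initiated reboot would normally leave; that is consistent with the power theory raised later in the thread, but not proof, since a rootkit can also suppress logging. The login summary shows the only accepted SSH logins came from the private address 172.16.10.101 and the one failed login was on the local console /dev/tty1, not over the network. Both functions read a file equally well: `reboot_window < /var/log/messages`.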


  10. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    jg wrote:

    > A few days ago I noticed my Linux box had been rebooted (typically runs
    > 24/7.) Upon further investigating I found someone had attempted to login
    > to my box (via ssh) close to 5000 times a few days earlier. As far as I
    > could tell, they had not been successful. However, I have my doubts now.
    > I have since closed my router's ssh virtual server's redirect to it. I
    > have also closed all outgoing traffic from it (however, pings still get
    > out, not sure why.)
    >
    > At any rate, since then, my box reboots every morning at 9:00 AM! Not
    > sure how this is being done. crontab shows nothing. Does anyone have any
    > ideas what I can do to find out which program is causing the rebooting?
    > Anything I should be looking for?
    >
    > I'm guessing I'm going to have to assume worst case scenario here and
    > reformat my entire system. (Which I have been meaning to do anyway to add
    > some kind of RAID.)
    >
    > Also, what can I do in the future to prevent something like this from
    > happening again? I thought my passwords were pretty secure... but I guess
    > I was mistaken. I cannot really do a private/public key since I need
    > access to my box from multiple locations. Also, is this more secure?


    First, if you are able, buy a "new" box to replace this one. Does not
    need to be "new" new, just new. Used functional boxen are inexpensive and
    readily available. You can do your forensics on the hacked box later.

    Get a (two or three are better, and also available) live CD distro to use
    for your forensics. If your box was hacked then no binary on it can be
    trusted. Run the live CD's whose binaries cannot have been tampered with,
    to find what you are looking for.

    Obviously (hopefully _very_ obviously), disconnect the hacked box from the
    public network. Maybe you are fortunate enough to have an isolated
    private network with which to examine the cracked box. Most do not.

    If you can find how they came in, you will have your best pointers on how
    to prevent it in the future. If you find it then it is valuable to all to
    post it publicly, as in right here.

    Best wishes and thanks in advance.

  11. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    On 10 Nov 2006 21:34:25 -0800, "jg" wrote:
    >rkhunter found nothing out of the ordinary. Just got a couple of
    >warning regarding
    >/etc/.java
    >/etc/.pwd.lock
    >/dev/.udev.tdb


    That's reassuring ... it doesn't mean that it wasn't hacked in some
    way but, like you I'd be thinking that there is some other reason why
    it has been rebooting. The ssh script attacks are fairly normal on a
    server that is using a default sshd configuration.

    If nothing else you should have learned that your sshd should be
    protected a bit better than it has been. For starters just change
    sshd.conf to: move the listening port to something non-standard and
    deny direct root access; then investigate how to use the 'recent'
    iptables module to block IPs that connect more than 3 times in 60
    seconds. Those measures will be easy to instigate and will cut your
    chances of being scripted in the future.

    >To be on the safe side though, I'm taking this server off line and
    >replacing it with another one for the time being until I figure out
    >what is going on. As of now it is still rebooting at 9:00 AM.


    That's a good precaution anyway. One of the first things I'd try is to
    set the time of the server back by 1 hour and see if it reboots next
    time at the real 09:00 or the server's 09:00... then you will know if
    it is something being triggered on the server or an external force,
    perhaps linked to the power supply etc.

    Chris R.

    >no@emails.thx wrote:
    >> On 10 Nov 2006 11:57:01 -0800, "jg" wrote:
    >> >At any rate, since then, my box reboots every morning at 9:00 AM! Not
    >> >sure how this is being done. crontab shows nothing. Does anyone have
    >> >any ideas what I can do to find out which program is causing the
    >> >rebooting? Anything I should be looking for?

    >>
    >> Like the other poster, I think you should be preparing for the worst
    >> by considering a full wipe and reinstall. At any rate I would
    >> immediately disconnect it from the internet as you have no idea what
    >> the machine is being told to do, if it has been hijacked.
    >>
    >> For your own personal interest I'd install something like rkhunter
    >> (http://sourceforge.net/projects/rkhunter/) and look to see if it has
    >> been "rootkitted" (the standard way of hijacking a server). Rootkits
    >> are usually very devious and they cover their tracks - like showing
    >> you a ps list but without the processes associated with the rootkit!
    >> Even your check of crontab might have been intercepted and chances are
    >> you have been shown rubbish.
    >>
    >> So, before you trash it use this opportunity to learn from your
    >> mistake - find out how they got in and which kit they might have used.
    >> Also, try checking it with an anti-viral like antivir
    >> (http://www.free-av.com/). It won't fix anything but at least you
    >> might get a handle on what happened.
    >>
    >> If these products don't find anything you might be barking up the
    >> wrong tree ... but either way a reinstall might be on the cards.
    >>
    >> Good luck!
    >> Chris R.


  12. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    Unruh wrote:
    > base60 writes:
    >
    >> jg wrote:
    >>> A few days ago I noticed my Linux box had been rebooted (typically runs
    >>> 24/7.) Upon further investigating I found someone had attempted to
    >>> login to my box (via ssh) close to 5000 times a few days earlier. As
    >>> far as I could tell, they had not been successful. However, I have my
    >>> doubts now. I have since closed my router's ssh virtual server's
    >>> redirect to it. I have also closed all outgoing traffic from it
    >>> (however, pings still get out, not sure why.)
    >>>
    >>> At any rate, since then, my box reboots every morning at 9:00 AM! Not
    >>> sure how this is being done. crontab shows nothing. Does anyone have
    >>> any ideas what I can do to find out which program is causing the
    >>> rebooting? Anything I should be looking for?

    >
    >> Yes. Your installation CDs and backup tapes.

    >
    >> Re-install from CD, update everything applicable, restore data
    >>from tape.

    >
    >>> I'm guessing I'm going to have to assume worst case scenario here and
    >>> reformat my entire system. (Which I have been meaning to do anyway to
    >>> add some kind of RAID.)
    >>>
    >>> Also, what can I do in the future to prevent something like this from
    >>> happening again? I thought my passwords were pretty secure... but I
    >>> guess I was mistaken. I cannot really do a private/public key since I
    >>> need access to my box from multiple locations. Also, is this more
    >>> secure?

    >
    >> Install/activate tcpwrappers or a firewall to restrict access to
    >> an explicit list for ssh and whatever else you can.

    >
    >> What you're seeing is pretty standard for anything with an internet
    >> connection.

    >
    > But the "breakin" is not standard.


    Given the number of bots around, some would argue

    >
    > In fact I would suspect the windows machines on the same subnet using samba
    > to subvert this machine.
    >
    > Reinstalling without definite evidence is in general a bad idea.


    In general, yes... but when your system starts rebooting by itself
    at a specific time, you're into something more than a bit dodgy.

    Better safe than sorry.

  13. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    On Fri, 10 Nov 2006 11:57:01 -0800, jg wrote:

    > A few days ago I noticed my Linux box had been rebooted (typically runs
    > 24/7.) Upon further investigating I found someone had attempted to
    > login to my box (via ssh) close to 5000 times a few days earlier. As
    > far as I could tell, they had not been successful. However, I have my
    > doubts now. I have since closed my router's ssh virtual server's
    > redirect to it. I have also closed all outgoing traffic from it
    > (however, pings still get out, not sure why.)
    >
    > At any rate, since then, my box reboots every morning at 9:00 AM! Not
    > sure how this is being done. crontab shows nothing. Does anyone have
    > any ideas what I can do to find out which program is causing the
    > rebooting? Anything I should be looking for?
    >
    > I'm guessing I'm going to have to assume worst case scenario here and
    > reformat my entire system. (Which I have been meaning to do anyway to
    > add some kind of RAID.)
    >
    > Also, what can I do in the future to prevent something like this from
    > happening again? I thought my passwords were pretty secure... but I
    > guess I was mistaken. I cannot really do a private/public key since I
    > need access to my box from multiple locations. Also, is this more
    > secure?
    >
    > Thanx to all who reply.
    >
    > jg



    It sounds like your only "evidence" that your machine has been compromised
    is that you saw 5000 login attempts... and I'd suggest you get used to that
    till you make ssh/telnet less available. I can see how it would make you
    nervous the first time you saw this.

    .... and your machine reboots everyday at 9am (for a few days?)
    Ok, kind of suspicious, but not evidence of much, and if that's why you
    looked at the system messages and see 5000 login attempts then I could see
    you being more nervous... but that's not much to go on.

    It's good to check out your machine anyway. It could just as easily be
    hardware, or power. Any clocks blinking in your area... do you have a
    UPS? If you have lots of time, and not much to lose in reloading, sure,
    go for it. If nothing else it's a good learning experience and you can
    upgrade your machine too.

    It would not surprise me if your machine was compromised,
    and it would not surprise me if you reloaded it and it still reboots
    everyday anyway.

    .... what if you boot a "live" distro, or a rescue disk and left it running
    on that at 9am... would it still reboot?

  14. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    I hope you are doing your investigating with a live CD and not trusting
    anything on your target machine. If you have been rooted then nothing on
    that machine can be trusted.

    jg wrote:
    > rkhunter found nothing out of the ordinary. Just got a couple of
    > warning regarding
    > /etc/.java
    > /etc/.pwd.lock
    > /dev/.udev.tdb
    >
    > To be on the safe side though, I'm taking this server off line and
    > replacing it with another one for the time being until I figure out
    > what is going on. As of now it is still rebooting at 9:00 AM.
    >
    > no@emails.thx wrote:
    >> On 10 Nov 2006 11:57:01 -0800, "jg" wrote:
    >>> At any rate, since then, my box reboots every morning at 9:00 AM! Not
    >>> sure how this is being done. crontab shows nothing. Does anyone have
    >>> any ideas what I can do to find out which program is causing the
    >>> rebooting? Anything I should be looking for?

    >> Like the other poster, I think you should be preparing for the worst
    >> by considering a full wipe and reinstall. At any rate I would
    >> immediately disconnect it from the internet as you have no idea what
    >> the machine is being told to do, if it has been hijacked.
    >>
    >> For your own personal interest I'd install something like rkhunter
    >> (http://sourceforge.net/projects/rkhunter/) and look to see if it has
    >> been "rootkitted" (the standard way of hijacking a server). Rootkits
    >> are usually very devious and they cover their tracks - like showing
    >> you a ps list but without the processes associated with the rootkit!
    >> Even your check of crontab might have been intercepted and chances are
    >> you have been shown rubbish.
    >>
    >> So, before you trash it use this opportunity to learn from your
    >> mistake - find out how they got in and which kit they might have used.
    >> Also, try checking it with an anti-viral like antivir
    >> (http://www.free-av.com/). It won't fix anything but at least you
    >> might get a handle on what happened.
    >>
    >> If these products don't find anything you might be barking up the
    >> wrong tree ... but either way a reinstall might be on the cards.
    >>
    >> Good luck!
    >> Chris R.

    >


    --
    ----------------
    Barton L. Phillips
    Applied Technology Resources, Inc.
    Tel: (818)652-9850
    Web: http://www.applitec.com

  15. Re: HELP! I've been had! Someone hacked into my Linux box. What now?


    I like your cheer. Is it the real thing or mocked up? One that I use
    a lot is,

    "That which is waste matter of organic origin is about to collide with
    the winged air displacing apparatus"

    jg

    Bill Marcum wrote:
    > On 10 Nov 2006 11:57:01 -0800, jg
    > wrote:
    > >
    > > Also, what can I do in the future to prevent something like this from
    > > happening again? I thought my passwords were pretty secure... but I
    > > guess I was mistaken. I cannot really do a private/public key since I
    > > need access to my box from multiple locations. Also, is this more
    > > secure?
    > >

    > You could keep your public key on a USB drive. Run sshd on a port
    > other than 22, maybe with port knocking. Don't allow root login via
    > ssh; login as a regular user and use sudo or su.
    >
    >
    > --
    > Repel them. Repel them. Induce them to relinquish the spheroid.
    > -- Indiana University football cheer



  16. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    On Sat, 11 Nov 2006 11:29:28 GMT, no@emails.thx wrote:
    > On 10 Nov 2006 21:34:25 -0800, "jg" wrote:
    >>To be on the safe side though, I'm taking this server off line and
    >>replacing it with another one for the time being until I figure out
    >>what is going on. As of now it is still rebooting at 9:00 AM.

    >
    > That's a good precaution anyway. One of the first things I'd try is to
    > set the time of the server back by 1 hour and see if it reboots next
    > time at the real 09:00 or the server's 09:00... then you will know if
    > it is something being triggered on the server or an external force,
    > perhaps linked to the power supply etc.


    Cute suggestion.

    My guess is that when winter arrived, JG turned on his
    heating system. At 9AM, the heat pump kicks on so that his
    kitchen will have time to get nice and warm by the time he
    gets out of bed, and the startup transient in the compressor
    motor creates a half-second brownout that triggers a
    power-failure reaction in his PC.

    --
    To email me, substitute nowhere->spamcop, invalid->net.

  17. Re: HELP! I've been had! Someone hacked into my Linux box. What now?


    Here's a bit of troubling evidence... Even though I have blocked all
    incoming and outgoing traffic from that host, (using the router's tools)
    I unplugged the modem just to see if it would reboot this AM. On top
    of that, I logged in as root on console around 8:55 AM just to see the
    whole thing go down. Well, it never did.

    Soooo, what does this mean?

    A) My router is a piece of crap and is letting traffic in/out. And
    this traffic is somehow triggering the reboot.

    OR

    B) I have a hardware trigger that somehow did not trip this AM.

    I do have it on a UPS but I doubt this would be the cause as it is
    time-ignorant.


    Mike Anonymous Coward wrote:
    > On Fri, 10 Nov 2006 11:57:01 -0800, jg wrote:
    >
    > > A few days ago I noticed my Linux box had been rebooted (typically runs
    > > 24/7.) Upon further investigating I found someone had attempted to
    > > login to my box (via ssh) close to 5000 times a few days earlier. As
    > > far as I could tell, they had not been successful. However, I have my
    > > doubts now. I have since closed my router's ssh virtual server's
    > > redirect to it. I have also closed all outgoing traffic from it
    > > (however, pings still get out, not sure why.)
    > >
    > > At any rate, since then, my box reboots every morning at 9:00 AM! Not
    > > sure how this is being done. crontab shows nothing. Does anyone have
    > > any ideas what I can do to find out which program is causing the
    > > rebooting? Anything I should be looking for?
    > >
    > > I'm guessing I'm going to have to assume worst case scenario here and
    > > reformat my entire system. (Which I have been meaning to do anyway to
    > > add some kind of RAID.)
    > >
    > > Also, what can I do in the future to prevent something like this from
    > > happening again? I thought my passwords were pretty secure... but I
    > > guess I was mistaken. I cannot really do a private/public key since I
    > > need access to my box from multiple locations. Also, is this more
    > > secure?
    > >
    > > Thanx to all who reply.
    > >
    > > jg

    >
    >
    > It sounds like your only "evidence" that your machine has been compromised
    > is that you saw 5000 login attempts... and I'd suggest you get used to that
    > till you make ssh/telnet less available. I can see how it would make you
    > nervous the first time you saw this.
    >
    > ... and your machine reboots every day at 9am (for a few days?)
    > Ok, kind of suspicious, but not evidence of much, and if that's why you
    > looked at the system messages and see 5000 login attempts then I could see
    > you being more nervous... but that's not much to go on.
    >
    > It's good to check out your machine anyway. It could just as easily be
    > hardware, or power. Any clocks blinking in your area... do you have a
    > UPS? If you have lots of time, and not much to lose in reloading, sure,
    > go for it. If nothing else it's a good learning experience and you can
    > upgrade your machine too.
    >
    > It would not surprise me if your machine was compromised,
    > and it would not surprise me if you reloaded it and it still reboots
    > every day anyway.
    >
    > ... what if you boot a "live" distro, or a rescue disk and left it running
    > on that at 9am... would it still reboot?
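Mike's point above is the right one: 5000 failed attempts are noise until one of them is followed by a successful login from the same address. The script below is an added example for this thread, not code from any poster; it summarises OpenSSH "Failed password" lines per source address and then checks whether any heavy hitter also got an "Accepted" line. The log lines it runs on are constructed for the example (addresses from documentation ranges), and `auth.log` is the assumed log name; on some distributions of the day the same lines land in `/var/log/secure` or `/var/log/messages`.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise failed SSH logins per
# source address from syslog-style auth.log lines, and flag any source that
# failed many times and then got an "Accepted" line, which is the one thing
# that turns "they tried 5000 times" into "they got in". Log lines below are
# constructed for the example; addresses are documentation ranges.

# failed_logins_by_source FILE -> "count address", busiest first
failed_logins_by_source() {
    grep -E 'sshd\[[0-9]+\]: Failed password for ' "$1" \
      | sed -E 's/.* from ([0-9A-Fa-f.:]+) port [0-9]+.*/\1/' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# sources_over_threshold FILE N -> addresses with more than N failures
sources_over_threshold() {
    failed_logins_by_source "$1" | awk -v n="$2" '$1 > n { print $2 }'
}

# accepted_from_brute_forcers FILE N -> heavy-hitter addresses that also have
# an Accepted line: treat the account and the host as compromised if this
# prints anything (the log itself may have been edited, so absence proves less).
accepted_from_brute_forcers() {
    sources_over_threshold "$1" "$2" | while read -r addr; do
        esc=$(printf '%s' "$addr" | sed 's/\./\\./g')   # literal dots in the regex
        grep -Eq "sshd\[[0-9]+\]: Accepted (password|publickey) for [^ ]+ from $esc port" "$1" \
          && echo "$addr"
    done
}

# Constructed sample log (not captured from any host).
make_sample_authlog() {
    f=$(mktemp)
    {
        i=0   # 25 guesses against root from one address, then a bad-username probe
        while [ "$i" -lt 25 ]; do
            printf 'Nov  8 03:12:%02d box sshd[4120]: Failed password for root from 198.51.100.23 port %d ssh2\n' "$i" $((41000 + i))
            i=$((i + 1))
        done
        echo 'Nov  8 03:13:10 box sshd[4131]: Failed password for invalid user admin from 198.51.100.23 port 41030 ssh2'
        i=0   # 12 guesses against jg from a second address, and then one succeeds
        while [ "$i" -lt 12 ]; do
            printf 'Nov  8 04:02:%02d box sshd[4200]: Failed password for jg from 203.0.113.9 port %d ssh2\n' "$i" $((52000 + i))
            i=$((i + 1))
        done
        echo 'Nov  8 04:02:20 box sshd[4200]: Accepted password for jg from 203.0.113.9 port 52012 ssh2'
        # the owner mistyping once from home, then logging in
        echo 'Nov  8 07:45:02 box sshd[4555]: Failed password for jg from 192.0.2.7 port 50213 ssh2'
        echo 'Nov  8 07:45:09 box sshd[4555]: Accepted password for jg from 192.0.2.7 port 50213 ssh2'
    } > "$f"
    echo "$f"
}
```

Run it against the real file with `failed_logins_by_source /var/log/auth.log` and `accepted_from_brute_forcers /var/log/auth.log 50`. Read the log from the rescue-disk mount rather than on the running box for the same reason as the crontab files: a rootkit that hides its processes can just as easily have trimmed the lines that would show its login.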



  18. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    On Sat, 11 Nov 2006 19:20:31 GMT, Peter Pearson
    wrote:

    >On Sat, 11 Nov 2006 11:29:28 GMT, no@emails.thx wrote:
    >> On 10 Nov 2006 21:34:25 -0800, "jg" wrote:
    >>>To be on the safe side though, I'm taking this server off line and
    >>>replacing it with another one for the time being until I figure out
    >>>what is going on. As of now it is still rebooting at 9:00 AM.

    >>
    >> That's a good precaution anyway. One of the first things I'd try is to
    >> set the time of the server back by 1 hour and see if it reboots next
    >> time at the real 09:00 or the server's 09:00... then you will know if
    >> it is something being triggered on the server or an external force,
    >> perhaps linked to the power supply etc.

    >
    >Cute suggestion.
    >
    >My guess is that when winter arrived, JG turned on his
    >heating system. At 9AM, the heat pump kicks on so that his
    >kitchen will have time to get nice and warm by the time he
    >gets out of bed, and the startup transient in the compressor
    >motor creates a half-second brownout that triggers a
    >power-failure reaction in his PC.


    Yeah - some external force seems logical. I had a similar situation
    with a client whose server rebooted in the late afternoon ..
    coincidentally about the same time as the delivery van turned up and
    they hit the rusty old knife-switch to open the shutter doors! ;o) A
    decent UPS fixed the problem.

    Chris R.

  19. Re: HELP! I've been had! Someone hacked into my Linux box. What now?


    no@emails.thx wrote:
    > On Sat, 11 Nov 2006 19:20:31 GMT, Peter Pearson
    > wrote:
    >
    > >On Sat, 11 Nov 2006 11:29:28 GMT, no@emails.thx wrote:
    > >> On 10 Nov 2006 21:34:25 -0800, "jg" wrote:
    > >>>To be on the safe side though, I'm taking this server off line and
    > >>>replacing it with another one for the time being until I figure out
    > >>>what is going on. As of now it is still rebooting at 9:00 AM.
    > >>
    > >> That's a good precaution anyway. One of the first things I'd try is to
    > >> set the time of the server back by 1 hour and see if it reboots next
    > >> time at the real 09:00 or the server's 09:00... then you will know if
    > >> it is something being triggered on the server or an external force,
    > >> perhaps linked to the power supply etc.

    > >
    > >Cute suggestion.
    > >
    > >My guess is that when winter arrived, JG turned on his
    > >heating system. At 9AM, the heat pump kicks on so that his
    > >kitchen will have time to get nice and warm by the time he
    > >gets out of bed, and the startup transient in the compressor
    > >motor creates a half-second brownout that triggers a
    > >power-failure reaction in his PC.

    >
    > Yeah - some external force seems logical. I had a similar situation
    > with a client whose server rebooted in the late afternoon ..
    > coincidentally about the same time as the delivery van turned up and
    > they hit the rusty old knife-switch to open the shutter doors! ;o) A
    > decent UPS fixed the problem.
    >
    > Chris R.


    That would be hilarious... However, as far as I can recall, there is
    no power surge at my place at 9:00 AM. Granted I'm typically not home
    at 9:00 AM. (Except for the one day that it did not reboot... hmmm?
    Coincidence?) Maybe I should have a talk with the wife!


  20. Re: HELP! I've been had! Someone hacked into my Linux box. What now?

    "jg" (06-11-10 11:57:01):

    > Also, what can I do in the future to prevent something like this from
    > happening again? I thought my passwords were pretty secure... but I
    > guess I was mistaken. I cannot really do a private/public key since I
    > need access to my box from multiple locations. Also, is this more
    > secure?


    All other questions have been answered, so I'd like to answer this last
    one. Yes, public key authentication is much more secure than password
    authentication. People need your private key to be able to authenticate
    themselves. Why is this a problem for the attacker?

    Firstly, the people have to know your public key to be able to recover
    your private key at all. If they don't know it, they've lost. However,
    the whole point of public key cryptography is that your public key
    _is_ known to the public. So obviously, even with the knowledge of your
    public key, it is hard to recover your private key; much harder than
    guessing a password with 30 random characters.

    The fact that your public key may be published without worries, and
    since the server really only needs to know your public key to
    authenticate you, brings one major advantage: You can use the same key
    to authenticate to arbitrarily many servers. You don't need a separate
    key for every server.

    In other words: It's not only more secure, it's even much easier. Just
    take your private key with you. Place it on a USB stick and carry that
    one on your key-chain. You'll still want to encrypt it (in easier
    words: protect it with a passphrase), in case you lose it. The key
    generator (ssh-keygen) asks for a passphrase anyway, so you don't just
    press Return.


    Regards,
    E.S.
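Bill Marcum's post (no root login over ssh, a port other than 22, sudo or su from a normal account) and E.S.'s post (passphrase-protected key instead of a password) together describe an sshd_config. The script below is an added example for this thread, not code from any poster or from OpenSSH; it audits a config file for those settings and compares a weak config with a hardened one. Both sample configs are constructed. The defaults it assumes for absent keys are OpenSSH's current ones (PermitRootLogin defaults to prohibit-password on current releases; 2006-era releases defaulted it to yes), and it reads only the global, first-occurrence value, ignoring Match blocks.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# settings recommended above (no root login over ssh, key-only auth, a port
# other than 22) and show a weak config beside a hardened one. The defaults
# assumed for absent keys are OpenSSH's: PermitRootLogin defaults to
# prohibit-password on current releases (it was "yes" on 2006-era ones),
# PasswordAuthentication and PubkeyAuthentication to yes, Port to 22.
# Match blocks are not evaluated; only the global first-occurrence value is.

# effective_setting FILE KEY -> value sshd would use (first occurrence wins)
effective_setting() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    case "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" in
        permitrootlogin)        echo prohibit-password ;;
        passwordauthentication) echo yes ;;
        pubkeyauthentication)   echo yes ;;
        port)                   echo 22 ;;
        *)                      echo "" ;;
    esac
}

# audit_sshd_config FILE -> one finding per line; prints nothing when clean
audit_sshd_config() {
    f=$1
    [ "$(effective_setting "$f" PermitRootLogin)" = "no" ] \
        || echo "PermitRootLogin is not 'no': log in as a user and use sudo/su"
    [ "$(effective_setting "$f" PasswordAuthentication)" = "no" ] \
        || echo "PasswordAuthentication is not 'no': guessing runs stay possible"
    [ "$(effective_setting "$f" PubkeyAuthentication)" = "yes" ] \
        || echo "PubkeyAuthentication is not 'yes': keys cannot be used"
    [ "$(effective_setting "$f" Port)" != "22" ] \
        || echo "Port is 22: the port every scanner tries first"
}

count_findings() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

# Constructed configs: the weak one is what many installs of the day shipped
# with; the hardened one follows the thread's advice.
make_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config.weak" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$dir/sshd_config.hardened" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers jg
EOF
    echo "$dir"
}
```

Order matters when switching over: generate the key pair with `ssh-keygen` (it prompts for the passphrase E.S. describes), install the public key in `~/.ssh/authorized_keys` on the server, confirm a key login works from a second terminal, and only then set PasswordAuthentication to no and restart sshd. Moving off port 22 cuts the log noise from scanners, not the attack surface; the key-only setting is what actually ends the guessing.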
