Re: Got hacked?

Author: Jon M. Hanson
Date:  
To: Main PLUG discussion list
Subject: Re: Got hacked?
Darrin Chandler wrote:
> On Thu, Feb 22, 2007 at 09:15:27PM -0700, Jim wrote:
>
>> Last night I came home from work and sat down at the computer. I
>> noticed the lights on the DSL router were blinking very rapidly. I have
>> an ftp server running on my linux box (Slackware 10.2). So I thought
>> someone might have been uploading something.
>>
>> Ftpwho showed no users logged in. I checked the incoming directory and
>> saw nothing there.
>>
>> Tcpdump showed me that they were sending something using ssh.
>>
>> I used find to look for anything they might have been uploading, but
>> found nothing.
>>
>> /var/log/syslog contained the following over and over for about 4 hours
>> before I got home
>>
>> Feb 22 20:43:56 ladmo smbd[6375]: [2007/02/22 20:43:56, 0]
>> printing/print_cups.c:cups_cache_reload(85)
>> Feb 22 20:43:56 ladmo smbd[6375]: Unable to connect to CUPS server
>> localhost - Connection refused
>>
>> Then I found in /var/log/syslog this over and over
>>
>> Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow
>> information for NOUSER
>>
>> I stopped sshd and edited /etc/sshd_config by adding the following:
>> AllowUsers root jim
>> AllowGroups root
>>
>> To test the change, I tried to log into the server via ssh and using
>> another account. It wouldn't let me log in using that other account via
>> ssh.
>>
>> I also tried
>> find / -mmin 1200 -size +100k
>> and without the size option, but found nothing from the time this was
>> going on.
>>
>> After all this I tried to send an email, but sendmail wasn't working. I
>> backed up my sendmail config files, uninstalled sendmail, reinstalled it
>> and restored the config files. Sendmail worked after that.
>>
>> Is there anything else I should do?
>>
>
> Look for root kits. Reinstall?
>
> Stop all services that you don't actively use. For the remainder,
> consider restricting them to your local network (CUPS, etc).
>
> If you have a home network, consider plugging your DSL modem directly
> into one PC and using that as a firewall machine. Yes, you can also use
> it as a desktop if you need.
>
> Is there a compelling reason you need password authentication for ssh?
> It's very easy to generate public keys and use those. You can even keep
> one on a thumb drive to use if you have to. Then turn OFF password
> authentication (PasswordAuthentication no) in your sshd_config.
>
>

I'm guessing they got in through some kind of guest account you have
setup (but maybe didn't know about) or another common account name with
a weak password. I constantly watch my system logs and several times a
week I'll get a ton of attempts to try to brute force passwords to
various accounts through SSH.


-- 
Jon M. Hanson (N7ZVJ)
Homepage:  http://the-hansons-az.net
Weblog:    http://the-hansons-az.net/wordpress
Jabber IM: 

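An added example, not part of the thread: a small Python script that parses syslog lines in the format Jim quoted, counts failed SSH logins per source address (including attempts against non-existent users, the pattern behind the "NOUSER" errors), and flags sources that exceed a threshold. The log lines, account names and addresses below are constructed samples, not from the original mail.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log: the first NOUSER line mirrors the one quoted in
# the thread; the "Failed password" lines use OpenSSH's standard wording.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow information for NOUSER
Feb 21 22:11:14 ladmo sshd[26255]: Failed password for invalid user guest from 192.0.2.10 port 51234 ssh2
Feb 21 22:11:19 ladmo sshd[26257]: error: Could not get shadow information for NOUSER
Feb 21 22:11:19 ladmo sshd[26257]: Failed password for invalid user test from 192.0.2.10 port 51240 ssh2
Feb 21 22:11:24 ladmo sshd[26259]: Failed password for invalid user admin from 192.0.2.10 port 51251 ssh2
Feb 21 22:12:02 ladmo sshd[26263]: Failed password for jim from 198.51.100.7 port 40022 ssh2
Feb 21 22:12:30 ladmo sshd[26270]: Accepted publickey for jim from 198.51.100.7 port 40030 ssh2
Feb 22 20:43:56 ladmo smbd[6375]: Unable to connect to CUPS server localhost - Connection refused
"""

# Classic syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")
NOUSER_RE = re.compile(r"Could not get shadow information for NOUSER")

def parse_syslog_line(line):
    """Return a dict of the syslog fields, or None if the line doesn't match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def summarize_ssh_auth(log_text):
    """Count failed sshd logins per source IP, the user names tried that do
    not exist on the box, and the NOUSER shadow errors."""
    failures_by_ip = Counter()
    invalid_users_by_ip = defaultdict(set)
    nouser_errors = 0
    for line in log_text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None or rec["prog"] != "sshd":
            continue  # other daemons (smbd, etc.) are not auth events
        if NOUSER_RE.search(rec["msg"]):
            nouser_errors += 1
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            failures_by_ip[m["ip"]] += 1
            if m["invalid"]:
                invalid_users_by_ip[m["ip"]].add(m["user"])
    return {"failures_by_ip": dict(failures_by_ip),
            "invalid_users_by_ip": {ip: sorted(u) for ip, u in invalid_users_by_ip.items()},
            "nouser_errors": nouser_errors}

def brute_force_sources(summary, threshold=3):
    """Source addresses with at least `threshold` failed logins."""
    return sorted(ip for ip, n in summary["failures_by_ip"].items() if n >= threshold)

if __name__ == "__main__":
    s = summarize_ssh_auth(SAMPLE_LOG)
    print(s)
    print("likely brute-force sources:", brute_force_sources(s))
```

Run it against /var/log/messages (or wherever Slackware's syslog sends sshd output) instead of SAMPLE_LOG to get the same summary for a real box; the flagged addresses are what a firewall rule or a tool like the log watchers Jon mentions would act on.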

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss