Hacked, now trying to disinfect

Discussion in 'Linux Networking' started by joe t., Aug 1, 2007.

  1. joe t.

    joe t. Guest

    Yeah, i know, it can't happen in Linux. But it has been happening to
    our work servers for several months.

    Due to poor security practices of the past catching up to us, three of
    our servers (www,mail, and internal business software) got hacked
    into, and now there's some bug installed that monitors and logs ssh
    logins. It writes login information to /etc/host.

    The www and mail servers are running FC6 and Cent4.4, respectively,
    and the other is running Slack 10. Suggesting a different distro for
    the Slackware box isn't an option at this point. The software that
    runs on it is 20+ years old and barely runs even on that OS. The
    others seem to work fine aside from the password logger and any other,
    more subtle infections present.

    i've been looking around, and can't find any references to "/etc/
    host" (most links refer to the valid "/etc/hosts" or "host.conf" or
    "host.allow/deny" ... Does anyone have any info on this type of
    logger? It's clear enough that whoever is doing this is managing to
    catch other credentials beyond just the ssh sessions, and the worst
    actual damage we've seen has been creating phishing pages. We're
    trying to beef up security, but now it's an even steeper uphill battle
    with the enemy already inside.

    Any help or info on this type of attack would be appreciated.
    -joe t.
     
    joe t., Aug 1, 2007
    #1
    1. Advertisements

  2. joe t.

    Dave Uhring Guest

    Sure it can. Most, probably all, Linux distros are shipped with *root*
    login enabled in sshd. If you expose such a system to the Internet you
    are almost certain to get successfully attacked.
    Any of that effort is futile. Backup what good data you have and
    reinstall, this time blocking root ssh login.
     
    Dave Uhring, Aug 1, 2007
    #2
    1. Advertisements

  3. joe t.

    Unruh Guest

    Of course it can happen. The usual way is for your password to get hacked
    from one of your users. There are password bots out there whcih try to
    attack ssh with a guessing attack.
    Yup. The best thing to do now is to a) backup your data, b) do a complete
    reformat and reinstall, and c) Do a scan of all of the backups looking for
    suid programs.d( change all passwords.ALL.
    The hacker knows them all . And once you have done that only then let the
    machines back on the net.


    No they will just grab filenames that look innocuous. Mine had a
    /tmp/banana, /dev/cron, and various other files as suid root shells.
    (I got broken into because I used telnet and some of my users were in Korea
    and got sniffed)
    If you want make a system backup that you can study, but first get things
    back on track.
     
    Unruh, Aug 2, 2007
    #3
  4. joe t.

    Unruh Guest

    Now that is nonesense. You will get attacked, but with a proper password,
    the guessing can go on forever.
     
    Unruh, Aug 2, 2007
    #4
  5. joe t.

    CptDondo Guest

    Not forever. I had a "strong password" on a system I installed. The
    sysadmin failed to notice an attack that started on a Friday afternoon;
    by Sunday the system had been compromised. The attack used a
    coordinated approach from compromised machines in Romania and Korea, mostly.

    Unfortunately the sysadmin also removed the local firewall on that
    machine as they had just installed a new hardware firewall, which did
    not include a rate-limiter for ssh connections.

    *Any* machine can be compromised, given slack enough security in other
    areas, even with a strong password, if your pipe is big enough, your CPU
    fast enough, and you don't rate-limit new connections.
     
    CptDondo, Aug 2, 2007
    #5
  6. joe t.

    Randy Yates Guest

    Either they got lucky or your password wasn't that strong.
    Here's how I calculated it.

    A strong password should be immunune to dictionary attacks. In such a
    case, the number of possibilities in an exhaustive search assuming an
    8-character password is (52+10+10)^8 = 7.2.E14 password guesses,
    assuming 10 symbols are available in addition to 52 letters and 10 numbers.

    Now let's assume the machine had a 100 Mbit/sec connection to the internet,
    and let's assume that it takes 10 bytes to query and 10 bytes to respond
    to the sshd server with a username/password. That means you can make
    100E6 / (20*8) = 625000 username/password attempts per second.

    Assume the password is guessed in 1/100 of the total possible
    attempts. Then it would take

    (7.22E14 / 100) [password guesses] * 1 sec / (625000 [password guesses])
    = 133 days

    to guess.

    Have I reasoned something incorrectly? If anything, I think I erred
    on the side of the hacker.
    --
    % Randy Yates % "Midnight, on the water...
    %% Fuquay-Varina, NC % I saw... the ocean's daughter."
    %%% 919-577-9882 % 'Can't Get It Out Of My Head'
    %%%% <> % *El Dorado*, Electric Light Orchestra
    http://home.earthlink.net/~yatescr
     
    Randy Yates, Aug 2, 2007
    #6
  7. joe t.

    Unruh Guest

    I am sorry, but you can only try about 2 passwords per second. Two days is
    4x10^5 trials. That is very small even of a 8 character password ( andall
    current systems allow an arbitrary length). even at only 40 character, that
    is about 10^13 passwords. A strong one would be a random selection so in 2
    days the chances of breaking it is 10^-8. Ie, you should consider entering
    the lottery.

    The ssh daemon/pam daemon is not that fast.
    10^8 trials per second means you have a terabit network connection to
    Romania and Korea. Pretty good.
     
    Unruh, Aug 2, 2007
    #7
  8. joe t.

    Axel Werner Guest

    do not disinfect. save/rescue any important data and configurations (no
    binaries!!!!! ASCII configs only, no scripts neither!) and better
    reinstall the whole system. the chance to get back a clean system from a
    hacked one is small and sometimes nearly impossible.

    it usualy is easier , safer and faster to reinstall the whole system
    with TRUSTED Installation-Media, Sources and with higher security policies.

    then also install and maintenance a host based IDS or some programm that
    tracks changes to important system areas and files in there.. like
    tripwire and similar.

    thats just my recommentations.
     
    Axel Werner, Aug 2, 2007
    #8
  9. joe t.

    joe t. Guest

    That's what i thought would end up being the case. i appreciate
    everyone's responses. Looks like a long weekend ahead.
    -joe t.
     
    joe t., Aug 2, 2007
    #9
  10. V Wed, 01 Aug 2007 23:39:58 -0400, Randy Yates napsal(a):
    Well,they got lucky. The password was *not* a dictionary password, and
    was composed of upper and lower case letters. Not entirely random, but
    still pretty strong.

    My point is, don't bet security on luck.....

    That's the only time a system I've worked on got hacked. Multiple layers,
    multiple defenses - but I learned and now disable root logins by default
    on any exposed system. What I really would like to see is a two-password
    option for root, with a timeout for entering the second password and a
    timed lockout if multiple attemps fail.

    I actually tested that password with JtR and it came up as pretty good....

    --Yan
     
    Captain Dondo, Aug 2, 2007
    #10
  11. If you can, don't use a password at all. Configure the ssh server to
    allow only public key authentication.

    Scott
     
    Scott Hemphill, Aug 2, 2007
    #11
  12. joe t.

    Randy Yates Guest

    It's all a matter of luck - the question is, to what degree?

    Hey, thanks for sharing your incident. ANY source of information
    I get on linux hacks is worth gold to me. Thanks again.
    --
    % Randy Yates % "Midnight, on the water...
    %% Fuquay-Varina, NC % I saw... the ocean's daughter."
    %%% 919-577-9882 % 'Can't Get It Out Of My Head'
    %%%% <> % *El Dorado*, Electric Light Orchestra
    http://home.earthlink.net/~yatescr
     
    Randy Yates, Aug 2, 2007
    #12
  13. joe t.

    CptDondo Guest

    It sucks to get hacked, especially since I spent hours with them and
    their ISP on the phone and via email dealing with it - then they
    canceled their support contract...

    So now I'm a lot more careful. I like my beer money. :)

    --Yan
     
    CptDondo, Aug 2, 2007
    #13
  14. joe t.

    Randy Yates Guest

    So that I can ensure I learn from your lesson the easy way, would you
    say that the root (no pun intended) cause is that your password was
    too short? Or would you say that it is because you left root ssh
    access open?

    Even if you closed up root ssh access, I don't see what would stop
    someone from gaining user-level ssh access, and once they had user-level
    ssh access, they could download a root password guesser that would run
    MUCH more quickly on the machine itself (as the user). No? What's to
    keep this from happening?
    --
    % Randy Yates % "Bird, on the wing,
    %% Fuquay-Varina, NC % goes floating by
    %%% 919-577-9882 % but there's a teardrop in his eye..."
    %%%% <> % 'One Summer Dream', *Face The Music*, ELO
    http://home.earthlink.net/~yatescr
     
    Randy Yates, Aug 2, 2007
    #14
  15. joe t.

    Dave Uhring Guest

    The difficulty of guessing a user's password is the same as guessing
    root's and with a lesser reward for success. In addition the attacker
    must also guess a legitimate username whereas the name root is always
    there - well, almost always.
     
    Dave Uhring, Aug 2, 2007
    #15
  16. joe t.

    Randy Yates Guest

    Right. Those things are fairly obvious, but once he gains user access,
    then isn't it MUCH easier to get access to root?

    Also, the OP's lesson leads me to believe that assigning ssh to a
    different port number is not worth too much security-wise. If the
    access rate to the machine is fast enough, all 65536 ports could be
    scanned first for a hot ssh connection in a matter of minutes or even
    seconds, no?
    --
    % Randy Yates % "With time with what you've learned,
    %% Fuquay-Varina, NC % they'll kiss the ground you walk
    %%% 919-577-9882 % upon."
    %%%% <> % '21st Century Man', *Time*, ELO
    http://home.earthlink.net/~yatescr
     
    Randy Yates, Aug 2, 2007
    #16
  17. joe t.

    Randy Yates Guest

    Also, it's much more likely that the username will susceptible to
    a dictionary attack.
    --
    % Randy Yates % "Bird, on the wing,
    %% Fuquay-Varina, NC % goes floating by
    %%% 919-577-9882 % but there's a teardrop in his eye..."
    %%%% <> % 'One Summer Dream', *Face The Music*, ELO
    http://home.earthlink.net/~yatescr
     
    Randy Yates, Aug 2, 2007
    #17
  18. joe t.

    Unruh Guest

    And I strongly suspect it was NOT brute forcing the root password that got
    them in. Probably some sniffed password of a user got them in, and then
    they went up to root from there.
    I would bet secutity on a 1/100000000 chance anyday.

    VEry bad idea. That opens you up to a DOS attack so suddenly you can no
    longer log on as root at all. This they do after they have gotten in, so it
    is impossible for you to rescue the system.

    ??? As I said, I suspect is was NOT password brute forcing.
     
    Unruh, Aug 2, 2007
    #18
  19. joe t.

    Unruh Guest

    who is "they"? This was a remote machine? Owned by someone else? Then I
    suspect it was via them that the hackers got in.
     
    Unruh, Aug 2, 2007
    #19
  20. joe t.

    Unruh Guest

    I do not believe it was either or those, but there is not enough info to
    tell me what it was.

    Once the cracker gets onto the machine, the probability of a root break
    goes way way up. You must keep them out first of all.
     
    Unruh, Aug 2, 2007
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.