Hacked, now trying to disinfect

Discussion in 'Linux Networking' started by joe t., Aug 1, 2007.

  1. Randy Yates

    Are there some good (linux) security sites that can be read/studied to
    identify and characterize the most common hacks on linux and take
    appropriate defensive action?
    % Randy Yates % "Though you ride on the wheels of tomorrow,
    %% Fuquay-Varina, NC % you still wander the fields of your
    %%% 919-577-9882 % sorrow."
    %%%% <> % '21st Century Man', *Time*, ELO
    Randy Yates, Aug 2, 2007

  2. Dave Uhring

    There is *no* dictionary attack required for the root account and the
    ease of cracking root's password is the same as for a user. Now how
    difficult is that to understand?

    Have you ever examined the logs of some of those ssh attacks?
    Dave Uhring, Aug 2, 2007

  3. Unruh

    A) Make sure that you keep your system up to date with all of the security
    updates for all programs on your system. Linux is a moving target because
    once security holes are found they are closed. But that is only if you keep
    up to date.
    B) Make sure that everyone has good passwords. Use the libcrypt checker.
    Make sure your users realise the importance of strong passwords.
    Unruh, Aug 2, 2007
  4. Unruh

    Either you are very confused or you express yourself badly.
    Dictionary attacks are always the first choice of the attacker. People tend
    to choose words as passwords, and any cracker would be an idiot to launch a
    full scale brute force without doing dictionary first.
    And users are more likely to use easy words simply because they are not as
    security conscious.
    Unruh, Aug 2, 2007
  5. Randy Yates

    What you say is absolutely true, just like it is true that the
    distance from JFK to my sister-in-law's house in Bangalore,
    India, is greater than the distance from JFK to the Bangalore

    However, the DIFFERENCE between the two is relatively small.
    % Randy Yates % "So now it's getting late,
    %% Fuquay-Varina, NC % and those who hesitate
    %%% 919-577-9882 % got no one..."
    %%%% <> % 'Waterfall', *Face The Music*, ELO
    Randy Yates, Aug 2, 2007
  6. Dave Uhring

    I was discussing the attack against user account *names* there. No
    attack can succeed even against a user account unless the attacker can
    first guess a valid account name. The root name requires no guessing.

    In *every* attack recorded in my log the root account was attacked first.
    And no, I cannot post the log since it was rotated out long ago. In
    addition to disabling root login I also have enabled tcpwrappers on sshd
    to limit, indeed put an end to, the ssh attacks.
    Again, the usernames must be guessed, at least those which have shells.
    After failure to attack root the typical attack goes after usual system
    accounts, which gets them nowhere without a shell. Next they go after
    common names in what one might describe as a dictionary attack against
    user account names.

    Your order of attack is bass ackwards from reality.

    The question applies also to you, Bill.
    Dave Uhring, Aug 2, 2007
  7. Andy Furniss

    There is something called port knocking, where your ssh port is closed
    by iptables until you try the correct sequence of other ports first.

    Andy Furniss, Aug 3, 2007
  8. Unruh

    Well, that is not true in my logs. They try a whole bunch of user type
    accounts first, and then do a determined attack on root.
    tcpwrapper helps not at all if you need to log onto your system from all
    over the world.

    Sure, and I have seen it happen in the opposite order as well.

    Depends on whose bass we are talking about.

    Unruh, Aug 3, 2007
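Added example, not from any post in this thread: a small Python analyzer over a constructed sshd log excerpt that recovers, per source address, the order in which usernames were tried (the "root first" versus "users first" disagreement above), how many failures hit root or nonexistent accounts, and which sources cross a failure threshold, the sort of list one would feed into the tcpwrappers deny rule mentioned earlier. The host name, addresses and log lines are all made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log excerpt in syslog format; host name and addresses are made up.
SAMPLE_LOG = """\
Aug  3 02:14:01 mail sshd[4011]: Failed password for root from 203.0.113.5 port 4431 ssh2
Aug  3 02:14:03 mail sshd[4011]: Failed password for root from 203.0.113.5 port 4431 ssh2
Aug  3 02:14:07 mail sshd[4013]: Failed password for invalid user admin from 203.0.113.5 port 4440 ssh2
Aug  3 02:14:11 mail sshd[4015]: Failed password for invalid user oracle from 203.0.113.5 port 4452 ssh2
Aug  3 02:15:30 mail sshd[4020]: Failed password for invalid user test from 198.51.100.9 port 5010 ssh2
Aug  3 02:15:34 mail sshd[4022]: Failed password for root from 198.51.100.9 port 5012 ssh2
Aug  3 02:16:00 mail sshd[4030]: Accepted publickey for joe from 192.0.2.44 port 6001 ssh2
"""
# sshd adds "invalid user" only when the account does not exist, which separates
# username guessing from password guessing against a real account.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text):
    """One (ip, user, account_exists) tuple per failed password attempt, in log order."""
    found = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            found.append((m.group("ip"), m.group("user"), m.group("invalid") is None))
    return found

def attack_order(log_text):
    """Per source address, the distinct usernames tried, in first-seen order."""
    order = defaultdict(list)
    for ip, user, _ in parse_failures(log_text):
        if user not in order[ip]:
            order[ip].append(user)
    return dict(order)

def summarize(log_text):
    """How much of the noise targets root, and how much is guessing at account names."""
    fails = parse_failures(log_text)
    return {
        "total": len(fails),
        "root": sum(1 for _, user, _ in fails if user == "root"),
        "nonexistent_accounts": sum(1 for _, _, exists in fails if not exists),
        "per_ip": Counter(ip for ip, _, _ in fails),
    }

def deny_candidates(log_text, threshold):
    """Sources with at least `threshold` failures, e.g. input for a hosts.deny entry."""
    return sorted(ip for ip, n in summarize(log_text)["per_ip"].items() if n >= threshold)
```

On real logs, feed the output of `grep sshd /var/log/auth.log` (or `/var/log/secure`) to these functions instead of SAMPLE_LOG.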
  9. Dave Uhring

    With your own system you can more easily enforce good passwords on
    yourself. It's somewhat more difficult with a system with many users, at
    least not without accusations of being a dictatorial bastard.
    Regardless of the order in which it occurs, an attack against a user
    account, at least one with a good password is more difficult than an
    attack against root. The attacker has to guess the user's name; he
    already knows "root".
    How many times was the account 'bunruh' or whatever you use actually
    guessed and attacked?
    Dave Uhring, Aug 3, 2007
  10. Randy Yates

    The point I was making earlier about the difference being quite small
    could be valid or invalid depending on the operation of sshd.

    If the sshd provides a method to determine when an invalid username is
    issued independent of the password (for example, if it immediately
    rejects the login attempt if an invalid username is entered), then the
    worst-case time to crack is (Nu + Np)*T, where Nu is the number of
    username combinations, Np is the total number of password
    combinations, and T is the time to query.

    However, if the username and password are required together
    simultaneously, then the worst-case time to crack is Nu*Np*T.

    I think most authentication systems these days do the latter, so
    the difference between cracking root and cracking a general
    username is significant.
    % Randy Yates % "The dreamer, the unwoken fool -
    %% Fuquay-Varina, NC % in dreams, no pain will kiss the brow..."
    %%% 919-577-9882 %
    %%%% <> % 'Eldorado Overture', *Eldorado*, ELO
    Randy Yates, Aug 3, 2007
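Using the symbols of the post above, the ratio of the two worst cases makes the size of the difference explicit (added derivation, not part of the original post):

$$
\frac{N_u N_p T}{(N_u + N_p)\,T} = \frac{N_u N_p}{N_u + N_p} = \frac{N_u}{1 + N_u / N_p}
$$

When the password space is much larger than the username space ($N_p \gg N_u$) the ratio is approximately $N_u$, so requiring username and password together multiplies the attacker's worst case by roughly the number of username candidates. For root the name is known, so $N_u = 1$ and both expressions reduce to about $N_p T$: the independent-rejection case gives $(1 + N_p)T$ and the combined case gives exactly $N_p T$.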
  11. Dave Uhring

    The improper login is rejected -after- both username and password are
    Which is the reason IME that root always gets attacked first.
    Dave Uhring, Aug 3, 2007
  12. joe t.

    In my case, it was none of the above. A friend secured the system,
    disabling root ssh access, the root password once you are in as a
    regular user was strong, and only SSH2 was available for connections.
    it's possible they might have guessed the low-level account
    credentials, but i haven't seen evidence of that. 7-character
    password, mix of letters, numbers, and punctuation, no dictionary
    variants. Anyway, it only happened after SELinux was disabled to test
    qmail for reasons why our email distribution aliases weren't working.
    It was left disabled (not me!) and within days was hacked. i don't
    know point of entry in this case.
    joe t., Aug 3, 2007
  13. Chris Davies

    It appears to knock out a significant number of automated probes, so I'd
    still recommend it as a first line of defence. (Port knocking may help,
    too, if you really need open ssh.)

    Chris Davies, Aug 3, 2007
  14. Joern Bredereck

    Why don't you just use RSA keys for SSH?
    Joern Bredereck, Aug 3, 2007
  15. Unruh

    "My own system" has loads of users who all need to log in from all over the

    User's names are usually easy to discover or sniff.

    With x ( a large number) of users, finding one of them is not that hard.

    And since for most people their email address on a linux system is also
    their username, it is not very hard to find the usernames.
    Unruh, Aug 3, 2007
  16. Guest

    | The www and mail servers are running FC6 and Cent4.4, respectively,
    | and the other is running Slack 10. Suggesting a different distro for
    | the Slackware box isn't an option at this point. The software that
    | runs on it is 20+ years old and barely runs even on that OS. The
    | others seem to work fine aside from the password logger and any other,
    | more subtle infections present.

    My general suggestion without knowing the details of your setup, which
    I won't know unless I am on-site and examining things, is to save all
    the data and applications and re-install from scratch after wiping out
    the disks. You can keep the same distribution. All that you have used,
    when installed and configured properly, with a few package upgrades, are
    safe and secure at least from outsiders.

    | i've been looking around, and can't find any references to "/etc/
    | host" (most links refer to the valid "/etc/hosts" or "host.conf" or
    | "host.allow/deny" ... Does anyone have any info on this type of
    | logger? It's clear enough that whoever is doing this is managing to
    | catch other credentials beyond just the ssh sessions, and the worst
    | actual damage we've seen has been creating phishing pages. We're
    | trying to beef up security, but now it's an even steeper uphill battle
    | with the enemy already inside.

    They could have completely infected the daemons and libraries. Available
    root kits are next to impossible to remove when accessing via programs
    that are already infected, or even in general. Wipe off and re-install
    is the only sure answer, for any OS.
    Guest, Aug 8, 2007
  17. Guest

    | Unruh wrote:
    |>> On Wed, 01 Aug 2007 21:07:45 +0000, joe t. wrote:
    |>>> Yeah, i know, it can't happen in Linux. But it has been happening to our
    |>>> work servers for several months.
    |>> Sure it can. Most, probably all, Linux distros are shipped with *root*
    |>> login enabled in sshd. If you expose such a system to the Internet you
    |>> are almost certain to get successfully attacked.
    |> Now that is nonsense. You will get attacked, but with a proper password,
    |> the guessing can go on forever.
    | Not forever. I had a "strong password" on a system I installed. The
    | sysadmin failed to notice an attack that started on a Friday afternoon;
    | by Sunday the system had been compromised. The attack used a
    | coordinated approach from compromised machines in Romania and Korea, mostly.

    Password not strong enough? What was its complexity level?

    | Unfortunately the sysadmin also removed the local firewall on that
    | machine as they had just installed a new hardware firewall, which did
    | not include a rate-limiter for ssh connections.
    | *Any* machine can be compromised, given slack enough security in other
    | areas, even with a strong password, if your pipe is big enough, your CPU
    | fast enough, and you don't rate-limit new connections.

    And hackers dedicated enough.

    I do turn mine off, but more so the logs don't get flooded.
    Guest, Aug 8, 2007
