Gah! I think I've been cracked!


Results 1 to 15 of 15

Thread: Gah! I think I've been cracked!

  1. #1
    Join Date
    Dec 2003
    Posts
    87

    Exclamation Gah! I think I've been cracked!

    Hi all,

    I just setup Denyhosts on my linux box and I noticed a quite few weird lines in my auth.log:

    Code:
    Jun  7 14:14:34 server groupadd[10088]: new group: name=messagebus, GID=109
    Jun  7 14:14:34 server useradd[10091]: new user: name=messagebus, UID=100, GID=109, home=/var/run/dbus, shell=/bin/false
    Jun  7 14:14:34 server chage[10092]: changed password expiry for messagebus
    Jun  7 14:14:46 server groupadd[10304]: new group: name=haldaemon, GID=110
    Jun  7 14:14:46 server useradd[10305]: new user: name=haldaemon, UID=110, GID=110, home=/var/run/hal, shell=/bin/false
    Jun  7 14:14:46 server chage[10306]: changed password expiry for haldaemon
    Jun  7 14:14:47 server chfn[10307]: changed user `haldaemon' information
    Jun  7 14:14:47 server gpasswd[10309]: set members of floppy to greg,haldaemon
    Jun  7 14:14:47 server gpasswd[10311]: set members of cdrom to greg,haldaemon
    Jun  7 14:14:48 server gpasswd[10314]: set members of plugdev to greg,haldaemon
    Jun  7 14:17:01 server CRON[12606]: (pam_unix) session opened for user root by (uid=0)
    Jun  7 14:17:01 server CRON[12606]: (pam_unix) session closed for user root
    Jun  7 14:20:17 server groupadd[13326]: new group: name=gdm, GID=111
    Jun  7 14:20:17 server useradd[13329]: new user: name=gdm, UID=104, GID=111, home=/var/lib/gdm, shell=/bin/false
    Jun  7 14:20:17 server chage[13330]: changed password expiry for gdm
    Jun  7 14:20:17 server usermod[13333]: change user `gdm' GID from `111' to `111'
    Jun  7 14:20:17 server usermod[13334]: change user `gdm' shell from `/bin/false' to `/bin/false'
    ... [this happens 5 or 6 times at varying times, but nothing seems to come of it]
    Jun 20 06:25:03 server su[6020]: + ??? root:nobody
    Jun 20 06:25:03 server su[6020]: (pam_unix) session opened for user nobody by (uid=0)
    Jun 20 06:25:03 server su[6020]: (pam_unix) session closed for user nobody
    Jun 20 06:25:03 server su[6024]: + ??? root:nobody
    Jun 20 06:25:03 server su[6024]: (pam_unix) session opened for user nobody by (uid=0)
    Jun 20 06:25:03 server su[6024]: (pam_unix) session closed for user nobody
    Jun 20 06:25:03 server su[6026]: + ??? root:nobody
    Jun 20 06:25:03 server su[6026]: (pam_unix) session opened for user nobody by (uid=0)
    Jun 20 06:25:43 server su[6026]: (pam_unix) session closed for user nobody
    ... [the next section repeats a whole bunch of times with varying usernames]
    Jun 29 06:42:16 server sshd[7682]: Did not receive identification string from 202.106.213.29
    Jun 29 06:45:20 server sshd[7683]: Invalid user lpd from 202.106.213.29
    Jun 29 06:45:20 server sshd[7683]: reverse mapping checking getaddrinfo for bt-213-029.bta.net.cn failed - POSSIBLE BREAKIN ATTEMPT!
    Jun 29 06:45:20 server sshd[7683]: (pam_unix) check pass; user unknown
    Jun 29 06:45:20 server sshd[7683]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.106.213.29 
    Jun 29 06:45:23 server sshd[7683]: Failed password for invalid user lpd from 202.106.213.29 port 44073 ssh2
    First off, I've disabled the port forwarding that was letting SSH at the box, so it should be safe enough. Then again, since I forgot to install a protection system like Tripwire, and wasn't checking my logs I wouldn't take my word for it

    I believe the first set of entries happened because I installed gdm, which created the users and changed their parameters during its install, but I just want to make sure.

    The next set is what set me off - AFAIK nobody should be able to login to the nobody account. And yet in /etc/passwd the nobody account had /bin/sh as it's shell, and a shadow password... I'm still learning which users are important and which aren't, but in the meantime I've disabled that account. Has someone broken into this account?

    Last but not least, the third section I see a lot. I know everyone see this, but is there anything I can do about it? Some of the servers appear to be legit webservers.

  2. #2
    Join Date
    Mar 2005
    Location
    Singapore
    Posts
    246
    I would say there was a high likelyhood that your box was broken into based on the logs .

    [the next section repeats a whole bunch of times with varying usernames]
    That would be the final nail in the coffin for me . Usually , attackers once they have gained access , try to break into all the accounts which they can .

    But dont take completely take my word as law . Im not a computer security professional . Merely , an interested student .

    #98 +(5627)- [X]
    <ikkenai> i don't have hard drives. i just keep 30 chinese teenagers in my basement and force them to memorize numbers
    Courtesy of bash.org

  3. #3
    Join Date
    Sep 2003
    Location
    Rochester, MN
    Posts
    3,607
    I would tend to disagree. The third section is an attempt to break in, but it was rejected.

    As far as the second section goes (working backwards I guess), I checked my SSH server's logs and it has the same thing. I notice that they coincide with a CRON entry, so I suspect they're nothing to worry about, although I wouldn't mind if someone could confirm that for me.

    Don't know much about GDM, but it certainly looks like the first section is related to that.

  4. #4
    Join Date
    Aug 2005
    Posts
    4
    Have you set up SSH to use keys instead of passwords? That increases the difficulty an attacker faces by a good deal. Most automated attacks try to hit port 22, so consider running on a different port, if only to keep tons of login attempts from flooding your logs.

  5. #5
    Join Date
    Dec 2003
    Posts
    87
    There are only two users (one, if you don't count root) on this system. As far as I can see, not one of the login attempts had the correct username. Of course, if they got in and got root then they could have altered the logs.

    Yes, the server is setup with keys in place, but passwords are still enabled because I like to login with my PDA to shut the system down and it doesn't do keys I think I will change the port, just for fun.

    I suppose I should metion that I'm running Ubuntu 6.06, in case that makes a difference.

  6. #6
    Join Date
    Sep 2002
    Location
    San Antonio, TX
    Posts
    2,610
    All I see is a failed attempt. Uninstall GDM then re-install while tailing the logs
    tail -f /var/log/messages
    Edit
    or auth.log
    /Edit

    That will tell you if the first part is nothing to be concerned about. I suspect it is standard set up for GDM. For "nobody", on my system, root spawns updatedb as user nobody, and I will see user nobody running in a top session when updatedb is running.

    Install chrootkit, always a good idea. I am sure it is included in a repository somewhere, very important application.

    http://www.chkrootkit.org/ for details

    Install a firewall front end (I like firestarter), then visit
    http://scan.sygate.com/

    you are looking for complete stealth. You can use firestarter to allow a specific IP or subnet access to port 22 if desired, but better is to put ssh running on port 16309 (random number chosen from thin air) and then allow a specific IP or subnet access to ssh on that port. Disallow root SSH login, then once you get in using ssh, you can

    su - root

    if needed.

    hlrguy
    Last edited by hlrguy; 07-10-2006 at 02:46 PM.
    Were you a Windows expert the VERY first time you looked at a computer with Windows, or did it take a little time.....
    My Linux Blog
    Linux Native Replacements for Windows Programs
    Mandriva One on a "Vista Home Barely" T3640 E-Machine runs great.

  7. #7
    Join Date
    Sep 2002
    Location
    Denver
    Posts
    198

    Change your port

    Change your SSH port in the /etc/ssh/ssh.conf file to something other than 22. I used to see this same thing, but then I change the port to something else and 85% of the port scanning and random login attempts stopped. Everyone tries to login on ports 21 (FTP) and 22 (SSH) since they are the most common.
    Breath Deep and Smile!

  8. #8
    Join Date
    Dec 2003
    Posts
    87
    Installed chkrootkit .46a (in the repo!), it didn't find anything.

    I've changed the port on the SSH server, haven't seen too much of a drop, but I didnt' see many attempts before either, time will tell. Root login is disabled by default, not that I'd do that anyway - it's far too easy to 'rm -rf /' by accident

    The machine is behind a Linksys router so it probably doesn't need a firewall because there are only 3 machines on the network, all of which are secure (except for my stupidity of course :/).

    Well, since everyone here seems to think I'm ok I think I'll let this drop. Thanks for your help

  9. #9
    Join Date
    Dec 2002
    Posts
    638
    I think as long as you setup a good ssh config you should be fine.

    Disable root login, use ssh version protocol 2, and set AllowUsers in your file. You get a lot of hits... but rejects them all
    Gentoo
    folding@home: 36480

  10. #10
    Join Date
    Dec 2005
    Location
    Sydney, Australia
    Posts
    87
    Gudday Wurm,
    For host-based intrusion detection have a look at AIDE - it's a very nice tool, and simpler than tripwire.
    For general Linux hardening see www.cisecurity.com - there are Linux security scoring tools for Red Hat / FC and Mandrake, and accompanying documentation which would be largely applicable to any Linux flavour.
    I would personally set up firewalls on all your servers - if one is compromised this could help to protect the others, and it's a small amount of effort for the peace of mind that 'defence in depth' brings ;-)

    Regards,
    Hugh
    You can choose from any of a number of operating systems, or you can use Windows.

    Let he who has coded without bugs cast the first stone.

  11. #11
    Join Date
    Mar 2005
    Location
    Singapore
    Posts
    246
    Sorry for the false alarm then =)

    Make sure your rules on your router are bullet-proof . Also , there is no harm having more protection on your PCs . Firestarter is a good app , easy to configure from my previous experiences .

    Cheers ,

    X

    #98 +(5627)- [X]
    <ikkenai> i don't have hard drives. i just keep 30 chinese teenagers in my basement and force them to memorize numbers
    Courtesy of bash.org

  12. #12
    Join Date
    Dec 2003
    Posts
    87
    The rules should be ok, the firwall blocks everything except for what I specify through a simple GUI interface that's difficult to screw up. And then I can check it through the router's internal SSH key-only server.

    I'll take a look at that URL too, looks interesting.

    Thanks guys!

  13. #13
    Join Date
    Mar 2005
    Posts
    183
    Just found this HOWTO on Intrusion Detection With BASE And Snort, might help you.

  14. #14
    Join Date
    Oct 2001
    Location
    /canada/ont/windsor
    Posts
    1,499
    One of the things I do with every new Linux box is install logwatch which emails you a synapsis of all of your major logs every day via a cron job. Not good for prevention but priceless in detection. Most of the systems I set up at work get hammered daily.

    http://www2.logwatch.org:8080/

    The next thing I do is to make use of the AllowUsers directive in sshd_config (SSH server config file). Once you use that directive, only users listed after it can SSH in. Also, you can designate specific shells for users (handy if the server is an SFTP site and you restrict users to just SFTP access) I forget which file you edit but its under /etc. Anyone remember the filename offhand? Its been a which since I edited it.
    Where are we going and why am I in this handbasket?
    (No trees were killed in posting this message. However, a large number of electrons were seriously inconvenienced.)
    ----------------------------------
    Debian user since Potato
    Syngin: Web Portfolio

  15. #15
    Join Date
    Sep 2003
    Location
    Rochester, MN
    Posts
    3,607
    I think that would be /etc/passwd.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •