Gah! I think I've been cracked!



  1. #1
    Join Date
    Dec 2003
    Posts
    87

    Gah! I think I've been cracked!

    Hi all,

    I just set up Denyhosts on my linux box and I noticed quite a few weird lines in my auth.log:

    Code:
    Jun  7 14:14:34 server groupadd[10088]: new group: name=messagebus, GID=109
    Jun  7 14:14:34 server useradd[10091]: new user: name=messagebus, UID=100, GID=109, home=/var/run/dbus, shell=/bin/false
    Jun  7 14:14:34 server chage[10092]: changed password expiry for messagebus
    Jun  7 14:14:46 server groupadd[10304]: new group: name=haldaemon, GID=110
    Jun  7 14:14:46 server useradd[10305]: new user: name=haldaemon, UID=110, GID=110, home=/var/run/hal, shell=/bin/false
    Jun  7 14:14:46 server chage[10306]: changed password expiry for haldaemon
    Jun  7 14:14:47 server chfn[10307]: changed user `haldaemon' information
    Jun  7 14:14:47 server gpasswd[10309]: set members of floppy to greg,haldaemon
    Jun  7 14:14:47 server gpasswd[10311]: set members of cdrom to greg,haldaemon
    Jun  7 14:14:48 server gpasswd[10314]: set members of plugdev to greg,haldaemon
    Jun  7 14:17:01 server CRON[12606]: (pam_unix) session opened for user root by (uid=0)
    Jun  7 14:17:01 server CRON[12606]: (pam_unix) session closed for user root
    Jun  7 14:20:17 server groupadd[13326]: new group: name=gdm, GID=111
    Jun  7 14:20:17 server useradd[13329]: new user: name=gdm, UID=104, GID=111, home=/var/lib/gdm, shell=/bin/false
    Jun  7 14:20:17 server chage[13330]: changed password expiry for gdm
    Jun  7 14:20:17 server usermod[13333]: change user `gdm' GID from `111' to `111'
    Jun  7 14:20:17 server usermod[13334]: change user `gdm' shell from `/bin/false' to `/bin/false'
    ... [this happens 5 or 6 times at varying times, but nothing seems to come of it]
    Jun 20 06:25:03 server su[6020]: + ??? root:nobody
    Jun 20 06:25:03 server su[6020]: (pam_unix) session opened for user nobody by (uid=0)
    Jun 20 06:25:03 server su[6020]: (pam_unix) session closed for user nobody
    Jun 20 06:25:03 server su[6024]: + ??? root:nobody
    Jun 20 06:25:03 server su[6024]: (pam_unix) session opened for user nobody by (uid=0)
    Jun 20 06:25:03 server su[6024]: (pam_unix) session closed for user nobody
    Jun 20 06:25:03 server su[6026]: + ??? root:nobody
    Jun 20 06:25:03 server su[6026]: (pam_unix) session opened for user nobody by (uid=0)
    Jun 20 06:25:43 server su[6026]: (pam_unix) session closed for user nobody
    ... [the next section repeats a whole bunch of times with varying usernames]
    Jun 29 06:42:16 server sshd[7682]: Did not receive identification string from 202.106.213.29
    Jun 29 06:45:20 server sshd[7683]: Invalid user lpd from 202.106.213.29
    Jun 29 06:45:20 server sshd[7683]: reverse mapping checking getaddrinfo for bt-213-029.bta.net.cn failed - POSSIBLE BREAKIN ATTEMPT!
    Jun 29 06:45:20 server sshd[7683]: (pam_unix) check pass; user unknown
    Jun 29 06:45:20 server sshd[7683]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.106.213.29 
    Jun 29 06:45:23 server sshd[7683]: Failed password for invalid user lpd from 202.106.213.29 port 44073 ssh2

    First off, I've disabled the port forwarding that was letting SSH at the box, so it should be safe enough. Then again, since I forgot to install a protection system like Tripwire and wasn't checking my logs, I wouldn't take my word for it.

    I believe the first set of entries happened because I installed gdm, which created the users and changed their parameters during its install, but I just want to make sure.

    The next set is what set me off - AFAIK nobody should be able to login to the nobody account. And yet in /etc/passwd the nobody account had /bin/sh as its shell, and a shadow password... I'm still learning which users are important and which aren't, but in the meantime I've disabled that account. Has someone broken into this account?

    Last but not least, the third section I see a lot. I know everyone sees this, but is there anything I can do about it? Some of the servers appear to be legit webservers.

  2. #2
    Join Date
    Mar 2005
    Location
    Singapore
    Posts
    246
    I would say there was a high likelihood that your box was broken into based on the logs.

    [the next section repeats a whole bunch of times with varying usernames]
    That would be the final nail in the coffin for me. Usually, attackers, once they have gained access, try to break into all the accounts which they can.

    But don't completely take my word as law. I'm not a computer security professional. Merely an interested student.

    #98 +(5627)- [X]
    <ikkenai> i don't have hard drives. i just keep 30 chinese teenagers in my basement and force them to memorize numbers
    Courtesy of bash.org

  3. #3
    Join Date
    Sep 2003
    Location
    Rochester, MN
    Posts
    3,604
    I would tend to disagree. The third section is an attempt to break in, but it was rejected.

    As far as the second section goes (working backwards I guess), I checked my SSH server's logs and it has the same thing. I notice that they coincide with a CRON entry, so I suspect they're nothing to worry about, although I wouldn't mind if someone could confirm that for me.

    Don't know much about GDM, but it certainly looks like the first section is related to that.

  4. #4
    Join Date
    Aug 2005
    Posts
    4
    Have you set up SSH to use keys instead of passwords? That increases the difficulty an attacker faces by a good deal. Most automated attacks try to hit port 22, so consider running on a different port, if only to keep tons of login attempts from flooding your logs.

  5. #5
    Join Date
    Dec 2003
    Posts
    87
    There are only two users (one, if you don't count root) on this system. As far as I can see, not one of the login attempts had the correct username. Of course, if they got in and got root then they could have altered the logs.

    Yes, the server is set up with keys in place, but passwords are still enabled because I like to login with my PDA to shut the system down and it doesn't do keys. I think I will change the port, just for fun.

    I suppose I should mention that I'm running Ubuntu 6.06, in case that makes a difference.

  6. #6
    Join Date
    Sep 2002
    Location
    San Antonio, TX
    Posts
    2,607
    All I see is a failed attempt. Uninstall GDM, then re-install while tailing the logs:

        tail -f /var/log/messages

    (Edit: or auth.log)

    That will tell you if the first part is nothing to be concerned about. I suspect it is standard set up for GDM. For "nobody", on my system, root spawns updatedb as user nobody, and I will see user nobody running in a top session when updatedb is running.

    Install chkrootkit, always a good idea. I am sure it is included in a repository somewhere, very important application.

    http://www.chkrootkit.org/ for details

    Install a firewall front end (I like firestarter), then visit
    http://scan.sygate.com/

    you are looking for complete stealth. You can use firestarter to allow a specific IP or subnet access to port 22 if desired, but better is to put ssh running on port 16309 (random number chosen from thin air) and then allow a specific IP or subnet access to ssh on that port. Disallow root SSH login, then once you get in using ssh, you can

    su - root

    if needed.

    hlrguy
    Last edited by hlrguy; 07-10-2006 at 02:46 PM.
    Were you a Windows expert the VERY first time you looked at a computer with Windows, or did it take a little time.....
    My Linux Blog
    Linux Native Replacements for Windows Programs
    Mandriva One on a "Vista Home Barely" T3640 E-Machine runs great.
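The three questions in the first post (were the useradd lines an install, who opened the nobody sessions, and how much of the sshd noise matters) are exactly what a small log summariser answers. The script below is an added example of mine, not code from anyone in this thread or from Denyhosts: it parses the auth.log lines quoted above (plus two lines I constructed, marked in the code, so that the review paths have something to flag), buckets them by program, and pulls out the few facts a human should look at. The point worth knowing for the su question is in the pam_unix text itself: "session opened for user nobody by (uid=0)" means the switch was made by a root-owned process with no login name attached, which is what a cron job like updatedb looks like, whereas an interactive su records the caller's name and uid.

```python
import re
from collections import Counter

# Constructed sample input: the auth.log lines quoted in the first post, plus two lines
# I made up (the last two) to exercise the "needs review" paths. 192.0.2.10 is a
# documentation address, not a real host.
SAMPLE_LOG = """\
Jun  7 14:14:34 server groupadd[10088]: new group: name=messagebus, GID=109
Jun  7 14:14:34 server useradd[10091]: new user: name=messagebus, UID=100, GID=109, home=/var/run/dbus, shell=/bin/false
Jun  7 14:17:01 server CRON[12606]: (pam_unix) session opened for user root by (uid=0)
Jun  7 14:20:17 server useradd[13329]: new user: name=gdm, UID=104, GID=111, home=/var/lib/gdm, shell=/bin/false
Jun 20 06:25:03 server su[6020]: + ??? root:nobody
Jun 20 06:25:03 server su[6020]: (pam_unix) session opened for user nobody by (uid=0)
Jun 20 06:25:03 server su[6020]: (pam_unix) session closed for user nobody
Jun 29 06:42:16 server sshd[7682]: Did not receive identification string from 202.106.213.29
Jun 29 06:45:20 server sshd[7683]: Invalid user lpd from 202.106.213.29
Jun 29 06:45:23 server sshd[7683]: Failed password for invalid user lpd from 202.106.213.29 port 44073 ssh2
Jun 30 03:12:40 server sshd[7800]: Accepted password for greg from 192.0.2.10 port 51022 ssh2
Jun 30 03:12:44 server su[7801]: (pam_unix) session opened for user root by greg(uid=1000)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
NEW_USER_RE = re.compile(r"new user: name=(?P<name>[\w-]+), UID=(?P<uid>\d+).*shell=(?P<shell>\S+)")
# pam_unix writes "by greg(uid=1000)" for an interactive su and "by (uid=0)" when a
# root-owned process (a cron job such as updatedb) switched user with no login name.
SESSION_RE = re.compile(r"session opened for user (?P<target>[\w-]+) by (?P<by>[\w-]*)\(uid=(?P<uid>\d+)\)")
FAILED_RE = re.compile(r"Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
INVALID_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")

ACCOUNT_TOOLS = {"useradd", "userdel", "usermod", "groupadd", "groupdel", "gpasswd", "chage", "chfn", "chsh"}
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def parse_line(line):
    """Split one syslog-style auth.log line into timestamp, host, program, pid and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Coarse bucket for a parsed line, following the three sections the first post asks about."""
    prog, msg = rec["prog"], rec["msg"]
    if prog in ACCOUNT_TOOLS:
        return "account-mgmt"      # package post-install scripts (gdm, dbus, hal) look like this
    if prog == "CRON":
        return "cron"
    if prog == "su":
        return "su"
    if prog == "sshd":
        if ACCEPTED_RE.search(msg):
            return "ssh-accepted"  # the lines that actually matter: someone got in
        if FAILED_RE.search(msg) or INVALID_RE.search(msg):
            return "ssh-failed"
        return "ssh-noise"         # "Did not receive identification string", reverse-DNS warnings, etc.
    return "other"


def summarize(text):
    """Walk a log, bucket every line, and pull out the few things worth a human's attention."""
    report = {
        "categories": Counter(),
        "new_users": [],              # (name, uid, shell) from useradd
        "new_users_with_shell": [],   # same, but the shell allows interactive login
        "su_sessions": [],            # (target user, uid that switched)
        "su_needs_review": [],        # (timestamp, target, uid): not root-initiated, or became root
        "failed_by_ip": Counter(),    # failed attempts per source address
        "attempted_users": set(),     # usernames guessed by remote hosts
        "accepted": [],               # (timestamp, user, ip, method): successful SSH logins
    }
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cat = classify(rec)
        report["categories"][cat] += 1
        msg = rec["msg"]
        if cat == "account-mgmt":
            m = NEW_USER_RE.search(msg)
            if m:
                entry = (m["name"], int(m["uid"]), m["shell"])
                report["new_users"].append(entry)
                if m["shell"] not in NOLOGIN_SHELLS:
                    report["new_users_with_shell"].append(entry)
        elif cat == "su":
            m = SESSION_RE.search(msg)
            if m:
                target, uid = m["target"], int(m["uid"])
                report["su_sessions"].append((target, uid))
                if uid != 0 or target == "root":
                    report["su_needs_review"].append((rec["ts"], target, uid))
        elif cat == "ssh-failed":
            m = FAILED_RE.search(msg)
            if m:
                report["failed_by_ip"][m["ip"]] += 1   # count only the final "Failed" line per attempt
            m = m or INVALID_RE.search(msg)
            report["attempted_users"].add(m["user"])
        elif cat == "ssh-accepted":
            m = ACCEPTED_RE.search(msg)
            report["accepted"].append((rec["ts"], m["user"], m["ip"], m["method"]))
    return report


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    for cat, n in sorted(r["categories"].items()):
        print(f"{cat:14} {n}")
    for key in ("new_users_with_shell", "failed_by_ip", "attempted_users", "accepted", "su_needs_review"):
        print(f"{key}: {r[key]}")
```

Run against the real file with `summarize(open("/var/log/auth.log").read())`. On the sample, the only items that land in the review buckets are the two constructed lines: an accepted login and an interactive su to root. The thread's actual lines produce none, which matches what posts #3 and #6 concluded.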

  7. #7
    Join Date
    Sep 2002
    Location
    Denver
    Posts
    198

    Change your port

    Change your SSH port in the /etc/ssh/ssh.conf file to something other than 22. I used to see this same thing, but then I changed the port to something else and 85% of the port scanning and random login attempts stopped. Everyone tries to login on ports 21 (FTP) and 22 (SSH) since they are the most common.
    Breath Deep and Smile!

  8. #8
    Join Date
    Dec 2003
    Posts
    87
    Installed chkrootkit .46a (in the repo!), it didn't find anything.

    I've changed the port on the SSH server, haven't seen too much of a drop, but I didn't see many attempts before either, time will tell. Root login is disabled by default, not that I'd do that anyway - it's far too easy to 'rm -rf /' by accident.

    The machine is behind a Linksys router so it probably doesn't need a firewall because there are only 3 machines on the network, all of which are secure (except for my stupidity of course :/).

    Well, since everyone here seems to think I'm ok I think I'll let this drop. Thanks for your help.

  9. #9
    Join Date
    Dec 2002
    Posts
    636
    I think as long as you set up a good ssh config you should be fine.

    Disable root login, use ssh version protocol 2, and set AllowUsers in your file. You get a lot of hits... but it rejects them all.
    Gentoo
    folding@home: 36480

  10. #10
    Join Date
    Dec 2005
    Location
    Sydney, Australia
    Posts
    87
    Gudday Wurm,
    For host-based intrusion detection have a look at AIDE - it's a very nice tool, and simpler than tripwire.
    For general Linux hardening see www.cisecurity.com - there are Linux security scoring tools for Red Hat / FC and Mandrake, and accompanying documentation which would be largely applicable to any Linux flavour.
    I would personally set up firewalls on all your servers - if one is compromised this could help to protect the others, and it's a small amount of effort for the peace of mind that 'defence in depth' brings ;-)

    Regards,
    Hugh
    You can choose from any of a number of operating systems, or you can use Windows.

    Let he who has coded without bugs cast the first stone.

  11. #11
    Join Date
    Mar 2005
    Location
    Singapore
    Posts
    246
    Sorry for the false alarm then =)

    Make sure your rules on your router are bullet-proof. Also, there is no harm having more protection on your PCs. Firestarter is a good app, easy to configure from my previous experiences.

    Cheers,

    X


  12. #12
    Join Date
    Dec 2003
    Posts
    87
    The rules should be ok, the firewall blocks everything except for what I specify through a simple GUI interface that's difficult to screw up. And then I can check it through the router's internal SSH key-only server.

    I'll take a look at that URL too, looks interesting.

    Thanks guys!

  13. #13
    Join Date
    Mar 2005
    Posts
    183
    Just found this HOWTO on Intrusion Detection With BASE And Snort, might help you.

  14. #14
    Join Date
    Oct 2001
    Location
    /canada/ont/windsor
    Posts
    1,499
    One of the things I do with every new Linux box is install logwatch which emails you a synopsis of all of your major logs every day via a cron job. Not good for prevention but priceless in detection. Most of the systems I set up at work get hammered daily.

    http://www2.logwatch.org:8080/

    The next thing I do is to make use of the AllowUsers directive in sshd_config (SSH server config file). Once you use that directive, only users listed after it can SSH in. Also, you can designate specific shells for users (handy if the server is an SFTP site and you restrict users to just SFTP access). I forget which file you edit but it's under /etc. Anyone remember the filename offhand? It's been a while since I edited it.
    Where are we going and why am I in this handbasket?
    (No trees were killed in posting this message. However, a large number of electrons were seriously inconvenienced.)
    ----------------------------------
    Debian user since Potato
    Syngin: Web Portfolio
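Pulling together the sshd_config advice scattered over posts #4 (keys instead of passwords), #6 and #9 (no root login, protocol 2, a non-default port) and #14 (AllowUsers), here is an added example of mine, not code from anyone in the thread, that reads a config the way sshd does and reports which of those settings are missing or weak. Both sample configs are constructed; the account name greg comes from the gpasswd lines in the first post and 16309 is the arbitrary port from post #6. The parsing rules it mirrors are, as I understand sshd's behaviour: comments and blank lines are ignored, the first occurrence of a directive wins, AllowUsers and the other list directives accumulate across lines, and anything after a Match line is conditional and therefore not audited here.

```python
import re

# Constructed sample: roughly what a fresh-install sshd_config looks like before any of the
# thread's advice is applied. Not a file taken from the thread.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample after applying the advice from posts #4, #6, #7, #9 and #14:
# non-default port (16309 is the number post #6 picked from thin air), protocol 2 only,
# no root login, keys instead of passwords, and an explicit AllowUsers list.
HARDENED_CONFIG = """\
Port 16309
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers greg
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Directives that sshd accumulates across lines instead of taking the first occurrence.
LIST_DIRECTIVES = {"allowusers", "allowgroups", "denyusers", "denygroups"}
# "Keyword value" or "Keyword=value"; a bare keyword with no value is ignored.
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {lowercased directive: value} following sshd's first-occurrence-wins rule.

    A stray 'PermitRootLogin yes' near the top silently overrides a 'no' further down,
    which is exactly the kind of mistake an audit like this should catch.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                      # everything after a Match block is conditional
        if key in LIST_DIRECTIVES:
            cfg[key] = (cfg.get(key, "") + " " + value).strip()
        else:
            cfg.setdefault(key, value)
    return cfg


def audit(cfg):
    """Return a list of (directive, current value, recommendation); empty means all checks pass.

    An unset directive is reported too: rather than guess at the compiled-in default for a
    given OpenSSH version, require every security-relevant setting to be stated explicitly.
    """
    findings = []

    def check(key, ok, recommended):
        value = cfg.get(key)
        if value is None or not ok(value.lower()):
            findings.append((key, value if value is not None else "unset (sshd default)", recommended))

    check("permitrootlogin", lambda v: v == "no", "no (log in as a normal user, then su - root)")
    check("protocol", lambda v: v == "2", "2 (a '2,1' value still lets clients negotiate protocol 1)")
    check("passwordauthentication", lambda v: v == "no", "no (use keys)")
    check("pubkeyauthentication", lambda v: v == "yes", "yes")
    check("allowusers", lambda v: v != "", "explicit list of the accounts allowed to log in")
    check("port", lambda v: v.isdigit() and v != "22", "a non-default port (cuts log noise; not a security control by itself)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(parse_sshd_config(text))
        print(f"{name}: {len(findings)} finding(s)")
        for directive, current, recommended in findings:
            print(f"  {directive}: {current!r} -> {recommended}")
```

To audit a live host, pass `open("/etc/ssh/sshd_config").read()` to `parse_sshd_config`. If password logins have to stay on for a client that cannot do keys (the PDA case in post #5), the PasswordAuthentication finding is the one to accept knowingly; AllowUsers and PermitRootLogin no still limit what a guessed password can reach.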

  15. #15
    Join Date
    Sep 2003
    Location
    Rochester, MN
    Posts
    3,604
    I think that would be /etc/passwd.
