
Thread: "Jun" hack

  1. #31

    Re: "Jun" hack

    and away they go. Lots of subsequent references to NT_STATUS_NO_SUCH_USER, Windows SSH Client, ... So, my bad I believe, I had SSH up but allowed password-based access.
    Let's call your attacker Jun. We know that Jun logged into your box on the 25th. You found him on the 27th. Jun had two days as root to do whatever he wanted on your computer, totally unimpeded. You found a couple of processes he spawned. Odds are he did more than that.

    You never said what you use this box for. If it's anything sensitive or valuable then I would never trust that machine again until it is wiped and reimaged.
    Knock knock.
    Race condition.
    Who's there?

  2. #32

    Quote Originally Posted by marsanyi View Post
    Code:
    COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
    .sshd   4794 root  txt    REG    8,1  1223123 8655397 /usr/bin/.sshd
    .sshd   4794 root    3uW  REG    8,1        4  262150 /tmp/moni.lod
    jun     4735 root    3uW  REG    8,1        4  262147 /tmp/gates.lod
    While names don't mean anything at this stage, both .lod files reminded me of the BillGates botnet... See if you can find more anomalous files and check your logs as well (all log files). If you want to run Rootkit Hunter, please run it from CVS as the current release doesn't have the new items you want to look for. Also, as foreign files were found with owner root, I agree the host should be isolated immediately while you investigate further. BTW I would like a copy of the files. Could you please upload them here: http://sourceforge.net/p/rkhunter/support-requests/ ?
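An added triage example, not code from the thread: a small Python parser for lsof's columnar output that flags the two patterns visible in the quoted extract, a hidden dot-prefixed binary mapped from a system directory and root holding write-locked files under /tmp. The sample rows are constructed from the quoted lines plus one benign sshd row (PID and inode made up) as a control.

```python
from collections import namedtuple

# Constructed sample: the three rows quoted in the post (same names, PIDs and
# inodes) plus one benign sshd row with made-up PID/inode added as a control.
SAMPLE_LSOF = """\
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
.sshd   4794 root  txt    REG    8,1  1223123 8655397 /usr/bin/.sshd
.sshd   4794 root    3uW  REG    8,1        4  262150 /tmp/moni.lod
jun     4735 root    3uW  REG    8,1        4  262147 /tmp/gates.lod
sshd    1234 root  txt    REG    8,1   800000   12345 /usr/sbin/sshd
"""

Record = namedtuple("Record", "command pid user fd type device size node name")
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/", "/lib/")

def parse_lsof(text):
    """Parse lsof's default columnar output into Record tuples.
    Columns are padded with variable whitespace and NAME may itself contain
    spaces, so only the first eight fields are split off."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 8)
        if len(parts) == 9:
            rows.append(Record(*parts))
    return rows

def find_suspicious(records):
    """Map (pid, name) to the reasons a record looks anomalous."""
    findings = {}
    for r in records:
        reasons = []
        basename = r.name.rsplit("/", 1)[-1]
        # A dot-prefixed (hidden) binary mapped as a process's text segment
        # from a system directory: /usr/bin/.sshd in the quoted extract.
        if r.fd == "txt" and basename.startswith(".") and r.name.startswith(SYSTEM_DIRS):
            reasons.append("hidden binary in system directory")
        # Root holding a write lock ('W' in the FD column) on a file in /tmp:
        # the .lod lock files that reminded the poster of the BillGates botnet.
        if r.user == "root" and r.name.startswith("/tmp/") and "W" in r.fd:
            reasons.append("root holds write lock on file in /tmp")
        if reasons:
            findings[(r.pid, r.name)] = reasons
    return findings

def triage(text):
    """Parse an lsof capture and return the flagged records."""
    return find_suspicious(parse_lsof(text))
```

Run it against a saved `lsof -n` capture from the suspect host; the two checks are starting points, and a clean result does not prove the host is clean.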

  3. #33

    Quote Originally Posted by unspawn View Post
    While names don't mean anything at this stage both .lod reminded me of BillGates botnet... See if you can find more anomalous files and check your logs as well (all log files).
    Nice find! Now I want an image of this machine.

  4. #34

    There is a white-hat hacker culture in some countries where the goal is to simply break into machines and snoop around, but not do anything destructive. Sort of like catch-and-release fishing. It's possible that "jun" was such a hacker. He got into your machine, mucked around a bit, and then left. "Linux machine, not much fun here. I will move on to other boxes."

    It is quite unsettling to find droppings in your system though.

    A Haiku:

    White Hat Hackers blues?
    Ssh and weak password.
    Rat scat cleanup time.
    Last edited by tgalati4; October 3rd, 2014 at 06:13 AM.
    -------------------------------------
    Oooh Shiny: PopularPages

    Unumquodque potest reparantur. Patientia sit virtus.

  5. #35

    Quote Originally Posted by bashiergui View Post
    Nice find! Now I want an image of this machine.
    That indeed would be convenient, eh? Getting access to all your fellow forum members' data like /etc/shadow, SSH private keys, any correspondence, etc, etc... Are you in any way familiar with privacy laws, practical forensics and NDAs? If not, what would the OP get out of you having a copy of his data? Just being curious, OK?

  6. #36

    Quote Originally Posted by tgalati4 View Post
    It's possible that "jun" was such a hacker. He got into your machine, mucked around a bit, and then left. "Linux machine, not much fun here. I will move on to other boxes."
    If that was a conclusion based on facts, meaning having reviewed events, timeline and evidence, that would make sense. If you haven't, what purpose would speculating serve? How would it, with all due respect, help the OP?

  7. #37

    Lots of suggestions have been given, but few responses by the OP. No posting of the grepped auth.log as requested, no history file of root actions, no accurate timeline presented. So yes, you are correct, speculation is not helpful.

  8. #38

    Quote Originally Posted by unspawn View Post
    That indeed would be convenient, eh? Getting access to all your fellow forum members' data like /etc/shadow, SSH private keys, any correspondence, etc, etc... Are you in any way familiar with privacy laws, practical forensics and NDAs? If not, what would the OP get out of you having a copy of his data? Just being curious, OK?
    The OP's computer was compromised and I'm interested in finding details about the attack because of my selfish curiosity. It apparently needs to be said: don't give images of your computer to random people you encounter on the internet.

    From a much less selfish standpoint, I gave the OP a cheat sheet on investigating it himself, hopefully he does more of that if he doesn't reimage it.

    I suppose it's relevant to point out that Jun had unfettered access to that very same sensitive data for a few days. Which reminds me to say to the OP:
    1. Change all your passwords
    2. Replace all your crypto keys

  9. #39

    Sorry, I've been away from my office for a few days so missed a bit of posting. I infer from this that I'm the "OP". My investigative efforts were posted as I went; of course, at the end of the process I wiped the system partition and reinstalled a virgin 12.04 LTS image, closed the SSH port, and re-did passwords, all before re-admitting the machine to the network. I was just interested in trying to divine a little more from looking at the traces left by the hack, and providing information to the Net about symptoms, before the nuclear option.

    Thanks to you-all, I learned quite a bit from the effort. I hope the log extracts and descriptions help someone else.

    tgalati4: seems unlikely to me that this was benign. The tell-tale was unthrottled uploads from my system to IPs in China and the Philippines, something I can't imagine a white-hat would countenance, nor do I think the intrusion was particularly skilled from the logs.

    bashiergui: thanks to your suggestions more than any others, I found what I found. I appreciate your spending the time to give me a cheat-sheet that kickstarted my investigation.

    If there's anything else you-all think I need to do to carry on, now that I've closed off checking the infected system, I'd appreciate the suggestions. Thanks.

  10. #40

    Oh. Also: updated ssh settings to disallow password-based entry, disallow root login.
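As an added illustration, not the poster's own configuration: a Python check that reads an sshd_config and reports whether password-based entry and root login are still allowed, the two settings the post changes. It assumes the OpenSSH defaults of the time (Ubuntu 12.04 era) for directives that are absent or commented out, and treats the first occurrence of a directive as effective, as sshd does.

```python
# Constructed sshd_config fragments: the weak settings that left password entry open,
# and the hardened settings the post describes (password entry and root login off).
WEAK_CONFIG = """\
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# Assumed defaults (OpenSSH 5.x era, as on Ubuntu 12.04) for directives that are
# absent or commented out: password and root logins are on unless disabled.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

def effective_settings(config_text):
    """Effective value of each audited directive. sshd honours the first occurrence,
    commented lines do not count, and a Match block makes later lines conditional."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # simplification: conditional blocks are not evaluated
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().lower()
    return {k: seen.get(k, DEFAULTS[k]) for k in DEFAULTS}

def audit(config_text):
    """Report the weaknesses the post's change removes: password entry and root login."""
    eff = effective_settings(config_text)
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication: password guessing over SSH still possible")
    if eff["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication: keyboard-interactive can still ask a password")
    if eff["permitrootlogin"] != "no":
        findings.append("PermitRootLogin: direct root login still allowed")
    return findings
```

After editing the real /etc/ssh/sshd_config, confirm the running daemon's view with `sshd -T`, since that reports the effective values rather than the file text.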
