Page 1 of 3 123 LastLast
Results 1 to 10 of 21

Thread: My 8.04 LTS box was hacked

  1. #1
    Join Date
    Jan 2006
    Beans
    59
    Distro
    Ubuntu 10.04 Lucid Lynx

    My 8.04 LTS box was hacked

    All,
    My Linux box was hacked in to on 9 May. The hacker (or bot-who knows) used ssh, and somehow got root access. From there, he or she deleted /home.
    Fortunatly, I don't have many users that log in to the computer. Additionally, I think the hacker moved the data to another drive, then deleted /home. Ethical hacker?
    Anyway, I would like to know the error of my ways that allowed him (or her) in.
    Here is my setup:
    I am running 8.04 LTS. In fact, I had upgraded 2 days beforehand. It is up to date.
    I have Firestarter firewall and fail2ban configured and enabled.
    There are 2 hard drives in the system. The main one has the OS and the second is mounted at boot. It only contains the /home folders of all of the users except me and one or two other trusted users.
    The hacker deleted /home on the second drive.

    My questions:
    What can I do to keep this from happening again?
    I thought root was disabled by default? When I go to Users and Groups, I see that root is enabled. I do not see an option to disable the account. If I try to delete it, Ubuntu says the OS will become unstable (understanibly).

    Any comments and/or suggestions would be appreciated.
    Thanks,
    -Shawn

    Here is auth.log an excerpt from auth.log:

    May 9 07:56:35 localhost sshd[27450]: Received signal 15; terminating.
    May 9 07:56:35 localhost sshd[20091]: Server listening on :: port 443.
    May 9 07:56:35 localhost sshd[20091]: error: Bind to port 443 on 0.0.0.0 failed: Address already in use.
    May 9 07:56:35 localhost sshd[20091]: Server listening on :: port 22.
    May 9 07:56:35 localhost sshd[20091]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
    May 9 08:03:29 localhost sg[21556]: user `root' switched to group `slocate'
    May 9 08:03:30 localhost sg[21556]: user `root' (login `???' on pts/1) switched to group `slocate'
    May 9 08:03:30 localhost sg[21556]: user `root' (login `???' on pts/1) returned to group `root'
    May 9 08:03:32 localhost groupadd[21567]: new group: name=mlocate, GID=126
    May 9 08:17:01 localhost CRON[306]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
    May 9 08:17:02 localhost CRON[306]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
    May 9 08:17:02 localhost CRON[306]: PAM adding faulty module: /lib/security/pam_smbpass.so
    May 9 08:17:02 localhost CRON[306]: pam_unix(cron:session): session opened for user root by (uid=0)
    May 9 08:17:02 localhost CRON[306]: pam_unix(cron:session): session closed for user root
    May 9 08:21:44 celeron_633 groupadd[3299]: new group: name=polkituser, GID=127
    May 9 08:21:44 celeron_633 useradd[3300]: new user: name=polkituser, UID=118, GID=127, home=/var/run/PolicyKit, shell=/bin/false
    May 9 08:21:45 celeron_633 usermod[3301]: change user `polkituser' password
    May 9 08:21:45 celeron_633 chage[3302]: changed password expiry for polkituser
    May 9 08:21:45 celeron_633 chfn[3303]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
    May 9 08:21:45 celeron_633 chfn[3303]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
    May 9 08:21:45 celeron_633 chfn[3303]: PAM adding faulty module: /lib/security/pam_smbpass.so
    May 9 08:21:45 celeron_633 chfn[3303]: changed user `polkituser' information
    May 9 08:36:13 celeron_633 sshd[5700]: Did not receive identification string from 75.147.113.234
    May 9 08:46:46 celeron_633 sshd[5701]: reverse mapping checking getaddrinfo for 75-147-113-234-philadelphia.hfc.comcastbusiness.net [75.147.113.234] failed - POSSIBLE BREAK-IN ATTEMPT!
    May 9 08:46:47 celeron_633 sshd[5701]: Invalid user staff from 75.147.113.234
    May 9 08:46:47 celeron_633 sshd[5701]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
    May 9 08:46:47 celeron_633 sshd[5701]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
    May 9 08:46:47 celeron_633 sshd[5701]: PAM adding faulty module: /lib/security/pam_smbpass.so
    May 9 08:46:47 celeron_633 sshd[5701]: pam_unix(sshd:auth): check pass; user unknown
    May 9 08:46:47 celeron_633 sshd[5701]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.147.113.234
    May 9 08:46:49 celeron_633 sshd[5701]: Failed password for invalid user staff from 75.147.113.234 port 51798 ssh2
    May 9 09:17:01 celeron_633 CRON[5705]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
    May 9 09:17:01 celeron_633 CRON[5705]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
    May 9 09:17:01 celeron_633 CRON[5705]: PAM adding faulty module: /lib/security/pam_smbpass.so
    May 9 09:17:01 celeron_633 CRON[5705]: pam_unix(cron:session): session opened for user root by (uid=0)
    May 9 09:17:02 celeron_633 CRON[5705]: pam_unix(cron:session): session closed for user root
    May 9 10:15:16 celeron_633 sshd[5708]: Did not receive identification string from 212.123.91.195
    May 9 10:17:01 celeron_633 CRON[5709]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
    May 9 10:17:01 celeron_633 CRON[5709]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]

  2. #2
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Beans
    1,393
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: My 8.04 LTS box was hacked

    The log snippet shows some failed attempts at connecting via ssh, but no successful login from a remote ip.

    If you are really interested in finding out what happened, you should probably read over the Forensics section of the "Ubuntu Security" sticky thread for this forum. Image it for further study, then rebuild from scratch. You can't trust the system any longer if it truly was compromised.

  3. #3
    Join Date
    Jun 2006
    Location
    Taiwan
    Beans
    447
    Distro
    Ubuntu

    Re: My 8.04 LTS box was hacked

    Agreed. Your logs show no intrusion, but they wouldn't if the guy knew how to clean up after himself.

    In Ubuntu, root doesn't have a usable password by default. You can't remove the user, but no one can log in as root. If there was a remote vulnerability, then the mad hatter could use that to get user-level access, then a local vulnerability to esclalate to root without a password. It's possible.

    I'm more inclined to believe that no one actually broke in and that your problem with /home is related to something else, but if you believe (or even suspect) that someone broke in, you need to wipe everything and restore from May 8 backups.

    I don't allow passwords on remote SSH. I use a non-default port. When I ran a web server in Korea a couple of years back, I got about 10,000 break-in attempts a day on Apache and SSH. You need to make sure that stuff is secure and updated. You need an IDS, too.

  4. #4
    Join Date
    Dec 2005
    Location
    High Desert of California
    Beans
    49
    Distro
    Ubuntu 7.10 Gutsy Gibbon

    Re: My 8.04 LTS box was hacked

    As Monicker said, I see attempts in what you posted, but no actual entries.

    Also, you say you think the hacker moved the data. Is the data still present but in another directory? And my big question is WHY would a hacker do that?

    There has to be another explanation.

  5. #5
    Join Date
    Jan 2007
    Location
    ~/PA/USA
    Beans
    1,983
    Distro
    Ubuntu 11.04 Natty Narwhal

  6. #6
    Join Date
    Nov 2006
    Location
    40.31996,-80.607213
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: My 8.04 LTS box was hacked

    I don't see anywhere where there was any successful root logins. By the way, how do you have SSH setup?

    If you really think it was an attacker, try checking around in some history files and see if you see anything. Most people forget about history, and might fail to clean it up.

    Dr Small
    "Security lies within the user of who runs the system. Think smart, live safe." - Dr Small
    Linux User #441960 | Wiki: DrSmall

  7. #7
    Join Date
    Apr 2007
    Location
    Munich, Germany
    Beans
    1,578

    Re: My 8.04 LTS box was hacked

    i just wanted to mention, there are a few known exploits for 2.6.24 kernels that let you jump permissions, so try googling those and seeing if they work on your system. Also, root is disabled by not supplying a password and preventing login from the system, the account does, however, exist.

    Also, some people might recommend upgrading to the new 2.6.25 kernel via git, since it's supposedly more secure, but i'm not sure how stable it is at this point in time.
    Last edited by lswest; May 12th, 2008 at 01:55 PM.

  8. #8
    Join Date
    Nov 2007
    Beans
    81

    Re: My 8.04 LTS box was hacked

    even though I don't believe this is relevant to the issue posted.
    I get the same messages in my log to this pam chick gets around and then the x-session gets stopped. does pam stand for pulse audio manager?
    Last edited by dsiembab; May 12th, 2008 at 02:41 PM.
    I troll, therefore I am

  9. #9
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Beans
    1,393
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: My 8.04 LTS box was hacked

    Quote Originally Posted by dsiembab View Post
    I get the same messages in my log to this pam chick gets around and then the x-server crashes
    The messages about pam_smbpass.so are a known issue in 8.04. I do not believe they are relevant to the issue of whether the OP's machine was hacked or not.

  10. #10
    Join Date
    Aug 2006
    Beans
    841

    Re: My 8.04 LTS box was hacked

    on defense of the not-a-hacker posture.
    something similar happened to me on my notebook, i was reviewing different photomanagers, and gthumb was it (i dont remember which one exactly) moved some folders around when it hung up on me, i didnt realized until i killed the app and couldnt find anything anymore.
    maybe something of this sort happened to you too.
    its a good idea to move ports around. or disable password logins and allow only rsa(name?) logins. but thats quite cumbersome.

    on my case, i cannot afford a different port than 22 since univ wont allow every port. rsa is a pain in the rearend, (i use it with my notebook, but allow password logins just in case i need it). so i just use really strong passwords. (and remember them ala rainman).
    having backups on an external drive is a good idea too although a hacker with root access will be able to delete that if he pleases. (and finds it).

Page 1 of 3 123 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •