All,
My Linux box was hacked into on 9 May. The hacker (or bot, who knows) used ssh, and somehow got root access. From there, he or she deleted /home.
Fortunately, I don't have many users that log in to the computer. Additionally, I think the hacker moved the data to another drive, then deleted /home. Ethical hacker?
Anyway, I would like to know the error of my ways that allowed him (or her) in.
Here is my setup:
I am running 8.04 LTS. In fact, I had upgraded 2 days beforehand. It is up to date.
I have Firestarter firewall and fail2ban configured and enabled.
There are 2 hard drives in the system. The main one has the OS and the second is mounted at boot. It only contains the /home folders of all of the users except me and one or two other trusted users.
The hacker deleted /home on the second drive.
My questions:
What can I do to keep this from happening again?
I thought root was disabled by default? When I go to Users and Groups, I see that root is enabled. I do not see an option to disable the account. If I try to delete it, Ubuntu says the OS will become unstable (understandably).
Any comments and/or suggestions would be appreciated.
Thanks,
-Shawn
Here is an excerpt from auth.log:
May 9 07:56:35 localhost sshd[27450]: Received signal 15; terminating.
May 9 07:56:35 localhost sshd[20091]: Server listening on :: port 443.
May 9 07:56:35 localhost sshd[20091]: error: Bind to port 443 on 0.0.0.0 failed: Address already in use.
May 9 07:56:35 localhost sshd[20091]: Server listening on :: port 22.
May 9 07:56:35 localhost sshd[20091]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
May 9 08:03:29 localhost sg[21556]: user `root' switched to group `slocate'
May 9 08:03:30 localhost sg[21556]: user `root' (login `???' on pts/1) switched to group `slocate'
May 9 08:03:30 localhost sg[21556]: user `root' (login `???' on pts/1) returned to group `root'
May 9 08:03:32 localhost groupadd[21567]: new group: name=mlocate, GID=126
May 9 08:17:01 localhost CRON[306]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
May 9 08:17:02 localhost CRON[306]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
May 9 08:17:02 localhost CRON[306]: PAM adding faulty module: /lib/security/pam_smbpass.so
May 9 08:17:02 localhost CRON[306]: pam_unix(cron:session): session opened for user root by (uid=0)
May 9 08:17:02 localhost CRON[306]: pam_unix(cron:session): session closed for user root
May 9 08:21:44 celeron_633 groupadd[3299]: new group: name=polkituser, GID=127
May 9 08:21:44 celeron_633 useradd[3300]: new user: name=polkituser, UID=118, GID=127, home=/var/run/PolicyKit, shell=/bin/false
May 9 08:21:45 celeron_633 usermod[3301]: change user `polkituser' password
May 9 08:21:45 celeron_633 chage[3302]: changed password expiry for polkituser
May 9 08:21:45 celeron_633 chfn[3303]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
May 9 08:21:45 celeron_633 chfn[3303]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
May 9 08:21:45 celeron_633 chfn[3303]: PAM adding faulty module: /lib/security/pam_smbpass.so
May 9 08:21:45 celeron_633 chfn[3303]: changed user `polkituser' information
May 9 08:36:13 celeron_633 sshd[5700]: Did not receive identification string from 75.147.113.234
May 9 08:46:46 celeron_633 sshd[5701]: reverse mapping checking getaddrinfo for 75-147-113-234-philadelphia.hfc.comcastbusiness.net [75.147.113.234] failed - POSSIBLE BREAK-IN ATTEMPT!
May 9 08:46:47 celeron_633 sshd[5701]: Invalid user staff from 75.147.113.234
May 9 08:46:47 celeron_633 sshd[5701]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
May 9 08:46:47 celeron_633 sshd[5701]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
May 9 08:46:47 celeron_633 sshd[5701]: PAM adding faulty module: /lib/security/pam_smbpass.so
May 9 08:46:47 celeron_633 sshd[5701]: pam_unix(sshd:auth): check pass; user unknown
May 9 08:46:47 celeron_633 sshd[5701]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=75.147.113.234
May 9 08:46:49 celeron_633 sshd[5701]: Failed password for invalid user staff from 75.147.113.234 port 51798 ssh2
May 9 09:17:01 celeron_633 CRON[5705]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
May 9 09:17:01 celeron_633 CRON[5705]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
May 9 09:17:01 celeron_633 CRON[5705]: PAM adding faulty module: /lib/security/pam_smbpass.so
May 9 09:17:01 celeron_633 CRON[5705]: pam_unix(cron:session): session opened for user root by (uid=0)
May 9 09:17:02 celeron_633 CRON[5705]: pam_unix(cron:session): session closed for user root
May 9 10:15:16 celeron_633 sshd[5708]: Did not receive identification string from 212.123.91.195
May 9 10:17:01 celeron_633 CRON[5709]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
May 9 10:17:01 celeron_633 CRON[5709]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
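Added here as a worked example, not part of Shawn's post: a small Python triage script for auth.log lines in the format shown above. The sample lines are constructed (TEST-NET addresses) to mirror the excerpt; the script groups sshd events by source address and flags accepted logins that fit the break-in pattern (root via password from a host that had already probed or failed).

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the auth.log excerpt in the post.
SAMPLE_AUTH_LOG = """\
May 9 08:36:13 celeron_633 sshd[5700]: Did not receive identification string from 203.0.113.5
May 9 08:46:46 celeron_633 sshd[5701]: reverse mapping checking getaddrinfo for host.example [203.0.113.5] failed - POSSIBLE BREAK-IN ATTEMPT!
May 9 08:46:47 celeron_633 sshd[5701]: Invalid user staff from 203.0.113.5
May 9 08:46:49 celeron_633 sshd[5701]: Failed password for invalid user staff from 203.0.113.5 port 51798 ssh2
May 9 08:47:02 celeron_633 sshd[5702]: Failed password for root from 203.0.113.5 port 51801 ssh2
May 9 08:47:10 celeron_633 sshd[5703]: Accepted password for root from 203.0.113.5 port 51805 ssh2
May 9 10:15:16 celeron_633 sshd[5708]: Did not receive identification string from 198.51.100.7
May 9 09:17:01 celeron_633 CRON[5705]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

PATTERNS = {
    "probe": re.compile(r"Did not receive identification string from (\S+)"),
    "invalid_user": re.compile(r"Invalid user (\S+) from (\S+)"),
    "failed": re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port"),
    "accepted": re.compile(r"Accepted (\S+) for (\S+) from (\S+) port"),
}

def triage(log_text):
    """Group sshd events by source address: probes, failed logins, accepted logins."""
    hosts = defaultdict(lambda: {"probes": 0, "invalid_users": set(), "failed": 0, "accepted": []})
    for line in log_text.splitlines():
        if "sshd[" not in line:
            continue  # only sshd lines matter here; CRON/PAM noise is skipped
        if m := PATTERNS["probe"].search(line):
            hosts[m.group(1)]["probes"] += 1
        elif m := PATTERNS["invalid_user"].search(line):
            hosts[m.group(2)]["invalid_users"].add(m.group(1))
        elif m := PATTERNS["failed"].search(line):
            hosts[m.group(2)]["failed"] += 1
        elif m := PATTERNS["accepted"].search(line):
            method, user, ip = m.groups()
            hosts[ip]["accepted"].append((user, method))
    return dict(hosts)

def suspicious_logins(hosts):
    """Accepted logins worth a second look: root, password auth, or prior failures from the host."""
    found = []
    for ip, h in hosts.items():
        for user, method in h["accepted"]:
            reasons = []
            if user == "root":
                reasons.append("root login")
            if method == "password":
                reasons.append("password auth")
            if h["failed"] or h["invalid_users"]:
                reasons.append("prior failures from host")
            if reasons:
                found.append((ip, user, ", ".join(reasons)))
    return found
```

Run it against the real /var/log/auth.log (and the rotated auth.log.* files) to see which source address the accepted root session came from.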