Page 1 of 9
Results 1 to 10 of 90

Thread: Hacked !!

  1. #1
    Join Date
    Aug 2008
    Beans
    62

    Hacked !!

    Hi Guys,

    Sorry for bothering you, because I don't really enjoy asking questions; I'd rather look for answers myself. But I am in a state of bother at this time & really need your help.

    I have an Ubuntu Hardy box that I was using as a web & an FTP server. I also had another port, 11176, opened.

    I used to SSH into it remotely from my office & do stuff like downloading things etc...

    Today when I reached the office, I logged in as usual & everything was working fine. After like 2 hours or so I had to go away from my workstation for some time; when I came back I saw that the putty session had timed out, so I tried to log in again & now when I enter using my root username & password it tells me that it's invalid.

    Also, my wife told me that when she logged in physically there was all sorts of porn stuff on my desktop.

    I was sure that someone had hacked into my box, changed the root password & was doing all that stuff.

    I asked her to switch off the PC.

    I am in a fix now: how can I log onto my linux box without the root password, or maybe how can I reset the password?

    Also, immediately after this happened I tried to access my website; the website was not working, even more proof that someone hacked in.

    I use a normal broadband connection; I used a service from 'dyndns' to resolve to my dynamic IP.

    I was using the Apache web server & proftpd as my FTP server.

    Any help would be highly appreciated.

  2. #2
    Join Date
    Dec 2007
    Location
    Idaho
    Beans
    4,976
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Hacked !!

    Well, this could be a lot of things. The first thing I would do is unplug it from the network and log in locally.

    If you can't log in locally then yeah, I'd say someone brute forced your password via ssh. Time to reinstall; no telling if they rootkitted it or what.

    Assuming you can log in locally, check your ssh logs:
    Code:
    grep sshd /var/log/auth.log > sshlog
    less sshlog

    Go through that; you should see all attempts to have logged in etc... If you see anything that catches your eye, maybe post it here. But once again, if somebody did crack your password they may have rootkitted it, and it can wipe all traces of what they did. If you really think it was cracked I'd just reinstall.

    Next time choose a good strong password; semi-pronounceable and long is good. Maybe implement something like DenyHosts, which allows attackers only 5 or so attempts at logging in.
    "You can't expect to hold supreme executive power just because some watery tart lobbed a sword at you"

    "Don't let your mind wander -- it's too little to be let out alone."
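    An added example, not from jerome1232's post or anywhere else in the thread: a small POSIX shell script that reads sshd lines of the kind the grep above pulls out of auth.log, tallies failed password attempts per source address, and then flags any source that failed repeatedly and was afterwards granted an "Accepted" login, which is the pattern a successful password guess leaves behind. The log lines, hostname and IP addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): tally sshd login outcomes from
# auth.log-style lines the way the grep in the post would surface them.
# All log lines, the hostname and the IPs below are constructed.

sample_authlog() {
cat <<'EOF'
Sep 11 14:02:11 hardybox sshd[2231]: Failed password for root from 203.0.113.45 port 51122 ssh2
Sep 11 14:02:13 hardybox sshd[2231]: Failed password for root from 203.0.113.45 port 51122 ssh2
Sep 11 14:02:15 hardybox sshd[2233]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Sep 11 14:02:20 hardybox sshd[2235]: Failed password for root from 203.0.113.45 port 51140 ssh2
Sep 11 14:02:22 hardybox sshd[2237]: Failed password for root from 203.0.113.45 port 51150 ssh2
Sep 11 14:02:31 hardybox sshd[2240]: Accepted password for root from 203.0.113.45 port 51161 ssh2
Sep 11 14:05:02 hardybox sshd[2250]: Accepted publickey for tarun from 192.0.2.10 port 40001 ssh2
Sep 11 14:07:40 hardybox sshd[2260]: Failed password for tarun from 198.51.100.7 port 33000 ssh2
EOF
}

# Failed password attempts per source IP, highest count first.
# Reads log lines on stdin; prints "<count> <ip>" per line.
failed_by_ip() {
  grep 'sshd\[[0-9]*\]: Failed password' \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { print $(i+1); break } }' \
    | sort | uniq -c | sort -rn
}

# Source IPs with at least $1 failures (default 5) that were later granted an
# "Accepted" login from the same IP: the signature of a successful guess.
# Reads log lines on stdin; prints "<ip> <failures>" per hit.
suspicious_sources() {
  threshold="${1:-5}"
  log=$(cat)
  printf '%s\n' "$log" | failed_by_ip | while read -r count ip; do
    [ "$count" -ge "$threshold" ] || continue
    # escape the dots so the IP is matched literally by grep
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    if printf '%s\n' "$log" | grep -q "Accepted [a-z]* for [^ ]* from $ip_re port"; then
      echo "$ip $count"
    fi
  done
}

# Stand-alone run: show the tally, then the suspicious sources.
sample_authlog | failed_by_ip
sample_authlog | suspicious_sources 5
```

    To run it against a real file, replace `sample_authlog` with `grep sshd /var/log/auth.log` in the two pipelines at the bottom; a source that appears in the second list is the one to investigate first, and a long run of failures for root from one address is what a scripted guessing attempt looks like in auth.log.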

  3. #3
    Join Date
    Aug 2008
    Beans
    62

    Re: Hacked !!

    Is that really that easy to brute force into a linux box running SSH ?

    I thought I did not need any firewall on a linux box. It is supposed to be so secure.

    Just in case I do have to reinstall my linux box, what about all my data in the linux partition & all my updates? Is there any way to retrieve them?

  4. #4
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: Hacked !!

    Quote Originally Posted by tarun.winlin View Post
    Hi Guys,

    Sorry for bothering you, because I don't really enjoy asking questions; I'd rather look for answers myself. But I am in a state of bother at this time & really need your help.

    I have an Ubuntu Hardy box that I was using as a web & an FTP server. I also had another port, 11176, opened.

    I used to SSH into it remotely from my office & do stuff like downloading things etc...

    Today when I reached the office, I logged in as usual & everything was working fine. After like 2 hours or so I had to go away from my workstation for some time; when I came back I saw that the putty session had timed out, so I tried to log in again & now when I enter using my root username & password it tells me that it's invalid.

    Also, my wife told me that when she logged in physically there was all sorts of porn stuff on my desktop.

    I was sure that someone had hacked into my box, changed the root password & was doing all that stuff.

    I asked her to switch off the PC.

    I am in a fix now: how can I log onto my linux box without the root password, or maybe how can I reset the password?

    Also, immediately after this happened I tried to access my website; the website was not working, even more proof that someone hacked in.

    I use a normal broadband connection; I used a service from 'dyndns' to resolve to my dynamic IP.

    I was using the Apache web server & proftpd as my FTP server.

    Any help would be highly appreciated.
    You really enabled root? Or are you referring to your admin user? If you want to reset your password, you can do so by booting into "recovery mode" from the grub menu. However, you cannot trust your system, and you should start over with a fresh install.

    You can check your logs, but the attacker could have erased or edited them. It doesn't sound like they were trying to cover their tracks, though. Are you sure someone didn't break into it locally?

    If someone got root remotely, then your ssh server probably got brute forced. This is a lot more likely if you enabled root, used a weak password, or haven't been installing security updates.

  5. #5
    Join Date
    Jan 2006
    Beans
    1,237
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Hacked !!

    From your post I get that you log in with the root account? If that's the case, I recommend creating a non-privileged user for ssh (you should make it a member of the ssh group), for the same reasons there is no default root user in Ubuntu.

  6. #6
    Join Date
    Aug 2008
    Beans
    62

    Re: Hacked !!

    Considering the fact that I use a 'dyndns' service for resolving my hostname to IP, & then my host is behind a linksys router which obviously has only the 3 ports 80, 21, & 1176 open, I am amazed at that person who could hack into it so quickly.

    My password too is around 7 letters including a digit; it couldn't have been that easy for someone to hack in.

    I don't know, I am completely confused, but yeah, my notion that there are a lot fewer hackers for linux than windows is starting to change. I was using windows for about 9 years but never had such a big problem. I have been running this linux box only for the last 3 days & here I am.

  7. #7
    Join Date
    Aug 2008
    Beans
    62

    Re: Hacked !!

    Yeah I had root enabled so I actually logged in using the 'root' username.

    No one can break into it locally. I had my wife at home all the time & no one came or left. Even she noticed that only after I called her because I was unable to log in; she switched on the monitor, which usually remains switched off, & saw all that stuff on the screen.

    Can you explain what you mean by 'got root remotely'?
    I have been installing all the security updates.
    As I mentioned, the password does not seem to be that weak, but that's always relative.

    That's a very hard way to learn things. I had my website going & everything; all my posts & everything are gone so easily.

    What should I install next time when I do a fresh install? As I said, 90% of the guys I talk to tell me no firewall/antivirus is required in linux.

  8. #8
    Join Date
    Dec 2007
    Location
    Idaho
    Beans
    4,976
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Hacked !!

    The ssh protocol is very secure; the password is what is weak. No amount of firewalls would make it more secure (after all, they are all going to be configured to allow traffic on port 22).

    7 letters and 1 digit (especially at the end) is a weak password.

    j@c0bj!ngleHeimer-sm!t, I would consider that a pretty good password, you can even pronounce it.

    It's not hard to add to a dictionary all numbers up to x number at the end of each word.

    If you enabled root you lost half the battle; that's what every bot and its dog tries to crack. At least make them guess what your user name is.

    A user name of admin or admin1 or administrator also is weak, use something like... pangea

    If you really want to secure ssh use key authentication only, it's not really susceptible to the "weak passphrase" thing.

    ssh is probably the most commonly used service on the internet to admin a box remotely. Linux is pretty dominant in the server realm.
    Last edited by jerome1232; September 11th, 2008 at 07:11 PM.
    "You can't expect to hold supreme executive power just because some watery tart lobbed a sword at you"

    "Don't let your mind wander -- it's too little to be let out alone."
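    An added example, not from jerome1232's post: the /etc/ssh/sshd_config settings that put the advice above into practice, with the settings that let the login in this thread be guessed shown commented out beside the replacements. The user name "tarun" and the numbers are assumptions; every directive is a real sshd_config keyword.

```text
# Added example: sshd_config settings that follow the advice in the thread.
# Not from the thread; the user name "tarun" and the numbers are assumptions.

# The settings that let the login in this thread be guessed:
#   PermitRootLogin yes
#   PasswordAuthentication yes

# Root never logs in over ssh; use a normal user plus sudo instead.
PermitRootLogin no

# Only named users may connect, so an attacker has to guess the name too.
AllowUsers tarun

# Keys only: with no password prompt there is nothing to brute force.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Cut a connection off after a few failed attempts.
MaxAuthTries 3

# Where the user's public keys are read from (the default location).
AuthorizedKeysFile .ssh/authorized_keys
```

    Generate a key pair with ssh-keygen on the client, copy the public key into the user's ~/.ssh/authorized_keys on the server, and confirm a key login works in a second session before turning PasswordAuthentication off; `sshd -t` checks the file for syntax errors before the daemon is restarted, so a typo does not lock you out of the box.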

  9. #9
    Join Date
    Aug 2008
    Beans
    62

    Re: Hacked !!

    Is there anyway to get my data back from the linux partition?

  10. #10
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: Hacked !!

    Quote Originally Posted by tarun.winlin View Post
    Is that really that easy to brute force into a linux box running SSH ?

    I thought I did not needed any firewall on a linux box. It is supposed to be so secure.

    Just in case I do have to reinstall my linux box, what about all my data in the linux partition & all my updates, is there anyway to retrieve them ?
    An attacker can write a script to attempt logging in to your ssh server very easily. Of course, guessing your password takes a while. It is very common for attackers to guess commonly used passwords. If you use a commonly used password for any service, it can be compromised. Of course, they would have to determine your user name, also. That is why most brute force attempts try root. This is why enabling root makes your server much more insecure.

    Of course there are applications like denyhosts and fail2ban which will stop attackers from attempting to authenticate after an unacceptable number of unsuccessful attempts. This will almost eliminate brute force attacks.

    What would you expect a firewall to do? You enabled the service, and wanted it accessible from the internet. Do you understand what a firewall does?

    You can retrieve your files by resetting your password, booting to a livecd, or connecting your hard drive to another linux computer.

    Quote Originally Posted by tarun.winlin View Post
    Considering the fact that I use a 'dyndns' service for resolving my hostname to IP, & then my host is behind a linksys router which obviously has only the 3 ports 80, 21, & 1176 open, I am amazed at that person who could hack into it so quickly.

    My password too is around 7 letters including a digit; it couldn't have been that easy for someone to hack in.

    I don't know, I am completely confused, but yeah, my notion that there are a lot fewer hackers for linux than windows is starting to change. I was using windows for about 9 years but never had such a big problem. I have been running this linux box only for the last 3 days & here I am.
    Using dyndns doesn't make your server more secure. If anything, it makes it less secure, since only a server would need a DNS record, which would help distinguish it from most IP's which have no server. It doesn't matter how many ports you have servers listening on, you still have to make sure the servers are secure.

    Most brute forcing attempts are from scripts which target IP addresses at random. SSH brute-forcing is very common. You need to be security conscious whenever you run a server, regardless of the OS.

    There is more to password security than length and numbers. There are some passwords which people think are cleverly simple yet secure, but end up being common and weak because of their simplicity. For example, the password "!@#!@#!@#" is very weak.
    https://cdenley.yi.org:444/pwstrength/ajax.php
    Also, if you had a weak SSH key, I don't think the password strength would have mattered. I think regular security updates would have protected you from the weak SSH keys that were discovered, though.

    I guess a good analogy would be even if you live in a safe neighborhood you shouldn't leave the kitchen window open at night. When you allow root to login through ssh, that's like leaving the front door open. The system can only be as secure as you make it.
    Last edited by cdenley; September 11th, 2008 at 07:22 PM.
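    An added example, not from cdenley's post: a fail2ban jail entry of the kind the post refers to, which bans a source address after a set number of failed ssh logins within a time window. The path and the numbers are assumptions for an Ubuntu host that logs sshd to auth.log; the keys are fail2ban's own jail settings.

```ini
# Added example: /etc/fail2ban/jail.local entry for sshd (not from the thread).
# The log path and the numbers are assumptions for an Ubuntu host.
[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
# ban a source after 5 failures within 10 minutes, for one hour
maxretry = 5
findtime = 600
bantime  = 3600
```

    Older fail2ban releases named this jail [ssh] rather than [sshd], so match the section name to the filters shipped with the installed version; `fail2ban-client status sshd` lists the currently banned addresses, which is a quick way to see whether a guessing script is hitting the box.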
