Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 26

Thread: Xubuntu 12.04/64, OpenSSH Server Hacked

  1. #11
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    Quote Originally Posted by mbogevik View Post
    Yes, large number of login attempts in /var/log/auth.log...

    But the thing is I do not have port 22 open on router (DSL), only Teamspeak 3 server and my kids Minecraft server is open to the world.

    I think that I first need to find how this person got access, wipe and reinstall may not help if it is through a Windows 7 computer or any other "box" on my LAN, like Xbox 360, Raspberry Pi, VU++ satellite tuner, Popcorn media player or even the Synology DS213j NAS. But in the end I think the six computers with Windows 7 is the largest gift to a hacker.

    I check the netstat command when back from work
    You could also try posting a chunk of the auth.log after removing any personal information. Does the source IP show as coming from your internal network or from outside?

    Do you have uPNP enabled on your router?
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  2. #12
    Join Date
    Jan 2008
    Location
    Bay Area, CA/Kanagawa, JP
    Beans
    248
    Distro
    Xubuntu 13.10 Saucy Salamander

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    +1 for the auth.log, interested in seeing that. Sanitize it first though of course. If you want to know how he got in, as someone else mentioned, check logs on the other devices for connections from the same IP. He could have island hopped from another machine, or he could tunnel over http or whatever to get into ssh. You should always place restrictions as close as possible to the restricted machine

    The chances that that server is malware infected/still running something are very high though so i would disconnect it. If you want to analyze the data do it offline.. You might also try a portscan on yourself from the office or something to see what exactly is accessible.. try zenmap if you like the gui (its in the repo).

  3. #13
    Join Date
    Sep 2009
    Location
    Norway
    Beans
    48
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    Thanks everyone for good tip and suggestions. My 3com router type 3CRWDR101B-75 has uPNP disabled. Here is netstat done after i uninstalled OpenSSH server:

    Code:
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:64586           0.0.0.0:*               LISTEN      1005/utserver   
    tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      796/smbd        
    tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      1488/vino-server
    tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1005/utserver   
    tcp        0      0 127.0.0.1:10000         0.0.0.0:*               LISTEN      1005/utserver   
    tcp        0      0 0.0.0.0:30033           0.0.0.0:*               LISTEN      1498/ts3server_linu
    tcp        0      0 127.0.0.1:7634          0.0.0.0:*               LISTEN      1180/hddtemp    
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1836/dnsmasq    
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      705/cupsd       
    tcp        0      0 0.0.0.0:10011           0.0.0.0:*               LISTEN      1498/ts3server_linu
    tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      796/smbd        
    tcp6       0      0 :::5800                 :::*                    LISTEN      1488/vino-server
    tcp6       0      0 :::64586                :::*                    LISTEN      1005/utserver   
    tcp6       0      0 :::139                  :::*                    LISTEN      796/smbd        
    tcp6       0      0 :::5900                 :::*                    LISTEN      1488/vino-server
    tcp6       0      0 :::8080                 :::*                    LISTEN      1005/utserver   
    tcp6       0      0 ::1:631                 :::*                    LISTEN      705/cupsd       
    tcp6       0      0 :::445                  :::*                    LISTEN      796/smbd        
    udp        0      0 127.0.0.1:53            0.0.0.0:*                           1836/dnsmasq    
    udp        0      0 0.0.0.0:68              0.0.0.0:*                           1467/dhclient   
    udp        0      0 0.0.0.0:57454           0.0.0.0:*                           1072/hamachid   
    udp        0      0 192.168.1.255:137       0.0.0.0:*                           1981/nmbd       
    udp        0      0 192.168.1.45:137        0.0.0.0:*                           1981/nmbd       
    udp        0      0 25.255.255.255:137      0.0.0.0:*                           1981/nmbd       
    udp        0      0 25.133.235.12:137       0.0.0.0:*                           1981/nmbd       
    udp        0      0 0.0.0.0:137             0.0.0.0:*                           1981/nmbd       
    udp        0      0 192.168.1.255:138       0.0.0.0:*                           1981/nmbd       
    udp        0      0 192.168.1.45:138        0.0.0.0:*                           1981/nmbd       
    udp        0      0 25.255.255.255:138      0.0.0.0:*                           1981/nmbd       
    udp        0      0 25.133.235.12:138       0.0.0.0:*                           1981/nmbd       
    udp        0      0 0.0.0.0:138             0.0.0.0:*                           1981/nmbd       
    udp        0      0 0.0.0.0:6771            0.0.0.0:*                           1005/utserver   
    udp        0      0 178.73.196.39:43792     0.0.0.0:*                           1072/hamachid   
    udp        0      0 0.0.0.0:64586           0.0.0.0:*                           1005/utserver   
    udp        0      0 0.0.0.0:5353            0.0.0.0:*                           632/avahi-daemon: r
    udp        0      0 0.0.0.0:38591           0.0.0.0:*                           632/avahi-daemon: r
    udp        0      0 0.0.0.0:9987            0.0.0.0:*                           1498/ts3server_linu
    udp6       0      0 :::33467                :::*                                632/avahi-daemon: r
    udp6       0      0 :::64586                :::*                                1005/utserver   
    udp6       0      0 :::5353                 :::*                                632/avahi-daemon: r
    raw        0      0 0.0.0.0:1               0.0.0.0:*               7           1072/hamachid   
    raw   231168      0 0.0.0.0:1               0.0.0.0:*               7           1508/lvpnc      
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
    unix  2      [ ACC ]     STREAM     LISTENING     7423     632/avahi-daemon: r /var/run/avahi-daemon/socket
    unix  2      [ ACC ]     STREAM     LISTENING     8592     1157/X              /tmp/.X11-unix/X0
    unix  2      [ ACC ]     STREAM     LISTENING     9550     1436/ssh-agent      /tmp/ssh-IxFBlGTw1404/agent.1404
    unix  2      [ ACC ]     STREAM     LISTENING     9600     1455/xfce4-session  /tmp/.ICE-unix/1455
    unix  2      [ ACC ]     STREAM     LISTENING     10780    1553/pulseaudio    /home/xxxxxx/.pulse/8d4dfdae3ba571c195e6b34b00000002-runtime/native
    unix  2      [ ACC ]     STREAM     LISTENING     10102    1508/lvpnc          /tmp/vpnautoconnect.sock
    unix  2      [ ACC ]     STREAM     LISTENING     9234     1072/hamachid       /var/run/logmein-hamachi/ipc.sock
    unix  2      [ ACC ]     SEQPACKET  LISTENING     6422     320/udevd           /run/udev/control
    unix  2      [ ACC ]     STREAM     LISTENING     10942    1785/gnome-keyring- /tmp/keyring-diMWNo/control
    unix  2      [ ACC ]     STREAM     LISTENING     6690     591/dbus-daemon     /var/run/dbus/system_bus_socket
    unix  2      [ ACC ]     STREAM     LISTENING     13349    2212/pptp           /var/run/pptp/255.255.255.255:80.67.8.201
    unix  2      [ ACC ]     STREAM     LISTENING     6321     1/init              @/com/ubuntu/upstart
    unix  2      [ ACC ]     STREAM     LISTENING     6733     608/bluetoothd      /var/run/sdp
    unix  2      [ ACC ]     STREAM     LISTENING     6741     608/bluetoothd      @/org/bluez/audio
    unix  2      [ ACC ]     STREAM     LISTENING     17438    2448/dbus-daemon    @/tmp/dbus-5wC8YBkL7E
    unix  2      [ ACC ]     STREAM     LISTENING     8286     1110/acpid          /var/run/acpid.socket
    unix  2      [ ACC ]     STREAM     LISTENING     8591     1157/X              @/tmp/.X11-unix/X0
    unix  2      [ ACC ]     STREAM     LISTENING     291962   705/cupsd           /var/run/cups/cups.sock
    unix  2      [ ACC ]     STREAM     LISTENING     11222    1981/nmbd           /var/run/samba/unexpected
    unix  2      [ ACC ]     STREAM     LISTENING     9561     1440/dbus-daemon    @/tmp/dbus-utIQPNIVxr
    unix  2      [ ACC ]     STREAM     LISTENING     9599     1455/xfce4-session  @/tmp/.ICE-unix/1455

  4. #14
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    Are you sure vino wasn't exposed to the internet? There's no way I would run VNC on a *nix box unless I was tunneling it over SSH.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  5. #15
    Join Date
    Sep 2009
    Location
    Norway
    Beans
    48
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    Yes, I can see that "my" hacker leaving so much traces is a wannabe that tries to learn from the real ones. And that he like beer, mobile phones, coffee, hanging out with friends, even hugging them, and, desperately want to replace them with a girl...

    To me it seems that this guy have deleted auth.log after he finally got logged in since there is only trace of him in auth.log.1 Here I found 7491 lines of his login attempts, obviously he is a bit clever. After removing my own logins and the many Samba logins I decided to only list the first and last part not to spam forum :

    Code:
    Jan 30 17:13:11 Motte3 sshd[6855]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39  user=root
    Jan 30 17:13:13 Motte3 sshd[6855]: Failed password for root from 222.186.62.39 port 4288 ssh2
    Jan 30 17:13:24  sshd[6855]: last message repeated 5 times
    Jan 30 17:13:24 Motte3 sshd[6855]: Disconnecting: Too many authentication failures for root [preauth]
    Jan 30 17:13:24 Motte3 sshd[6855]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39  user=root
    Jan 30 17:13:24 Motte3 sshd[6855]: PAM service(sshd) ignoring max retries; 6 > 3
    Jan 30 17:13:32 Motte3 sshd[6857]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39  user=root
    Jan 30 17:13:34 Motte3 sshd[6857]: Failed password for root from 222.186.62.39 port 2831 ssh2
    Jan 30 17:13:35 Motte3 sshd[6859]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39  user=root
    Jan 30 17:13:36 Motte3 sshd[6857]: Failed password for root from 222.186.62.39 port 2831 ssh2
    Jan 30 17:13:38 Motte3 sshd[6859]: Failed password for root from 222.186.62.39 port 4712 ssh2
    Jan 30 17:13:38 Motte3 sshd[6857]: Failed password for root from 222.186.62.39 port 2831 ssh2
    Jan 30 17:13:40 Motte3 sshd[6859]: Failed password for root from 222.186.62.39 port 4712 ssh2
    Jan 30 17:13:41 Motte3 sshd[6857]: Failed password for root from 222.186.62.39 port 2831 ssh2
    Jan 30 17:13:42 Motte3 sshd[6859]: Failed password for root from 222.186.62.39 port 4712 ssh2
    Jan 30 17:13:43 Motte3 sshd[6857]: Failed password for root from 222.186.62.39 port 2831 ssh2
    Jan 30 17:13:45 Motte3 sshd[6859]: Failed password for root from 222.186.62.39 port 4712 ssh2
    Jan 30 17:13:46 Motte3 sshd[6857]: Failed password for root from 222.186.62.39 port 2831 ssh2
    Jan 30 17:13:46 Motte3 sshd[6857]: Disconnecting: Too many authentication failures for root [preauth]
    Jan 30 17:13:46 Motte3 sshd[6857]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39  user=root
    Jan 30 17:13:46 Motte3 sshd[6857]: PAM service(sshd) ignoring max retries; 6 > 3
    Jan 30 17:13:47 Motte3 sshd[6859]: Failed password for root from 222.186.62.39 port 4712 ssh2
    Jan 30 17:13:49 Motte3 sshd[6859]: Failed password for root from 222.186.62.39 port 4712 ssh2
    Jan 30 17:13:49 Motte3 sshd[6859]: Disconnecting: Too many authentication failures for root [preauth]
    Jan 30 17:13:49 Motte3 sshd[6859]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39  user=root
    Jan 30 17:13:49 Motte3 sshd[6859]: PAM service(sshd) ignoring max retries; 6 > 3
    Jan 30 17:13:53 Motte3 sshd[6861]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39  user=root
    Jan 30 17:13:55 Motte3 sshd[6861]: Failed password for root from 222.186.62.39 port 4274 ssh2
    Jan 30 17:13:57 Motte3 sshd[6873]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39  user=root
    Jan 30 17:13:58 Motte3 sshd[6861]: Failed password for root from 222.186.62.39 port 4274 ssh2
    Jan 30 17:14:00 Motte3 sshd[6873]: Failed password for root from 222.186.62.39 port 4210 ssh2
    Jan 30 17:14:00 Motte3 sshd[6861]: Failed password for root from 222.186.62.39 port 4274 ssh2
    Jan 30 17:14:01 Motte3 sshd[6875]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39  user=root
    Jan 30 17:14:01 Motte3 sshd[6873]: Failed password for root from 222.186.62.39 port 4210 ssh2
    Jan 30 17:14:02 Motte3 sshd[6861]: Failed password for root from 222.186.62.39 port 4274 ssh2
    Jan 30 17:14:03 Motte3 sshd[6875]: Failed password for root from 222.186.62.39 port 3848 ssh2
    Jan 30 17:14:04 Motte3 sshd[6873]: Failed password for root from 222.186.62.39 port 4210 ssh2
    Jan 30 17:14:04 Motte3 sshd[6861]: Failed password for root from 222.186.62.39 port 4274 ssh2
    Jan 30 17:14:05 Motte3 sshd[6875]: Failed password for root from 222.186.62.39 port 3848 ssh2
    Jan 30 17:14:06 Motte3 sshd[6873]: Failed password for root from 222.186.62.39 port 4210 ssh2
    Jan 30 17:14:06 Motte3 sshd[6861]: Failed password for root from 222.186.62.39 port 4274 ssh2
    Jan 30 17:14:06 Motte3 sshd[6861]: Disconnecting: Too many authentication failures for root [preauth]
    .....
    Feb  1 16:40:02 Motte3 sshd[16942]: input_userauth_request: invalid user test [preauth]
    Feb  1 16:40:02 Motte3 sshd[16942]: pam_unix(sshd:auth): check pass; user unknown
    Feb  1 16:40:02 Motte3 sshd[16942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.85.90.245 
    Feb  1 16:40:04 Motte3 sshd[16942]: Failed password for invalid user test from 222.85.90.245 port 40044 ssh2
    Feb  1 16:40:05 Motte3 sshd[16942]: Received disconnect from 222.85.90.245: 11: Bye Bye [preauth]
    Feb  1 16:40:08 Motte3 sshd[16944]: reverse mapping checking getaddrinfo for 245.90.85.222.broad.zz.ha.dynamic.163data.com.cn [222.85.90.245] failed - POSSIBLE BREAK-IN ATTEMPT!
    Feb  1 16:40:08 Motte3 sshd[16944]: Invalid user test from 222.85.90.245
    Feb  1 16:40:08 Motte3 sshd[16944]: input_userauth_request: invalid user test [preauth]
    Feb  1 16:40:08 Motte3 sshd[16944]: pam_unix(sshd:auth): check pass; user unknown
    Feb  1 16:40:08 Motte3 sshd[16944]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.85.90.245 
    Feb  1 16:40:10 Motte3 sshd[16944]: Failed password for invalid user test from 222.85.90.245 port 41105 ssh2
    Feb  1 16:40:11 Motte3 sshd[16944]: Received disconnect from 222.85.90.245: 11: Bye Bye [preauth]
    Feb  1 16:40:14 Motte3 sshd[16946]: reverse mapping checking getaddrinfo for 245.90.85.222.broad.zz.ha.dynamic.163data.com.cn [222.85.90.245] failed - POSSIBLE BREAK-IN ATTEMPT!
    Feb  1 16:40:14 Motte3 sshd[16946]: Invalid user test from 222.85.90.245
    Feb  1 16:40:14 Motte3 sshd[16946]: input_userauth_request: invalid user test [preauth]
    Feb  1 16:40:14 Motte3 sshd[16946]: pam_unix(sshd:auth): check pass; user unknown
    Feb  1 16:40:14 Motte3 sshd[16946]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.85.90.245 
    Feb  1 16:40:16 Motte3 sshd[16946]: Failed password for invalid user test from 222.85.90.245 port 42166 ssh2
    Feb  1 16:40:17 Motte3 sshd[16946]: Received disconnect from 222.85.90.245: 11: Bye Bye [preauth]
    Feb  1 16:40:20 Motte3 sshd[16948]: reverse mapping checking getaddrinfo for 245.90.85.222.broad.zz.ha.dynamic.163data.com.cn [222.85.90.245] failed - POSSIBLE BREAK-IN ATTEMPT!
    Feb  1 16:40:20 Motte3 sshd[16948]: Invalid user test from 222.85.90.245
    Feb  1 16:40:20 Motte3 sshd[16948]: input_userauth_request: invalid user test [preauth]
    Feb  1 16:40:20 Motte3 sshd[16948]: pam_unix(sshd:auth): check pass; user unknown
    Feb  1 16:40:20 Motte3 sshd[16948]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.85.90.245 
    Feb  1 16:40:22 Motte3 sshd[16948]: Failed password for invalid user test from 222.85.90.245 port 43183 ssh2
    Feb  1 16:40:23 Motte3 sshd[16948]: Received disconnect from 222.85.90.245: 11: Bye Bye [preauth]
    Feb  1 16:40:27 Motte3 sshd[16950]: reverse mapping checking getaddrinfo for 245.90.85.222.broad.zz.ha.dynamic.163data.com.cn [222.85.90.245] failed - POSSIBLE BREAK-IN ATTEMPT!
    Feb  1 16:40:27 Motte3 sshd[16950]: Invalid user test from 222.85.90.245
    Feb  1 16:40:27 Motte3 sshd[16950]: input_userauth_request: invalid user test [preauth]
    Feb  1 16:40:27 Motte3 sshd[16950]: pam_unix(sshd:auth): check pass; user unknown
    Feb  1 16:40:27 Motte3 sshd[16950]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.85.90.245 
    Feb  1 16:40:29 Motte3 sshd[16950]: Failed password for invalid user test from 222.85.90.245 port 44273 ssh2
    Feb  1 16:40:30 Motte3 sshd[16950]: Received disconnect from 222.85.90.245: 11: Bye Bye [preauth]
    Feb  1 16:40:34 Motte3 sshd[16952]: reverse mapping checking getaddrinfo for 245.90.85.222.broad.zz.ha.dynamic.163data.com.cn [222.85.90.245] failed - POSSIBLE BREAK-IN ATTEMPT!
    Feb  1 16:40:34 Motte3 sshd[16952]: Invalid user test from 222.85.90.245
    Feb  1 16:40:34 Motte3 sshd[16952]: input_userauth_request: invalid user test [preauth]
    Feb  1 16:40:34 Motte3 sshd[16952]: pam_unix(sshd:auth): check pass; user unknown
    Feb  1 16:40:34 Motte3 sshd[16952]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.85.90.245 
    Feb  1 16:40:36 Motte3 sshd[16952]: Failed password for invalid user test from 222.85.90.245 port 45401 ssh2
    Feb  1 16:40:36 Motte3 sshd[16952]: Received disconnect from 222.85.90.245: 11: Bye Bye [preauth]
    As first line in auth.log starts "Feb 2 08:17:01 " this can be assumed is close the when he succeed, of a few hours later. (This is the point where my wife booted her new Ubuntu laptop and gigolo mounts the server)

    Enjoy !

  6. #16
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    That tells me SSH was open to the internet because the IP in the log is a public one, not a private one (192.168.x.y/10.x.y.z).
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  7. #17
    Join Date
    Jan 2008
    Location
    Bay Area, CA/Kanagawa, JP
    Beans
    248
    Distro
    Xubuntu 13.10 Saucy Salamander

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    I don't see the success authentication in that log, maybe that is the one he deleted?

    what are you using PPTP for? Are you logging pptp connections (/var/log/wtmp)?

    Also +1 for no vino


    Edit: +1 CharlesA, definitely looks like ssh-server was open to the internet...
    Last edited by brokenhachi; February 5th, 2014 at 08:45 PM.

  8. #18
    Join Date
    Sep 2009
    Location
    Norway
    Beans
    48
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    This is how my DSL routers firewall was set up when I got hacked. The other tabs is not set up/unused. I noticed though that my routers firewall was set to "Protection Level" = "Medium", not "High".
    Local IP for my server is 192.168.1.45 and only two ports are enabled.
    Attached Images Attached Images

  9. #19
    Join Date
    Nov 2013
    Location
    On the edge
    Beans
    861
    Distro
    Ubuntu

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    But the thing is I do not have port 22 open on router (DSL), only Teamspeak 3 server and my kids Minecraft server is open to the world.
    But you have port 22 open on your private network? Then I guess he opened it up to the internet. That would require a router reconfig. Do you have default credentials on the router?

    Here are my recommendations for someone technically savvy but not a professional security guy:

    1. Reset the router, wii, xbox, ps to factory settings. That will boot him off if he managed to own one of them.
    2. Download 2 or 3 antivirus free scanners (AVG, McAfee, malwarebytes, whatever. Jus pick a recognizable name). Install & update them on all windows boxes.
    3. Unplug the whole network from the internet.
    4. Scan all the windows desktops/laptops and servers with AV. If any infections are found then reimage it. You can copy data off onto an external drive relatively safely before you reimage if necessary.
    5. Inspect the windows servers for odd or missing event logs. Any signs of hacking just reimage.
    6. We already decided your ubuntu server is owned, so reimage that.

    Then as you rebuild the systems I encourage you to research how to secure the network and machines. Secure all your running services with keys if you can, strong long passwords if not. Don't allow anonymous ftp login. Make all the boxes automatically update. Install EMET on the Windows boxes. http://www.microsoft.com/en-us/downl....aspx?id=39273
    Use a firewall on each host. Disable upnp.
    Last edited by bashiergui; February 6th, 2014 at 03:36 AM.
    Knock knock.
    Race condition.
    Who's there?

  10. #20
    Join Date
    Jan 2008
    Location
    Bay Area, CA/Kanagawa, JP
    Beans
    248
    Distro
    Xubuntu 13.10 Saucy Salamander

    Re: Xubuntu 12.04/64, OpenSSH Server Hacked

    +1 for this. I'm a huge fan of malwarebytes and clamav. Also, the Kaspersky rescue disk is great for offline scanning (i.e livecd). If you dont know it, this is a great little gui for iptables based firewalls (among others): http://www.fwbuilder.org/

    If you need remote admin access to the network, maybe consider openvpn, or getting an actual firewall applicance (which i highly recommend, as its a great learning experience if you're interested in networking/security). You can then configure ipsec vpns and use shrew to connect when needed. You can pick up good deals from some sites..

    Good luck!

Page 2 of 3 FirstFirst 123 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •