Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide
Tomorrow's an illusion and yesterday's a dream, today is a solution...
+1 for the auth.log, interested in seeing that. Sanitize it first though, of course. If you want to know how he got in, as someone else mentioned, check logs on the other devices for connections from the same IP. He could have island-hopped from another machine, or he could tunnel over HTTP or whatever to get into SSH. You should always place restrictions as close as possible to the restricted machine.
The chances that that server is malware infected/still running something are very high though, so I would disconnect it. If you want to analyze the data, do it offline. You might also try a portscan on yourself from the office or something to see what exactly is accessible. Try zenmap if you like the GUI (it's in the repo).
Thanks everyone for the good tips and suggestions. My 3com router, type 3CRWDR101B-75, has UPnP disabled. Here is the netstat output taken after I uninstalled the OpenSSH server:
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:64586 0.0.0.0:* LISTEN 1005/utserver
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 796/smbd
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 1488/vino-server
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1005/utserver
tcp 0 0 127.0.0.1:10000 0.0.0.0:* LISTEN 1005/utserver
tcp 0 0 0.0.0.0:30033 0.0.0.0:* LISTEN 1498/ts3server_linu
tcp 0 0 127.0.0.1:7634 0.0.0.0:* LISTEN 1180/hddtemp
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1836/dnsmasq
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 705/cupsd
tcp 0 0 0.0.0.0:10011 0.0.0.0:* LISTEN 1498/ts3server_linu
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 796/smbd
tcp6 0 0 :::5800 :::* LISTEN 1488/vino-server
tcp6 0 0 :::64586 :::* LISTEN 1005/utserver
tcp6 0 0 :::139 :::* LISTEN 796/smbd
tcp6 0 0 :::5900 :::* LISTEN 1488/vino-server
tcp6 0 0 :::8080 :::* LISTEN 1005/utserver
tcp6 0 0 ::1:631 :::* LISTEN 705/cupsd
tcp6 0 0 :::445 :::* LISTEN 796/smbd
udp 0 0 127.0.0.1:53 0.0.0.0:* 1836/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 1467/dhclient
udp 0 0 0.0.0.0:57454 0.0.0.0:* 1072/hamachid
udp 0 0 192.168.1.255:137 0.0.0.0:* 1981/nmbd
udp 0 0 192.168.1.45:137 0.0.0.0:* 1981/nmbd
udp 0 0 25.255.255.255:137 0.0.0.0:* 1981/nmbd
udp 0 0 25.133.235.12:137 0.0.0.0:* 1981/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 1981/nmbd
udp 0 0 192.168.1.255:138 0.0.0.0:* 1981/nmbd
udp 0 0 192.168.1.45:138 0.0.0.0:* 1981/nmbd
udp 0 0 25.255.255.255:138 0.0.0.0:* 1981/nmbd
udp 0 0 25.133.235.12:138 0.0.0.0:* 1981/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 1981/nmbd
udp 0 0 0.0.0.0:6771 0.0.0.0:* 1005/utserver
udp 0 0 178.73.196.39:43792 0.0.0.0:* 1072/hamachid
udp 0 0 0.0.0.0:64586 0.0.0.0:* 1005/utserver
udp 0 0 0.0.0.0:5353 0.0.0.0:* 632/avahi-daemon: r
udp 0 0 0.0.0.0:38591 0.0.0.0:* 632/avahi-daemon: r
udp 0 0 0.0.0.0:9987 0.0.0.0:* 1498/ts3server_linu
udp6 0 0 :::33467 :::* 632/avahi-daemon: r
udp6 0 0 :::64586 :::* 1005/utserver
udp6 0 0 :::5353 :::* 632/avahi-daemon: r
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 1072/hamachid
raw 231168 0 0.0.0.0:1 0.0.0.0:* 7 1508/lvpnc
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 7423 632/avahi-daemon: r /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 8592 1157/X /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 9550 1436/ssh-agent /tmp/ssh-IxFBlGTw1404/agent.1404
unix 2 [ ACC ] STREAM LISTENING 9600 1455/xfce4-session /tmp/.ICE-unix/1455
unix 2 [ ACC ] STREAM LISTENING 10780 1553/pulseaudio /home/xxxxxx/.pulse/8d4dfdae3ba571c195e6b34b00000002-runtime/native
unix 2 [ ACC ] STREAM LISTENING 10102 1508/lvpnc /tmp/vpnautoconnect.sock
unix 2 [ ACC ] STREAM LISTENING 9234 1072/hamachid /var/run/logmein-hamachi/ipc.sock
unix 2 [ ACC ] SEQPACKET LISTENING 6422 320/udevd /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 10942 1785/gnome-keyring- /tmp/keyring-diMWNo/control
unix 2 [ ACC ] STREAM LISTENING 6690 591/dbus-daemon /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 13349 2212/pptp /var/run/pptp/255.255.255.255:80.67.8.201
unix 2 [ ACC ] STREAM LISTENING 6321 1/init @/com/ubuntu/upstart
unix 2 [ ACC ] STREAM LISTENING 6733 608/bluetoothd /var/run/sdp
unix 2 [ ACC ] STREAM LISTENING 6741 608/bluetoothd @/org/bluez/audio
unix 2 [ ACC ] STREAM LISTENING 17438 2448/dbus-daemon @/tmp/dbus-5wC8YBkL7E
unix 2 [ ACC ] STREAM LISTENING 8286 1110/acpid /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 8591 1157/X @/tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 291962 705/cupsd /var/run/cups/cups.sock
unix 2 [ ACC ] STREAM LISTENING 11222 1981/nmbd /var/run/samba/unexpected
unix 2 [ ACC ] STREAM LISTENING 9561 1440/dbus-daemon @/tmp/dbus-utIQPNIVxr
unix 2 [ ACC ] STREAM LISTENING 9599 1455/xfce4-session @/tmp/.ICE-unix/1455
Are you sure vino wasn't exposed to the internet? There's no way I would run VNC on a *nix box unless I was tunneling it over SSH.
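One way to answer that question from a netstat listing like the one above, as an added example and not code from the thread: it parses the listing, flags every socket bound to 0.0.0.0 or :: (reachable from the whole LAN), and then narrows that to the ports the router actually forwards. The abridged sample listing and the forwarded-port set {9987, 10011, 30033} are constructed assumptions for the demo.

```python
import re

# Constructed sample in the shape of the thread's netstat listing (a handful of its sockets).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp   0 0 0.0.0.0:5900    0.0.0.0:*  LISTEN  1488/vino-server
tcp   0 0 127.0.0.1:631   0.0.0.0:*  LISTEN  705/cupsd
tcp   0 0 0.0.0.0:445     0.0.0.0:*  LISTEN  796/smbd
tcp6  0 0 :::5800         :::*       LISTEN  1488/vino-server
tcp6  0 0 ::1:631         :::*       LISTEN  705/cupsd
udp   0 0 0.0.0.0:9987    0.0.0.0:*          1498/ts3server_linu
udp   0 0 127.0.0.1:53    0.0.0.0:*          1836/dnsmasq
udp   0 0 0.0.0.0:5353    0.0.0.0:*          632/avahi-daemon: r
"""

# proto, recv-q, send-q, local address, foreign address, optional state, program
SOCKET_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<program>\S.*?)\s*$"
)

def split_addr(local):
    """Split 'host:port'; rpartition keeps IPv6 hosts such as '::1' intact."""
    host, _, port = local.rpartition(":")
    return host, int(port)

def is_wildcard(host):
    # 0.0.0.0 / :: bind every interface: reachable from the whole LAN, and from
    # the Internet for any port the router forwards.
    return host in ("0.0.0.0", "::")

def wildcard_sockets(netstat_text):
    """(proto, port, program) for each socket bound to all interfaces."""
    found = []
    for line in netstat_text.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue  # headers, unix sockets, raw sockets
        host, port = split_addr(m["local"])
        if is_wildcard(host):
            found.append((m["proto"], port, m["program"]))
    return found

def internet_reachable(sockets, forwarded_ports):
    """Wildcard binding alone is LAN exposure; a router forward makes it public."""
    return [s for s in sockets if s[1] in forwarded_ports]

if __name__ == "__main__":
    lan = wildcard_sockets(SAMPLE_NETSTAT)
    print("LAN-exposed:", lan)
    # Assumed forward set for the demo (the thread says only TS3 and Minecraft are forwarded).
    print("Internet-reachable:", internet_reachable(lan, {9987, 10011, 30033}))
```

Anything in the first list that is not in the second is still reachable by every device on the LAN, which is what makes a compromised Windows box or console on the same network a path to it.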
Yes, I can see that "my" hacker, leaving so many traces, is a wannabe that tries to learn from the real ones. And that he likes beer, mobile phones, coffee, hanging out with friends, even hugging them, and desperately wants to replace them with a girl...
To me it seems that this guy has deleted auth.log after he finally got logged in, since there is only a trace of him in auth.log.1. Here I found 7491 lines of his login attempts; obviously he is a bit clever. After removing my own logins and the many Samba logins, I decided to only list the first and last part so as not to spam the forum:
As the first line in auth.log starts with "Feb 2 08:17:01", it can be assumed this is close to when he succeeded, or a few hours later. (This is the point where my wife booted her new Ubuntu laptop and gigolo mounted the server.)
Code:
Jan 30 17:13:11 Motte3 sshd[6855]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39 user=root
Jan 30 17:13:13 Motte3 sshd[6855]: Failed password for root from 222.186.62.39 port 4288 ssh2
Jan 30 17:13:24 sshd[6855]: last message repeated 5 times
Jan 30 17:13:24 Motte3 sshd[6855]: Disconnecting: Too many authentication failures for root [preauth]
Jan 30 17:13:24 Motte3 sshd[6855]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39 user=root
Jan 30 17:13:24 Motte3 sshd[6855]: PAM service(sshd) ignoring max retries; 6 > 3
Jan 30 17:13:32 Motte3 sshd[6857]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39 user=root
Jan 30 17:13:34 Motte3 sshd[6857]: Failed password for root from 222.186.62.39 port 2831 ssh2
Jan 30 17:13:35 Motte3 sshd[6859]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39 user=root
Jan 30 17:13:36 Motte3 sshd[6857]: Failed password for root from 222.186.62.39 port 2831 ssh2
Jan 30 17:13:38 Motte3 sshd[6859]: Failed password for root from 222.186.62.39 port 4712 ssh2
Jan 30 17:13:38 Motte3 sshd[6857]: Failed password for root from 222.186.62.39 port 2831 ssh2
Jan 30 17:13:40 Motte3 sshd[6859]: Failed password for root from 222.186.62.39 port 4712 ssh2
Jan 30 17:13:41 Motte3 sshd[6857]: Failed password for root from 222.186.62.39 port 2831 ssh2
Jan 30 17:13:42 Motte3 sshd[6859]: Failed password for root from 222.186.62.39 port 4712 ssh2
Jan 30 17:13:43 Motte3 sshd[6857]: Failed password for root from 222.186.62.39 port 2831 ssh2
Jan 30 17:13:45 Motte3 sshd[6859]: Failed password for root from 222.186.62.39 port 4712 ssh2
Jan 30 17:13:46 Motte3 sshd[6857]: Failed password for root from 222.186.62.39 port 2831 ssh2
Jan 30 17:13:46 Motte3 sshd[6857]: Disconnecting: Too many authentication failures for root [preauth]
Jan 30 17:13:46 Motte3 sshd[6857]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39 user=root
Jan 30 17:13:46 Motte3 sshd[6857]: PAM service(sshd) ignoring max retries; 6 > 3
Jan 30 17:13:47 Motte3 sshd[6859]: Failed password for root from 222.186.62.39 port 4712 ssh2
Jan 30 17:13:49 Motte3 sshd[6859]: Failed password for root from 222.186.62.39 port 4712 ssh2
Jan 30 17:13:49 Motte3 sshd[6859]: Disconnecting: Too many authentication failures for root [preauth]
Jan 30 17:13:49 Motte3 sshd[6859]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39 user=root
Jan 30 17:13:49 Motte3 sshd[6859]: PAM service(sshd) ignoring max retries; 6 > 3
Jan 30 17:13:53 Motte3 sshd[6861]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39 user=root
Jan 30 17:13:55 Motte3 sshd[6861]: Failed password for root from 222.186.62.39 port 4274 ssh2
Jan 30 17:13:57 Motte3 sshd[6873]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39 user=root
Jan 30 17:13:58 Motte3 sshd[6861]: Failed password for root from 222.186.62.39 port 4274 ssh2
Jan 30 17:14:00 Motte3 sshd[6873]: Failed password for root from 222.186.62.39 port 4210 ssh2
Jan 30 17:14:00 Motte3 sshd[6861]: Failed password for root from 222.186.62.39 port 4274 ssh2
Jan 30 17:14:01 Motte3 sshd[6875]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.39 user=root
Jan 30 17:14:01 Motte3 sshd[6873]: Failed password for root from 222.186.62.39 port 4210 ssh2
Jan 30 17:14:02 Motte3 sshd[6861]: Failed password for root from 222.186.62.39 port 4274 ssh2
Jan 30 17:14:03 Motte3 sshd[6875]: Failed password for root from 222.186.62.39 port 3848 ssh2
Jan 30 17:14:04 Motte3 sshd[6873]: Failed password for root from 222.186.62.39 port 4210 ssh2
Jan 30 17:14:04 Motte3 sshd[6861]: Failed password for root from 222.186.62.39 port 4274 ssh2
Jan 30 17:14:05 Motte3 sshd[6875]: Failed password for root from 222.186.62.39 port 3848 ssh2
Jan 30 17:14:06 Motte3 sshd[6873]: Failed password for root from 222.186.62.39 port 4210 ssh2
Jan 30 17:14:06 Motte3 sshd[6861]: Failed password for root from 222.186.62.39 port 4274 ssh2
Jan 30 17:14:06 Motte3 sshd[6861]: Disconnecting: Too many authentication failures for root [preauth]
.....
Feb 1 16:40:02 Motte3 sshd[16942]: input_userauth_request: invalid user test [preauth]
Feb 1 16:40:02 Motte3 sshd[16942]: pam_unix(sshd:auth): check pass; user unknown
Feb 1 16:40:02 Motte3 sshd[16942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.85.90.245
Feb 1 16:40:04 Motte3 sshd[16942]: Failed password for invalid user test from 222.85.90.245 port 40044 ssh2
Feb 1 16:40:05 Motte3 sshd[16942]: Received disconnect from 222.85.90.245: 11: Bye Bye [preauth]
Feb 1 16:40:08 Motte3 sshd[16944]: reverse mapping checking getaddrinfo for 245.90.85.222.broad.zz.ha.dynamic.163data.com.cn [222.85.90.245] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 1 16:40:08 Motte3 sshd[16944]: Invalid user test from 222.85.90.245
Feb 1 16:40:08 Motte3 sshd[16944]: input_userauth_request: invalid user test [preauth]
Feb 1 16:40:08 Motte3 sshd[16944]: pam_unix(sshd:auth): check pass; user unknown
Feb 1 16:40:08 Motte3 sshd[16944]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.85.90.245
Feb 1 16:40:10 Motte3 sshd[16944]: Failed password for invalid user test from 222.85.90.245 port 41105 ssh2
Feb 1 16:40:11 Motte3 sshd[16944]: Received disconnect from 222.85.90.245: 11: Bye Bye [preauth]
Feb 1 16:40:14 Motte3 sshd[16946]: reverse mapping checking getaddrinfo for 245.90.85.222.broad.zz.ha.dynamic.163data.com.cn [222.85.90.245] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 1 16:40:14 Motte3 sshd[16946]: Invalid user test from 222.85.90.245
Feb 1 16:40:14 Motte3 sshd[16946]: input_userauth_request: invalid user test [preauth]
Feb 1 16:40:14 Motte3 sshd[16946]: pam_unix(sshd:auth): check pass; user unknown
Feb 1 16:40:14 Motte3 sshd[16946]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.85.90.245
Feb 1 16:40:16 Motte3 sshd[16946]: Failed password for invalid user test from 222.85.90.245 port 42166 ssh2
Feb 1 16:40:17 Motte3 sshd[16946]: Received disconnect from 222.85.90.245: 11: Bye Bye [preauth]
Feb 1 16:40:20 Motte3 sshd[16948]: reverse mapping checking getaddrinfo for 245.90.85.222.broad.zz.ha.dynamic.163data.com.cn [222.85.90.245] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 1 16:40:20 Motte3 sshd[16948]: Invalid user test from 222.85.90.245
Feb 1 16:40:20 Motte3 sshd[16948]: input_userauth_request: invalid user test [preauth]
Feb 1 16:40:20 Motte3 sshd[16948]: pam_unix(sshd:auth): check pass; user unknown
Feb 1 16:40:20 Motte3 sshd[16948]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.85.90.245
Feb 1 16:40:22 Motte3 sshd[16948]: Failed password for invalid user test from 222.85.90.245 port 43183 ssh2
Feb 1 16:40:23 Motte3 sshd[16948]: Received disconnect from 222.85.90.245: 11: Bye Bye [preauth]
Feb 1 16:40:27 Motte3 sshd[16950]: reverse mapping checking getaddrinfo for 245.90.85.222.broad.zz.ha.dynamic.163data.com.cn [222.85.90.245] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 1 16:40:27 Motte3 sshd[16950]: Invalid user test from 222.85.90.245
Feb 1 16:40:27 Motte3 sshd[16950]: input_userauth_request: invalid user test [preauth]
Feb 1 16:40:27 Motte3 sshd[16950]: pam_unix(sshd:auth): check pass; user unknown
Feb 1 16:40:27 Motte3 sshd[16950]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.85.90.245
Feb 1 16:40:29 Motte3 sshd[16950]: Failed password for invalid user test from 222.85.90.245 port 44273 ssh2
Feb 1 16:40:30 Motte3 sshd[16950]: Received disconnect from 222.85.90.245: 11: Bye Bye [preauth]
Feb 1 16:40:34 Motte3 sshd[16952]: reverse mapping checking getaddrinfo for 245.90.85.222.broad.zz.ha.dynamic.163data.com.cn [222.85.90.245] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 1 16:40:34 Motte3 sshd[16952]: Invalid user test from 222.85.90.245
Feb 1 16:40:34 Motte3 sshd[16952]: input_userauth_request: invalid user test [preauth]
Feb 1 16:40:34 Motte3 sshd[16952]: pam_unix(sshd:auth): check pass; user unknown
Feb 1 16:40:34 Motte3 sshd[16952]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.85.90.245
Feb 1 16:40:36 Motte3 sshd[16952]: Failed password for invalid user test from 222.85.90.245 port 45401 ssh2
Feb 1 16:40:36 Motte3 sshd[16952]: Received disconnect from 222.85.90.245: 11: Bye Bye [preauth]
Enjoy!
That tells me SSH was open to the internet because the IP in the log is a public one, not a private one (192.168.x.y/10.x.y.z).
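CharlesA's public-versus-private check, put into code as an added example that is not from the thread: it parses auth.log lines of the shape posted above, expands syslog's "last message repeated N times" so the attempt count is not understated, counts failed attempts per non-private source address, and lists any "Accepted" lines, which is the entry to look for when checking whether a successful login survived in the log. The sample log is constructed: two of the thread's own lines plus invented 192.168.1.20 lines, including an invented "Accepted" line.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in the thread's auth.log format (the 192.168.1.20 lines are invented).
SAMPLE_AUTH_LOG = """\
Jan 30 17:13:13 Motte3 sshd[6855]: Failed password for root from 222.186.62.39 port 4288 ssh2
Jan 30 17:13:24 sshd[6855]: last message repeated 5 times
Jan 30 17:13:24 Motte3 sshd[6855]: Disconnecting: Too many authentication failures for root [preauth]
Feb  1 16:40:04 Motte3 sshd[16942]: Failed password for invalid user test from 222.85.90.245 port 40044 ssh2
Feb  1 16:40:10 Motte3 sshd[16944]: Failed password for invalid user test from 222.85.90.245 port 41105 ssh2
Feb  1 18:02:11 Motte3 sshd[17010]: Failed password for alice from 192.168.1.20 port 50122 ssh2
Feb  1 18:02:15 Motte3 sshd[17010]: Accepted password for alice from 192.168.1.20 port 50122 ssh2
"""

EVENT_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

def parse_ssh_events(text):
    """One dict per login attempt, with syslog's 'repeated N times' expanded."""
    events, last = [], None
    for line in text.splitlines():
        rep = REPEAT_RE.search(line)
        if rep:
            if last is not None:  # only expand if the previous line was an attempt
                events.extend(dict(last) for _ in range(int(rep.group(1))))
            continue
        m = EVENT_RE.search(line)
        last = None
        if m:
            last = m.groupdict()
            last["ip"] = ipaddress.ip_address(last["ip"])
            events.append(last)
    return events

def failed_by_public_ip(events):
    """Failed attempts per source that is not a private (RFC 1918 / loopback) address."""
    hits = Counter()
    for e in events:
        if e["result"] == "Failed" and not e["ip"].is_private:
            hits[str(e["ip"])] += 1
    return hits

def successful_logins(events):
    """(user, ip, method) for every 'Accepted' line; a wiped log will have none."""
    return [(e["user"], str(e["ip"]), e["method"]) for e in events if e["result"] == "Accepted"]

if __name__ == "__main__":
    ev = parse_ssh_events(SAMPLE_AUTH_LOG)
    print("failed from public IPs:", dict(failed_by_public_ip(ev)))
    print("successful logins:", successful_logins(ev))
```

Run against the real auth.log.1 instead of the sample, the first result is the list of public addresses that were hammering the daemon, which only makes sense if port 22 was reachable from outside.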
I don't see the successful authentication in that log; maybe that is the one he deleted?
What are you using PPTP for? Are you logging pptp connections (/var/log/wtmp)?
Also +1 for no vino
Edit: +1 CharlesA, definitely looks like ssh-server was open to the internet...
Last edited by brokenhachi; February 5th, 2014 at 08:45 PM.
This is how my DSL router's firewall was set up when I got hacked. The other tabs are not set up/unused. I noticed though that my router's firewall was set to "Protection Level" = "Medium", not "High".
Local IP for my server is 192.168.1.45 and only two ports are enabled.
Quote:
But you have port 22 open on your private network? Then I guess he opened it up to the internet. That would require a router reconfig. Do you have default credentials on the router?
But the thing is I do not have port 22 open on the router (DSL); only the Teamspeak 3 server and my kids' Minecraft server are open to the world.
Here are my recommendations for someone technically savvy but not a professional security guy:
1. Reset the router, Wii, Xbox, PS to factory settings. That will boot him off if he managed to own one of them.
2. Download 2 or 3 free antivirus scanners (AVG, McAfee, Malwarebytes, whatever. Just pick a recognizable name). Install & update them on all Windows boxes.
3. Unplug the whole network from the internet.
4. Scan all the windows desktops/laptops and servers with AV. If any infections are found then reimage it. You can copy data off onto an external drive relatively safely before you reimage if necessary.
5. Inspect the windows servers for odd or missing event logs. Any signs of hacking just reimage.
6. We already decided your Ubuntu server is owned, so reimage that.
Then as you rebuild the systems I encourage you to research how to secure the network and machines. Secure all your running services with keys if you can, strong long passwords if not. Don't allow anonymous ftp login. Make all the boxes automatically update. Install EMET on the Windows boxes. http://www.microsoft.com/en-us/downl....aspx?id=39273
Use a firewall on each host. Disable upnp.
Last edited by bashiergui; February 6th, 2014 at 03:36 AM.
Knock knock.
Race condition.
Who's there?
+1 for this. I'm a huge fan of Malwarebytes and ClamAV. Also, the Kaspersky rescue disk is great for offline scanning (i.e. a live CD). If you don't know it, this is a great little GUI for iptables-based firewalls (among others): http://www.fwbuilder.org/
If you need remote admin access to the network, maybe consider OpenVPN, or getting an actual firewall appliance (which I highly recommend, as it's a great learning experience if you're interested in networking/security). You can then configure IPsec VPNs and use Shrew to connect when needed. You can pick up good deals from some sites.
Good luck!