From: steve on
Well it happened again, but this time I was a little better prepared.
It seems that my /etc/shadow file got modified somehow. Knowing the
time of the new file I was able to go back into my /var/log/messages
file to see if anything of interest was happening. It definitely was!

Jun 4 03:33:27 myacer sshd[26933]: Invalid user emma from
219.233.229.77
Jun 4 03:33:27 myacer sshd[26933]: Failed password for invalid user
emma from 219.233.229.77 port 39063 ssh2
Jun 4 03:33:31 myacer sshd[26937]: Invalid user oracle from
219.233.229.77
Jun 4 03:33:31 myacer sshd[26937]: Failed password for invalid user
oracle from 219.233.229.77 port 40690 ssh2
Jun 4 03:33:33 myacer sshd[26939]: Invalid user netdump from
219.233.229.77
Jun 4 03:33:33 myacer sshd[26939]: Failed password for invalid user
netdump from 219.233.229.77 port 41623 ssh2

If I'm interpreting this correctly, someone in China was trying to
hack into my computer.

So my questions are:

1) am I understanding this correctly?
2) does the fact that my /etc/shadow file got changed indicate that
they were successful?
3) And of course, how do I prevent this from happening in the future?

Steve

--
From: Lew Pitcher on
On June 4, 2010 14:25, in alt.os.linux.slackware, shmartonak(a)ticnet.com
wrote:

> Well it happened again, but this time I was a little better prepared.
> It seems that my /etc/shadow file got modified somehow. Knowing the
> time of the new file I was able to go back into my /var/log/messages
> file to see if anything of interest was happening. It definitely was!
>
> Jun 4 03:33:27 myacer sshd[26933]: Invalid user emma from
> 219.233.229.77
> Jun 4 03:33:27 myacer sshd[26933]: Failed password for invalid user
> emma from 219.233.229.77 port 39063 ssh2
> Jun 4 03:33:31 myacer sshd[26937]: Invalid user oracle from
> 219.233.229.77
> Jun 4 03:33:31 myacer sshd[26937]: Failed password for invalid user
> oracle from 219.233.229.77 port 40690 ssh2
> Jun 4 03:33:33 myacer sshd[26939]: Invalid user netdump from
> 219.233.229.77
> Jun 4 03:33:33 myacer sshd[26939]: Failed password for invalid user
> netdump from 219.233.229.77 port 41623 ssh2
>
> If I'm interpreting this correctly, someone in China was trying to
> hack into my computer.

Likely. There are many, ongoing widespread hack attempts against improperly
secured ssh servers. This is one of them. It isn't some casual hacker
rattling your doorknob; it is part of an organized attempt to break into
and pwn /any/ unsecured ssh system.

>
> So my questions are:
>
> 1) am I understanding this correctly?

The above dump? Yes.
The surface implications? Yes.
The deep implications? I don't know. Have you checked your system thoroughly
for "infections" and internal break-in attempts? Checked and validated
every running process? Validated all your user, application, and system
data? If not, then no, you haven't understood the deeper implications of
having your system invaded and taken over by an outsider.

> 2) does the fact that my /etc/shadow file got changed indicate that
> they were successful?

Possibly. It would take some research to validate that hypothesis. But, it
is likely that, once someone has broken in to your system (no matter how
they have done it), they would have altered the vunerible user's password
settings. And thus, the /etc/shadow file contents.

> 3) And of course, how do I prevent this from happening in the future?

Be viligant. Watch for and block attempted invasions with IPTABLES rules.
For instance, somehow have the SSH "failed password attempt" messages feed
IPTABLES to block repeated hack attempts from foreign IP addresses.

Change your SSH service to disable the use of cleartext passwords on logon
(in /etc/ssh/sshd_config, change PasswordAuthentication to no) and use
Public Key Authentication with host and user ssh keys (the HostKey
parameter, and the RSAAuthentication and PubkeyAuthentication parameters).

Check your logs daily. Watch for breakins using other protocols, and ban
(IPTABLES or whatever) the offending IP addresses.

In other words, be proactive about protecting your system.

HTH
--
Lew Pitcher
Master Codewright & JOAT-in-training | Registered Linux User #112576
Me: http://pitcher.digitalfreehold.ca/ | Just Linux: http://justlinux.ca/
---------- Slackware - Because I know what I'm doing. ------


From: John F. Morse on
steve wrote:
> Well it happened again, but this time I was a little better prepared.
> It seems that my /etc/shadow file got modified somehow. Knowing the
> time of the new file I was able to go back into my /var/log/messages
> file to see if anything of interest was happening. It definitely was!
>
> Jun 4 03:33:27 myacer sshd[26933]: Invalid user emma from
> 219.233.229.77
> Jun 4 03:33:27 myacer sshd[26933]: Failed password for invalid user
> emma from 219.233.229.77 port 39063 ssh2
> Jun 4 03:33:31 myacer sshd[26937]: Invalid user oracle from
> 219.233.229.77
> Jun 4 03:33:31 myacer sshd[26937]: Failed password for invalid user
> oracle from 219.233.229.77 port 40690 ssh2
> Jun 4 03:33:33 myacer sshd[26939]: Invalid user netdump from
> 219.233.229.77
> Jun 4 03:33:33 myacer sshd[26939]: Failed password for invalid user
> netdump from 219.233.229.77 port 41623 ssh2
>
> If I'm interpreting this correctly, someone in China was trying to
> hack into my computer.
>
> So my questions are:
>
> 1) am I understanding this correctly?
> 2) does the fact that my /etc/shadow file got changed indicate that
> they were successful?
> 3) And of course, how do I prevent this from happening in the future?
>
> Steve
>

Use a NAT router. Don't open port 22. Remove openssh-server if you don't
need it.

Why does your log show sshd running on so many "unassigned" ports?

--
John

When a person has -- whether they knew it or not -- already rejected the Truth, by what means do they discern a lie?
From: Grant on
On Fri, 4 Jun 2010 11:25:03 -0700 (PDT), steve <shmartonak(a)ticnet.com> wrote:

>Well it happened again, but this time I was a little better prepared.
>It seems that my /etc/shadow file got modified somehow. Knowing the
>time of the new file I was able to go back into my /var/log/messages
>file to see if anything of interest was happening. It definitely was!
>
>Jun 4 03:33:27 myacer sshd[26933]: Invalid user emma from
>219.233.229.77
>Jun 4 03:33:27 myacer sshd[26933]: Failed password for invalid user
>emma from 219.233.229.77 port 39063 ssh2
>Jun 4 03:33:31 myacer sshd[26937]: Invalid user oracle from
>219.233.229.77
>Jun 4 03:33:31 myacer sshd[26937]: Failed password for invalid user
>oracle from 219.233.229.77 port 40690 ssh2
>Jun 4 03:33:33 myacer sshd[26939]: Invalid user netdump from
>219.233.229.77
>Jun 4 03:33:33 myacer sshd[26939]: Failed password for invalid user
>netdump from 219.233.229.77 port 41623 ssh2
>
>If I'm interpreting this correctly, someone in China was trying to
>hack into my computer.
>
>So my questions are:
>
>1) am I understanding this correctly?

Consider possibilities, not probabilities. Yes, it looks bad.

>2) does the fact that my /etc/shadow file got changed indicate that
>they were successful?

Possibly!

>3) And of course, how do I prevent this from happening in the future?

Unless you need remote ssh, shut down port 22 simple user/pass access
from the big bad Internet.

If you need it, we had a discussion here a while back about fitting
firewall rules to allow remote access but blocking attackers with a
combination of timeouts and three tries, you're banned.

Use passwordless access with private and public keys, so an attack
fails as soon as attacker tries the wrong username, let alone starts
guessing what the keys are. An agent is there for local access so
it can be painless.

You might open a different port for remote ssh access, or even install
some port-knocking arrangement to only open the port on demand.

Limit remote ssh access to known IPs or IP blocks.

Depends what you want for remote access. Best is to shut remote access
down unless you really need it.

Don't offer user/pass ftp access either, anonymous read-only ftp is safe.

Grant.
--
http://bugs.id.au/
From: Chris Vine on
On Fri, 4 Jun 2010 11:25:03 -0700 (PDT)
steve <shmartonak(a)ticnet.com> wrote:
> Well it happened again, but this time I was a little better prepared.
> It seems that my /etc/shadow file got modified somehow. Knowing the
> time of the new file I was able to go back into my /var/log/messages
> file to see if anything of interest was happening. It definitely was!
>
> Jun 4 03:33:27 myacer sshd[26933]: Invalid user emma from
> 219.233.229.77
> Jun 4 03:33:27 myacer sshd[26933]: Failed password for invalid user
> emma from 219.233.229.77 port 39063 ssh2
> Jun 4 03:33:31 myacer sshd[26937]: Invalid user oracle from
> 219.233.229.77
> Jun 4 03:33:31 myacer sshd[26937]: Failed password for invalid user
> oracle from 219.233.229.77 port 40690 ssh2
> Jun 4 03:33:33 myacer sshd[26939]: Invalid user netdump from
> 219.233.229.77
> Jun 4 03:33:33 myacer sshd[26939]: Failed password for invalid user
> netdump from 219.233.229.77 port 41623 ssh2
>
> If I'm interpreting this correctly, someone in China was trying to
> hack into my computer.
>
> So my questions are:
>
> 1) am I understanding this correctly?
> 2) does the fact that my /etc/shadow file got changed indicate that
> they were successful?
> 3) And of course, how do I prevent this from happening in the future?

I get loads of these. If you have users on your system with weak
passwords then it is quite possible that you have been hacked. Worse
even if root has a weak password. The system log should tell you if a
user has managed to log in, but of course if they have achieved root
access then your log can't be trusted.

A few obvious points:

Why are you running servers on your system open to the internet when it
doesn't look as if you need them?

Why haven't you set up a firewall, especially if you are not using a
NATing router?

If you do need ssh open to the internet (and some do,
including me), why have you allowed password authentication on ssh?
Use private/public key authentication and disallow password
authentication.

I use private/public key encryption with a pass phrase on the
key, and disallow all other forms of ssh authentication, and that makes
my system pretty well impregnable. In addition, to cut down the noise
in my system log, I have a "three strikes and you are out rule" on
my firewall. If a connection has not been established after three
tries in one minute, the person accessing the server is kicked off for 5
minutes. That's enough to see them off.

You may not be entirely or even mainly to blame. I noticed when
installing Slackware 13.1 that by default it started ssh on boot up in
rc.sshd without a firewall, and the default sshd_config file allows
password authentication by default. That is a very poor choice of
defaults, in my opinion, and it looks as if you have been skewered by
them. Most people are inadvertently protected by the fact that they
have a NATing router.

Chris
 |  Next  |  Last
Pages: 1 2 3 4
Prev: Returning printer problems on Slack 12
Next: Acer Nplify