From: steve on 4 Jun 2010 14:25 Well it happened again, but this time I was a little better prepared. It seems that my /etc/shadow file got modified somehow. Knowing the time of the new file I was able to go back into my /var/log/messages file to see if anything of interest was happening. It definitely was! Jun 4 03:33:27 myacer sshd[26933]: Invalid user emma from 219.233.229.77 Jun 4 03:33:27 myacer sshd[26933]: Failed password for invalid user emma from 219.233.229.77 port 39063 ssh2 Jun 4 03:33:31 myacer sshd[26937]: Invalid user oracle from 219.233.229.77 Jun 4 03:33:31 myacer sshd[26937]: Failed password for invalid user oracle from 219.233.229.77 port 40690 ssh2 Jun 4 03:33:33 myacer sshd[26939]: Invalid user netdump from 219.233.229.77 Jun 4 03:33:33 myacer sshd[26939]: Failed password for invalid user netdump from 219.233.229.77 port 41623 ssh2 If I'm interpreting this correctly, someone in China was trying to hack into my computer. So my questions are: 1) am I understanding this correctly? 2) does the fact that my /etc/shadow file got changed indicate that they were successful? 3) And of course, how do I prevent this from happening in the future? Steve --
From: Lew Pitcher on 4 Jun 2010 14:40 On June 4, 2010 14:25, in alt.os.linux.slackware, shmartonak(a)ticnet.com wrote: > Well it happened again, but this time I was a little better prepared. > It seems that my /etc/shadow file got modified somehow. Knowing the > time of the new file I was able to go back into my /var/log/messages > file to see if anything of interest was happening. It definitely was! > > Jun 4 03:33:27 myacer sshd[26933]: Invalid user emma from > 219.233.229.77 > Jun 4 03:33:27 myacer sshd[26933]: Failed password for invalid user > emma from 219.233.229.77 port 39063 ssh2 > Jun 4 03:33:31 myacer sshd[26937]: Invalid user oracle from > 219.233.229.77 > Jun 4 03:33:31 myacer sshd[26937]: Failed password for invalid user > oracle from 219.233.229.77 port 40690 ssh2 > Jun 4 03:33:33 myacer sshd[26939]: Invalid user netdump from > 219.233.229.77 > Jun 4 03:33:33 myacer sshd[26939]: Failed password for invalid user > netdump from 219.233.229.77 port 41623 ssh2 > > If I'm interpreting this correctly, someone in China was trying to > hack into my computer. Likely. There are many, ongoing widespread hack attempts against improperly secured ssh servers. This is one of them. It isn't some casual hacker rattling your doorknob; it is part of an organized attempt to break into and pwn /any/ unsecured ssh system. > > So my questions are: > > 1) am I understanding this correctly? The above dump? Yes. The surface implications? Yes. The deep implications? I don't know. Have you checked your system thoroughly for "infections" and internal break-in attempts? Checked and validated every running process? Validated all your user, application, and system data? If not, then no, you haven't understood the deeper implications of having your system invaded and taken over by an outsider. > 2) does the fact that my /etc/shadow file got changed indicate that > they were successful? Possibly. It would take some research to validate that hypothesis. But, it is likely that, once someone has broken in to your system (no matter how they have done it), they would have altered the vunerible user's password settings. And thus, the /etc/shadow file contents. > 3) And of course, how do I prevent this from happening in the future? Be viligant. Watch for and block attempted invasions with IPTABLES rules. For instance, somehow have the SSH "failed password attempt" messages feed IPTABLES to block repeated hack attempts from foreign IP addresses. Change your SSH service to disable the use of cleartext passwords on logon (in /etc/ssh/sshd_config, change PasswordAuthentication to no) and use Public Key Authentication with host and user ssh keys (the HostKey parameter, and the RSAAuthentication and PubkeyAuthentication parameters). Check your logs daily. Watch for breakins using other protocols, and ban (IPTABLES or whatever) the offending IP addresses. In other words, be proactive about protecting your system. HTH -- Lew Pitcher Master Codewright & JOAT-in-training | Registered Linux User #112576 Me: http://pitcher.digitalfreehold.ca/ | Just Linux: http://justlinux.ca/ ---------- Slackware - Because I know what I'm doing. ------
From: John F. Morse on 4 Jun 2010 16:32 steve wrote: > Well it happened again, but this time I was a little better prepared. > It seems that my /etc/shadow file got modified somehow. Knowing the > time of the new file I was able to go back into my /var/log/messages > file to see if anything of interest was happening. It definitely was! > > Jun 4 03:33:27 myacer sshd[26933]: Invalid user emma from > 219.233.229.77 > Jun 4 03:33:27 myacer sshd[26933]: Failed password for invalid user > emma from 219.233.229.77 port 39063 ssh2 > Jun 4 03:33:31 myacer sshd[26937]: Invalid user oracle from > 219.233.229.77 > Jun 4 03:33:31 myacer sshd[26937]: Failed password for invalid user > oracle from 219.233.229.77 port 40690 ssh2 > Jun 4 03:33:33 myacer sshd[26939]: Invalid user netdump from > 219.233.229.77 > Jun 4 03:33:33 myacer sshd[26939]: Failed password for invalid user > netdump from 219.233.229.77 port 41623 ssh2 > > If I'm interpreting this correctly, someone in China was trying to > hack into my computer. > > So my questions are: > > 1) am I understanding this correctly? > 2) does the fact that my /etc/shadow file got changed indicate that > they were successful? > 3) And of course, how do I prevent this from happening in the future? > > Steve > Use a NAT router. Don't open port 22. Remove openssh-server if you don't need it. Why does your log show sshd running on so many "unassigned" ports? -- John When a person has -- whether they knew it or not -- already rejected the Truth, by what means do they discern a lie?
From: Grant on 4 Jun 2010 16:32 On Fri, 4 Jun 2010 11:25:03 -0700 (PDT), steve <shmartonak(a)ticnet.com> wrote: >Well it happened again, but this time I was a little better prepared. >It seems that my /etc/shadow file got modified somehow. Knowing the >time of the new file I was able to go back into my /var/log/messages >file to see if anything of interest was happening. It definitely was! > >Jun 4 03:33:27 myacer sshd[26933]: Invalid user emma from >219.233.229.77 >Jun 4 03:33:27 myacer sshd[26933]: Failed password for invalid user >emma from 219.233.229.77 port 39063 ssh2 >Jun 4 03:33:31 myacer sshd[26937]: Invalid user oracle from >219.233.229.77 >Jun 4 03:33:31 myacer sshd[26937]: Failed password for invalid user >oracle from 219.233.229.77 port 40690 ssh2 >Jun 4 03:33:33 myacer sshd[26939]: Invalid user netdump from >219.233.229.77 >Jun 4 03:33:33 myacer sshd[26939]: Failed password for invalid user >netdump from 219.233.229.77 port 41623 ssh2 > >If I'm interpreting this correctly, someone in China was trying to >hack into my computer. > >So my questions are: > >1) am I understanding this correctly? Consider possibilities, not probabilities. Yes, it looks bad. >2) does the fact that my /etc/shadow file got changed indicate that >they were successful? Possibly! >3) And of course, how do I prevent this from happening in the future? Unless you need remote ssh, shut down port 22 simple user/pass access from the big bad Internet. If you need it, we had a discussion here a while back about fitting firewall rules to allow remote access but blocking attackers with a combination of timeouts and three tries, you're banned. Use passwordless access with private and public keys, so an attack fails as soon as attacker tries the wrong username, let alone starts guessing what the keys are. An agent is there for local access so it can be painless. You might open a different port for remote ssh access, or even install some port-knocking arrangement to only open the port on demand. Limit remote ssh access to known IPs or IP blocks. Depends what you want for remote access. Best is to shut remote access down unless you really need it. Don't offer user/pass ftp access either, anonymous read-only ftp is safe. Grant. -- http://bugs.id.au/
From: Chris Vine on 4 Jun 2010 20:34
On Fri, 4 Jun 2010 11:25:03 -0700 (PDT) steve <shmartonak(a)ticnet.com> wrote: > Well it happened again, but this time I was a little better prepared. > It seems that my /etc/shadow file got modified somehow. Knowing the > time of the new file I was able to go back into my /var/log/messages > file to see if anything of interest was happening. It definitely was! > > Jun 4 03:33:27 myacer sshd[26933]: Invalid user emma from > 219.233.229.77 > Jun 4 03:33:27 myacer sshd[26933]: Failed password for invalid user > emma from 219.233.229.77 port 39063 ssh2 > Jun 4 03:33:31 myacer sshd[26937]: Invalid user oracle from > 219.233.229.77 > Jun 4 03:33:31 myacer sshd[26937]: Failed password for invalid user > oracle from 219.233.229.77 port 40690 ssh2 > Jun 4 03:33:33 myacer sshd[26939]: Invalid user netdump from > 219.233.229.77 > Jun 4 03:33:33 myacer sshd[26939]: Failed password for invalid user > netdump from 219.233.229.77 port 41623 ssh2 > > If I'm interpreting this correctly, someone in China was trying to > hack into my computer. > > So my questions are: > > 1) am I understanding this correctly? > 2) does the fact that my /etc/shadow file got changed indicate that > they were successful? > 3) And of course, how do I prevent this from happening in the future? I get loads of these. If you have users on your system with weak passwords then it is quite possible that you have been hacked. Worse even if root has a weak password. The system log should tell you if a user has managed to log in, but of course if they have achieved root access then your log can't be trusted. A few obvious points: Why are you running servers on your system open to the internet when it doesn't look as if you need them? Why haven't you set up a firewall, especially if you are not using a NATing router? If you do need ssh open to the internet (and some do, including me), why have you allowed password authentication on ssh? Use private/public key authentication and disallow password authentication. I use private/public key encryption with a pass phrase on the key, and disallow all other forms of ssh authentication, and that makes my system pretty well impregnable. In addition, to cut down the noise in my system log, I have a "three strikes and you are out rule" on my firewall. If a connection has not been established after three tries in one minute, the person accessing the server is kicked off for 5 minutes. That's enough to see them off. You may not be entirely or even mainly to blame. I noticed when installing Slackware 13.1 that by default it started ssh on boot up in rc.sshd without a firewall, and the default sshd_config file allows password authentication by default. That is a very poor choice of defaults, in my opinion, and it looks as if you have been skewered by them. Most people are inadvertently protected by the fact that they have a NATing router. Chris |