I got hacked


Leo

OK so I got hacked in the last couple of days (I only realised when they changed my user password).

 

It is partially my fault as I had a very weak password and I had not been checking my logs.

 

Looking at auth.log someone appears to have been attempting huge lists of usernames over a fairly long period and finally got a hit. They were using ssh2 to connect.

 

They changed my user password two days ago, which I changed back; they then came back yesterday and changed the password again.

 

I have now locked the account, created a new account (with a more secure password) and copied across some files I need from the old account to the new.

 

I also turned sshd off and rebooted my modem/router to get a new ip address and changed my root password.

 

What I need to know is:

How can I tell if they cracked the root password?

What should I check to find out if they added anything nasty?

 

Thanks

Leo


Most of your questions I can't answer off the top of my head - but I will say that you should change your root password straight away - whether you think it's been compromised or not.

 

Also - see if any services are running that you know nothing about and if any other ports have been opened...


reinstallation is definitely the best option in a case such as this. any files in your users home could be compromised, and if they were able to escalate to root they could have done a lot more damage. checking your .bash_history may reveal what they did - but they could have covered their tracks.


Leo, I would worry it's someone you know if the log shows they had your username correct and were merely brute forcing the password.

in his first post he said they were bruteforcing both username and password.


i guess if you go to IRC you expose both your IP and username, don't you?

not necessarily. you can change the "username" that is displayed with most IRC clients, and as far as IP goes, you expose it just by doing anything on the internet.

 

people brute force ssh on a regular basis. this isn't abnormal. anytime i open up my ssh port, and don't add any rules (i.e. only allow from certain ips, only allow certain usernames) i get a lot of brute force attempts. there are people out there just running scripts to find open ssh ports, and then attempt to brute force them with dictionaries. it's unlikely that he was specifically targeted by any one person.

 

this is why when having any services running/ports open (ssh, samba, http) you need to have a good firewall and set rules to limit access when possible.


Leo, I would worry it's someone you know if the log shows they had your username correct and were merely brute forcing the password.

in his first post he said they were bruteforcing both username and password.

Sorry, missed that! Or skipped over it. But depending on the usernames, was it pure brute force or educated guesses?

Like if it was using leo then perhaps they have seen his name here etc.

The question is why him I guess? I always think that you leave your IP on many pages etc. fill out forms and submit passwords which may give potential hackers an idea of where to start and what OS you are running.

 

This is worth bearing in mind if you change password and username ... but you're right, it probably is just random. Mostly I wouldn't think it's worth trying over ssh unless you have somewhere to start ... Leo says he had a weak password, but the hacker didn't know that unless they got a clue elsewhere...

 

An example of bad practice is cutting and pasting a bit of code here which shows your username, even if it's just because you are in that directory. I'm sure we all do it; it's just worth bearing in mind!


Three things to do with the SSH

 

Don't let root in..

 

Have a good password on your username and the root password.

 

Third one is to add a lockout: after 3 or 4 retries, lock out the user on SSH..

 

Saw a script out there somewhere to do that..

 

what was the conversation last week someone with no password..


Thanks for the comments.

 

The usernames tried were all names or common applications (e.g. ftp) and on each attempt were tried in strict alphabetical order. Each id was attempted four or five times (suggesting password guesses of uppercase, lowercase, blank and leading uppercase). The password was the username in lowercase (yes I know!).

 

Each attempt was made within a second of a failed attempt which suggests to me an automated attack.

 

The compromised account has been locked and a new root password set up (I also changed the administrator id and password on my modem/router just in case; however, this was a secure password and the administrator username was non-standard).

 

I was hoping to avoid reinstalling (mainly it's a nuisance as much as anything) but given the overall opinion (plus iphitus' comment about stuff left running/stored) I think it is necessary.

 

I disabled sshd as I assume this is how they return to my machine (which they did once already).

 

I will check .bash_history; I must admit I am curious as to what they were doing, especially since they obviously returned the following night.

 

Thanks for the comments, any others will be gratefully received.

 

Preventing access after failed login attempts sounds like a good idea. I am sure I saw something about that connected to attempts from the same IP address, which would have prevented this breach; I will have to dig around and see if I can find it again.

 

Leo
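The pattern Leo describes (usernames walked in alphabetical order, a few guesses each, every attempt a second or less after the last, then an "Accepted password" for the account that fell) is easy to pick out of auth.log mechanically, and the same pass shows which source addresses a "block after N failures" rule would have stopped. The following is an added example, not code from the thread. The log lines it scans are constructed: the host name "box" and the addresses 198.51.100.7 and 192.0.2.10 (documentation ranges) are placeholders, and because syslog does not record the year, one is supplied when parsing.

```python
"""Look through sshd auth.log lines for the pattern Leo describes:
a wordlist of usernames tried in alphabetical order, a few guesses per
name, every attempt within a second of the last, and finally an
'Accepted password' for the account that fell. Also lists the source
addresses a failed-attempt lockout rule would have blocked.

Added example, not code from the thread. The log lines are constructed;
the host name 'box' and the addresses 198.51.100.7 / 192.0.2.10
(documentation ranges) are placeholders."""

import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Standard sshd syslog messages. The year is not logged, so it is supplied.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$")
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2")


def parse(lines, year=2024):
    """Yield (timestamp, ip, user, accepted) for every login attempt."""
    for line in lines:
        for rx, accepted in ((FAILED, False), (ACCEPTED, True)):
            m = rx.match(line)
            if m:
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                yield ts, m["ip"], m["user"], accepted
                break


def analyse(lines, max_failures=10):
    """Summarise attempts per source IP and flag the automated signature."""
    by_ip = defaultdict(list)
    for ts, ip, user, accepted in parse(lines):
        by_ip[ip].append((ts, user, accepted))
    report = {}
    for ip, attempts in by_ip.items():
        users = [u for _, u, ok in attempts if not ok]
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(attempts, attempts[1:])]
        gap = median(gaps) if gaps else None
        alphabetical = len(set(users)) > 1 and users == sorted(users)
        report[ip] = {
            "failures": len(users),
            "distinct_users": len(set(users)),
            "alphabetical": alphabetical,   # wordlist walked in order
            "median_gap_s": gap,            # syslog has 1 s resolution
            "accepted_users": sorted({u for _, u, ok in attempts if ok}),
            "automated": (len(users) >= max_failures and alphabetical
                          and gap is not None and gap <= 1),
        }
    return report


def lockout_candidates(report, max_failures=10):
    """Source IPs a 'block after N failures' rule would have stopped."""
    return sorted(ip for ip, r in report.items() if r["failures"] >= max_failures)


# Constructed sample: an automated run from one address, then a normal key login.
SAMPLE_LOG = """\
Mar  3 02:14:01 box sshd[4011]: Failed password for invalid user adam from 198.51.100.7 port 40122 ssh2
Mar  3 02:14:02 box sshd[4011]: Failed password for invalid user adam from 198.51.100.7 port 40122 ssh2
Mar  3 02:14:02 box sshd[4011]: Failed password for invalid user adam from 198.51.100.7 port 40122 ssh2
Mar  3 02:14:03 box sshd[4011]: Failed password for invalid user adam from 198.51.100.7 port 40122 ssh2
Mar  3 02:14:04 box sshd[4015]: Failed password for invalid user alice from 198.51.100.7 port 40130 ssh2
Mar  3 02:14:04 box sshd[4015]: Failed password for invalid user alice from 198.51.100.7 port 40130 ssh2
Mar  3 02:14:05 box sshd[4015]: Failed password for invalid user alice from 198.51.100.7 port 40130 ssh2
Mar  3 02:14:06 box sshd[4019]: Failed password for invalid user ftp from 198.51.100.7 port 40141 ssh2
Mar  3 02:14:06 box sshd[4019]: Failed password for invalid user ftp from 198.51.100.7 port 40141 ssh2
Mar  3 02:14:07 box sshd[4019]: Failed password for invalid user ftp from 198.51.100.7 port 40141 ssh2
Mar  3 02:14:08 box sshd[4023]: Failed password for leo from 198.51.100.7 port 40150 ssh2
Mar  3 02:14:08 box sshd[4023]: Failed password for leo from 198.51.100.7 port 40150 ssh2
Mar  3 02:14:09 box sshd[4023]: Accepted password for leo from 198.51.100.7 port 40150 ssh2
Mar  3 02:14:09 box sshd[4023]: pam_unix(sshd:session): session opened for user leo by (uid=0)
Mar  3 09:30:12 box sshd[5102]: Failed password for leo from 192.0.2.10 port 51004 ssh2
Mar  3 09:30:20 box sshd[5102]: Accepted publickey for leo from 192.0.2.10 port 51004 ssh2: RSA SHA256:placeholder
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for ip, summary in result.items():
        print(ip, summary)
    print("would have been locked out:", lockout_candidates(result))
```

On a live system feed it `open("/var/log/auth.log")` instead of the sample. The "accepted_users" field is the one to read first after an incident: an address flagged as automated that also has an accepted login tells you which account fell, and the timestamp of that line marks where the forensic timeline starts.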
