persia, Tux's lil' helper. Joined: 02 Oct 2003. Posts: 109. Location: The Netherlands.
Posted: Tue Oct 28, 2003 11:44 pm. Post subject: help: I MAY be hacked

Hello
After installing this cool OS a couple of weeks ago, I just experienced my first crash (actually it was a FREEZE).
Nothing responded anymore, not the mouse, not the keyboard, nothing, and all of a sudden too! I was just browsing this forum and bang....
So I rebooted and restarted my SpeedTouch modem.
Now a couple of friends of mine think of hacking other students as student humor. So I suspect they may be involved in this one and maybe they are joking around. (They have done this often before when I ran NT and XP, and one of the reasons for me to switch to Linux was security.)
How can I verify this? Please be clear on this; unlike my friends I am new to Linux.
Are there logs available? Can I check out what really happened with my computer? Please, someone help......
p.s. (I was just reading how to set up iptables in the security section.)
Thank you all guys
_________________
P4-2400mhz - 512MB Samsung(2700)
Asus P4PE - GForce TI 4200 POV 128MB -
Western Digital 80&120GB 7200rpm 8 MB Cache
Realtek NIC (BCM 4400) & Logitech MX500
BrookTree 878 Tv-Tuner Card
bmichaelsen, Veteran. Joined: 17 Nov 2002. Posts: 1277. Location: Hamburg, Germany.
Posted: Wed Oct 29, 2003 12:00 am

Quote: | Are there logs available? |
Yes. In
If you are kind of paranoid about your friends you might consider using
Code: | * app-admin/chkrootkit
Latest version available: 0.41-r1
Latest version installed: [ Not Installed ]
Size of downloaded files: 29 kB
Homepage: http://www.chkrootkit.org/
Description: a tool to locally check for signs of a rootkit |
Greetz, Björn
persia, Tux's lil' helper. Joined: 02 Oct 2003. Posts: 109. Location: The Netherlands.
Posted: Wed Oct 29, 2003 12:10 am. Post subject: Aha

Hi bmichaelsen
Ah yes, I definitely need to use that chkrootkit; going to read the manuals tomorrow.
But I've just checked the logs at /var/log and I must say: Man, I didn't know it was that much! Is there a way to browse through it in a smart way??
meowsqueak, Veteran. Joined: 26 Aug 2003. Posts: 1549. Location: New Zealand.
Posted: Wed Oct 29, 2003 12:43 am

You could use grc perhaps - app-misc/grc
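One way to take a first pass over /var/log without reading every line, as asked above: count who is writing to the log and pull out the login and session records first. This is an added example written for this thread, not something from any poster or from grc; the function names, the field layout it assumes (classic syslog, program in the fifth field) and the sample log lines are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: a first-pass triage of a syslog-style
# file such as /var/log/messages. log_by_program counts lines per
# originating program; log_interesting pulls out the login, session and
# authentication lines worth reading first after a suspicious freeze.
# The sample log written by make_sample_log is constructed for the demo.

# Syslog line layout: "Mon DD HH:MM:SS host program[pid]: message",
# so the program is field 5 once "[pid]" and the trailing ":" are removed.
log_by_program() {
    awk '{ prog = $5; sub(/\[.*$/, "", prog); sub(/:$/, "", prog); n[prog]++ }
         END { for (p in n) printf "%s %d\n", p, n[p] }' "$1" | sort
}

# Lines that record who got in, who tried and failed, and sessions opened.
# Case-insensitive because daemons disagree on capitalisation.
log_interesting() {
    grep -Ei 'accepted password|failed password|failed login|authentication failure|session opened' "$1"
}

# Constructed sample, not real output from anyone's machine.
make_sample_log() {
    cat > "$1" <<'EOF'
Oct 28 23:10:02 gentoo kernel: eth0: link up
Oct 28 23:11:15 gentoo sshd[1234]: Accepted password for persia from 10.0.0.5 port 40112 ssh2
Oct 28 23:11:15 gentoo sshd(pam_unix)[1234]: session opened for user persia by (uid=0)
Oct 28 23:20:41 gentoo login[987]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
Oct 28 23:30:07 gentoo kernel: ip_tables: (C) 2000-2002 Netfilter core team
Oct 28 23:31:00 gentoo cron[1500]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Demo run; on a real box point the two functions at /var/log/messages.
sample=$(mktemp)
make_sample_log "$sample"
echo "== lines per program =="
log_by_program "$sample"
echo "== read these first =="
log_interesting "$sample"
rm -f "$sample"
```

The per-program count tells you which daemon was busy around the time of the freeze; the second list is what a remote login or a failed root attempt would leave behind, which is the point of checking the logs before deciding whether the box was touched at all.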
TobiWan, Apprentice. Joined: 07 Jul 2003. Posts: 275. Location: Brussels, Old Europe.
Posted: Wed Oct 29, 2003 2:18 pm. Post subject: Re: help: I MAY be hacked

persia wrote: |
Now a couple of friends of mine think of hacking other students as student humor. |
You should consider looking for other "friends"
If you want to take extreme measures for future use, let your machine reject all packages from your friends' machines using iptables. That way, they can only bang their heads against your door but will never get in.
Setting up iptables is essential anyway if you are connecting a machine to the net directly. You should take a look at shorewall since it really makes handling iptables easier.
Also, tripwire is a good idea, given that you set it up at a time when you are certain no security breach has occurred so far. Tripwire will monitor your system for changes and compare anything against a clean database which you should store on a CD or a disk with write protection. If someone tampers with your system he will "trip the wire".
In combination with iptables you should set up some kind of IDS, say snort for example. Snort will log any obvious attempts at scanning or hacking your machine, so you "know" where it came from.
Tobias
_________________
Killing for peace is like fucking for virginity.
persia, Tux's lil' helper. Joined: 02 Oct 2003. Posts: 109. Location: The Netherlands.
Posted: Wed Oct 29, 2003 9:26 pm. Post subject: Thnx Tobi

Hi Tobi
Thanks a lot, very clear answer. I appreciate it. Today I spoke to my school "friends" and yes, I was hacked. Before it was always on Saturday morning but they've changed policies and decided to do some overwork.....
(Ah, at least they don't change anything or do any damage.)
At the university where we can print for free:
I am now a proud owner of some hundreds of pages of info on security, iptables, sniffers etc.... I have a load to read, I think.
Quote: | You should consider looking for other "friends" |
He he, they are SCHOOL (university) friends, and no, fortunately they are not reading this because they all run Debian.
Tripwire:
Good stuff! I didn't know. I am reading myself into iptables right now; after this I will set up Tripwire.
Last edited by persia on Wed Oct 29, 2003 9:33 pm; edited 1 time in total
professorn, Apprentice. Joined: 18 Sep 2003. Posts: 235. Location: Stockholm, Sweden.
Posted: Wed Oct 29, 2003 9:31 pm

IDS = Intrusion Detection System
If they've got a static IP, block it?
persia, Tux's lil' helper. Joined: 02 Oct 2003. Posts: 109. Location: The Netherlands.
Posted: Wed Oct 29, 2003 9:34 pm. Post subject: founded

Just found it, thanks.
btw sorry for the many grammar and spelling faults and edits
professorn, Apprentice. Joined: 18 Sep 2003. Posts: 235. Location: Stockholm, Sweden.
Posted: Wed Oct 29, 2003 9:45 pm

And btw, consider doing a fsck on /dev/your/friends/brain
persia, Tux's lil' helper. Joined: 02 Oct 2003. Posts: 109. Location: The Netherlands.
Posted: Wed Oct 29, 2003 9:57 pm. Post subject: huh?

man fsck: I understand, but then the rest?
TobiWan, Apprentice. Joined: 07 Jul 2003. Posts: 275. Location: Brussels, Old Europe.
Posted: Wed Oct 29, 2003 9:57 pm. Post subject: Re: Thnx Tobi

Hi,
persia wrote: | Thanks a lot, very clear answer. I appreciate it. |
It's far from complete or detailed. Be sure to work yourself through iptables or at least find some software that does the dirty stuff for you. As I already mentioned, shorewall is nice. Bastille is nice too since it really helps iptables n00bs to set up a working firewall script.
persia wrote: | Today I spoke to my school "friends" and yes, I was hacked. |
Did they just tell you and boast, or have they been more specific as to how they did it so that you have a chance to close the hole?
If they really did, I wouldn't take any chances and would invest the time in a real reinstallation, set up iptables first thing after the installation and get Tripwire up and running.
With security you can't trust such friends. As a famous communist once said: Trust is good, control is better.
persia wrote: | Before it was always on Saturday morning but they've changed policies and decided to do some overwork.....
(Ah, at least they don't change anything or do any damage.) |
They may promise you they didn't change anything, but can you really trust that they didn't install another backdoor? I wouldn't, even if those "friends" were good-looking blondes waiting to get laid by me.
persia wrote: | At the university where we can print for free:
I am now a proud owner of some hundreds of pages of info on security, iptables, sniffers etc.... I have a load to read, I think. |
Well then. Happy reading.
persia wrote: | Quote: | You should consider looking for other "friends" |
He he, they are SCHOOL (university) friends, and no, fortunately they are not reading this because they all run Debian. |
Well, as I already indicated: real friendship ends where security begins. Especially when they breached your security on purpose.
persia wrote: |
Tripwire:
Good stuff! I didn't know. I am reading myself into iptables right now; after this I will set up Tripwire. |
Tripwire is rather complicated. Be sure to dig yourself into the excellent docs.
A little hint. If you browse the Tripwire web pages (I think not the Open Source but the commercial ones) you will find an offer to receive a huge poster free of charge. In fact, it's two posters.
One is a funny "Servers under Siege" matrix, showing the routine of an IT person setting up a secure project and fighting against failures and so on.
The other one is the Common Security Exploit and Vulnerability Matrix 2.0, which is quite impressive since it shows common security flaws in commonly used software.
Security can be fun when you dive into it. Look at it as a challenge. Can you secure your system the best possible way?
The first step is mistrust. Always assume the worst and plan for the worst.
cheers,
Tobias
TobiWan, Apprentice. Joined: 07 Jul 2003. Posts: 275. Location: Brussels, Old Europe.
Posted: Wed Oct 29, 2003 10:09 pm

professorn wrote: | IDS = Intrusion Detection System
If they've got a static IP, block it? |
Yes. Simply add a rule to iptables rejecting all packets from those IPs. I know the origin of packets can be forged, but I assume that if his "friends" occupy the same student house, he can investigate their real IPs. Since they seem to know he is not into the whole thing too much, they probably won't anticipate such a harsh move. If he doesn't tell them that he rejects their traffic, they have to guess themselves and then go to the trouble of forging someone else's IP.
I don't think they will keep up in the "race of arms" if he manages to install a working iptables configuration and rejects their packets. If he only runs up-to-date software (which is easy with Gentoo) and doesn't run insecure services, then he should be fine.
If he installs Tripwire after a clean installation (assuming the online installation of Gentoo doesn't get compromised), then he can track their actions even if they get through the outer defenses.
Probably Bastille is the best start since it helps setting up a running firewall and closing other barn doors very fast and easily.
regards,
Tobias
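What TobiWan's two posts describe (his first reply on letting the machine reject the friends' packets, and this one on adding a rule per address) looks like this as a small script. This is an added example written for the thread, not TobiWan's own script and not anything from shorewall or Bastille; the addresses in BLOCKED are placeholders from the documentation range, and DRY_RUN and APPLY are switches of this script only.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal host firewall of the kind
# TobiWan describes. Default-deny inbound, allow loopback and replies to
# connections we started, and log + DROP everything from a list of known
# addresses before anything else is considered. The addresses in BLOCKED
# are constructed placeholders (RFC 5737 documentation range); DRY_RUN is
# a switch of this script only and prints rules instead of applying them.

BLOCKED="${BLOCKED:-192.0.2.10 192.0.2.11}"

# Print the rule in dry-run mode, otherwise hand it to iptables (needs root
# and a kernel with netfilter support, i.e. the ip_tables module loadable).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Build the INPUT chain. Order matters: the block list sits above the
# ESTABLISHED rule so a listed host gets no answer even to a reply packet.
build_rules() {
    ipt -F INPUT
    ipt -P INPUT DROP            # default deny for inbound
    ipt -P FORWARD DROP          # a workstation does not forward
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    for addr in $BLOCKED; do
        ipt -A INPUT -s "$addr" -m limit --limit 5/min -j LOG --log-prefix "FW-BLOCKED: "
        ipt -A INPUT -s "$addr" -j DROP
    done
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Nothing listens, so no service port is opened here.
}

# Self-check that needs no root: render the rules and confirm the policy is
# DROP and every listed address ends in a DROP rule. Returns 0 when fine.
check_rules() {
    rules=$(DRY_RUN=1; build_rules)
    echo "$rules" | grep -q -- '-P INPUT DROP' || return 1
    for addr in $BLOCKED; do
        echo "$rules" | grep -q -- "-s $addr -j DROP" || return 1
    done
    return 0
}

# "DRY_RUN=1 sh firewall.sh" prints the rules; "APPLY=1 sh firewall.sh"
# (as root) applies them. With neither set, nothing runs and the file can
# be sourced for its functions.
if [ "${DRY_RUN:-0}" = "1" ] || [ "${APPLY:-0}" = "1" ]; then
    build_rules
fi
```

Two points the thread raises carry over into the design. The address list is the weakest part, because a source address can be forged, which is why the default policy is DROP with no open ports rather than relying on the list alone. And the script only does anything once the kernel actually has netfilter support; the "Can't locate module ip_tables" error persia hits further down is what applying it looks like when that is missing, so run it with DRY_RUN=1 first and read the output.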
barlad, l33t. Joined: 22 Feb 2003. Posts: 673.
Posted: Wed Oct 29, 2003 10:14 pm

By the way, I always wondered how someone could hack into a personal Linux box that is not running any service. Sure, you can impersonate, fake, flood or whatever else you want, but cracking into the box?
How the hell do you do that? There is nothing to exploit!
professorn, Apprentice. Joined: 18 Sep 2003. Posts: 235. Location: Stockholm, Sweden.
Posted: Wed Oct 29, 2003 10:18 pm. Post subject: Re: huh?

persia wrote: | man fsck: I understand, but then the rest? |
Uhm, it was a joke.
How do you know they hacked you? Sure you just didn't ask if they hacked you and they said "We did" and you didn't get any confirmation?
persia, Tux's lil' helper. Joined: 02 Oct 2003. Posts: 109. Location: The Netherlands.
Posted: Wed Oct 29, 2003 10:32 pm

A little history
Before, I've used SuSE and Red Hat but I didn't like these distros at all. (SuSE is horribly slow; Red Hat: not really free, and the search for dependencies is a drag for a noob.)
My colleagues (the univ. friends I was talking about) convinced me to get Linux; they advised Debian and one of them Slackware. I chose Gentoo instead, because I liked the Portage idea.
So I am now here, satisfied and proud of my achievement (Gentoo installed from level 1). But then I ran into trouble.
Today I was complaining that I had troubles with Linux and that it freezes up sometimes. And the guys start laughing.... and start asking if it was late in the night? Then I knew the bastards were acting like clowns again....
But what I don't understand either is this: we have XP & Linux machines but also some older Sparc models, 5 and 10 if I am not mistaken. One of the guys who is really into Linux and is always talking about his Debian told me that he could log me out any time! (while we were programming on the Sparcs) So I asked him to do this. So he logged from a machine next to me into my machine (I did "WHO" and I could see him) and bang.. I was logged out??
p.s. They wouldn't tell how they did it.
Last edited by persia on Wed Oct 29, 2003 10:39 pm; edited 1 time in total
persia, Tux's lil' helper. Joined: 02 Oct 2003. Posts: 109. Location: The Netherlands.
Posted: Wed Oct 29, 2003 10:35 pm

Arrrgggg
OK, I think I am being hacked again. Had to log in again while I was writing the last messages. I lost control of my keyboard but everything else worked.......
professorn, Apprentice. Joined: 18 Sep 2003. Posts: 235. Location: Stockholm, Sweden.
Posted: Wed Oct 29, 2003 10:39 pm

You'd better get your iptables up fast, or use the Gentoo live CD if you're forced to, because I think it has iptables; not sure, but a friend of mine told me it has.
persia, Tux's lil' helper. Joined: 02 Oct 2003. Posts: 109. Location: The Netherlands.
Posted: Wed Oct 29, 2003 10:42 pm

I did emerge iptables, and I have compiled my kernel again with netfilter support. Now I have tried iptables -L but I get this:
Quote: | bash-2.05b# iptables -L
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
bash-2.05b#
|
persia, Tux's lil' helper. Joined: 02 Oct 2003. Posts: 109. Location: The Netherlands.
Posted: Wed Oct 29, 2003 10:48 pm. Post subject: Bastille

Hello Tobi
I checked the website of Bastille but I see no documentation! How is this possible? Is it very convenient to configure or what????
persia, Tux's lil' helper. Joined: 02 Oct 2003. Posts: 109. Location: The Netherlands.
Posted: Wed Oct 29, 2003 11:01 pm

Quote: | I did emerge iptables, and I have compiled my kernel again with netfilter support. Now I have tried iptables -L but I get this:
Quote:
bash-2.05b# iptables -L
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
bash-2.05b#
|
I see I forgot more options in the sub-menus.
I am compiling the kernel again with more options enabled.
p.s. Tobi: as soon as kernel 2.6 comes out I'll format my whole disc and start from a stage 1 installation again.
100%hound_dog, n00b. Joined: 01 Oct 2003. Posts: 32.
Posted: Fri Oct 31, 2003 6:55 am. Post subject: Hacked?

Not sure how you could have been hacked network-wise if you had no services running. Now on the other hand, if your friends(?) had access to your computer they could have done about anything they wanted to. Do you have a BIOS password? Is your computer set to boot from the CD or floppy if one is loaded? If your computer is not BIOS password protected and is set to boot first from CD-ROM, any joker could do anything they wanted to your system if they had access to it.
Tripwire - tripwire is indispensable as far as I am concerned. It is actually quite easy to install; just make sure you are doing it on a new, clean install or there is really no point. With tripwire you will easily be able to see if anyone modifies, replaces or deletes your files. Just emerge the ebuild, then cd /etc/tripwire and run the install script you see. Next tripwire -m i; this is to create the database. To read the tripwire files that will be created in /var/lib/tripwire/report use twprint -m r -r (whatever the file you want to read). That is it. A small price to pay for peace of mind.
Iptables - compile Netfilter support into your kernel, and get ready to learn whatever method of rule creation you want to use (shorewall, firewall builder, or if you're like me, just create your own firewall scripts and add them to the local startup file).
Chkrootkit - this seems like a good idea; just check for log file deletions, trojans, and such. I don't have much experience with it but it seems like a good idea.
Just keep playing and learning, and watch out for those friends of yours.
_________________
When hunting monsters one should take care not to become one.
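The idea behind the Tripwire steps above (take a database on a clean install, later compare the live files against it), reduced to a stand-alone script so the mechanism is visible. This is an added example written for the thread; it is not Tripwire, not its database format, and not code from any poster. The function names fim_baseline and fim_check and the directory tree built by fim_demo are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: a file-integrity check in the spirit
# of Tripwire, written from scratch. fim_baseline records a SHA-256 digest
# for every file below a directory; fim_check rescans and reports files
# that were MODIFIED, ADDED or REMOVED since. Tripwire adds a policy
# language and a signed database; what carries over is the rule from the
# thread: take the baseline on a clean system and keep it where an intruder
# cannot rewrite it (read-only media), or the comparison proves nothing.

# Write "digest  path" for every regular file under $1 into $2, sorted by
# path (C locale so that join below sees the same order).
fim_baseline() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$2"
}

# Rescan $1, compare with baseline $2, print one "KIND path" line per
# change. Returns 0 when nothing changed, 1 otherwise.
fim_check() {
    current=$(mktemp)
    fim_baseline "$1" "$current"
    # Full outer join on the path; a side that lacks the path gets MISSING.
    changes=$(LC_ALL=C join -j 2 -a 1 -a 2 -e MISSING -o '0,1.1,2.1' "$2" "$current" |
        awk '$2 == "MISSING" { print "ADDED " $1; next }
             $3 == "MISSING" { print "REMOVED " $1; next }
             $2 != $3        { print "MODIFIED " $1 }')
    rm -f "$current"
    if [ -z "$changes" ]; then
        return 0
    fi
    echo "$changes"
    return 1
}

# Demo on a constructed directory tree: baseline, then change one file, add
# one and delete one, and let fim_check report it. Returns fim_check's status.
fim_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc"
    echo "original program" > "$root/bin/ls"
    echo "root:x:0:0" > "$root/etc/passwd"
    echo "gentoo" > "$root/etc/hostname"
    fim_baseline "$root" "$root.db"            # the database lives outside the tree
    echo "replaced program" > "$root/bin/ls"   # modified
    echo "new file" > "$root/bin/.extra"       # added
    rm -f "$root/etc/hostname"                 # removed
    if fim_check "$root" "$root.db"; then
        status=0
    else
        status=1
    fi
    rm -rf "$root" "$root.db"
    return $status
}
```

Running fim_demo prints the three change lines and exits 1; a clean tree exits 0 with no output, which is what makes the check usable from cron. The same caveat hound_dog gives applies here: if the first baseline is taken after the machine was already touched, the "clean" database simply records the tampered state and every later check will report nothing.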