i got hacked. what were they up to?

[bcore]

Ok, so I seem to have been hacked. I run a gentoo box as my home machine, but to be honest, I don't take nearly as good care of it as I should.. I'm sure I got what I deserved.

Here's what I found out. The other day, I noticed a failed SSH login on my little syslog scroller to the user named "test". I completely forgot that such a user existed, but thinking about it, I'm pretty sure that when I first installed gentoo on this machine 3 years ago, I made an account with the username AND password of "test", and I guess I forgot to delete it. Now you see why I say I got what I deserved. I decided that I should delete the account, and when I went to delete it's home directory, I noticed that a directory named "1", had been created. Inside that directory was a directory called "lib", and in the lib directory was a program I had never seen before. Here's the ls output:

[jjasghar]

that is interesting...

moral of that storie, don't have a username called "test"
_________________
#include <LinuxUser #324070>
main()
{
printf("and i'm sorry my spellign sucs.");
}

[bcore]

Hmm, more web searching seems to reveal that they were attempting (and failing) to install and run an IRC bot. Since I have never gotten into IRC, I have no idea what that is, although I've heard the term many times.
_________________
MR DOWNY: BISCUIT BRAAAAAAAAAAA
YUO: LOL!!!!!

[sirber]

You can surely get his IP and contact his ISP about hacking attempt.

[tomchuk]

The source IP of the attack is just another compromised box, with either guest/guest, test/test, admin/admin, root/root username/password combos running sshd. I've been getting so many of these attempts that I've stopped reporting these compromised boxes. There have been a huge ammount of scans using this new tool since the end of July and there are probably tens of thousands of compromised boxes out there.

The attacker's usual course of events is to login from a compromised box, change the password, download this little "run.tar" kit maybe run an irc bot, and then set the scanning tool to scan an entire class A. Many time's he'll also run a trojaned sshd. He'll usually show up later to collect the results and/or use your box to infiltrate others. The scary part is that whoever is behind this hasn't done anything with these compromised boxen yet, they just seem to be cataloging the results of the scans.

[brettlpb]

Sorry to de-rail, but what log are you scrolling to see failed ssh logins etc?

[bcore]

/var/log/messages with some serious grep action.
_________________
MR DOWNY: BISCUIT BRAAAAAAAAAAA
YUO: LOL!!!!!

[Captain_Loser]

Wow, I just looked through my logs and found a whole lot of failed ssh logins, and what I guess are rootkit attempts.. I am very surprised to see this many cracking attempts aimed at me. I am running a very safe system, but it makes you think.. I am sure glad gentoo has things like emerge -u.
_________________
KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN!!!!!!!

[Determined]

Do you ssh this box from the internet? I hope there is a good reason to have open ports like that.

The moral of the story really: Strong passwords, hardware firewall, encrypt all network traffic possible.
_________________
-Determined

Currently working on;
http://www.familytreelink.com
http://www.davidmonaghan.com

[bcore]

Yeah, I'm SSH'ed in from work most days.. Easiest way to check my email and transfer files between.

I'd say the moral of the story here is don't create a test account, and if you do, don't also make it's password "test", and if you do that too, don't forget to delete it.
_________________
MR DOWNY: BISCUIT BRAAAAAAAAAAA
YUO: LOL!!!!!

[tumbak]

I noticed a directory called src/ in your output, can you tar it and share it please, or tar the whole ~test
_________________
less QQ more pewpew!

[JudgeNik]

damn.

I've seen a folder called /1/ on my server.

I've been told to emerge chkrootkit.
apparently i've been rooted...

Don't know how my server was setup beginning of last year and it never had any testing accounts on it and no accounts with same/same.
_________________
See the famous Niko Roberts at http://www.nikoroberts.com

[drspewfy]

off course you have been routed,,!!!!

and he installed a Psybnc kinda bot, He uses YOUR ip to connect to the IRc and like that talk with others using your ip, if somebody tries to aatack him he wont get down cuz, hes spoofing your IP.. and you will get down

You should use

"lsof" instands of netstat , ps x, etc...

Cuz maybe you have been backdoored..
use the command "find" to see, What files had been modified in that day,
also try to use tripwire, to see what files changed since the intrusion (well that is for the nexts penetrations , besides snort.

good luck!

[bcore]

I'm certainly willing to tar up the directory for anyone who is curious. I have no way of hosting it though...
_________________
MR DOWNY: BISCUIT BRAAAAAAAAAAA
YUO: LOL!!!!!

[evoweiss]

Hi all,

Over the past few weeks I've noticed a similar pattern of hack attempts against my box (ssh'ing in and attempting to log in with things like "test", "NOUSER", and "root"). I keep everything up-to-date and, hence, haven't noticed anything amiss. Just a quick tip: There's no need to dig through the log file of everything, just look into the /var/log/sshd/ files to get an indication of that port's activity.

Another thing I did was invest in a hardware firewall (Zywall 1 model) which will send me an email whenever there are any events whether legitimate (me ssh'ing into my system from work) or illegitimate (attacks on my system, other attempt to gain access via ssh). I highly recommend the same to others.

Finally, I always use strong passwords and keep my system updated. I suspect I'm pretty safe .

Best,

Alex

[jpc82]

Wow I am glad I saw this post.

I was just looking at my logs and I see this

[grant.mcdorman]

[bcore]

Unfortunately I don't get a static IP from work, but I'm thinking I'm gonna set sshd up to only allow key logins, since I use keychain from work. I've already also got it set up do disallow root logins, so I figure I should be reasonably safe...
_________________
MR DOWNY: BISCUIT BRAAAAAAAAAAA
YUO: LOL!!!!!

[smonijhay1]

geez, what an awesome post!

thought I should give my info a look since I saw this post and sure enough there were numerous attempts at trying to connect using random user names.

now I must learn to set up and configure a good firewall (ipchains? iptables?)
_________________
you mean you are going to remember me by what I type....here?

[bcore]

One other thing I have to remark is that looking at the bash_history really shows how inept this person was.. Total script kiddie. I mean cummon.. "cd\"??! The lame failed attempt to read my mail, then install something in "/sbin"?

I definitely don't think I was up against anyone with skill, so if I had been properly prepared I would have had nothning to worry about..
_________________
MR DOWNY: BISCUIT BRAAAAAAAAAAA
YUO: LOL!!!!!

[tomchuk]

[bcore]

Re-read my posts. I fully admitted that I made a mistake, and I said that if I had done my due diligence, I would have been fine.
_________________
MR DOWNY: BISCUIT BRAAAAAAAAAAA
YUO: LOL!!!!!

[tomchuk]

I know, it was a joke, notice the 'Razz' and 'Smile' smileys.

[GentooBox]

I hate ssh worms...

They will never stop.. just like any other worm.
_________________
Encrypt, lock up everything and duct tape the rest

[Ox53746F6E65]

use portknocking to make your system more secure.
_________________
Ox is on
Gentoo on VMWare
Sys: Athlon XP 1800+, 1GB Ram, 340 GB HD, Dual Boot Sys with WinXP and GentooR6