Gentoo Forums
Networking & Security
I was.... hacked?...
Hell-Razor
Guru
Joined: 10 Jun 2004
Posts: 458

Posted: Sat Dec 27, 2008 4:24 pm    Post subject: I was.... hacked?...

This is quite strange. I have never heard of this before, but I received a letter yesterday from my ISP saying that "your internet activity has been viewed in some form of illegal activity". With this letter I received about 30 pages' worth of "ls" of random (or so it looks like) files on my machine. Now, I am not saying I have not downloaded anything illegal, but I honestly haven't in quite some time now (at least 6 months). I have noticed, though, that some of the files are tar.gz and one of the files listed is in fact rkhunter, which I installed about two weeks ago, AND a .txt file that is in my /home/ dir containing all of my "wish-list" items for Christmas. Now first off, how the hell can they legally be viewing my files?
Second off, who should I call and bitch at for this (if anybody)?... I have to head off to work now, though I'll come back and maybe scan the letter I got on my scanner (that is, if I can find the letter in the trash).
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
Hell-Razor
Guru
Joined: 10 Jun 2004
Posts: 458

Posted: Sat Dec 27, 2008 4:28 pm

Oh, I forgot to add -- I think it's time to ranish my HDs =(
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
GODhack
Guru
Joined: 26 Jan 2008
Posts: 389
Location: Lithuania

Posted: Sat Dec 27, 2008 6:14 pm

Update everything if not updated; remove sshd from startup if you have it there.
Set up iptables.
Check ps for strange lines.

The ISP can give you the IP of the hacker; you can whois his IP and maybe even find his phone number if he is stupid enough.
That is maybe all you can do.
_________________
http://www.youtube.com/watch?v=4jtmOZaIvS0
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54845
Location: 56N 3W

Posted: Sat Dec 27, 2008 6:58 pm

Hell-Razor,

Make an image of your drive for later forensics, then reinstall. Better yet, get another drive.
Do not attempt to salvage anything from the old install. It looks like you have been compromised somehow.

Check your access logs if you use ssh for external access.

Exactly what an intruder can do depends on the account they have access as.
Are there any signs the intruder was root?
e.g. does the list of files include things in /root?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
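The triage NeddySeagoon describes, as an added example that is not code from this thread: image the suspect disk first (from a live medium, with the disk not mounted), hash the image so it can later be shown untouched, and then answer his two questions from a copy of the sshd log: who logged in successfully, and was any of it root? The log lines below are constructed for the demo with RFC 5737 documentation addresses; the device names in image_disk are placeholders, and the log format assumed is the standard syslog-style sshd output.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts).
# Assumes sshd logs in the usual syslog format; the sample lines written by
# write_sample_log are constructed, not taken from anyone's machine.
set -eu

# Image the suspect disk before touching it, then hash the image so later
# forensic work can prove the copy was not altered. Run from a live medium
# with the suspect disk NOT mounted. Device names are assumptions; adjust both.
image_disk() {
    src=$1 dst=$2
    dd if="$src" of="$dst" bs=4M conv=noerror,sync
    sha256sum "$dst" > "$dst.sha256"
}

# One "user<TAB>source-ip<TAB>auth-method" line per successful sshd login.
ssh_accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) if ($i == "Accepted") break
        # ... Accepted <method> for <user> from <ip> port <n> ssh2
        printf "%s\t%s\t%s\n", $(i+3), $(i+5), $(i+1)
    }' "$1"
}

# Neddy's question: was the intruder root? Successful root logins only.
ssh_root_logins() {
    ssh_accepted_logins "$1" | awk -F'\t' '$1 == "root"'
}

# Sources of failed logins, most frequent first: separates brute-force noise
# from the one address that eventually got in.
ssh_failed_sources() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i+1)]++; break }
    } END { for (ip in c) printf "%d\t%s\n", c[ip], ip }' "$1" | sort -rn
}

count_lines() { awk 'END { print NR }'; }

# Constructed sample log for the demo (documentation addresses, fake host).
write_sample_log() {
    cat > "$1" <<'EOF'
Dec 20 01:02:11 gentoo sshd[2211]: Accepted publickey for hellrazor from 192.0.2.10 port 51234 ssh2
Dec 21 23:40:02 gentoo sshd[2390]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Dec 21 23:40:05 gentoo sshd[2391]: Failed password for root from 198.51.100.7 port 4023 ssh2
Dec 21 23:40:09 gentoo sshd[2392]: Failed password for root from 198.51.100.7 port 4024 ssh2
Dec 21 23:40:13 gentoo sshd[2393]: Accepted password for root from 198.51.100.7 port 4025 ssh2
Dec 22 04:15:44 gentoo sshd[2501]: Failed password for oracle from 203.0.113.99 port 60001 ssh2
Dec 23 09:00:00 gentoo sshd[2777]: Accepted publickey for hellrazor from 192.0.2.10 port 51300 ssh2
EOF
}

# Stand-alone demo on the constructed log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "== successful logins (user, ip, method)"; ssh_accepted_logins "$demo_log"
echo "== root logins";                          ssh_root_logins "$demo_log"
echo "== failed-login sources (count, ip)";     ssh_failed_sources "$demo_log"
rm -f "$demo_log"
```

Run it against the log copied off the image, not the live box: a rootkit on the running system can filter what the logging daemon writes or what ls and cat show you, which is the whole reason for imaging first. On the sample, the address with three failed root passwords is also the one with the single accepted root password; that pattern (brute force, then success, on an account that should never accept passwords) is what to look for.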
Hell-Razor
Guru
Joined: 10 Jun 2004
Posts: 458

Posted: Sun Dec 28, 2008 6:06 am

Alright, I was unable to find the letter, so I don't know if there were any root files (but can't some / most of the root dir be seen by ls?).

Everything IS up to date, hack. ssh is turned off; I never really use it.

The strange thing, though, is that this is from my ISP. I am on the phone now for a different provider -- I don't know if I really can call and complain because, well, I did/do illegal things with software, except is there a line they crossed here?
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
Hell-Razor
Guru
Joined: 10 Jun 2004
Posts: 458

Posted: Sun Dec 28, 2008 6:08 am

[00:03:33] Checking system startup files for malware [ Warning ]
[00:03:34] Warning: Found string 'hidef' in file '/etc/init.d/net.lo'. Possible rootkit: Possible part of Knark rootkit

That is a part of my rkhunter output -- anything to be worried about?
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
platojones
Veteran
Joined: 23 Oct 2002
Posts: 1602
Location: Just over the horizon

Posted: Sun Dec 28, 2008 6:18 am

Hell-Razor wrote:
[00:03:33] Checking system startup files for malware [ Warning ]
[00:03:34] Warning: Found string 'hidef' in file '/etc/init.d/net.lo'. Possible rootkit: Possible part of Knark rootkit

that is a post from my rkhunter output -- anything to be worried about?


Yep...and I'm not even you.
platojones
Veteran
Joined: 23 Oct 2002
Posts: 1602
Location: Just over the horizon

Posted: Sun Dec 28, 2008 6:38 am

Sorry, I shouldn't have been so flip in my last comment... yes, your box is 100% owned. If you aren't taking NeddySeagoon's advice right now, you need to start. rkhunter is confirming what you already know by now. Unless you manually put 'hidef' in your net.lo file, it doesn't get more explicit...

1) Somebody sent you an email containing a directory listing from YOUR own filesystem.

2) Only root can modify anything in /etc/init.d... and the word 'hidef' doesn't belong in net.lo unless you put it there yourself... if you don't remember doing that, then somebody else has root access to your computer.

So, follow Neddy's advice... at a bare minimum, you should have disconnected from the internet and started reformatting every drive on your box... followed by a re-install... and that goes for anything connected to this system. You have been seriously compromised. And don't re-connect to the internet until you have a reliable firewall installed.
Hell-Razor
Guru
Joined: 10 Jun 2004
Posts: 458

Posted: Sun Dec 28, 2008 6:45 am

Code:
   local hidefirstroute=false first=true
   local routes="$(_get_array "routes_${IFVAR}")"
   if [ "${IFACE}" = "lo" -o "${IFACE}" = "lo0" ]; then
      if [ "${config_0}" != "null" ]; then
         routes="127.0.0.0/8 via 127.0.0.1
${routes}"
         hidefirstroute=true
      fi
   fi

   local OIFS="${IFS}" SIFS=${IFS-y}
   local IFS="$__IFS"
   for cmd in ${routes}; do
      unset IFS
      if ${first}; then
         first=false
         einfo "Adding routes"
      fi
      eindent
      ebegin ${cmd}
      # Work out if we're a host or a net if not told
      case ${cmd} in
         -net" "*|-host" "*);;
         *" "netmask" "*)                   cmd="-net ${cmd}";;
         *.*.*.*/32*)                       cmd="-host ${cmd}";;
         *.*.*.*/*|0.0.0.0|0.0.0.0" "*)     cmd="-net ${cmd}";;
         default|default" "*)               cmd="-net ${cmd}";;
         *)                                 cmd="-host ${cmd}";;
      esac
      if ${hidefirstroute}; then
         _add_route ${cmd} >/dev/null 2>&1
         hidefirstroute=false


And second, it wasn't an email - it was a letter from my ISP...

Those are all the "hidef" items -- it seems to be "hide first route".
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
platojones
Veteran
Joined: 23 Oct 2002
Posts: 1602
Location: Just over the horizon

Posted: Sun Dec 28, 2008 6:47 am

Did you put those there?
Hell-Razor
Guru
Joined: 10 Jun 2004
Posts: 458

Posted: Sun Dec 28, 2008 6:49 am

nope
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
Hell-Razor
Guru
Joined: 10 Jun 2004
Posts: 458

Posted: Sun Dec 28, 2008 6:49 am

Anyway, what's the program that turns all of the data on your HDs to 0 then back to 1 and whatnot? I need it now...
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
platojones
Veteran
Joined: 23 Oct 2002
Posts: 1602
Location: Just over the horizon

Posted: Sun Dec 28, 2008 6:53 am

Quote:
and second it wasnt an email - it was a letter from my isp...


Well... let's back up here... first of all, even your ISP cannot get onto your machine unless it is wide open. And I don't know of any TOS that allows an ISP to break into your computer, for any reason. Did that e-mail really contain a directory listing from your machine... or could it be something that you downloaded onto one of your ISP's servers? If it is the latter, then your first post was not clear about it at all... you made this post because you thought you were hacked... why do you think you were?
platojones
Veteran
Joined: 23 Oct 2002
Posts: 1602
Location: Just over the horizon

Posted: Sun Dec 28, 2008 6:59 am

Quote:
nope


Ok, that answered the question

Code:

[xxxxxxx:/etc/init.d]# grep hidef *
[xxxxxxx:/etc/init.d]#


that's what should have happened unless you put 'hidef' in your net.lo

The command you want to zero your disks is

Code:
# sdX = the whole disk to wipe (e.g. sda), not a partition; check with fdisk -l first
dd if=/dev/zero of=/dev/sdX bs=1M

for every hard drive... do that for the disk your root partition is on last.
Hell-Razor
Guru
Joined: 10 Jun 2004
Posts: 458

Posted: Sun Dec 28, 2008 7:00 am

Because I got an ls of some of the files that were both downloaded and on my machine, a letter saying stuff about illegal software -- as far as I know right now my router shows nothing, and the same with all the other suggestions. How could they get a partial ls of my /home/ files without fully being into my machine? Whoever did it knew what they were doing, and I think I need to spend the rest of the night working on reinstalling :cry:

There is something like an ls but not quite the same, I don't know how else to explain it... it has my name, my IP, my account number on it (basically everything except my full CC number and SS number)... There is also a download history of some but not all files - anywhere from what I think are kernel patches for a Gentoo kernel to a randomly named tar.gz file (I have no idea what it is)...

Does that make sense?
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
Hell-Razor
Guru
Joined: 10 Jun 2004
Posts: 458

Posted: Sun Dec 28, 2008 7:04 am

I know now, though, that I need to go the hardened route and on top of that start using tor for EVERYTHING...
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
platojones
Veteran
Joined: 23 Oct 2002
Posts: 1602
Location: Just over the horizon

Posted: Sun Dec 28, 2008 7:11 am

Hell-Razor wrote:
Cause I got an ls of some of the files that were both dled and on my machine, a letter saying stuff about illegal software -- as I know right now my router shows nothing and same with all the other suggestions. How could they get a partial ls of my /home/ files without fully being into my machine? whoever did it knew what they were doing and I think I need to spend the rest of the night working on reinstalling :cry:

There is something like an ls but not quite the same I don't know how else to explain it... it has my name my ip my account number on it (basically everything except my full cc number and ss number)...There is also a download history of some but not all files - anywhere from what I think are kernel patches for a gentoo kernel to a random named tar.gz file (I have no idea what it is)...

Does that make sense?


Ok... well... here's my advice. 1) Just disconnect from the internet ASAP. 2) Call your ISP first thing tomorrow and ask 'What's Up!'... if you can't trust your ISP, then you are screwed no matter what... and if there is an issue about some downloads... better to confront them with it rather than wait for an e-mail from their lawyers.

About the net.lo... well, big ALARM THERE! Personally, if rkhunter reported something like that on my system, I would 1) disconnect from the network immediately 2) do as Neddy says and make a backup of the root partition for later forensic analysis 3) zero out every drive on my system and re-install.

But that's just me... this whole situation is very odd... does anyone else in your house have physical access to your machine... or root access to it? If not, the hidef thing is a super-sized alarm bell for an illegal break-in. And... if this happened to me, as you describe it... out of the blue... I would assume a blackmail or extortion scam by a hacker....
platojones
Veteran
Joined: 23 Oct 2002
Posts: 1602
Location: Just over the horizon

Posted: Sun Dec 28, 2008 7:20 am

Oh... and to be fair... I'll just go ahead and ask this... this is a relatively up-to-date Gentoo system, no? It's not like some 5 year old Gentoo install that has never been updated? This isn't some other distro, or hybrid that was hacked together, right? The reason I'm asking is that the net.lo you posted looks nothing like a current Gentoo net.lo... so if you are running Gentoo, then it has definitely been seriously altered... or is way out of date.
platojones
Veteran
Joined: 23 Oct 2002
Posts: 1602
Location: Just over the horizon

Posted: Sun Dec 28, 2008 7:30 am

Also, hopefully you aren't reading this now and have already started the remedial actions described... I wasn't pointing the finger at you, by any means. If your box was taken over (and it looks like it was), then the hacker is the one who has been the cause of all of this... he may be downloading and forwarding warez all over the world, using your box as an open relay for spam, etc, etc, and your ISP noticed it and sent you that letter... in fact, that makes perfect sense. So yes, wipe your system and call and explain what happened to your ISP... and document that call... also, try and remember anything sensitive you may have on your system... have you used it for credit card transactions for online purchases, etc... if so, your browser has probably cached all of that information... and any passwords, credit card numbers, etc, you may have used for anything on the internet may be compromised.
lookitsme
n00b
Joined: 06 Nov 2003
Posts: 48
Location: Kuala Lumpur, Malaysia

Posted: Sun Dec 28, 2008 8:38 am

Quote:
The reason I'm asking is that the net.lo you posted looks nothing like a current Gentoo net.lo...so if you are running Gentoo, then it has definitely been seriously altered...or way out of date.


It looks the same as on my box... it's provided by openrc-0.4.1.
mv
Watchman
Joined: 20 Apr 2005
Posts: 6780

Posted: Sun Dec 28, 2008 10:05 am

lookitsme wrote:
It looks the same as on my box... its provided by openrc-0.4.1.

Yes, indeed: The posted passage is in openrc-0.4.1.tar.bz2 in the file init.d/net.lo.in. So it is completely normal and nothing to worry about. Just a false positive of rkhunter. However, you might want to open a new ticket on the openrc development page to inform Roy that his code triggers this problem: I am rather sure that he does not know yet.
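The two checks that settle an rkhunter string hit like this one, as an added example that is not code from this thread, from openrc or from rkhunter: first, whether the "suspicious" string occurs as a bare word at all or only inside a longer identifier (here, hidefirstroute), and second, whether the file still matches the checksum the package manager recorded when it installed it. On a real Gentoo box, `qcheck sys-apps/openrc` (portage-utils) or `equery check sys-apps/openrc` (gentoolkit) performs that second comparison against the installed-package database; the script below reimplements the core of it so the demo can run on a constructed file and a constructed CONTENTS entry instead of a live system. Assumed: Gentoo's /var/db/pkg/<category>/<package>/CONTENTS layout with "obj <path> <md5> <mtime>" lines.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts, openrc or
# rkhunter). Assumes Gentoo's installed-package database layout
# /var/db/pkg/<cat>/<pkg>/CONTENTS with "obj <path> <md5> <mtime>" lines.
# The file and CONTENTS entry built by make_demo are constructed for the demo.
set -eu

# Exit 0 if STRING occurs as a whole word in FILE (a hit worth reading),
# 1 if it only appears embedded in a longer token such as "hidefirstroute".
bare_token_hit() {
    string=$1 file=$2
    grep -qw -- "$string" "$file"
}

# Find the CONTENTS file of the installed package that owns PATH.
# Exit 1 (and print nothing) if no installed package lists it.
vdb_contents_for() {
    path=$1 vdb=${2:-/var/db/pkg}
    for c in "$vdb"/*/*/CONTENTS; do
        [ -f "$c" ] || continue
        if awk -v p="$path" '$1 == "obj" && $2 == p { found = 1 } END { exit !found }' "$c"; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# Exit 0 if FILE's md5 matches the "obj" entry for it in CONTENTS,
# 1 if it differs (edited or replaced), 2 if the package never installed it.
vdb_check_file() {
    contents=$1 file=$2
    recorded=$(awk -v p="$file" '$1 == "obj" && $2 == p { print $3 }' "$contents")
    [ -n "$recorded" ] || return 2
    actual=$(md5sum "$file" | awk '{ print $1 }')
    [ "$recorded" = "$actual" ]
}

# Constructed demo: a fake vdb with one package owning a file that contains
# the legitimate openrc identifier rkhunter tripped over.
make_demo() {
    dir=$1
    mkdir -p "$dir/sys-apps/openrc-0.4.1"
    printf 'local hidefirstroute=false first=true\n' > "$dir/net.lo"
    sum=$(md5sum "$dir/net.lo" | awk '{ print $1 }')
    printf 'obj %s %s 1230000000\n' "$dir/net.lo" "$sum" > "$dir/sys-apps/openrc-0.4.1/CONTENTS"
}

# Stand-alone demo.
d=$(mktemp -d)
make_demo "$d"
c=$(vdb_contents_for "$d/net.lo" "$d")
echo "owned by: $c"
if bare_token_hit hidef "$d/net.lo"; then
    echo "hidef as a bare word: yes"
else
    echo "hidef as a bare word: no, only inside a longer identifier"
fi
if vdb_check_file "$c" "$d/net.lo"; then
    echo "checksum: matches the package"
else
    echo "checksum: DIFFERS from the package"
fi
echo hidef >> "$d/net.lo"        # simulate someone actually editing the file
if bare_token_hit hidef "$d/net.lo"; then echo "after edit, bare word: yes"; fi
if vdb_check_file "$c" "$d/net.lo"; then :; else echo "after edit, checksum: DIFFERS"; fi
rm -rf "$d"
```

The checksum test is only as trustworthy as the database and the md5sum binary on the box you run it on; on a machine you already believe is rooted, run it from a live medium against the mounted image, as the thread already advises, not from the suspect install itself.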
Hell-Razor
Guru
Joined: 10 Jun 2004
Posts: 458

Posted: Sun Dec 28, 2008 7:08 pm

Well, I'm on a new system (hooray) and yes, it seems lookitsme is correct... I did use layman again and made a backup file of my net.lo this time to see if anything funky went on -- it was me, I guess, but oh well, too late now.

I would like to thank everybody that helped -- it wasn't what I wanted to hear, but hell, it was something that had to be done.

For security measures -- iptables was recommended (going to install it now and take out my wifi router), and what about a proxy? I've always liked tor and used my machine for a forward in the past -- how hard is it for my **NEW** ISP (yes, they came about 20 minutes ago to install :wink: ) to read my traffic if I torify all my somewhat sensitive data?
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
quag7
Apprentice
Joined: 12 Aug 2002
Posts: 288
Location: Marana, Arizona - USA

Posted: Sun Dec 28, 2008 7:56 pm

The problem with tor is that it isn't supposed to be used for p2p traffic, and even if you did use it that way, it would be painfully slow, like sub-dialup slow. Tor is a good idea, but there need to be more relays and more responsible usage. I always groan whenever I have to turn it on.

Using a seedbox or cheap shell account is not a bad alternative.

But what this has to do with where the ducks go in the winter, I do not know ;)
_________________
http://www.dataswamp.net
kernelOfTruth
Watchman
Joined: 20 Dec 2005
Posts: 6111
Location: Vienna, Austria; Germany; hello world :)

Posted: Mon Dec 29, 2008 2:41 pm

*subscribes*

a little paranoia doesn't hurt anyone :idea:

try to harden your system (e.g. hardened use-flags, hardened toolchain, hardened kernel)

and ensure that you have a decent iptables-based firewall and a router with built-in firewall in front of your box
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa

Hardcore Gentoo Linux user since 2004 :D
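The iptables firewall that GODhack and kernelOfTruth both recommend, as an added example that is not code from this thread: a minimal stateful ruleset for a single box in iptables-restore format, with the weak setting (ACCEPT policy on INPUT and FORWARD, which is what a kernel with no rules loaded gives you) beside the corrected one, plus a small check that flags that weak setting in an existing iptables-save dump. Assumed: an iptables with the conntrack match, Gentoo's OpenRC iptables init script for persistence, and 192.0.2.10 as a placeholder admin address; the "weak" dump is constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts). Assumes iptables
# with the conntrack match and Gentoo's OpenRC /etc/init.d/iptables script.
# 192.0.2.10 below is a placeholder admin address; weak_dump is constructed.
set -eu

# Emit the ruleset. Policy DROP on INPUT and FORWARD; only loopback, replies
# to connections this box opened, and rate-limited ping get in. OUTPUT stays
# open because this is a workstation that has to reach the net. Pass an admin
# IP as $1 to open SSH from that one address; leave it out to keep 22 closed
# (the original poster does not use ssh at all).
baseline_rules() {
    admin=${1-}
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
    if [ -n "$admin" ]; then
        printf '%s\n' "-A INPUT -p tcp --dport 22 -s $admin -m conntrack --ctstate NEW -j ACCEPT"
    fi
    echo COMMIT
}

# Apply (root only, not run by the demo): load atomically, then persist the
# way Gentoo's OpenRC script expects so the rules come back after a reboot.
apply_rules() {
    baseline_rules "${1-}" | iptables-restore
    /etc/init.d/iptables save
    rc-update add iptables default
}

# Report filter-table chains whose policy is ACCEPT in an iptables-save dump:
# the weak setting that lets any listening service be reached from outside.
open_policies() {
    awk '/^\*/ { table = substr($1, 2) }
         table == "filter" && /^:/ && $2 == "ACCEPT" && ($1 == ":INPUT" || $1 == ":FORWARD") {
             print substr($1, 2)
         }' "$1"
}

# Constructed dump of a box with no firewall: every chain policy ACCEPT.
weak_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Stand-alone demo: check the weak dump, then the baseline.
tmp=$(mktemp)
weak_dump > "$tmp"
echo "weak dump, chains left open:"; open_policies "$tmp"
baseline_rules > "$tmp"
echo "baseline, chains left open:"; open_policies "$tmp"   # nothing
rm -f "$tmp"
```

To audit a running box rather than a file, feed `iptables-save` output to open_policies. The ruleset is the inner layer of NeddySeagoon's onion; the router firewall kernelOfTruth mentions is the outer one, and neither replaces turning off services you do not use.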
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54845
Location: 56N 3W

Posted: Mon Dec 29, 2008 5:32 pm

Perhaps it's worth tempering the paranoia by making it clear that security is like the layers of an onion.
They have to break each layer in turn.

The idea is to make it clear to an attacker that there are easier targets out there and they should try one of those instead.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Page 1 of 2