Hello,
there are numerous brute force ssh attacks on the web. I was quite curious, and for fun, I created the typical user accounts and set easy-to-guess passwords....
Yesterday, such an ssh login was successful for users kevin and daikanyama. The hackers changed the passwords for both logins. They installed a certain program "undernet" as daikanyama and started a program called mech.
After some minutes, I removed the network cable, killed all the processes of the users and disabled these users.
Then, I figured out that some programs such as grep did not work. I rebooted the machine, but during the reboot I got various "segmentation faults", "illegal instructions", ....
I booted from an FC3 rescue CD, and I found out that various executables in /bin and /user/bin were manipulated (grep, egrep, gzip, rpm, mount, ...). I replaced these manipulated executables with original files, but I forgot to replace gtbl.
Then, the machine booted correctly. Later, when gtbl was called, some executables in /bin and /user/bin were manipulated. It seems to be some virus: when you start a manipulated executable, it manipulates other executables.
I managed to replace all manipulated files and the machine seems to work correctly.
My question is: They did not guess the root password, how did they manipulate files which are only writable by root???
Is anyone interested in log-files or in the programs which the hackers installed under daikanyama?
Best regards, Daniel
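Added example, not from the thread: a baseline-and-compare integrity check in POSIX sh for the kind of binary replacement described above. It assumes the baseline was recorded while the system was known-good and is kept off the box, and that the comparison runs from a rescue environment with its own sha256sum, since grep, rpm and mount themselves were replaced here; the directory and files at the bottom are constructed sample data.

```shell
#!/bin/sh
# Record SHA-256 digests of every regular file under a directory while the
# system is known-good, then compare later from a rescue environment whose
# own tools are trusted. Added example, not from the thread; the demo
# directory at the bottom is constructed sample data.

# make_baseline DIR OUTFILE -> one "digest  path" line per file under DIR
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done > "$2"
}

# check_baseline BASELINE -> prints MODIFIED/MISSING for each recorded file
# whose digest no longer matches; returns 0 only when everything matches
check_baseline() {
    status=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$expected" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$1"
    return $status
}

# list_new DIR BASELINE -> prints NEW for files present now but not recorded
# (a dropped program shows up here, not in check_baseline)
list_new() {
    known=$(mktemp)
    sed 's/^[0-9a-f]\{64\}  //' "$2" | LC_ALL=C sort > "$known"
    find "$1" -type f | LC_ALL=C sort | LC_ALL=C comm -13 "$known" - |
        sed 's/^/NEW      /'
    rm -f "$known"
}

# Constructed demo: a throwaway directory standing in for /bin
DEMO=$(mktemp -d)
printf 'original grep\n' > "$DEMO/grep"
printf 'original mount\n' > "$DEMO/mount"
BASELINE=$(mktemp)
make_baseline "$DEMO" "$BASELINE"
# Simulate the incident: one binary replaced, one new program dropped
printf 'replaced grep\n' > "$DEMO/grep"
printf 'dropped program\n' > "$DEMO/mech"
check_baseline "$BASELINE" || echo "baseline mismatch: do not trust this system"
list_new "$DEMO" "$BASELINE"
```

The same comparison against a known-good hash list is what an rpm -V from the rescue CD gives you, provided the rpm binary and its database come from trusted media rather than the compromised disk.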
Hi,
My question is: They did not guess the root password, how did they manipulate files which are only writable by root???
The following articles at Wikipedia should give you an idea what was going on on your machine:
http://en.wikipedia.org/wiki/Exploit_%28computer_security%29 http://en.wikipedia.org/wiki/Rootkit
Hope that helps,
Jan
P.S. I would recommend a clean re-install. You never know what things are sleeping and hiding on your machine now...
meaning that they did gain root access after all but were able to hide this through a rootkit???
I'm really not an expert on this. But from my understanding, I would say yes. I recommended a re-install of the complete box, because the original poster can't be sure that he has cleaned everything that was changed...
Greetings,
Jan
On Wed, 27 Apr 2005, Daniel Kirsten wrote:
Hello,
there are numerous brute force ssh attacks on the web. I was quite curious, and for fun, I created the typical user accounts and set easy-to-guess passwords....
Yesterday, such an ssh login was successful for users kevin and daikanyama. The hackers changed the passwords for both logins. They installed a certain program "undernet" as daikanyama and started a program called mech.
After some minutes, I removed the network cable, killed all the processes of the users and disabled these users.
Then, I figured out that some programs such as grep did not work. I rebooted the machine, but during the reboot I got various "segmentation faults", "illegal instructions", ....
I booted from an FC3 rescue CD, and I found out that various executables in /bin and /user/bin were manipulated (grep, egrep, gzip, rpm, mount, ...). I replaced these manipulated executables with original files, but I forgot to replace gtbl.
Then, the machine booted correctly. Later, when gtbl was called, some executables in /bin and /user/bin were manipulated. It seems to be some virus: when you start a manipulated executable, it manipulates other executables.
I managed to replace all manipulated files and the machine seems to work correctly.
My question is: They did not guess the root password, how did they manipulate files which are only writable by root???
Close examination of the rootkit they installed should be able to determine the attack vector used to gain root privileges.
Is anyone interested in log-files or in the programs which the hackers installed under daikanyama?
Best regards, Daniel
On Wed, Apr 27, 2005 at 01:26:03PM +0200, Daniel Kirsten wrote:
My question is: They did not guess the root password, how did they manipulate files which are only writable by root???
Did you happen to have perl-suidperl installed?
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146738
Daniel Kirsten wrote:
Hello,
there are numerous brute force ssh attacks on the web. I was quite curious, and for fun, I created the typical user accounts and set easy-to-guess passwords....
Generally, very bad idea. Unless you know exactly what you are doing, which you obviously don't.
Yesterday, such an ssh login was successful for users kevin and daikanyama. The hackers changed the passwords for both logins. They installed a certain program "undernet" as daikanyama and started a program called mech.
After some minutes, I removed the network cable, killed all the processes of the users and disabled these users.
You don't just unplug network cable. You wipe off machine and reinstall it from scratch. Simple as that.
Then, I figured out that some programs such as grep did not work. I rebooted the machine, but during the reboot I got various "segmentation faults", "illegal instructions", ....
Yeah, they were probably script kiddies who had no clue what they were doing, and they installed a corrupted rootkit. If they knew what they were doing, you'd never notice any file changes. See my previous comment about reinstalling the machine from scratch.
My question is: They did not guess the root password, how did they manipulate files which are only writable by root???
They don't need to guess root's password. All they need is a single setuid root buggy executable. Either you didn't have security updates installed, or the kids got their hands on yet unreported exploit (somehow, somewhere).
Is anyone interested in log-files or in the programs which the hackers installed under daikanyama?
I don't see why. In most probability, they installed some robots that can be controlled from IRC, that would enable them to perform DDoS using your machine (and dozens or hundreds of other machines).
On 4/27/05, Aleksandar Milivojevic amilivojevic@pbl.ca wrote:
Daniel Kirsten wrote:
there are numerous brute force ssh attacks on the web. I was quite curious, and for fun, I created the typical user accounts and set easy-to-guess passwords....
Generally, very bad idea. Unless you know exactly what you are doing, which you obviously don't.
Also, learn to use ssh RSA keys rather than allowing ssh passwords. Even if you have keys you still need to disable passwords for it to be secure. Doing that prevents dictionary password-guessing attacks. To disable ssh password access, edit /etc/ssh/sshd_config and set
PasswordAuthentication no
You may also want to disable root via ssh as well with
PermitRootLogin no
(After changing config either reboot or 'service sshd restart')
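Added example, not Deron's code or anything from the thread: a small POSIX sh checker that reads the effective PasswordAuthentication and PermitRootLogin values the way sshd does (first occurrence of a keyword wins, comments ignored) and flags the weak ones. It assumes a missing keyword takes the OpenSSH default of "yes" for both, as releases of that era did, and runs on a constructed sample config.

```shell
#!/bin/sh
# Report sshd_config settings that still allow password guessing over ssh.
# Assumptions (added example, not from the thread): the first occurrence of
# a keyword wins, as sshd applies it; keywords are case-insensitive; a
# keyword missing from the file takes the OpenSSH default of "yes"; anything
# after a "Match" line is conditional and is ignored here.

# effective_value FILE KEYWORD -> prints the value sshd will use, or nothing
effective_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                            # drop comments
        tolower($1) == "match" { exit }               # conditional section
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE -> one WEAK line per setting that still permits
# password or root logins; returns 0 only when both are hardened
check_sshd_config() {
    rc=0
    pw=$(effective_value "$1" PasswordAuthentication)
    pw=${pw:-yes}            # OpenSSH default when the keyword is unset
    if [ "$pw" != no ]; then
        echo "WEAK: PasswordAuthentication $pw (set it to no and use keys)"
        rc=1
    fi
    root=$(effective_value "$1" PermitRootLogin)
    root=${root:-yes}        # default of OpenSSH releases of that era
    if [ "$root" != no ]; then
        echo "WEAK: PermitRootLogin $root (set it to no)"
        rc=1
    fi
    return $rc
}

# Constructed sample config: the commented line does not count, and the
# second PasswordAuthentication line is ignored because the first one wins.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
Port 22
# PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
if check_sshd_config "$SAMPLE_CONF"; then
    echo "sshd_config is hardened against password guessing"
fi
```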
Deron Meranda wrote:
On 4/27/05, Aleksandar Milivojevic amilivojevic@pbl.ca wrote:
Daniel Kirsten wrote:
there are numerous brute force ssh attacks on the web. I was quite curious, and for fun, I created the typical user accounts and set easy-to-guess passwords....
Generally, very bad idea. Unless you know exactly what you are doing, which you obviously don't.
Also, learn to use ssh RSA keys rather than allowing ssh passwords. Even if you have keys you still need to disable passwords for it to be secure. Doing that prevents dictionary password-guessing attacks. To disable ssh password access, edit /etc/ssh/sshd_config and set
PasswordAuthentication no
You may also want to disable root via ssh as well with
PermitRootLogin no
(After changing config either reboot or 'service sshd restart')
The first of _my_ boxes to be cracked now has ssh logins w/o passwords, and firewall rules to allow ssh login only from select parts of the world. No access to Americans, Russians or Israelis.
However, I do think that's more than necessary. I use a password generator (expect has one but there are alternatives).
I'm prepared to assume that this (defunct) password is unguessable: q64bxjdc and that word combinations such as amaze-egg and listansett are good enough.
One does need to watch word length though: I used calamityjane (on RHL 4.2) for some time, later discovered it was equivalent to calamityj.
On Wed, Apr 27, 2005 at 10:56:38AM -0500, Aleksandar Milivojevic wrote:
there are numerous brute force ssh attacks on the web. I was quite curious, and for fun, I created the typical user accounts and set easy-to-guess passwords....
Generally, very bad idea. Unless you know exactly what you are doing, which you obviously don't.
What's the harm? I mean, assuming you're planning on doing a limited, controlled experiment?
You don't just unplug network cable. You wipe off machine and reinstall it from scratch. Simple as that.
Sure. But it doesn't hurt to investigate what happened. It's educational.
On Wed, 27 Apr 2005 17:13:45 -0400 Matthew Miller mattdm@mattdm.org wrote
On Wed, Apr 27, 2005 at 10:56:38AM -0500, Aleksandar Milivojevic wrote:
there are numerous brute force ssh attacks on the web. I was quite curious, and for fun, I created the typical user accounts and set easy-to-guess passwords....
Generally, very bad idea. Unless you know exactly what you are doing, which you obviously don't.
What's the harm? I mean, assuming you're planning on doing a limited, controlled experiment?
I'd want users who try this to be a bit more prepared. If, for instance, you set up a honeypot without firewalling it off from the rest of your local net, you're practically inviting a new sysadmin, so to speak.
If you're going to set up a honeypot, I'd suggest setting up a full honeynet, firewalled away from anything important, traffic monitored from outside the honeynet. (Otherwise, you tend to miss the most interesting stuff, anyway.)
There's just a lot of traps you can fall into (this thread shows several examples).
If you have the spare hardware and time, though, go for it.
One thing -- I'd want to make sure the BIOS on every box inside the honeynet is write-protected physically, and I'd plan on sacrificing the hard drives.
-- Joel Rees rees@ddcom.co.jp digitcom, inc. 株式会社デジコム Kobe, Japan +81-78-672-8800 ** http://www.ddcom.co.jp **
Matthew Miller wrote:
On Wed, Apr 27, 2005 at 10:56:38AM -0500, Aleksandar Milivojevic wrote:
there are numerous brute force ssh attacks on the web. I was quite curious, and for fun, I created the typical user accounts and set easy-to-guess passwords....
Generally, very bad idea. Unless you know exactly what you are doing, which you obviously don't.
What's the harm? I mean, assuming you're planning on doing a limited, controlled experiment?
Was it controlled? Was it really limited? Judging from the original post, I wouldn't be surprised if his entire local network got infected.
You don't just unplug network cable. You wipe off machine and reinstall it from scratch. Simple as that.
Sure. But it doesn't hurt to investigate what happened. It's educational.
Sure, investigate. Learn. And then wipe off the hard drives.
On Thu, Apr 28, 2005 at 08:14:44AM -0500, Aleksandar Milivojevic wrote:
Was it controlled? Was it really limited? Judging from the original post, I wouldn't be surprised if his entire local network got infected.
I'd be somewhat surprised, given that the attackers here seemed run-of-the-mill, but you're right, definitely something to check for.
Sure. But it doesn't hurt to investigate what happened. It's educational.
Sure, investigate. Learn. And then wipe off the hard drives.
Agreed.
On Thu, 2005-04-28 at 09:41 -0400, Matthew Miller wrote:
On Thu, Apr 28, 2005 at 08:14:44AM -0500, Aleksandar Milivojevic wrote:
Was it controlled? Was it really limited? Judging from the original post, I wouldn't be surprised if his entire local network got infected.
I'd be somewhat surprised, given that the attackers here seemed run-of-the-mill, but you're right, definitely something to check for.
From the attack vector, the attackers seemed run of the mill.
From the OP's comments, this attack could easily have infected any and all machines on his network. The OP did not even have any concept of the effects of running UNKNOWN programs that obviously were put on his system by an attacker, and yet he executed the program as root himself. Ignorance is not an excuse for an SA to make mistakes that can be deadly and in this case may easily have infected many other machines.
As was stated by Aleksandar, I will be surprised if the rest of his network did not also get infected.
Sure. But it doesn't hurt to investigate what happened. It's educational.
Sure, investigate. Learn. And then wipe off the hard drives.
Agreed.
-- Matthew Miller mattdm@mattdm.org http://www.mattdm.org/ Boston University Linux ------> http://linux.bu.edu/ Current office temperature: 75 degrees Fahrenheit.
Aleksandar Milivojevic wrote:
Matthew Miller wrote:
On Wed, Apr 27, 2005 at 10:56:38AM -0500, Aleksandar Milivojevic wrote:
there are numerous brute force ssh attacks on the web. I was quite curious, and for fun, I created the typical user accounts and set easy-to-guess passwords....
Generally, very bad idea. Unless you know exactly what you are doing, which you obviously don't.
What's the harm? I mean, assuming you're planning on doing a limited, controlled experiment?
Was it controlled? Was it really limited? Judging from the original post, I wouldn't be surprised if his entire local network got infected.
Why? I would be very surprised if it was. It requires infected files to be manually transferred from system to system.
Unless Daniel actually transferred an infected file to another system, or he has filesystems cross-mounted with write permission I don't see how they would be infected. Doing either on a system you are testing to see how long it takes to be compromised would be just as daft as running binaries installed by a cracker when root...
... Ok, maybe his network is infected.
Nigel Wade wrote:
Why? I would be very surprised if it was. It requires infected files to be manually transferred from system to system.
The attackers might have used shell access on the compromised machine as a platform to launch an attack on his local network. Or even the automated tools they uploaded/installed on the compromised machine might have done that. It is the classic approach. The attacker gets access to a single machine. Then he tries to see what else is reachable from it.
That is why when setting up a honey pot machine, it must be on a physically separate network segment, completely cut off from any other network by a firewall.
Daniel's (Daniel was OP, right?) reasoning was "they can't do much harm if all they got is user-level shell access". My guess is Daniel already realized how wrong his reasoning was. You can do a lot of nasty things with user-level shell access.
An analogy would be letting a thief into your house, and locking him in a room. There's a locked cabinet with some valuables inside that room. However, your room doors and the lock on the cabinet are certainly no match for your front door. It is so much easier for the thief to get the stuff from the locked cabinet (root access) and move to other rooms (machines on the local network), once he is already inside the house. To continue with the analogy, honey pot machines are completely separate houses. They are not rooms inside your house.
Moral of the story (which would be this thread): kids, don't do this at home.
On Wed, 2005-27-04 at 17:13 -0400, Matthew Miller wrote:
On Wed, Apr 27, 2005 at 10:56:38AM -0500, Aleksandar Milivojevic wrote:
there are numerous brute force ssh attacks on the web. I was quite curious, and for fun, I created the typical user accounts and set easy-to-guess passwords....
Generally, very bad idea. Unless you know exactly what you are doing, which you obviously don't.
What's the harm? I mean, assuming you're planning on doing a limited, controlled experiment?
That was how I understood your initial post, it sounded like you were intentionally creating a honey pot.
You don't just unplug network cable. You wipe off machine and reinstall it from scratch. Simple as that.
Sure. But it doesn't hurt to investigate what happened. It's educational.
Absolutely correct. That is a good way to see how intrusions are performed.
A couple of suggestions though:
1) You should make sure that the honey pot is segregated on its own little subnet. If possible isolated with a dedicated router to ensure arp poisoning can't be used by it to capture traffic from other devices on your switch once the honey pot is compromised.
2) Make sure that honey pot is blocked from accessing the rest of your network(s) with a router that is not accessible directly from the honey pot.
3) Capture all traffic that is sent or received by the honey pot for later analysis. You can use the captured data to confirm the actions that transpired and if logs are removed you still have an audit trail.
Honey pots can be fun, especially if you're a bear. ;-)
On Thu, Apr 28, 2005 at 08:56:19AM -0600, Guy Fraser wrote:
On Wed, 2005-27-04 at 17:13 -0400, Matthew Miller wrote: That was how I understood your initial post, it sounded like you were intentionally creating a honey pot.
Not me. Someone else. :)
On Wednesday 27 April 2005 11:56 am, Aleksandar Milivojevic wrote snip
Is anyone interested in log-files or in the programs which the hackers installed under daikanyama?
I don't see why. In most probability, they installed some robots that can be controlled from IRC, that would enable them to perform DDoS using your machine (and dozens or hundreds of other machines).
-- Aleksandar Milivojevic amilivojevic@pbl.ca Pollard Banknote Limited Systems Administrator 1499 Buffalo Place Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
When I installed linux 7.3 on my first internet machine, I visited a Brazilian black hat site and was hacked before the page was fully loaded. I shut down reformatted using msdos then linux and reloaded. Most viruses and trojans only work on a single O.S.
I suggest you do the same (reformat and reload).
Don't play with a corrupted machine; there are those who crack computers that are better than most experienced Sys Ads and Sys security people. It is a constant war.