Machine compromised

bhiksha bhiksha at merl.com
Wed Dec 20 07:03:55 UTC 2006


A-ha!

It appears that the user "backup" was created on the day I actually
installed FC5 on my box (back on September 4), and the user who
created the account was root, who logged in from an adjacent Windows
box, which, presumably, was compromised on that date (it's protected
with Norton AV, so I expect this happened before LiveUpdate got the
fix for that particular bug..).

The PC that the hacker logged in from belongs to my wife, who was
logged in at that time.
Interestingly, whoever it was had also tried using her userid (on the PC)
on my Linux box, although she didn't have an account on it till more than
a month later!

I sshed into the Linux box from her machine for something or the other,
and they probably read the keystrokes (my Linux box had no monitor
initially, and after borrowing my wife's monitor for the initial install I
returned it to her and simply sshed in from her machine to mess around).
I confess I was somewhat sloppy during the installation since the machine
was not directly connected to the net (it was however connected
to a Linksys box that the Windows box was also connected to. Port forwarding
was turned off and I felt unwisely safe).
I changed the root password immediately after installation, before
forwarding port 22 to it; this might explain why the subsequent dictionary
attacks on root failed.

It appears the hacker also attempted a few dictionary attacks on that
day for other userids, but did not succeed.

Trust a Windows box (and a careless user) to be at the bottom of it all
eventually :-)

I do have a new monitor, so my reinstallation should be safe :-)

-Bhiksha


bhiksha wrote:

> Jason L Tibbitts III wrote:
>
>> I'm not sure why you replied off-list; you lose the benefit of other
>> insights into the discussion.
>>
>
> Sorry, I didn't realize I'd done that. I just hit a "reply".
> I'm certainly getting a lot of useful advice from the group.
>
>>>>>>> "b" == bhiksha  <bhiksha at merl.com> writes:
>>
>> b> I'm still curious about how an account called "backup" belonging to
>> b> uid 0 came to be!
>>
>> I can say with absolute certainty that a hacker put it there, which
>> means that they found some other way into your system.  Are you
>> absolutely sure that you were keeping up with all of the security
>> updates?  Did you have the firewall on?  Obviously you had at least
>> one port open (22); there have been security issues in openssh
>> although I don't recall that any of them were remotely exploitable.
>> What other services were you running?
>>
>> b> I just hope the hackers are not taking advantage of some intrinsic
>> b> hole in FC5.
>>
>> Rest assured that if there were a significant unpatched vulnerability,
>> yours wouldn't be the only compromised machine.  But there are many
>> available servers in Fedora, and there have been many security
>> updates.  And of course there is plenty of software available outside
>> of Fedora that could present security issues.
>>
>
> I have iptables on. I also have a firewall box that only lets in ports
> 22 and 80.
> I left port 22 open to allow me to ssh in from outside, and I have
> tried to keep abreast of the updates.
> I'm not sure what happened exactly, but I'm taking the suggested
> precaution of simply cleaning out the machine and reinstalling.
>
> Thanks much
> Bhiksha
>
>
>> - J<
>
> -- 
> Fedora-security-list mailing list
> Fedora-security-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-security-list
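Jason's point that a uid 0 account called "backup" can only have been planted, and Bhiksha's later finding that it was created from a root ssh session coming from the neighbouring PC, both come down to two checks a defender can script: list every UID 0 entry in /etc/passwd, and tie the useradd entry in the auth log to the accepted login that preceded it. The script below is an added example written for this page, not code from the thread or from Fedora. The passwd entries, hostnames, usernames and addresses are constructed; the useradd line assumes the syslog format shadow-utils writes ("new user: name=..., UID=..., GID=..."), and the sshd lines assume the classic "Accepted ... for USER from ADDR port N" wording.

```python
import re

# Constructed sample /etc/passwd content for this example (not from the thread).
# "backup" carries UID 0, which makes it a second root account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:0:0::/var/backup:/bin/bash
bhiksha:x:500:500:Bhiksha:/home/bhiksha:/bin/bash
"""

# Constructed syslog-style auth lines (on Fedora these live in /var/log/secure).
# Host name, user names and addresses are made up for the example.
SAMPLE_AUTH_LOG = """\
Sep  4 21:12:03 fc5 sshd[2231]: Accepted password for root from 192.168.1.20 port 1045 ssh2
Sep  4 21:13:40 fc5 useradd[2260]: new user: name=backup, UID=0, GID=0, home=/var/backup, shell=/bin/bash
Sep  4 21:15:11 fc5 sshd[2290]: Failed password for invalid user alice from 192.168.1.20 port 1051 ssh2
Sep  5 02:30:00 fc5 sshd[3100]: Failed password for root from 203.0.113.7 port 40210 ssh2
Oct 10 09:00:00 fc5 sshd[4100]: Accepted publickey for bhiksha from 192.168.1.20 port 2200 ssh2
"""

ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(\S+), UID=(\d+), GID=(\d+)")


def extra_uid0_accounts(passwd_text):
    """Return every account name with UID 0 other than 'root'."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


def parse_auth_log(log_text):
    """Turn syslog auth lines into event dicts, preserving file order."""
    events = []
    for line in log_text.splitlines():
        stamp = line[:15]  # "Mon dd HH:MM:SS" prefix of traditional syslog
        m = ACCEPTED_RE.search(line)
        if m:
            events.append({"ts": stamp, "kind": "accepted", "user": m.group(1), "src": m.group(2)})
            continue
        m = FAILED_RE.search(line)
        if m:
            events.append({"ts": stamp, "kind": "failed", "user": m.group(1), "src": m.group(2)})
            continue
        m = USERADD_RE.search(line)
        if m:
            events.append({"ts": stamp, "kind": "useradd", "user": m.group(1),
                           "uid": int(m.group(2)), "gid": int(m.group(3))})
    return events


def suspicious_account_creations(log_text):
    """Flag useradd events that made a UID 0 account and attribute each one to
    the most recent accepted ssh login before it (the session that likely ran
    useradd). A console login leaves no sshd line, so via_login can be None."""
    findings = []
    last_login = None
    for ev in parse_auth_log(log_text):
        if ev["kind"] == "accepted":
            last_login = ev
        elif ev["kind"] == "useradd" and ev["uid"] == 0 and ev["user"] != "root":
            findings.append({"ts": ev["ts"], "new_user": ev["user"],
                             "uid": ev["uid"], "via_login": last_login})
    return findings


def failed_logins_by_source(log_text):
    """Count failed ssh logins per source address, which is how the
    dictionary attacks mentioned in the thread show up."""
    counts = {}
    for ev in parse_auth_log(log_text):
        if ev["kind"] == "failed":
            counts[ev["src"]] = counts.get(ev["src"], 0) + 1
    return counts


if __name__ == "__main__":
    print("UID 0 accounts besides root:", extra_uid0_accounts(SAMPLE_PASSWD))
    for f in suspicious_account_creations(SAMPLE_AUTH_LOG):
        print(f"{f['ts']}: {f['new_user']} created with UID {f['uid']} via {f['via_login']}")
    print("failed logins by source:", failed_logins_by_source(SAMPLE_AUTH_LOG))
```

On a real box the two inputs would be /etc/passwd and /var/log/secure; the attribution step only works when the attacker did not edit or rotate the log, so the date it yields is a lead to confirm against other evidence (file timestamps, the other host's logs), not proof on its own.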