D&C GLug - Home Page

[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] Server got hacked


On 25/11/13 16:15, bad apple wrote:
Let's hope for more details from Stinga when he's finished locking
everything down again. I love post-hack forensics!
Not sure there will be much!
Reinstall is not really an option at this time.
It is pretty locked down but obviously not enough!

There was no failed attempts from either of the two ip address used to gain entry.

Nov 23 00:56:48 sq sshd[28153]: Accepted publickey for root from port 4596 ssh2 Nov 23 00:56:48 sq sshd[28153]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 23 00:57:11 sq useradd[28257]: new group: name=mark, GID=1211
Nov 23 00:57:12 sq useradd[28257]: new user: name=mark, UID=1210, GID=1211, home=/home/mark, shell=/bin/bash Nov 23 00:57:15 sq passwd[28263]: pam_unix(passwd:chauthtok): password changed for mark Nov 23 00:57:44 sq sshd[28277]: Accepted password for mark from port 55870 ssh2

I noticed the new user and new user login from logwatch also about 10 bounced emails to the new user they had created.

Looks like they got in via a publickey access that was put there somehow...
-rw-r--r-- 1 root root  607 2013-11-02 17:55 authorized_keys
-rw-r--r-- 1 root root 6310 2013-04-30 12:47 known_hosts
God knows when that happened, beginning of the month if you believe the time-stamp...

So there were entries in the /root/.ssh/authorized_keys file. Now removed, along with PubkeyAuthentication no in sshd config

Shouldn't be able to get in anyway since root is locked down.

How they got in?
1 - brute force
2 - key log or something else from a windows box, there is 1 other user with shell access that uses windows 7 3 - exploitable php script that allowed root access and the creating of a /root/.ssh/authorized_keys file

I don't think is likely I have not seen lots of failed logins to root, over time yes but not in a small time frame, I block using iptables and sec once a login has failed after 4 attempts in 60 seconds and I have not seen a huge increase in log for failed root logins.

Maybe, a bit difficult to determine, but will probably suggest a wipe and reinstall of windows 7. This user always su's to do root stuff.

Not sure how hard this would be, but leaning towards this being the access point.
The only login I have seen that is not from my ip is the publickey access.

What have I done?
Made sure ssh access is only allowed to those users that need it, which was the case anyway. Only allowed access to root from my ip address since I am the only one that needs direct root access. (Which was not the case)
Removed publickey access from sshd, now you have to use a password.

Now just need to monitor and see what happens.
Suppose I will have to look at doing a reinstall, the website is still running and if I can believe tcpdump/ps binarys etc there is nothing untoward running. If I can believe the history file for root then nothing was changed. The history file had the hackers commands interspersed with mine so unless they where very clever I don't think it was tampered with. Time to look at upgrading the server maybe and seeing if I can do a deal with the hosting company to change/upgrade...


Email: stinga+dclug@xxxxxxxxxxxxx   o
You need only two tools.        o /////
A hammer and duct tape. If it    /@   `\  /) ~
doesn't move and it should use  >  (O)  X<  ~  Fish!!
the hammer. If it moves and      `\___/'  \) ~
shouldn't, use the tape.           \\\

The Mailing List for the Devon & Cornwall LUG
FAQ: http://www.dcglug.org.uk/listfaq