
Re: My machine was hacked - possibly via sshd?



hi ya malcolm

On Mon, 28 Mar 2005, Malcolm Ferguson wrote:

> Machine was running Debian 3.0 and was behind a NAT box with ports 
> forwarded for SMTP, HTTP and SSH.  It hadn't been rebooted for 430 
> days.  I was using a 2.4 kernel with MPPE builtin.

which particular 2.4 kernel ??
 
> Early on the 25th, my logcheck emails indicated increasing messages in 
> syslog concerning failed login attempts against ssh.

it's common that everybody and their dog will attempt to connect
to your box via ssh

	- you should disallow ssh connections from the world
	and only allow known ip# ... incoming ssh connections from
	dynamic ip# should be disallowed

>   At some point 
> though I see ssh authentication failures for valid user names - how?   

just random people trying to ssh into your box ??

> Somehow they were being enumerated in the hack attempt, and I think that 
> one person had a weak password.

that'd be about 50% of all accounts ... where users get to use a
passwd of their choice

>  Finally I see an attempt to load 
> net-pf-14 and other modprobe errors.  At some point there are also 
> messages about the ethernet card entering promiscuous mode. 

iirc, that means they already have root access to your box to attempt
those network connection changes
	- they'd be sniffing for login and passwd info inside your lan

> When I logged on I discovered two outgoing connections to port ircd on 
> the foreign hosts, and something listening on port 48744 TCP.  

sorta harmless ... script kiddies having fun

> No PID  associated with them. 

odd .. if your ps and libs had not been modified

normal if they changed lots of your binaries to hide themselves

> I also discovered that a bunch of binaries were 
> failing: gzip seg faulted; man couldn't load any man pages; any commands 
> caused new messages to appear in the syslog concerning kernel modules 
> loading and eth0 going in to promis mode.  I'm guessing (maybe I read it 
> somewhere in a log) that a packet sniffer was running.

no ... they simply control your machine and modified your programs
like man, gzip, tar, ps, top, find, ls, ... and their libraries

they're definitely running irc and could be sniffing too but 
can't guess without any additional info about the other binaries that are
loaded on your machine

> So what can I do to prevent it?

harden your machine ..

be strict about who you allow to login ..

eg... i know my login and passwd and yet i cannot ssh into my own machines
from anywhere ... only from certain machines to only certain other guinea
pig machines to get to where i want to go

>  My best guess is that ssh failed,

nah ... they probably got in thru exploiting apache or mta or dns
vs. it's a lot harder to exploit ssh to get in and modify root-owned files

	- in order to modify those files, they are already in your machine
	and i keep wondering, if they already are in, why do they
	make it obvious they are in the box
	
> but 
> this is based on the log messages.  Exim or Apache could have been the 
> point of failure too though.

which version of exim and apache...
	- you should be running the latest versions from
	apache/exim/isc/etc...

	- there's been a lot of serious apache problems lately

>  Seeing as it was so long since I rebooted, 
> perhaps the exploit was coupled with a kernel vulnerability.  Any 
> thoughts? 

hundred million ways to get into a given server ... 
which one they got in on would be a separate task 

> I was up to date on all security patches.

but not on something or other ?? if they got in anyway ..

>  My kernel came from:
> deb http://www.vanadac.com/~dajhorn/projects/debian-pptp woody main

bad idea ??

> Somehow the usernames were enumerated and weak password was discovered.  

not surprising .. but that is unrelated to kernels

> There must have then been a local elevation of privileges attack at 
> which point it was definitely all over.

yup

> I've rebuilt the machine. 

ahhh ... it would have been fun to see how they got in ..
	and when they got in
	and who got in
	and how long they'd been in
	and where else they broke into
	and what files they changed
	and ...

> The biggest changes so far have been partitioning.

that won't stop them ... unless they exploited a race condition
in /tmp and you didn't have a separate /tmp that was not chmod 1777

>  I no longer have a single partition,

bad idea for gazillion reasons, and not just for security issues

> but about 10, 
> including read-only ones for /usr and /boot.

readonly won't matter ...  they got in and modified your readonly
root-owned files ...

>  I'm also running the 
> Debian stock 2.4.18-1-586tsc

you are way way way too old ..  current kernels are 2.4.29
or 2.6.11.5
	- though some time-tested known-to-be-good kernels are
	good too  vs newest/greatest kernels with newest/latest
	exploits against them

> (I don't need to create PPTP tunnels anymore).

good ...

and add no wireless, no dhcp, no vpn ...
and add no clear text logins ( no pop3, no imap, no telnet, no ftp, .. )
.. and gazillion other don't do that ..

>  I have Exim up and running and exposed to the  internet. 

good .. but latest version from exim.org and minimized for what you need


> I need to open up ssh to external connections too soon, and 

and who do you allow an ssh connection from ??
	1.2.3.4 only and only as userJoe ... and all others are
	disallowed

	but then again, if they are attacking apache and getting in,
	it won't matter what we do with ssh and other ports

> of course I will be reinstalling Apache within a week.

it's more like ... update everything BEFORE you go online

i know some people's machines that were coincidentally hacked within 
5 minutes of getting online to the outside ..
 
> Mar 25 02:23:12 erin-and-malc PAM_unix[24756]: authentication failure; 
> (uid=0) -> backup for ssh service

whacky

> Mar 25 02:23:14 erin-and-malc sshd[24756]: Failed password for backup 
> from 193.170.65.132 port 4128 ssh2

good that it failed, but backup should NOT be a login account

> Mar 25 02:24:24 erin-and-malc PAM_unix[24884]: authentication failure; 
> (uid=0) -> erin for ssh service
> Mar 25 02:24:26 erin-and-malc sshd[24884]: Failed password for erin from 
> 193.170.65.132 port 5776 ssh2

you have a gf ??
 
> Mar 25 02:40:57 erin-and-malc sshd[26053]: warning: /etc/hosts.deny, 
> line 15: can't verify hostname: 
> gethostbyname(17.red-82-158-1.user.auna.net) failed

hosts.deny should deny everything to everybody ... period ..
	ALL : ALL

hosts.allow should allow only known ip# and known users

> Mar 25 02:40:57 erin-and-malc sshd[26053]: refused connect from 82.158.1.17

good

> Mar 25 02:43:53 erin-and-malc kernel: request_module[net-pf-14]: 
> waitpid(26279,...) failed, errno 512

hehehe... :-)

> There are hundreds of these:
> Mar 25 02:40:48 erin-and-malc sshd[26038]: Could not reverse map address 
> 193.170.65.132.

good ... normal ...

> Access gained to a normal user:
> Mar 25 02:44:03 erin-and-malc newgrp[26309]: user `steve' switched to 
> group `steve'

seems odd ... but people do su to themselves after logging in

> Mar 25 02:47:42 erin-and-malc PAM_unix[26416]: Password for steve was 
> changed

good ... but was that the "real steve"
 
> Mar 25 05:02:04 erin-and-malc kernel: eth0: Promiscuous mode enabled.
> Mar 25 05:05:13 erin-and-malc kernel: eth0: Promiscuous mode enabled.

bad ....

.. that was fun .. but .. it'd be more fun to figure out who the script
   kiddie was


c ya
alvin
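The log excerpt quoted in this thread is a compact illustration of the indicators alvin walks through (password guessing against valid and system accounts, a password change shortly after a login, modprobe errors, and the NIC going promiscuous). The script below is an added example, not part of the mailing-list post; it parses those lines with a small syslog regex and turns them into findings a logcheck-style job could act on. The sample lines are taken from the excerpt above (one PAM line kept to show that unrelated lines are ignored), and the `SYSTEM_ACCOUNTS` list and the failure threshold are assumptions chosen for the example.

```python
"""Triage a syslog excerpt for the indicators discussed in the thread:
ssh password guessing, attempts against system accounts, password changes,
kernel module probing, and the NIC entering promiscuous mode.
Added example, not part of the original mailing-list post."""
import re
from collections import Counter, defaultdict

# Sample input taken from the log excerpt quoted in the thread.
SAMPLE_LOG = """\
Mar 25 02:23:12 erin-and-malc PAM_unix[24756]: authentication failure; (uid=0) -> backup for ssh service
Mar 25 02:23:14 erin-and-malc sshd[24756]: Failed password for backup from 193.170.65.132 port 4128 ssh2
Mar 25 02:24:26 erin-and-malc sshd[24884]: Failed password for erin from 193.170.65.132 port 5776 ssh2
Mar 25 02:40:48 erin-and-malc sshd[26038]: Could not reverse map address 193.170.65.132.
Mar 25 02:40:57 erin-and-malc sshd[26053]: refused connect from 82.158.1.17
Mar 25 02:43:53 erin-and-malc kernel: request_module[net-pf-14]: waitpid(26279,...) failed, errno 512
Mar 25 02:44:03 erin-and-malc newgrp[26309]: user `steve' switched to group `steve'
Mar 25 02:47:42 erin-and-malc PAM_unix[26416]: Password for steve was changed
Mar 25 05:02:04 erin-and-malc kernel: eth0: Promiscuous mode enabled.
Mar 25 05:05:13 erin-and-malc kernel: eth0: Promiscuous mode enabled.
"""

# Accounts that exist on a stock install but should never log in over ssh.
# Assumed list for this example, not taken from the thread.
SYSTEM_ACCOUNTS = {"root", "backup", "daemon", "bin", "sys", "games",
                   "mail", "www-data", "nobody"}

# Classic syslog layout: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
REFUSED_RE = re.compile(r"refused connect from (?P<ip>[\d.]+)")
PWCHANGE_RE = re.compile(r"Password for (?P<user>\S+) was changed")


def parse_line(line):
    """Split one syslog line into its fields, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, failure_threshold=2):
    """Return a dict of findings. failure_threshold is the number of failed
    ssh logins from one source address that we treat as password guessing."""
    failures = Counter()            # source ip -> failed attempts
    users_tried = defaultdict(set)  # source ip -> usernames tried
    findings = {
        "guessing_sources": [],        # (ip, attempts, users tried)
        "system_account_attempts": [], # (ip, system account name)
        "refused_connections": [],     # ips blocked by tcp wrappers
        "password_changes": [],        # (timestamp, user)
        "module_probe_errors": 0,      # request_module[...] failures
        "promisc_events": 0,           # "Promiscuous mode enabled"
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        prog, msg = rec["prog"], rec["msg"]
        if prog == "sshd":
            m = FAILED_RE.search(msg)
            if m:
                failures[m["ip"]] += 1
                users_tried[m["ip"]].add(m["user"])
                if m["user"] in SYSTEM_ACCOUNTS:
                    findings["system_account_attempts"].append((m["ip"], m["user"]))
                continue
            m = REFUSED_RE.search(msg)
            if m:
                findings["refused_connections"].append(m["ip"])
        elif prog == "PAM_unix":
            m = PWCHANGE_RE.search(msg)
            if m:
                findings["password_changes"].append((rec["ts"], m["user"]))
        elif prog == "kernel":
            if msg.startswith("request_module["):
                findings["module_probe_errors"] += 1
            elif "Promiscuous mode enabled" in msg:
                findings["promisc_events"] += 1
    for ip, n in failures.items():
        if n >= failure_threshold:
            findings["guessing_sources"].append((ip, n, sorted(users_tried[ip])))
    return findings


def severity(findings):
    """Rough ranking: promiscuous mode or module probing means someone is
    already root on the box; guessing alone means it is merely being scanned."""
    if findings["promisc_events"] or findings["module_probe_errors"]:
        return "compromised"
    if findings["guessing_sources"] or findings["system_account_attempts"]:
        return "under attack"
    return "clean"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", severity(result))
```

On the quoted excerpt the verdict is "compromised" because of the promiscuous-mode and module-probe lines, which is the same reading alvin gives: by the time those appear, the guessing phase is over and the intruder already has root.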



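Alvin's ssh advice comes in two pieces: hosts.deny set to `ALL : ALL` with hosts.allow naming only known addresses, and sshd accepting only a named user from a named host ("1.2.3.4 only and only as userJoe"). The checker below is an added example, not code from the thread; it reads the text of hosts.deny, hosts.allow and sshd_config and reports where they fall short of that. The weak and hardened configs at the bottom are constructed for illustration, the `SYSTEM_ACCOUNTS` set is an assumption, and the address test accepts only full IPv4 addresses or CIDR/netmask forms, so a wrappers prefix pattern such as `192.168.1.` is reported as too broad.

```python
"""Lint ssh access control the way alvin describes it: hosts.deny must
default-deny, hosts.allow must list specific client addresses for sshd,
and sshd_config must pin each allowed user to a source host (AllowUsers
user@host). Added example, not part of the original mailing-list post."""
import re

# Accounts that should never be ssh logins. Assumed list for this example.
SYSTEM_ACCOUNTS = {"root", "backup", "daemon", "bin", "sys", "games",
                   "mail", "www-data", "nobody"}

# Full IPv4 address, optionally with /prefix or /netmask.
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2}|/\d{1,3}(\.\d{1,3}){3})?$")


def _lines(text):
    """Yield non-empty lines with comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_wrappers(text):
    """Parse hosts.allow / hosts.deny into (daemon_list, client_list) pairs."""
    rules = []
    for line in _lines(text):
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def parse_allow_users(sshd_config):
    """Return the AllowUsers entries from sshd_config text, or None if absent."""
    entries = None
    for line in _lines(sshd_config):
        parts = line.split(None, 1)
        if parts[0].lower() == "allowusers":
            entries = parts[1].split() if len(parts) > 1 else []
    return entries


def lint(hosts_deny, hosts_allow, sshd_config):
    """Return a list of human-readable problems; an empty list means the
    three files match the default-deny, known-host, named-user policy."""
    problems = []
    if not any("ALL" in d and "ALL" in c for d, c in parse_wrappers(hosts_deny)):
        problems.append("hosts.deny: no 'ALL : ALL' default-deny rule")
    for daemons, clients in parse_wrappers(hosts_allow):
        if "sshd" in daemons or "ALL" in daemons:
            for c in clients:
                if c == "ALL" or not IPV4_RE.match(c):
                    problems.append(f"hosts.allow: sshd reachable from '{c}', not a specific address")
    allow_users = parse_allow_users(sshd_config)
    if allow_users is None:
        problems.append("sshd_config: no AllowUsers line, every account may try to log in")
    else:
        for entry in allow_users:
            user, _, host = entry.partition("@")
            if user in SYSTEM_ACCOUNTS:
                problems.append(f"sshd_config: system account '{user}' allowed to log in")
            if not host:
                problems.append(f"sshd_config: AllowUsers entry '{user}' not pinned to a source host")
    return problems


# Constructed configs: a wide-open setup beside the hardened one.
WEAK_DENY, WEAK_ALLOW, WEAK_SSHD = "", "sshd : ALL\n", "Port 22\n"
HARD_DENY = "ALL : ALL\n"
HARD_ALLOW = "sshd : 1.2.3.4\n"          # 1.2.3.4 is the example address from the thread
HARD_SSHD = "Port 22\nAllowUsers joe@1.2.3.4\n"

if __name__ == "__main__":
    for label, cfg in (("weak", (WEAK_DENY, WEAK_ALLOW, WEAK_SSHD)),
                       ("hardened", (HARD_DENY, HARD_ALLOW, HARD_SSHD))):
        print(f"{label}: {lint(*cfg) or 'ok'}")
```

The checker is deliberately stricter than tcp_wrappers itself: alvin's point is that an ssh listener reachable from any dynamic address is a standing invitation to the guessing seen in the logs, so anything short of an explicit address list is reported.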