
Re: Have I been hacked?

Hi guys,

My apologies for replying a little late ...

It was an absolute struggle getting things to work just so that I can give more
information about the intrusion. I narrowed it down to cron ... What would
happen is this ... After a boot the network would work fine but would start
degrading at different times ... sometimes after 5 minutes, sometime after a
longer period of time ...

So what I did was disable all startup scripts/servers/services and then
enable only one at a time ... then I would reboot and wait and keep an eye on
"/boot" (I deleted all randomly generated files, so I could see if a file was
added or not, and it was also the only way I knew for certain that the culprit
was active or not, hence that is how I could time it) ...

All went well until I enabled cron ... I checked all cron jobs and they all
"look" normal ... here is an "ls" of my cron directories ...

###################################################################################################
/etc/cron.d/
anacron atop mrtg php5

/etc/cron.daily/
anacron atop mrtg php5

/etc/cron.hourly/
cron.sh sarg 

/etc/cron.monthly/
0anacron sarg

/etc/cron.weekly/
0anacron apt-xapian-index man-db sarg
###################################################################################################

For those of you who asked ... here is

###################################################################################################
file -k
bxerzoalfk: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
###################################################################################################

and 

###################################################################################################
grep -ir
Binary file kvvcqvddix matches
Binary file aknaykocbs matches
Binary file bxerzoalfk matches
Binary file isrgzlchmx matches
Binary file ryrfvxjggh matches
Binary file wevzubbsgn matches
grub/grub.cfg:# from /etc/grub.d and settings from /etc/default/grub
grub/grub.cfg:### BEGIN /etc/grub.d/00_header ###
grub/grub.cfg:### END /etc/grub.d/00_header ###
grub/grub.cfg:### BEGIN /etc/grub.d/05_debian_theme ###
grub/grub.cfg:### END /etc/grub.d/05_debian_theme ###
grub/grub.cfg:### BEGIN /etc/grub.d/10_linux ###
grub/grub.cfg:### END /etc/grub.d/10_linux ###
grub/grub.cfg:### BEGIN /etc/grub.d/20_linux_xen ###
grub/grub.cfg:### END /etc/grub.d/20_linux_xen ###
grub/grub.cfg:### BEGIN /etc/grub.d/30_os-prober ###
grub/grub.cfg:### END /etc/grub.d/30_os-prober ###
grub/grub.cfg:### BEGIN /etc/grub.d/40_custom ###
grub/grub.cfg:### END /etc/grub.d/40_custom ###
grub/grub.cfg:### BEGIN /etc/grub.d/41_custom ###
grub/grub.cfg:### END /etc/grub.d/41_custom ###
Binary file esijfkmwnd matches
Binary file cwpgfmvkrk matches
Binary file gyimenpwnt matches
Binary file fndswijgdk matches
Binary file rfjmdtlsoj matches
Binary file zfmpizunja matches
Binary file zkdjlvhuui matches
Binary file hutaslspbf matches
Binary file dkseypedtx matches
Binary file hjmmvaxfzq matches
Binary file izytxsbskq matches
Binary file czhlgmsgzh matches
Binary file ttqssdikcn matches
Binary file xjeemjyuly matches
###################################################################################################

Since I killed cron at bootup everything seems fine ... network is back to
normal ... 

However, as soon as my network was up and running I got attacked ...
here is an excerpt of one of the fail2ban mails ...

###################################################################################################
The IP 204.12.241.227 has just been banned by Fail2Ban after
3 attempts against ssh.

Jan  8 04:23:15 fever sshd[17406]: Connection from 204.12.241.227 port 38090 on 10.0.0.5 port 22
Jan  8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 204.12.241.227
Jan  8 04:23:17 fever sshd[17406]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227 
Jan  8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan from 204.12.241.227 port 38090 ssh2
Jan  8 04:23:20 fever sshd[17406]: Received disconnect from 204.12.241.227: 11: Bye Bye [preauth]
Jan  8 04:23:20 fever sshd[17408]: Connection from 204.12.241.227 port 39800 on 10.0.0.5 port 22
Jan  8 04:23:22 fever sshd[17408]: Invalid user dff from 204.12.241.227
Jan  8 04:23:23 fever sshd[17408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227 
Jan  8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 204.12.241.227 port 39800 ssh2
###################################################################################################

What is interesting to me is the user in the above excerpt "zhangyan" ...
Using a username that is unfamiliar to the Western world tells me that
whatever is on my system had to respond to this username otherwise why would
this guy use a username that only he is familiar with ... Other usernames that
were used: 3D, ssht and ftfl ... Also, attempts were made from China, Hong Kong,
Belgium and Canada ...

Anyway, I have decided to get new hardware and do a clean install of everything
... as many of you have suggested ...

However, as I fly a lot internationally, is there a way I can temporarily block
these countries' IPs for a few days at most until I have enough time on
hand to do a fresh install ...

Currently my iptables looks like this ...

###################################################################################################
*nat
:PREROUTING ACCEPT [73562:7321518]
:INPUT ACCEPT [26916:2177387]
:OUTPUT ACCEPT [80090:6554227]
:POSTROUTING ACCEPT [0:0]
#For squid to reroute HTTP traffic to port 80
-A PREROUTING -s 10.0.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.5:3128
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [5927:1484640]
:FORWARD ACCEPT [1571:107578]
:OUTPUT ACCEPT [4983:1212852]
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -i eth1 -o wlan0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 122.0.0.0/8 -j DROP
-A INPUT -p tcp -s 61.0.0.0/8 -j DROP
-A INPUT -p tcp -s 117.0.0.0/8 -j DROP
-A INPUT -p tcp -s 103.0.0.0/8 -j DROP
-A INPUT -p tcp -s 82.0.0.0/8 -j DROP
-A INPUT -p tcp -s 204.0.0.0/8 -j DROP
-A INPUT -p tcp -s 218.0.0.0/8 -j DROP
COMMIT
###################################################################################################

As you can see ... I am already DROPping some of these IPs ... I just need
something to block an ENTIRE country ...

Thank you ... and thanks to everyone replying ... I appreciate it ...

Danny
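An added example, not from the original post or anyone in the thread, that automates the /boot check described in the message above: it lists the regular files in a directory whose content starts with the ELF magic and separates those with a ten-lowercase-letter name (the pattern every name in the posted grep output follows) from other ELF files worth a second look. It also reads the ELF class and byte order from the identification header, which is the "32-bit LSB" part of the posted `file -k` output. The name pattern, the constructed sample directory and the memtest86+.elf file name are assumptions of the example, not something the post reports.

```python
"""Find random-named ELF binaries in a directory such as /boot.

Added example, not from the original post. It automates the poster's
manual check: report regular files whose content starts with the ELF
magic, split into those with a ten-letter random-looking name (like the
bxerzoalfk that `file -k` described) and other ELF files worth a look.
The name pattern and the ELF-only focus are assumptions of this example.
"""
import os
import re
import stat
import sys
import tempfile

ELF_MAGIC = b"\x7fELF"
# Assumption: the dropper used exactly ten lowercase ASCII letters per file,
# as every name in the poster's grep output does.
RANDOM_NAME = re.compile(r"^[a-z]{10}$")


def describe_elf(path):
    """Return {'bits': 32|64, 'endian': 'LSB'|'MSB'} from e_ident, or None if not ELF."""
    try:
        with open(path, "rb") as fh:
            ident = fh.read(16)
    except OSError:
        return None
    if len(ident) < 16 or ident[:4] != ELF_MAGIC:
        return None
    return {"bits": {1: 32, 2: 64}.get(ident[4], 0),
            "endian": {1: "LSB", 2: "MSB"}.get(ident[5], "?")}


def scan_dir(directory):
    """Classify top-level regular files in directory (no recursion, symlinks skipped)."""
    result = {"suspicious": [], "other_elf": []}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        info = describe_elf(path)
        if info is None:
            continue
        entry = {"name": name, "mtime": int(st.st_mtime), **info}
        bucket = "suspicious" if RANDOM_NAME.match(name) else "other_elf"
        result[bucket].append(entry)
    return result


def make_sample_dir():
    """Build a constructed stand-in for /boot in a temporary directory."""
    base = tempfile.mkdtemp(prefix="boot-sample-")
    # Constructed 16-byte e_ident for ELF32 LSB (class=1, data=1, version=1).
    elf32_lsb = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\0" * 8
    files = {
        "bxerzoalfk": elf32_lsb + b"\0" * 48,       # random-named ELF, as in the post
        "memtest86+.elf": elf32_lsb + b"\0" * 48,   # ELF with a non-random name (assumed name)
        "grub.cfg": b"### BEGIN /etc/grub.d/00_header ###\n",
        "vmlinuz-sample": b"\0" * 64,               # non-ELF placeholder for a kernel image
    }
    for name, data in files.items():
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(data)
    return base


def demo():
    """Scan the constructed sample directory."""
    return scan_dir(make_sample_dir())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/boot"
    report = scan_dir(target)
    for entry in report["suspicious"]:
        print("SUSPICIOUS", entry)
    for entry in report["other_elf"]:
        print("other ELF", entry)
```

Run it as `python3 scan_boot.py /boot` after each reboot during the one-service-at-a-time test, and record the mtime of any hit, since that is what times the culprit. A check run on the compromised host can be defeated by a kernel-level rootkit that hides files, so the more trustworthy run is against the disk mounted from a clean system.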

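The sshd lines in the fail2ban mail and the question about blocking whole address ranges, as an added example that is not part of the original post: it parses "Failed password" lines, counts attempts per source address, matches each address against a small prefix list, and emits the `ipset restore` input and `iptables` commands that would drop SSH traffic from those prefixes. The log lines beyond the posted excerpt, the prefix lists, their labels and the 3-attempt threshold are constructed for the example; a real country block would load registry-derived prefix lists into the same kind of hash:net sets, which is the scalable replacement for the per-/8 DROP rules in the posted config.

```python
"""Summarise sshd brute-force attempts and generate ipset/iptables block rules.

Added example, not from the original post. Every address range, label and
threshold below is constructed for illustration.
"""
import ipaddress
import re

# Constructed sample: the posted fail2ban excerpt plus three made-up lines
# (a third attempt from the same host, a root attempt from a TEST-NET
# address, and one legitimate key login that must not be counted).
SAMPLE_LOG = """\
Jan  8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 204.12.241.227
Jan  8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan from 204.12.241.227 port 38090 ssh2
Jan  8 04:23:22 fever sshd[17408]: Invalid user dff from 204.12.241.227
Jan  8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 204.12.241.227 port 39800 ssh2
Jan  8 04:23:29 fever sshd[17410]: Failed password for invalid user 3D from 204.12.241.227 port 40122 ssh2
Jan  8 04:25:01 fever sshd[17412]: Failed password for root from 192.0.2.77 port 50122 ssh2
Jan  8 04:25:05 fever sshd[17413]: Accepted publickey for danny from 10.0.0.23 port 41000 ssh2
"""

FAILED = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# Constructed prefix lists. A real country block loads thousands of
# registry-derived prefixes per set; the labels here are not country claims.
BLOCKLISTS = {
    "blocklist-1": ["204.12.240.0/20"],
    "blocklist-2": ["192.0.2.0/24"],
}
NETWORKS = {label: [ipaddress.ip_network(p) for p in prefixes]
            for label, prefixes in BLOCKLISTS.items()}


def parse_failures(log_text):
    """Map source IP -> list of usernames from 'Failed password' lines."""
    attempts = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            attempts.setdefault(m.group(2), []).append(m.group(1))
    return attempts


def match_block(ip):
    """Label of the first list containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for label, nets in NETWORKS.items():
        if any(addr in net for net in nets):
            return label
    return None


def summarise(log_text, threshold=3):
    """One row per attacking address: count, usernames, matching list, ban verdict."""
    rows = []
    for ip, users in parse_failures(log_text).items():
        rows.append({
            "ip": ip,
            "attempts": len(users),
            "users": sorted(set(users)),
            "block": match_block(ip),
            "ban": len(users) >= threshold,  # same trigger as the poster's fail2ban (3 attempts)
        })
    return rows


def ipset_restore_script(blocklists):
    """Input for `ipset restore`: one hash:net set per label, one add per prefix."""
    lines = []
    for label, prefixes in blocklists.items():
        lines.append(f"create {label} hash:net")
        lines.extend(f"add {label} {prefix}" for prefix in prefixes)
    return "\n".join(lines) + "\n"


def iptables_rules(blocklists, port=22):
    """iptables commands dropping inbound TCP to `port` from any prefix in each set.
    -I inserts at the top of INPUT so the rule precedes existing ACCEPT rules."""
    return [f"iptables -I INPUT -p tcp --dport {port} -m set --match-set {label} src -j DROP"
            for label in blocklists]


if __name__ == "__main__":
    for row in summarise(SAMPLE_LOG):
        print(row)
    print(ipset_restore_script(BLOCKLISTS), end="")
    print("\n".join(iptables_rules(BLOCKLISTS)))
```

Feed the generated text to `ipset restore` and then run the printed iptables commands. ipset sets live in kernel memory, so they vanish at reboot unless saved with `ipset save`, which suits a block meant to last only a few days; `ipset destroy <label>` removes one early, after deleting the matching iptables rule.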
