
Re: Have I been hacked?



On 1/8/2015 3:53 PM, Danny wrote:
> Hi guys,
> 
> My apologies for replying a little late ...
> 
> It was an absolute struggle getting things to work just so that I can give more
> information about the intrusion. I narrowed it down to cron ... What would
> happen is this ... After a boot the network would work fine but would start
> degrading at different times ... sometimes after 5 minutes, sometimes after a
> longer period of time ...
> 
> So what I did was disable all startup scripts/servers/services and then
> enable only one at a time ... then I would reboot and wait and keep an eye on
> "/boot" (I deleted all randomly generated files, so I could see if a file was
> added or not, and it was also the only way I knew for certain that the culprit
> was active or not, hence that is how I could time it) ...
> 
> All went well until I enabled cron ... I checked all cron jobs and they all
> "look" normal ... here is an "ls" of my cron directories ...
> 
> ###################################################################################################
> /etc/cron.d/
> anacron atop mrtg php5
> 
> /etc/cron.daily/
> anacron atop mrtg php5
> 
> /etc/cron.hourly/
> cron.sh sarg 
> 
> /etc/cron.monthly
> 0anacron sarg
> 
> /etc/cron.weekly
> 0anacron apt-xapian-index man-db sarg
> ###################################################################################################
> 
> For those of you who asked ... here is 
> 
> ###################################################################################################
> file -k
> bxerzoalfk: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
> ###################################################################################################
> 
> and 
> 
> ###################################################################################################
> grep -ir
> Binary file kvvcqvddix matches
> Binary file aknaykocbs matches
> Binary file bxerzoalfk matches
> Binary file isrgzlchmx matches
> Binary file ryrfvxjggh matches
> Binary file wevzubbsgn matches
> grub/grub.cfg:# from /etc/grub.d and settings from /etc/default/grub
> grub/grub.cfg:### BEGIN /etc/grub.d/00_header ###
> grub/grub.cfg:### END /etc/grub.d/00_header ###
> grub/grub.cfg:### BEGIN /etc/grub.d/05_debian_theme ###
> grub/grub.cfg:### END /etc/grub.d/05_debian_theme ###
> grub/grub.cfg:### BEGIN /etc/grub.d/10_linux ###
> grub/grub.cfg:### END /etc/grub.d/10_linux ###
> grub/grub.cfg:### BEGIN /etc/grub.d/20_linux_xen ###
> grub/grub.cfg:### END /etc/grub.d/20_linux_xen ###
> grub/grub.cfg:### BEGIN /etc/grub.d/30_os-prober ###
> grub/grub.cfg:### END /etc/grub.d/30_os-prober ###
> grub/grub.cfg:### BEGIN /etc/grub.d/40_custom ###
> grub/grub.cfg:### END /etc/grub.d/40_custom ###
> grub/grub.cfg:### BEGIN /etc/grub.d/41_custom ###
> grub/grub.cfg:### END /etc/grub.d/41_custom ###
> Binary file esijfkmwnd matches
> Binary file cwpgfmvkrk matches
> Binary file gyimenpwnt matches
> Binary file fndswijgdk matches
> Binary file rfjmdtlsoj matches
> Binary file zfmpizunja matches
> Binary file zkdjlvhuui matches
> Binary file hutaslspbf matches
> Binary file dkseypedtx matches
> Binary file hjmmvaxfzq matches
> Binary file izytxsbskq matches
> Binary file czhlgmsgzh matches
> Binary file ttqssdikcn matches
> Binary file xjeemjyuly matches
> ###################################################################################################
> 
> Since I killed cron at bootup everything seems fine ... network is back to
> normal ... 
> 
> However, as soon as my network was up and running I got attacked ...
> here is an excerpt of one of the fail2ban mails ...
> 
> ###################################################################################################
> The IP 204.12.241.227 has just been banned by Fail2Ban after
> 3 attempts against ssh.
> 
> Jan  8 04:23:15 fever sshd[17406]: Connection from 204.12.241.227 port 38090 on 10.0.0.5 port 22
> Jan  8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 204.12.241.227
> Jan  8 04:23:17 fever sshd[17406]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227 
> Jan  8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan from 204.12.241.227 port 38090 ssh2
> Jan  8 04:23:20 fever sshd[17406]: Received disconnect from 204.12.241.227: 11: Bye Bye [preauth]
> Jan  8 04:23:20 fever sshd[17408]: Connection from 204.12.241.227 port 39800 on 10.0.0.5 port 22
> Jan  8 04:23:22 fever sshd[17408]: Invalid user dff from 204.12.241.227
> Jan  8 04:23:23 fever sshd[17408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227 
> Jan  8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 204.12.241.227 port 39800 ssh2
> ###################################################################################################
> 
> What is interesting to me is the user in the above excerpt "zhangyan" ...
> By using a username that is unfamiliar to the western world tells me that
> whatever is on my system had to respond to this username otherwise why would
> this guy use a username that only he is familiar with ... Other usernames that
> were used: 3D, ssht and ftfl ... Also, attempts were made from China, Hong Kong,
> Belgium and Canada ...
> 
> Anyway, I have decided to get new hardware and do a clean install of everything
> ... as many of you have suggested ...
> 
> However, as I fly a lot internationally, is there a way I can temporarily block
> these countries' IPs for a few days at most until I have enough time on
> hand to do a fresh install ...
> 
> Currently my iptables looks like this ...
> 
> ###################################################################################################
> *nat
> :PREROUTING ACCEPT [73562:7321518]
> :INPUT ACCEPT [26916:2177387]
> :OUTPUT ACCEPT [80090:6554227]
> :POSTROUTING ACCEPT [0:0]
> #For squid to reroute HTTP traffic to port 80
> -A PREROUTING -s 10.0.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.5:3128
> -A POSTROUTING -j MASQUERADE
> COMMIT
> *filter
> :INPUT ACCEPT [5927:1484640]
> :FORWARD ACCEPT [1571:107578]
> :OUTPUT ACCEPT [4983:1212852]
> -A INPUT -i eth1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A FORWARD -s 10.0.0.0/24 -i eth1 -o wlan0 -m conntrack --ctstate NEW -j ACCEPT
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -s 122.0.0.0/8 -j DROP
> -A INPUT -p tcp -s 61.0.0.0/8 -j DROP
> -A INPUT -p tcp -s 117.0.0.0/8 -j DROP
> -A INPUT -p tcp -s 103.0.0.0/8 -j DROP
> -A INPUT -p tcp -s 82.0.0.0/8 -j DROP
> -A INPUT -p tcp -s 204.0.0.0/8 -j DROP
> -A INPUT -p tcp -s 218.0.0.0/8 -j DROP
> COMMIT
> ###################################################################################################
> 
> As you can see ... I am already DROPping some of these IPs ... I just need
> something to block an ENTIRE country ...
> 
> Thank you ... and thanks to everyone replying ... I appreciate it ...
> 
> Danny
> 
> 

Danny,

If you want to inspect further, I would suggest you look at each of the
jobs being run.  See if they are what you expect them to be.  Also check
your /etc/crontab and /etc/anacrontab to see what is in them.

As for the attacks - I've seen a big uptake in the attacks over the last
couple of weeks.  The worst I've seen is > 100 IPs locked out in one 24
hour period.  They are coming from all over the world, although since
there are a lot of proxies (many of them from trojans/viruses installed
on unsuspecting machines), there's no easy way to tell what the real
origins are.

I have permanently blocked the IP ranges of some of the worst offenders,
but the only real way to stop it is to take your machine off the
internet completely.

Just ensure you're using good security practices - don't allow root
login, use long, random passwords, etc.  I also use random character
strings for the login ids, as well as passwords - just one more thing
for the hackers to have to figure out how to get around.

And finally, keep an eye on your logs!  I use logcheck to filter out the
normal stuff and email me every day the abnormal stuff.  Of course this
is no good if someone gets in and cleans your logs out - but it does
show all the attempts to hack the system without having to wade through
all the normal stuff.

Jerry
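As an added example, not code from either message in this thread: a small parser for the sshd lines of the kind shown in the fail2ban excerpt above. It counts failed logins per source address the way fail2ban's maxretry threshold does, and separately lists the names that sshd itself logged as "Invalid user", i.e. accounts that do not exist on the host. The hostname, PIDs and addresses in the sample are constructed (192.0.2.0/24 is documentation space).

```python
import re
from collections import defaultdict

# Constructed sample, patterned on the sshd log format quoted in the thread.
SAMPLE_LOG = """\
Jan  8 04:23:15 fever sshd[17406]: Connection from 192.0.2.10 port 38090 on 10.0.0.5 port 22
Jan  8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 192.0.2.10
Jan  8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan from 192.0.2.10 port 38090 ssh2
Jan  8 04:23:22 fever sshd[17408]: Invalid user dff from 192.0.2.10
Jan  8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 192.0.2.10 port 39800 ssh2
Jan  8 04:23:31 fever sshd[17411]: Failed password for invalid user 3D from 192.0.2.10 port 40122 ssh2
Jan  8 04:25:02 fever sshd[17420]: Failed password for danny from 192.0.2.55 port 51000 ssh2
Jan  8 04:25:09 fever sshd[17421]: Accepted password for danny from 192.0.2.55 port 51002 ssh2
"""

# "invalid user " is present only when the account does not exist locally.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)$")


def failed_logins(log_text):
    """Map source IP -> usernames that failed a password, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            hits[m.group("ip")].append(m.group("user"))
    return dict(hits)


def ban_candidates(log_text, maxretry=3):
    """Source IPs whose failure count reaches the maxretry threshold (fail2ban style)."""
    return sorted(ip for ip, users in failed_logins(log_text).items()
                  if len(users) >= maxretry)


def invalid_users(log_text):
    """Usernames sshd rejected as nonexistent accounts, deduplicated and sorted."""
    return sorted({m.group("user") for line in log_text.splitlines()
                   for m in [INVALID.search(line)] if m})


if __name__ == "__main__":
    print("ban:", ban_candidates(SAMPLE_LOG))
    print("nonexistent accounts tried:", invalid_users(SAMPLE_LOG))
```

The same functions can be pointed at /var/log/auth.log to get the daily summary Jerry describes, with the caveat he gives: an intruder who has cleaned the logs leaves nothing for this to find.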
