
Re: Have I been hacked?



On Thursday, 8 January 2015, 14:20:27 Jerry Stuckle wrote:
> As for the attacks - I've seen a big uptake in the attacks over the last
> couple of weeks.  The worst I've seen is > 100 IP's locked out in one 24
> hour period.  They are coming from all over the world, although since
> there are a lot of proxies (many of them from trojans/viruses installed
> on unsuspecting machines), there's no easy way to tell what the real
> origins are.

I don't see much going on, but this one from auth.log is amusing:

Jan  8 04:44:17 mondschein sshd[28806]: Bad protocol version identification 
'GET http://s1.bdstatic.com/r/www/cache[…; no spam on this list …] HTTP/1.1' 
from 125.64.35.67
Jan  8 04:44:48 mondschein sshd[28808]: Set /proc/self/oom_score_adj to 0
Jan  8 04:44:48 mondschein sshd[28808]: Connection from 125.64.35.67 port 
40044
Jan  8 04:44:48 mondschein sshd[28808]: Bad protocol version identification 

This one is coming from China:

martin@merkaba:~> geoiplookup 125.64.35.67
GeoIP Country Edition: CN, China

And of course not in DNS properly:

martin@merkaba:~> host 125.64.35.67
Host 67.35.64.125.in-addr.arpa. not found: 3(NXDOMAIN)

From the network of a Chinese telecommunication company:

martin@merkaba:~#1> whois 125.64.35.67
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '125.64.0.0 - 125.71.255.255'

inetnum:        125.64.0.0 - 125.71.255.255
netname:        CHINANET-SC
descr:          CHINANET Sichuan province network
descr:          China Telecom
descr:          A12,Xin-Jie-Kou-Wai Street
descr:          Beijing 100088
country:        CN
admin-c:        CH93-AP
tech-c:         CS408-AP
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-SC
mnt-routes:     MAINT-CHINANET-SC
status:         ALLOCATED PORTABLE
[…]

Ah, nice:

remarks:        send abuse reports to scip[…]

But whether it's worth the time? I am not sure whether this is really an 
attack; it could be some quite confused software application. They are doing 
this repeatedly.

Just as an example of how you can try to have someone go after the attacker.

I have SSH running on a different port and it seems still that most attackers 
do not seem to afford port scans. And no, I don't rely on it for security. But 
for now, it still keeps my logs clean.

Ah, and I have some attempts to login into Dovecot:

mondschein:~> egrep -v "(postfix|lda|martin|some|more|known|usernames)" 
/var/log/mail.log
[…]
Jan  7 10:18:29 mondschein dovecot: pop3-login: Disconnected (tried to use 
disallowed plaintext auth): user=<>, rip=185.49.12.120, lip=[…]
Jan  7 22:06:49 mondschein dovecot: pop3-login: Disconnected (tried to use 
disallowed plaintext auth): user=<>, rip=185.49.12.120, lip=[…]
Jan  8 09:56:19 mondschein dovecot: pop3-login: Disconnected (tried to use 
disallowed plaintext auth): user=<>, rip=185.49.12.120, lip=[…]
Jan  8 21:43:45 mondschein dovecot: pop3-login: Disconnected (tried to use 
disallowed plaintext auth): user=<>, rip=185.49.12.120, lip=[…]


Okay, this one is from Poland.

martin@merkaba:~> host 185.49.12.120       
120.12.49.185.in-addr.arpa domain name pointer 185a49b12c120.greendata.pl.
martin@merkaba:~> geoiplookup 185.49.12.120
GeoIP Country Edition: PL, Poland
martin@merkaba:~> host 185.49.12.120       
120.12.49.185.in-addr.arpa domain name pointer 185a49b12c120.greendata.pl.
martin@merkaba:~> whois 185.49.12.120      
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '185.49.12.0 - 185.49.12.255'

% Abuse contact for '185.49.12.0 - 185.49.12.255' is '[…]

inetnum:        185.49.12.0 - 185.49.12.255
netname:        WITRYNA-PL-NET-1
descr:          Hosting services
remarks:        INFRA-AW
geoloc:         52.40831540563876 16.934303481487177
country:        PL
admin-c:        WRAD1-RIPE
[…]
abuse-mailbox:  abuse@[…]


Now I would also need to check the apache logs as well for a complete picture, and 
well, that one is the one with the highest likelihood of a successful attack as 
I have some PHP stuff installed.

> Just ensure you're using good security practices - don't allow root
> login, use long, random passwords, etc.  I also use a random character
> strings for the login ids, as well as passwords  - just one more thing
> for the hackers to have to figure out how to get around.

Only allow SSH key based logins. Of course, only after you copied a public key 
onto the machine with ssh-copy-id.

And have SSH keys with *strong* passphrases, to protect against someone 
stealing your key. Use ssh-agent wisely only on trusted machines.

Ciao,
-- 
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA  B82F 991B EAAC A599 84C7
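As an added example (not part of Martin's mail), a small Python script that pulls the remote addresses out of the two kinds of log lines shown above, the sshd "Bad protocol version identification" entries and Dovecot's "disallowed plaintext auth" disconnects, counts repeat offenders per address, and builds the in-addr.arpa name that `host` resolves for the reverse lookup. The sample log lines are constructed to resemble the excerpts; hostnames, PIDs and the lip= values are made up.

```python
import re
from collections import Counter

# Constructed sample, modelled on the auth.log and mail.log excerpts in the post
# (hostnames, PIDs and lip= values are made up; the two remote IPs are the post's).
SAMPLE_LOG = """\
Jan  8 04:44:17 mondschein sshd[28806]: Bad protocol version identification 'GET http://example.invalid/x HTTP/1.1' from 125.64.35.67
Jan  8 04:44:48 mondschein sshd[28808]: Connection from 125.64.35.67 port 40044
Jan  8 04:44:48 mondschein sshd[28808]: Bad protocol version identification '' from 125.64.35.67
Jan  7 10:18:29 mondschein dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=185.49.12.120, lip=192.0.2.10
Jan  8 09:56:19 mondschein dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=185.49.12.120, lip=192.0.2.10
Jan  8 12:00:00 mondschein sshd[29000]: Accepted publickey for martin from 192.0.2.50 port 51000 ssh2
"""

# One pattern per "noise" event the post shows; each names the remote address group 'ip'.
PATTERNS = {
    "sshd-bad-version": re.compile(
        r"sshd\[\d+\]: Bad protocol version identification .*? from (?P<ip>[\d.]+)$"),
    "dovecot-plaintext": re.compile(
        r"dovecot: \w+-login: Disconnected \(tried to use disallowed plaintext auth\)"
        r".*?\brip=(?P<ip>[\d.]+)"),
}

def parse_events(text):
    """Return (kind, ip) tuples for every line matching one of PATTERNS."""
    events = []
    for line in text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                events.append((kind, m.group("ip")))
                break  # one event per line
    return events

def count_by_ip(events):
    """Count events per remote address, regardless of which service logged them."""
    return Counter(ip for _, ip in events)

def repeat_offenders(events, threshold=2):
    """Addresses seen at least `threshold` times, most frequent first."""
    return [(ip, n) for ip, n in count_by_ip(events).most_common() if n >= threshold]

def reverse_name(ip):
    """Build the in-addr.arpa name `host` queries, e.g. 67.35.64.125.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

if __name__ == "__main__":
    for ip, n in repeat_offenders(parse_events(SAMPLE_LOG)):
        print(f"{ip:16} {n:3} events  (PTR name: {reverse_name(ip)})")
```

The accepted publickey login is deliberately not matched, so only the noise the post talks about ends up in the count.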