
Re: Have I been hacked?



On Thursday 08 January 2015 21:53:45, Danny wrote:
> Hi guys,
> 
> So what I did was disable all startup scripts/servers/services and then
> enable only one at a time ... then I would reboot and wait and keep an eye
> on "/boot" (I deleted all randomly generated files, so I could see if a
> file was added or not, and it was also the only way I knew for certain
> that the culprit was active or not, hence that is how I could time it) ...
> 
> All went well until I enabled cron ... I checked all cron jobs and they
> all "look" normal ... here is an "ls" of my cron directories ...
> 
> ###########################################################################
> /etc/cron.d/
> anacron atop mrtg php5
> 
> /etc/cron.daily/
> anacron atop mrtg php5
> 
> /etc/cron.hourly/
> cron.sh sarg
> 
> /etc/cron.monthly
> 0anacron sarg
> 
> /etc/cron.weekly
> 0anacron apt-xapian-index man-db sarg
> ###########################################################################

Have a look at /etc/crontab. The file contains commands to be run by cron.

The directory /var/spool/cron/crontabs also contains users' cron jobs.

If anacron is installed, /etc/anacrontab may contain more jobs.


> Since I killed cron at bootup everything seems fine ... network is back to
> normal ...

I don't get the transition between the above paragraph (network is normal if 
cron is killed) and the below paragraph (troubles begin when network is up). 
Do you have any evidence that cron is triggering the attack or am I misreading 
your mail?

 
> However, as soon as my network was up and running I got attacked ...
> here is an excerpt of one of the fail2ban mails ...
> 
> ###########################################################################
> The IP 204.12.241.227 has just been banned by Fail2Ban after
> 3 attempts against ssh.
> 
> Jan  8 04:23:15 fever sshd[17406]: Connection from 204.12.241.227 port 38090 on 10.0.0.5 port 22
> Jan  8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 204.12.241.227
> Jan  8 04:23:17 fever sshd[17406]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227
> Jan  8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan from 204.12.241.227 port 38090 ssh2
> Jan  8 04:23:20 fever sshd[17406]: Received disconnect from 204.12.241.227: 11: Bye Bye [preauth]
> Jan  8 04:23:20 fever sshd[17408]: Connection from 204.12.241.227 port 39800 on 10.0.0.5 port 22
> Jan  8 04:23:22 fever sshd[17408]: Invalid user dff from 204.12.241.227
> Jan  8 04:23:23 fever sshd[17408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227
> Jan  8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 204.12.241.227 port 39800 ssh2
> ##########################################################################

The mail is sent because someone is brute force attacking your ssh server.

Not starting fail2ban or your mail server would suppress those mails but not 
the attack. Turning off ssh or the network would stop the attack though :-)

If your line of reasoning is to correlate the mail arrival with starting cron, 
then maybe cron is the last link required to make the fail2ban alert 
functional.

 
> What is interesting to me is the user in the above excerpt "zhangyan" ...
> Using a username that is unfamiliar to the western world tells me that
> whatever is on my system had to respond to this username, otherwise why
> would this guy use a username that only he is familiar with ... Other
> usernames that were used: 3D, ssht and ftfl ... Also, attempts were made
> from China, Hong Kong, Belgium and Canada ...

You cannot tell something is responding to that user name on your system based 
only on that fail2ban alert. On the contrary, the mail means fail2ban 
successfully thwarted that particular attempt.

Attackers can't know what names are valid login names unless they can find one 
by hacking into a legitimate user's computer or a user has posted their login on 
the net.

What hackers do instead is try a long list of possible login names 
collected on servers they have hacked in the past. That's the reason this 
particular bot was trying to log in with the "zhangyan" user name.

There is nothing to worry about unless you receive alerts about a valid login 
name.


 
> Currently my iptables looks like this ...
> 
> ###########################################################################
> 
> -A INPUT -p tcp -s 122.0.0.0/8 -j DROP
> -A INPUT -p tcp -s 61.0.0.0/8 -j DROP
> -A INPUT -p tcp -s 117.0.0.0/8 -j DROP
> -A INPUT -p tcp -s 103.0.0.0/8 -j DROP
> -A INPUT -p tcp -s 82.0.0.0/8 -j DROP
> -A INPUT -p tcp -s 204.0.0.0/8 -j DROP
> -A INPUT -p tcp -s 218.0.0.0/8 -j DROP
> ###########################################################################
> 
> As you can see ... I am already DROPping some of these IP's ... I just need
> something to block an ENTIRE country ...

You can't ban an entire country based on IPv4 addresses because the whole IPv4 
address space is heavily fragmented.

Besides, if your server is IPv6 capable, you need rules to ban addresses in 
that space too. By the way, fail2ban isn't blocking IPv6 attacks. They totally 
go unnoticed...

As for the country of origin, have a look at the real time attack map on the 
Norse site: http://map.ipviking.com/. Some countries tend to be more frequent 
attackers due to the number of computers they host but no country is devoid of 
hacked machines participating in the foray.

Frederic
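The cron locations Frederic lists above are easy to check by hand on one box, but when you are hunting for persistence it helps to pull every scheduled command from all of them at once and flag the usual tells (commands living in /tmp or /dev/shm, anything that touches /boot as in Danny's symptom, downloads piped into a shell). The script below is an added example for this thread, not code from the original mail: it reads /etc/crontab, /etc/cron.d, the per-user spool, /etc/anacrontab and the four run-parts directories, and also reports which files in the run-parts directories will never be executed because their names fail run-parts' default name filter (letters, digits, underscore and hyphen only, so a name containing a dot, such as cron.sh, is skipped). The crontab and anacrontab text used in the self-test is constructed.

```python
#!/usr/bin/env python3
"""Walk every location cron and anacron read jobs from on a Debian-style
box and flag commands with common persistence tells.

Added example for this thread, not code from the original mail.  The paths
are the ones named in the reply plus the run-parts directories; the crontab
text used in the self-test is constructed.
"""
import os
import re

SYSTEM_CRONTAB = "/etc/crontab"          # fields: schedule, user, command
CRON_D = "/etc/cron.d"                   # same format, one file per package
USER_SPOOL = "/var/spool/cron/crontabs"  # fields: schedule, command (file name = user)
ANACRONTAB = "/etc/anacrontab"           # fields: period, delay, job-id, command
RUN_PARTS_DIRS = ["/etc/cron.hourly", "/etc/cron.daily",
                  "/etc/cron.weekly", "/etc/cron.monthly"]
# run-parts(8) default name filter; files not matching it are skipped silently
RUN_PARTS_NAME = re.compile(r"^[a-zA-Z0-9_-]+$")

INDICATORS = [
    (re.compile(r"/(tmp|var/tmp|dev/shm)/"), "runs from a world-writable directory"),
    (re.compile(r"/boot/"), "touches /boot"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "pipes a download into a shell"),
    (re.compile(r"base64\s+(-d|--decode)"), "decodes base64 at run time"),
]


def parse_crontab(text, has_user_field, owner, source):
    """Yield (source, user, schedule, command) for each job line.
    Blank lines, comments and VAR=value assignments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue
        nsched = 1 if line.startswith("@") else 5   # @reboot/@daily vs. five fields
        extra = 1 if has_user_field else 0
        parts = line.split(None, nsched + extra)
        if len(parts) != nsched + extra + 1:
            yield (source, owner, "?", "MALFORMED: " + line)
            continue
        user = parts[nsched] if has_user_field else owner
        yield (source, user, " ".join(parts[:nsched]), parts[-1])


def parse_anacrontab(text, source=ANACRONTAB):
    """Yield (source, "root", "period/delay/job-id", command) from anacrontab text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            yield (source, "root", "?", "MALFORMED: " + line)
            continue
        yield (source, "root", "/".join(parts[:3]), parts[3])


def flag_reasons(command):
    """Indicator descriptions that match a command string (empty list = nothing odd)."""
    return [why for pat, why in INDICATORS if pat.search(command)]


def read(path):
    try:
        with open(path, errors="replace") as fh:
            return fh.read()
    except OSError:          # missing, or no permission (the spool needs root)
        return None


def collect_jobs():
    """Every job from every cron source on this host."""
    jobs = []
    text = read(SYSTEM_CRONTAB)
    if text is not None:
        jobs += parse_crontab(text, True, "root", SYSTEM_CRONTAB)
    for d, has_user in ((CRON_D, True), (USER_SPOOL, False)):
        for name in sorted(os.listdir(d)) if os.path.isdir(d) else []:
            path = os.path.join(d, name)
            text = read(path)
            if text is not None:
                jobs += parse_crontab(text, has_user, name, path)
    text = read(ANACRONTAB)
    if text is not None:
        jobs += parse_anacrontab(text)
    return jobs


def run_parts_audit(dirs=RUN_PARTS_DIRS):
    """(directory, name, will_run) for each file in the run-parts directories."""
    return [(d, n, bool(RUN_PARTS_NAME.match(n)))
            for d in dirs if os.path.isdir(d) for n in sorted(os.listdir(d))]


if __name__ == "__main__":
    for src, user, sched, cmd in collect_jobs():
        tags = flag_reasons(cmd)
        print(f"{src}: [{user}] {sched} :: {cmd}" + (f"   <-- {', '.join(tags)}" if tags else ""))
    for d, name, runs in run_parts_audit():
        print(f"{d}/{name}: {'run by run-parts' if runs else 'IGNORED by run-parts name filter'}")
```

Run it as root so the per-user spool is readable. The indicators are heuristics, not proof: a legitimate job can write to /tmp, and a clean listing does not rule out persistence that is not in cron at all (systemd timers, rc scripts, a modified binary that the real jobs call).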


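Frederic's advice on reading the fail2ban mails comes down to a triage rule: guesses at names that do not exist on the box are noise, failures against accounts that do exist deserve a look, and an accepted login from a source that was failing shortly before is the line that actually matters. The script below, an added example for this thread and not code from the original mail, applies that rule to sshd lines from auth.log and also reproduces fail2ban's basic maxretry/findtime decision so you can see which sources would have been banned. The sample log reuses the two guesses quoted above (zhangyan, dff, plus Danny's 3D) from 204.12.241.227 and adds constructed lines for the cases the thread does not show: failures against a real account from 198.51.100.7 followed by an accepted login, and a key login from 10.0.0.9. The account list used in the self-test is constructed; on a live host it is read from /etc/passwd.

```python
#!/usr/bin/env python3
"""Triage sshd auth-log lines: nonexistent-name guesses are noise, failures
against real accounts deserve a look, an accepted login after failures from
the same source is the one to chase.

Added example for this thread, not code from the original mail.  The sample
log mixes the two guesses quoted in the thread with constructed lines; the
account set is constructed.  Usage on a live box:
    python3 ssh_triage.py /var/log/auth.log
"""
import re
import sys
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jan  8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 204.12.241.227
Jan  8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan from 204.12.241.227 port 38090 ssh2
Jan  8 04:23:22 fever sshd[17408]: Invalid user dff from 204.12.241.227
Jan  8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 204.12.241.227 port 39800 ssh2
Jan  8 04:23:29 fever sshd[17410]: Failed password for invalid user 3D from 204.12.241.227 port 40102 ssh2
Jan  8 04:25:01 fever sshd[17440]: Failed password for danny from 198.51.100.7 port 50110 ssh2
Jan  8 04:25:09 fever sshd[17440]: Failed password for danny from 198.51.100.7 port 50110 ssh2
Jan  8 04:25:30 fever sshd[17452]: Accepted password for danny from 198.51.100.7 port 50122 ssh2
Jan  8 04:26:00 fever sshd[17470]: Accepted publickey for root from 10.0.0.9 port 41000 ssh2
"""
SAMPLE_USERS = {"root", "danny", "www-data"}   # constructed stand-in for /etc/passwd

STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def local_users(passwd_path="/etc/passwd"):
    """Account names on this host."""
    with open(passwd_path) as fh:
        return {line.split(":", 1)[0] for line in fh if ":" in line}


def seconds(line):
    """Syslog timestamp as seconds from an arbitrary epoch (the year is not logged)."""
    m = STAMP.match(line)
    if not m:
        return None
    dt = datetime.strptime(m.group(1), "%b %d %H:%M:%S")   # year defaults to 1900
    return (dt - datetime(1900, 1, 1)).total_seconds()


def would_ban(times, maxretry=3, findtime=600):
    """fail2ban-style decision: maxretry failures inside a findtime-second window."""
    times = sorted(times)
    return any(times[i + maxretry - 1] - times[i] <= findtime
               for i in range(len(times) - maxretry + 1))


def triage(lines, users):
    """Per source IP: failures on nonexistent names, failures on real accounts,
    accepted logins, failure timestamps and the names tried."""
    per_ip = defaultdict(lambda: {"invalid": 0, "existing": 0, "accepted": [],
                                  "times": [], "names": set()})
    for line in lines:
        m = FAILED.search(line)
        if m:
            marked_invalid, user, ip = m.groups()
            rec = per_ip[ip]
            rec["names"].add(user)
            rec["times"].append(seconds(line))
            # sshd tags names that do not exist; the account list is a second check
            if marked_invalid or user not in users:
                rec["invalid"] += 1
            else:
                rec["existing"] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            per_ip[ip]["accepted"].append((method, user))
    return dict(per_ip)


def verdict(rec):
    """One-line reading of a source, worst case first."""
    if rec["accepted"] and (rec["invalid"] or rec["existing"]):
        return "INVESTIGATE: failures followed by an accepted login from the same source"
    if rec["accepted"]:
        return "accepted login: confirm it was you"
    if rec["existing"]:
        return "probing accounts that exist here: check those passwords"
    return "noise: nonexistent names only"


def report(lines, users):
    """(ip, verdict, would_ban) rows with the noise sorted last."""
    rows = [(ip, verdict(rec), would_ban([t for t in rec["times"] if t is not None]))
            for ip, rec in triage(lines, users).items()]
    return sorted(rows, key=lambda r: r[1].startswith("noise"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines, users = fh.read().splitlines(), local_users()
    else:
        lines, users = SAMPLE_LOG.splitlines(), SAMPLE_USERS
    for ip, what, ban in report(lines, users):
        print(f"{ip:16} {'BAN ' if ban else '    '} {what}")
```

With the sample input the 204.12.241.227 source comes out as noise that fail2ban would have banned, which is exactly what Danny's mail reports, while the constructed 198.51.100.7 source is the pattern worth chasing: two failures on an account that exists, then success. On a real auth.log, treat every accepted login from an address you do not recognise as the starting point, not the fail2ban mails.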