Web Server forum
    I've been hacked, found mldonkey running  
General Schvantzkoph




 
10-04-04 11:03 PM

I'm pretty sure that I've been hacked, I found mldonkey running on one of
my systems. I had an open FTP port which I normally keep closed but I
opened for someone to do a download and then forgot to close. I have a
Linksys router which has open SSH ports and had an open FTP port (which
is now closed). The machine that was compromised with mldonkey is running
mandrake 9.2 as is the FTP machine. I ran chkrootkit-0.44 (the latest) on
all of my machines and it found nothing. There is a restart message in
the /var/log/messages on all of my systems that has roughly the same
time stamp.
Oct  3 04:02:10 localhost syslogd 1.4.1: restart.

What else should I do and which logs should I check? Is there another port
besides FTP that is a likely entry point? Could SSH have been compromised?

Here are some suspicious entries in the log on the machine that had
mldonkey,


/var/log/auth.log

Oct  3 05:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/open_port.today from 644 to 640
Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_root.today from 644 to 640
Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/sgid.today from 644 to 640
Oct  3 05:01:03 saratoga msec: changed owner of /var/log/mldonkey.log from mldonkey to root
Oct  3 05:01:03 saratoga msec: changed group of /var/log/mldonkey.log from mldonkey to adm
Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_group.today from 644 to 640
Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/writable.today from 644 to 640
Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_user.today from 644 to 640

and the following in /var/log/messages

Oct  3 04:17:49 saratoga :
Oct  3 04:17:49 saratoga : Security Warning: '+' character found in hosts trusting files,
Oct  3 04:17:49 saratoga : this probably mean that you trust certains users/domain
Oct  3 04:17:49 saratoga : to connect on this host without proper authentication :
Oct  3 04:17:49 saratoga : - /home/bjrosen/.rhosts: + bjrosen
Oct  3 04:20:00 saratoga CROND[24005]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 04:22:00 saratoga CROND[24009]: (root) CMD (nice -n 19 run-parts /etc/cron.weekly)
Oct  3 04:25:00 saratoga CROND[1608]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 04:30:00 saratoga CROND[1655]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
Oct  3 04:30:00 saratoga CROND[1656]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 04:35:00 saratoga CROND[1670]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 04:40:00 saratoga CROND[1680]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 04:45:00 saratoga CROND[1688]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 04:50:00 saratoga CROND[1695]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 04:55:00 saratoga CROND[1702]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 05:00:00 saratoga CROND[1711]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
Oct  3 05:00:00 saratoga CROND[1712]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 05:01:01 saratoga CROND[1725]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)
Oct  3 05:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/open_port.today from 644 to 640
Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_root.today from 644 to 640
Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/sgid.today from 644 to 640
Oct  3 05:01:03 saratoga msec: changed owner of /var/log/mldonkey.log from mldonkey to root
Oct  3 05:01:03 saratoga msec: changed group of /var/log/mldonkey.log from mldonkey to adm
Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_group.today from 644 to 640
Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/writable.today from 644 to 640
Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_user.today from 644 to 640
Oct  3 05:05:00 saratoga CROND[1740]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 05:10:00 saratoga CROND[1747]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 05:15:00 saratoga CROND[1754]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 05:20:00 saratoga CROND[1764]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 05:25:00 saratoga CROND[1773]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 05:30:00 saratoga CROND[1781]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
Oct  3 05:30:00 saratoga CROND[1782]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 05:35:00 saratoga CROND[1796]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 05:40:00 saratoga CROND[1803]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 05:45:00 saratoga CROND[1811]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 05:50:00 saratoga CROND[1818]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 05:55:00 saratoga CROND[1825]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 06:00:00 saratoga CROND[1834]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
Oct  3 06:00:00 saratoga CROND[1835]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 06:01:01 saratoga CROND[1842]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)
Oct  3 06:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
Oct  3 06:05:00 saratoga CROND[1861]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 06:10:00 saratoga CROND[1868]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 06:15:00 saratoga CROND[1875]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 06:20:00 saratoga CROND[1882]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 06:25:00 saratoga CROND[1890]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 06:30:00 saratoga CROND[1898]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
Oct  3 06:30:00 saratoga CROND[1899]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 06:35:00 saratoga CROND[1914]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 06:40:00 saratoga CROND[1921]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 06:41:07 saratoga kernel: _M_str_putnext: queue overflow: dropping a message
Oct  3 06:41:09 saratoga last message repeated 69 times
Oct  3 06:45:00 saratoga CROND[1933]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 06:50:00 saratoga CROND[1940]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 06:55:00 saratoga CROND[1947]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 07:00:00 saratoga CROND[1966]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
Oct  3 07:00:00 saratoga CROND[1967]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Oct  3 07:01:01 saratoga CROND[1976]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)
Oct  3 07:01:01 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf










    Re: I've been hacked, found mldonkey running  
Bill Unruh




 
10-04-04 11:03 PM

General Schvantzkoph <schvantzkoph@yahoo.com> writes:

]I'm pretty sure that I've been hacked, I found mldonkey running on one of
]my systems. I had an open FTP port which I normally keep closed but I
]opened for someone to do a download and then forgot to close. I have a
]Linksys router which has open SSH ports and had an open FTP port (which
]is now closed). The machine that was compromised with mldonkey is running
]mandrake 9.2 as is the FTP machine. I ran chkrootkit-0.44 (the latest) on
]all of my machines and it found nothing. There is a restart message in
]the /var/log/messages on all of my systems that has roughly the same
]time stamp.
]Oct  3 04:02:10 localhost syslogd 1.4.1: restart.

]What else should I do and which logs should I check? Is there another port
]besides FTP that is a likely entry point? Could SSH have been compromised?

]Here are some suspicious entries in the log on the machine that had
]mldonkey,


]/var/log/auth.log

]Oct  3 05:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/open_port.today from 644 to 640
]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_root.today from 644 to 640
]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/sgid.today from 644 to 640
]Oct  3 05:01:03 saratoga msec: changed owner of /var/log/mldonkey.log from mldonkey to root
]Oct  3 05:01:03 saratoga msec: changed group of /var/log/mldonkey.log from mldonkey to adm
]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_group.today from 644 to 640
]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/writable.today from 644 to 640
]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_user.today from 644 to 640

These are all fine; they are standard msec messages.


] and the following in /var/log/messages

]Oct  3 04:17:49 saratoga :
]Oct  3 04:17:49 saratoga : Security Warning: '+' character found in hosts trusting files,

This is terrible. It allows anyone in the world to connect to your
server. You certainly should not have this. Many users, to make it easy to
run from another machine to their own, put + into xauth.
This is a badbadbadbadbad thing to do.

You should tell your sshd not to allow .rhosts and also do not allow telnet
connections.


]Oct  3 04:17:49 saratoga : this probably mean that you trust certains users/domain
]Oct  3 04:17:49 saratoga : to connect on this host without proper authentication :
]Oct  3 04:17:49 saratoga : - /home/bjrosen/.rhosts: + bjrosen

The user bjrosen has done this. Tell him not to do so.

Use the .ssh/authorized_hosts file instead.

]Oct  3 04:20:00 saratoga CROND[24005]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
]Oct  3 04:22:00 saratoga CROND[24009]: (root) CMD (nice -n 19 run-parts /etc/cron.weekly)
]Oct  3 04:25:00 saratoga CROND[1608]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
]Oct  3 04:30:00 saratoga CROND[1655]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)

No idea what mldonkey is, but they have inserted it into root's cron. If
this was done by a stranger, then your system is completely compromised.
Wipe and reinstall and then use find to look for any suid/sgid files, and
make sure that they should be there. E.g. no file in /tmp, /dev, /usr/share,
... should be suid root (I found such files on one of my compromised
machines.)






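The checks Bill Unruh recommends above (setuid/setgid files where none belong, the "+" in .rhosts that msec flagged, and what root's cron runs), collected into a few POSIX sh functions. This is an added example, not code from any poster or from Mandrake's msec. The allow-list of system directories, the constructed sample tree and the cron line in it are assumptions of the example, not facts from the thread. Real triage should be run against the suspect disk mounted read-only from a clean system: on the live host a kernel rootkit can hide files from find and ls, which is also why a clean chkrootkit run proves little.

```shell
#!/bin/sh
# Post-compromise triage helpers (added example, not from the thread).
# Each function takes ROOT, the mount point of the suspect file system
# (default /). -xdev keeps find on one file system: run once per mount.

# setuid/setgid regular files outside the directories where a distribution
# installs them, printed relative to ROOT. The allow-list is an assumption;
# tune it per release and compare survivors with the package database.
suid_outside_system_dirs() {
  root=${1:-/}; root=${root%/}
  find "${root:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    sed "s|^$root||" |
    grep -Ev '^/(usr/(local/|X11R6/)?)?(s?bin|lib|lib64|libexec)/' || true
}

# .rhosts / hosts.equiv files with a "+" wildcard (any host, or any user):
# the condition behind msec's "'+' character found in hosts trusting files".
rhosts_trust_all() {
  root=${1:-/}; root=${root%/}
  { echo "$root/etc/hosts.equiv"
    find "$root/root" "$root/home" -maxdepth 2 -name .rhosts 2>/dev/null
  } | while read -r f; do
    [ -f "$f" ] || continue
    # a first field that is exactly "+" trusts everything for that slot
    if grep -Eq '^[[:space:]]*\+([[:space:]]|$)' "$f"; then
      echo "$f" | sed "s|^$root||"
    fi
  done
}

# Everything root runs unattended. Diff the list against a clean install of
# the same release; the mldonkey entry in the thread showed up in cron.
root_cron_jobs() {
  root=${1:-/}; root=${root%/}
  for f in "$root/etc/crontab" "$root/etc/cron.d"/* "$root/var/spool/cron/root" \
           "$root/etc/cron.hourly"/* "$root/etc/cron.daily"/* \
           "$root/etc/cron.weekly"/* "$root/etc/cron.monthly"/*; do
    if [ -f "$f" ]; then echo "$f" | sed "s|^$root||"; fi
  done
}

# Constructed sample tree (an assumption, not the poster's machine): one stray
# setuid file in /tmp, two legitimate ones in /usr/bin, the .rhosts line from
# the thread, and a cron.d entry for the mldonkey monitor script.
make_sample_tree() {
  d=$1
  mkdir -p "$d/tmp" "$d/usr/bin" "$d/home/bjrosen" "$d/etc/cron.d"
  : > "$d/tmp/.x";         chmod 4755 "$d/tmp/.x"
  : > "$d/usr/bin/passwd"; chmod 4755 "$d/usr/bin/passwd"
  : > "$d/usr/bin/wall";   chmod 2755 "$d/usr/bin/wall"
  echo "+ bjrosen" > "$d/home/bjrosen/.rhosts"
  echo "*/30 * * * * root /usr/lib/mldonkey/mldonkey_df_monitor.sh" \
    > "$d/etc/cron.d/mldonkey"
}

scan() {
  echo "== setuid/setgid outside system dirs"; suid_outside_system_dirs "$1"
  echo "== hosts-trusting files with +";       rhosts_trust_all "$1"
  echo "== root cron";                         root_cron_jobs "$1"
}

case ${1:-} in
  --scan) scan "${2:-/}" ;;
  --demo) d=$(mktemp -d); make_sample_tree "$d"; scan "$d"; rm -rf "$d" ;;
esac
```

`sh triage.sh --demo` runs the functions over the constructed tree; `sh triage.sh --scan /mnt/suspect` runs them over a mounted copy of the compromised disk. Anything the setuid list reports, and any cron entry not present on a fresh install of the same release, needs an explanation before the box is trusted again; where the RPM database on the image is itself trusted, `rpm -Va` over the mounted root is the stronger check.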



    Re: I've been hacked, found mldonkey running  
Bill Unruh




 
10-04-04 11:03 PM

unruh@string.physics.ubc.ca (Bill Unruh) writes:

]General Schvantzkoph <schvantzkoph@yahoo.com> writes:

]]I'm pretty sure that I've been hacked, I found mldonkey running on one of
]]my systems. I had an open FTP port which I normally keep closed but I


From http://mldonkey.org
MLdonkey is a powerful peer 2 peer (p2p) application for accessing the
Edonkey2000 network as well as a few others like FastTrack, Bittorrent and
Gnutella2.
The opensource MLdonkey p2p client is mainly being developed for
Linux/Unix, but is also compiled and running on Windows and even MacOS X.








    Re: I've been hacked, found mldonkey running  
General Schvantzkoph




 
10-05-04 08:01 AM

On Mon, 04 Oct 2004 23:38:53 +0000, Bill Unruh wrote:

> unruh@string.physics.ubc.ca (Bill Unruh) writes:
>
> ]General Schvantzkoph <schvantzkoph@yahoo.com> writes:
>
> ]]I'm pretty sure that I've been hacked, I found mldonkey running on one of
> ]]my systems. I had an open FTP port which I normally keep closed but I
>
>
> From http://mldonkey.org
> MLdonkey is a powerful peer 2 peer (p2p) application for accessing the
> Edonkey2000 network as well as a few others like FastTrack, Bittorrent and
> Gnutella2.
> The opensource MLdonkey p2p client is mainly being developed for
> Linux/Unix, but is also compiled and running on Windows and even MacOS X.

Does anyone know if Linksys routers are adequate firewalls? I had the FTP
port open but I don't know for sure if that was the route that the
intruders used. I'm trying to configure Mandrake 10.1 as second
level firewall machine but it seems to want to block the local net as well
as the internet port. Has anyone used 10.1 as a firewall?










    Re: I've been hacked, found mldonkey running  
Bit Twister




 
10-05-04 08:01 AM

On Mon, 04 Oct 2004 22:48:39 -0400, General Schvantzkoph wrote:

> I'm trying to configure Mandrake 10.1 as second
> level firewall machine but it seems to want to block the local net as well
> as the internet port. Has anyone used 10.1 as a firewall?

I am using md 10.0

Shorewall is used on 10.1 and 10.0

I looked around here http://www.shorewall.net/
used webmin to play with the config files, read the config file
headers in /etc/shorewall and it does pretty good.








    Re: I've been hacked, found mldonkey running  
Solbu




 
10-05-04 10:59 PM


On mandag 4. oktober 2004, 23:44 Bill Unruh tried to express an opinion:

> Eg no file in /tmp, dev /usr/share, ... should be suid root

also the /tmp dir should be mounted (in /etc/fstab also)
with 'noexec,nosuid'.

If you also do not allow users to run their own programs from home,
set /home up with 'noexec'.
(Two of the servers I help administer do this.)


- --
Solbu - http://www.solbu.net
Remove 'ugyldig' for email
PGP key ID: 0xFA687324





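A check for the mount options Solbu recommends, as an added example that is not from the post. Given /etc/fstab, or /proc/mounts, which has the same field layout, it reports which of the wanted options a mount point lacks. The sample fstab it writes is constructed for the demonstration and is not anyone's real configuration.

```shell
#!/bin/sh
# Report mount options missing from a mount point's entry (added example).
# FILE may be /etc/fstab or /proc/mounts: both carry the mount point in
# field 2 and the comma-separated option list in field 4.
# Prints the missing options and returns 1, or prints nothing and returns 0.
mount_missing_opts() {
  file=$1; mnt=$2; shift 2
  opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$file")
  if [ -z "$opts" ]; then
    echo "$mnt: no entry in $file"; return 1
  fi
  missing=""
  for o in "$@"; do
    case ",$opts," in
      *",$o,"*) ;;
      *) missing="$missing $o" ;;
    esac
  done
  [ -z "$missing" ] || { echo "$mnt missing:$missing"; return 1; }
}

# Constructed fstab (an assumption, not the poster's): /tmp left at
# "defaults", /home already restricted the way Solbu describes.
write_sample_fstab() {
  cat > "$1" <<'EOF'
# constructed sample, not a real system
/dev/hda1 /     ext3 defaults                      1 1
/dev/hda5 /tmp  ext3 defaults                      1 2
/dev/hda6 /home ext3 defaults,nodev,nosuid,noexec  1 2
none      /proc proc defaults                      0 0
EOF
}

# The two mount points the thread talks about; non-zero if either is lax.
audit_mounts() {
  rc=0
  mount_missing_opts "$1" /tmp  nodev nosuid noexec || rc=1
  mount_missing_opts "$1" /home nodev nosuid noexec || rc=1
  return $rc
}

case ${1:-} in
  --demo) f=$(mktemp); write_sample_fstab "$f"; audit_mounts "$f"; rm -f "$f" ;;
  "")     ;;
  *)      audit_mounts "$1" ;;
esac
```

`sh mountopts.sh /proc/mounts` checks what is actually mounted now, `sh mountopts.sh /etc/fstab` what will be mounted after a reboot; "no entry" for /tmp means it is not a separate file system at all, so the options cannot be applied until it is. Two caveats: noexec is a speed bump rather than a wall, since `sh /tmp/x` runs a script through the interpreter regardless, and some installers and package scriptlets unpack and execute from /tmp, so try the change before making it permanent.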



    Re: I've been hacked, found mldonkey running  
Marco Benton




 
10-05-04 10:59 PM

General Schvantzkoph wrote:
> Does anyone know if Linksys routers are adequate firewalls? I had the FTP
> port open but I don't know for sure if that was the route that the
> intruders used. I'm trying to configure Mandrake 10.1 as second
> level firewall machine but it seems to want to block the local net as well
> as the internet port. Has anyone used 10.1 as a firewall?
>
>

well, if you pay $40 for a combo firewall/router/dsl device i guess you
can't expect too much?  good enough for home use though.

keep in mind that you can have 2 cisco PIX firewalls and 2 linux
firewalls in front of your server and still be hacked if you don't
configure your FTP or whatever service correctly.  for FTP use vsftpd...
not a lot of parameters to screw up...  or read some docs on how to
set up these services tightly.








    Re: I've been hacked, found mldonkey running  
General Schvantzkoph




 
10-05-04 10:59 PM

On Mon, 04 Oct 2004 21:44:21 +0000, Bill Unruh wrote:

> General Schvantzkoph <schvantzkoph@yahoo.com> writes:
>
> ]I'm pretty sure that I've been hacked, I found mldonkey running on one of
> ]my systems. I had an open FTP port which I normally keep closed but I
> ]opened for someone to do a download and then forgot to close. I have a
> ]Linksys router which has open SSH ports and had an open FTP port (which
> ]is now closed). The machine that was compromised with mldonkey is running
> ]mandrake 9.2 as is the FTP machine. I ran chkrootkit-0.44 (the latest) on
> ]all of my machines and it found nothing. There is a restart message in
> ]the /var/log/messages on all of my systems that has roughly the same
> ]time stamp.
> ]Oct  3 04:02:10 localhost syslogd 1.4.1: restart.
>
> ]What else should I do and which logs should I check? Is there another port
> ]besides FTP that is a likely entry point? Could SSH have been compromised?
>
> ]Here are some suspicious entries in the log on the machine that had
> ]mldonkey,
>
>
> ]/var/log/auth.log
>
> ]Oct  3 05:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
> ]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/open_port.today from 644 to 640
> ]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_root.today from 644 to 640
> ]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
> ]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/sgid.today from 644 to 640
> ]Oct  3 05:01:03 saratoga msec: changed owner of /var/log/mldonkey.log from mldonkey to root
> ]Oct  3 05:01:03 saratoga msec: changed group of /var/log/mldonkey.log from mldonkey to adm
> ]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_group.today from 644 to 640
> ]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/writable.today from 644 to 640
> ]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_user.today from 644 to 640
>
> These are all fine. -- they are standard msec messages.
>
>
> ] and the following in /var/log/messages
>
> ]Oct  3 04:17:49 saratoga :
> ]Oct  3 04:17:49 saratoga : Security Warning: '+' character found in hosts trusting files,
>
> This is terrible. It allows anyone in the world to connect to your
> server. You certainly should not have this. Many users, to make it easy to
> run from another machine to their own, put + into xauth.
> This is a badbadbadbadbad thing to do.

I assume that this is the result of my doing xhost + which I do on my
workstation so that I can run xemacs on other machines. I'm the only user
on my network, the attack came from outside.


> You should tell your sshd not to allow .rhosts and also do not allow
> telnet connections.
I don't have telnet installed on any of my machines. SSHD doesn't allow
.rhosts authentication and I require RSA authentication, passwords are
disallowed.

>
> ]Oct  3 04:17:49 saratoga : this probably mean that you trust certains users/domain
> ]Oct  3 04:17:49 saratoga : to connect on this host without proper authentication :
> ]Oct  3 04:17:49 saratoga : - /home/bjrosen/.rhosts: + bjrosen
>
> The user bjrosen has done this. Tell him not to do so.
That's me.

> Use the .ssh/authorized_hosts file instead.
>
> ]Oct  3 04:20:00 saratoga CROND[24005]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
> ]Oct  3 04:22:00 saratoga CROND[24009]: (root) CMD (nice -n 19 run-parts /etc/cron.weekly)
> ]Oct  3 04:25:00 saratoga CROND[1608]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
> ]Oct  3 04:30:00 saratoga CROND[1655]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
>
> No idea what mldonkey is, but they have inserted it into root's cron. If
> this was done by a stranger, then your system is completely compromised.
> Wipe and reinstall and then use find to look for any suid/sgid files,
> and make sure that they should be there. E.g. no file in /tmp, /dev,
> /usr/share, ... should be suid root (I found such files on one of my
> compromised machines.)

I've done clean installs of Mandrake 10.1C on all of my systems and
enabled the HIGH level of security (I had standard before). I also enabled
chkrootkit as part of the periodic security checks. I've also closed all
of the ports on my firewall with the exception of a single SSH port. I had
inadvertently left open an FTP which is how I expect that they got in but
I don't know for sure. Is it possible to get through an ssh port if RSA
authentication is required? How secure are home routers? I'm using a
Linksys.









    Re: I've been hacked, found mldonkey running  
General Schvantzkoph




 
10-05-04 10:59 PM

On Tue, 05 Oct 2004 18:01:57 -0400, Marco Benton wrote:

> General Schvantzkoph wrote: 
>
> well, if you pay $40 for a combo firewall/router/dsl device i guess you
> can't expect too much?  good enough for home use tho.

This is a home office network. Does anyone know how reliable these things
are?


> keep in mind that you can have 2 cisco PIX firewalls and 2 linux
> firewalls in front of your server and still be hacked if you don't
> configure your FTP or whatever service correctly.  for FTP use vsftpd...
> not a lot of parameters to screw up...  or read some docs on how to
> set up these services tightly.

I don't normally allow FTP, I opened a port so that a colleague could
download something and I forgot to close it. I'll never open an FTP port
again.








    Re: I've been hacked, found mldonkey running  
Bill Unruh




 
10-06-04 01:48 AM

General Schvantzkoph <schvantzkoph@yahoo.com> writes:

]On Mon, 04 Oct 2004 21:44:21 +0000, Bill Unruh wrote:

]> General Schvantzkoph <schvantzkoph@yahoo.com> writes:
]>
]> ]I'm pretty sure that I've been hacked, I found mldonkey running on one of
]> ]my systems. I had an open FTP port which I normally keep closed but I
]> ]opened for someone to do a download and then forgot to close. I have a
]> ]Linksys router which has open SSH ports and had an open FTP port (which
]> ]is now closed). The machine that was compromised with mldonkey is running
]> ]mandrake 9.2 as is the FTP machine. I ran chkrootkit-0.44 (the latest) on
]> ]all of my machines and it found nothing. There is a restart message in
]> ]the /var/log/messages on all of my systems that has roughly the same
]> ]time stamp.
]> ]Oct  3 04:02:10 localhost syslogd 1.4.1: restart.
]>
]> ]What else should I do and which logs should I check? Is there another port
]> ]besides FTP that is a likely entry point? Could SSH have been compromised?
]>
]> ]Here are some suspicious entries in the log on the machine that had
]> ]mldonkey,
]>
]>
]> ]/var/log/auth.log
]>
]> ]Oct  3 05:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
]> ]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/open_port.today from 644 to 640
]> ]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_root.today from 644 to 640
]> ]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
]> ]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/sgid.today from 644 to 640
]> ]Oct  3 05:01:03 saratoga msec: changed owner of /var/log/mldonkey.log from mldonkey to root
]> ]Oct  3 05:01:03 saratoga msec: changed group of /var/log/mldonkey.log from mldonkey to adm
]> ]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_group.today from 644 to 640
]> ]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/writable.today from 644 to 640
]> ]Oct  3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_user.today from 644 to 640
]>
]> These are all fine. -- they are standard msec messages.
]>
]>
]> ] and the following in /var/log/messages
]>
]> ]Oct  3 04:17:49 saratoga :
]> ]Oct  3 04:17:49 saratoga : Security Warning: '+' character found in hosts trusting files,
]>
]> This is terrible. It allows anyone in the world to connect to your
]> server. You certainly should not have this. Many users, to make it easy to
]> run from another machine to their own, put + into xauth.
]> This is a badbadbadbadbad thing to do.

]I assume that this is the result of my doing xhost + which I do on my
]workstation so that I can run xemacs on other machines. I'm the only user
]on my network, the attack came from outside.

NONONONO. That allows attacks from anywhere in the world.
Use ssh and X11 forwarding instead. Do NOT use xhost +;
even using the machine name is better (though it can be spoofed).
You are worried about hacker attacks, and then use one of the most
dangerous things you can. Anyone in the world can copy everything on your
screen and keyboard to their system. They can read off all your passwords as
you type them. They can see what you read.


]> You should tell your sshd not to allow .rhosts and also do not allow
]> telnet connections.
]I don't have telnet installed on any of my machines. SSHD doesn't allow
].rhosts authentication and I require RSA authentication, passwords are
]disallowed.

Very strange message then. Get rid of .rhosts everywhere.


]>
]> ]Oct  3 04:17:49 saratoga : this probably mean that you trust certains users/domain
]> ]Oct  3 04:17:49 saratoga : to connect on this host without proper authentication :
]> ]Oct  3 04:17:49 saratoga : - /home/bjrosen/.rhosts: + bjrosen
]>
]> The user bjrosen has done this. Tell him not to do so.
]That's me.

OK. Don't do it.

]> Use the .ssh/authorized_hosts file instead.
]>
]> ]Oct  3 04:20:00 saratoga CROND[24005]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
]> ]Oct  3 04:22:00 saratoga CROND[24009]: (root) CMD (nice -n 19 run-parts /etc/cron.weekly)
]> ]Oct  3 04:25:00 saratoga CROND[1608]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
]> ]Oct  3 04:30:00 saratoga CROND[1655]: (root) CMD (/usr/lib/mldonkey/mldonkey_df_monitor.sh)
]>
]> No idea what mldonkey is, but they have inserted it into root's cron. If
]> this was done by a stranger, then your system is completely compromised.
]> Wipe and reinstall and then use find to look for any suid/sgid files,
]> and make sure that they should be there. E.g. no file in /tmp, /dev,
]> /usr/share, ... should be suid root (I found such files on one of my
]> compromised machines.)

]I've done clean installs of Mandrake 10.1C on all of my systems and
]enabled the HIGH level of security (I had standard before). I also enabled
]chkrootkit as part of the periodic security checks. I've also closed all
]of the ports on my firewall with the exception of a single SSH port. I had
]inadvertently left open an FTP which is how I expect that they got in but
]I don't know for sure. Is it possible to get through an ssh port if RSA
]authentication is required? How secure are home routers? I'm using a
]Linksys.

It is not clear to me that mldonkey is from outside. It may be an internal
program included with mandrake 10.1.






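The sshd configuration the thread converges on, from General Schvantzkoph's post (key authentication only, no passwords, no .rhosts) and Bill Unruh's reply above (X11 over ssh instead of `xhost +`), turned into an audit of sshd_config. This is an added example, not code from the posters or from OpenSSH; the two sample configs it writes are constructed, and the list of keywords checked is the editor's choice, not something the thread specifies.

```shell
#!/bin/sh
# sshd_config audit for the settings discussed in the thread (added example).
# Reads the file the way sshd does: the first occurrence of a keyword wins,
# keywords are case-insensitive, '#' lines are comments. Match blocks are
# not handled; anything after a Match line must be checked by hand.
# Prints one WEAK/MISSING line per finding and returns 1, else 0.
sshd_audit() {
  cfg=$1; rc=0
  # Keyword and wanted value. An absent keyword is reported too, because the
  # compiled-in default (PasswordAuthentication yes, for one) then applies.
  # ChallengeResponseAuthentication is the keyboard-interactive path through
  # which PAM can still ask for a password when PasswordAuthentication is
  # off; OpenSSH 8.7 renamed it KbdInteractiveAuthentication.
  for want in \
    "PasswordAuthentication no" \
    "ChallengeResponseAuthentication no" \
    "PermitEmptyPasswords no" \
    "PubkeyAuthentication yes" \
    "IgnoreRhosts yes" \
    "HostbasedAuthentication no" \
    "PermitRootLogin no" \
    "X11Forwarding yes"
  do
    key=${want%% *}; val=${want#* }
    got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$cfg")
    if [ -z "$got" ]; then
      echo "MISSING $key (want $val)"; rc=1
    elif [ "$got" != "$val" ]; then
      echo "WEAK $key=$got (want $val)"; rc=1
    fi
  done
  return $rc
}

# Two constructed configs (assumptions, not anyone's real files): a permissive
# one, and the key-only, no-rhosts, X11-forwarding setup the thread ends at.
write_sample_configs() {
  cat > "$1" <<'EOF'
# constructed: permissive
Port 22
PasswordAuthentication yes
IgnoreRhosts no
X11Forwarding no
EOF
  cat > "$2" <<'EOF'
# constructed: hardened
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
X11Forwarding yes
EOF
}

case ${1:-} in
  --demo) w=$(mktemp); g=$(mktemp); write_sample_configs "$w" "$g"
          echo "== permissive"; sshd_audit "$w"
          echo "== hardened";   sshd_audit "$g" && echo "ok"
          rm -f "$w" "$g" ;;
  "") ;;
  *)  sshd_audit "$1" ;;
esac
```

`sh sshd_audit.sh /etc/ssh/sshd_config` lists what to fix; `sh sshd_audit.sh --demo` runs it over the two constructed files. With `X11Forwarding yes` on the server, `ssh -X saratoga xemacs` puts the display on a tunnel with ssh's own xauth cookie, so `xhost +` is not needed for the use General Schvantzkoph describes. On terminology: the "RSA authentication" of the period was the protocol 1 `RSAAuthentication` keyword, which went away with protocol 1; the protocol 2 equivalent, and the one the audit checks, is `PubkeyAuthentication`.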


