Hi all, In the spirit of New Years resolutions, and because I just found and fixed this hack a few days ago, I'm coming clean on how one of my home systems got hacked.
I've got two kids, nine and five, and they each only use Linux systems for their games and such. This is nice because I can manage them remotely and just not think about it too much. They have simple passwords though. Too simple. Sigh... This system is also the host I use to log in to my home machine(s) from the outside, with a dyndns.org hostname, etc. Of course I'm smart and only allow incoming SSH and port 3000 so I can do some Mojolicious hacking from the outside. Since nothing else listens on port 3000 except me, I'm not worried.

So I got hacked by someone who found my kid Jack's account and his stupidly simple password. And put in an SSH scanning tool, fired up a web server to listen for IRC commands on a filtered port (so it's not clear whether they actually got any data out of here or not...). But it was all running as a non-privileged user, so I don't think so. I ended up killing off all the processes, changing all my kids' passwords, and generally feeling stupid. It's not like I haven't been doing this for a long time, I should know better.

And it looks like I got hit with: http://blog.infosanity.co.uk/2010/07/21/example-of-post-exploit-utilities/ the GOSH utility stuff.

quad:/dev/shm/./.gosh# ls -ltra
total 15048
-rwxr-xr-x 1 jack jack  249980 Feb 13  2001 screen
-rwxr-xr-x 1 jack jack  453972 Jul 12  2004 ss
-rwxr-xr-x 1 jack jack   21407 Jul 21  2004 pscan2
-rwxr-xr-x 1 jack jack  842736 Nov 24  2004 ssh-scan
-rwxr-xr-x 1 jack jack     265 Nov 24  2004 gen-pass.sh
-rwxr-xr-x 1 jack jack   22354 Dec  1  2004 common
-rwxr-xr-x 1 jack jack   26857 Aug 23  2005 5
-rwxr-xr-x 1 jack jack     197 Aug 23  2005 secure
-rwxr-xr-x 1 jack jack 3346659 Jul 23  2006 1
-rwxr-xr-x 1 jack jack       0 Sep 26  2006 vuln.txt
-rwxr-xr-x 1 jack jack   54703 Apr 20  2008 4
-rwxr-xr-x 1 jack jack   54703 Apr 20  2008 2
-rwxr-xr-x 1 jack jack   28956 Apr 20  2008 3
-rwxr-xr-x 1 jack jack    3483 Nov  1  2009 mass
-rwxr-xr-x 1 jack jack   94988 Nov  1  2009 userrootmic.txt
-rwxr-xr-x 1 jack jack   49510 Nov  1  2009 userroomare.txt
-rwxr-xr-x 1 jack jack 5050323 Nov  1  2009 sortateusr.txt
-rwxr-xr-x 1 jack jack    1184 Nov  1  2009 CITESTE-INAINTE-SA-INCEPI
-rwxr-xr-x 1 jack jack    1599 Feb 10  2010 a
-rwxr-xr-x 1 jack jack     121 Feb 10  2010 go.shA
-rwxr-xr-x 1 jack jack     122 Feb 10  2010 go.shB
drwxr-xr-x 3 jack jack      80 Dec 20 18:11 ..
-rwxr-xr-x 1 jack jack 5050323 Dec 21 10:11 pass_file
-rw-r--r-- 1 jack jack       0 Dec 21 10:11 77.49.pscan.22
drwxr-xr-x 2 jack jack     500 Dec 21 10:11 .

The only reason I noticed this sucker is that the load was over 2 on the system and I was wondering what my kid was doing on there, since it's not a system they're allowed on or know about really.

So I've done a couple of things:

1. Changed passwords.
2. Locked down SSH access more, so that only my username and one other can get in via SSH now.
3. Applied the latest Debian patches, but I was already quite up to date.

So, just a friendly reminder, even us professionals can screw up. I will be more anal in the future, and working harder to have services and such default to DENY, rather than allow.

Cheers, and Happy New Year!
John _______________________________________________ Discuss mailing list [email protected] https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss This list provided by the League of Professional System Administrators http://lopsa.org/
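Added example (editor's, not code from John's post or from the GOSH kit): a small audit of an sshd_config for the deny-by-default posture the post ends up with. Item 2 of the fix list (only named users may log in) corresponds to an `AllowUsers` line; the root cause (a guessable account password) is closed by `PasswordAuthentication no`, which the post does not mention but is the natural next step. The two config files written below are constructed samples, and the `sshd_directive`/`check_sshd_config` function names are mine.

```shell
#!/bin/sh
# Added example: audit an sshd_config for deny-by-default SSH settings.
# Not from the original post; sample configs below are constructed.

# sshd_directive FILE NAME -> print the effective value of NAME.
# Like sshd itself, the first uncommented occurrence wins; prints nothing
# if the directive is unset. Caveat: does not evaluate Match blocks.
sshd_directive() {
    awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        { sub(/#.*/, "") }                     # drop a trailing comment
        tolower($1) == name { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# check_sshd_config FILE -> one line per finding on stdout.
# Returns 0 only if logins are limited to named users, password
# authentication is off, and root login is not permitted.
check_sshd_config() {
    file="$1"
    rc=0

    users=$(sshd_directive "$file" AllowUsers)
    if [ -n "$users" ]; then
        echo "ok:   AllowUsers $users"
    else
        echo "FAIL: no AllowUsers; every local account (the kids' too) may log in over SSH"
        rc=1
    fi

    pw=$(sshd_directive "$file" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$pw" = "no" ]; then
        echo "ok:   PasswordAuthentication no"
    else
        echo "FAIL: PasswordAuthentication is '${pw:-yes (default)}'; a guessed password is enough"
        rc=1
    fi

    # The default for PermitRootLogin depends on the OpenSSH version, so
    # require it to be set explicitly to no or prohibit-password.
    root=$(sshd_directive "$file" PermitRootLogin | tr 'A-Z' 'a-z')
    case "$root" in
        no|prohibit-password|without-password) echo "ok:   PermitRootLogin $root" ;;
        *) echo "FAIL: PermitRootLogin is '${root:-unset}'"; rc=1 ;;
    esac
    return $rc
}

# Two constructed samples: a permissive stock-style config and the
# post-incident policy (deny unless listed, keys only).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/weak.conf" <<'EOF'
# constructed sample: nothing restricted
Port 22
#PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
cat > "$SAMPLES/hardened.conf" <<'EOF'
# constructed sample: deny by default
Port 22
PermitRootLogin no
PasswordAuthentication no   # keys only; account passwords no longer matter
PubkeyAuthentication yes
AllowUsers john backupuser
EOF

for f in weak hardened; do
    echo "== $f.conf"
    if check_sshd_config "$SAMPLES/$f.conf"; then
        echo "   result: locked down"
    else
        echo "   result: NOT locked down"
    fi
done
```

Run it against `/etc/ssh/sshd_config` on the box in question; on a live host `sshd -T` prints the effective configuration with defaults and Match blocks resolved, which this text-only parser does not attempt. Whatever the config says, remember to restart sshd and keep a second session open while you confirm you can still get in.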
