One last update, as near as Rich Drummond and I can tell it installed the EnergyMech IRC bot, http://www.energymech.net/features.html .

I'm still going to run a rootkit check tonight as well as inspect the Mac, but I don't think anything was severely compromised. James Scott advised running IRC on a different port and switching to key based auth only, which I'm going to implement ASAP. I think the takeaway lesson here is that regularly auditing who is accessing your public facing machines is as good an idea as double checking your configs in the first place.

On Mon, Aug 4, 2008 at 1:07 PM, Jonathan Bartels <[EMAIL PROTECTED]> wrote:
> Ok, fortunately the postgres user does have a home directory and I was able to extract the attached command history.
>
> Working on sorting out that bot's tarball it downloads. I would like to just wget that tarball, but don't want to attract attention to the network I'd be grabbing that from.
>
> On Mon, Aug 4, 2008 at 12:23 PM, Vern Ceder <[EMAIL PROTECTED]> wrote:
>
>> Then very definitely be sure you have the rootkit angle covered.
>>
>> A Mac would have a /var/log/system.log and secure.log - haven't looked at them much, but they might tell you what's going on. There may even be a GUI log viewer in the control panel, I'm not sure. And that's ONLY if you have ssh and samba turned on for that machine.
>>
>> Vern
>>
>> Jonathan Bartels wrote:
>> > Damn it.
>> >
>> > Given a choice I would prefer to take the longer, slightly riskier route of repairing rather than reinstalling.
>> >
>> > The only other machines on the network are my wife's Mac (how can I review logins on that?) and my throwaway laptop (will be rebuilt).
>> >
>> > What I'm expecting is that from the postgres account the user would have full access to anything running on postgres as well as whatever read access a normal user would have. The only "sensitive" operations I do on that machine are online banking, so I'll generate some new passwords at work and wipe out my keepass file at home.
>> >
>> > On Sun, Aug 3, 2008 at 10:39 PM, Rob Ludwick <[EMAIL PROTECTED]> wrote:
>> >
>> >     Yeah, I agree, and run the rootkit detector from a bootable CD-ROM or USB key, using a known Linux kernel that has not been corrupted.
>> >
>> >     There are rootkits that hide their own existence by loading a special kernel module that prevents root from seeing certain files, processes, and other things necessary to detect their presence.
>> >
>> >     --R
>> >
>> >     On Sun, 2008-08-03 at 22:09 -0400, Vern Ceder wrote:
>> > > Don't forget to check for a rootkit, or to be even safer, just reinstall the OS from scratch and the data from a backup.
>> > >
>> > > There is a chkrootkit and a rkhunter, I believe, that will check for rootkits.
>> > >
>> > > Vern
>> > >
>> > > Rob Ludwick wrote:
>> > > > Jon,
>> > > >
>> > > > 92.55.82.121 is listed in the Dshield.org database as an attacker 3 times. Possibly from Macedonia.
>> > > >
>> > > > 62.162.164.116 is in a block assigned to Macedonia; it appears 0 times in the Dshield.org database.
>> > > >
>> > > > Considering that both came from Macedonia, one with a hit on Dshield, I would say that yes, it's safe to assume you've been hacked.
>> > > >
>> > > > If you've noticed, there may have been a lot of activity on port 22, with a lot of rejections on the same IP within maybe a span of 30 minutes. Then there's another IP address that scans the next day with another set of usernames and passwords. That's been pretty standard for about 2 or 3 years now.
>> > > >
>> > > > So I would figure out if they had any access to boxes on that network as well. Putting nologin in /etc/passwd is good, but they may have been going on for a while, and that may not be their only avenue of entry.
>> > > >
>> > > > And when you determine the list of boxes they had entered on your network, reformat them and put a fresh install of software on.
>> > > >
>> > > > And if you did any banking with those boxes, it would be wise to change account passwords, as well as any other account you consider confidential that you accessed from those machines.
>> > > >
>> > > > --R
>> > > >
>> > > > On Sun, 2008-08-03 at 11:20 -0400, Jon wrote:
>> > > >> In the last few weeks I poked a hole through my router to SSH into my box at home from the road.
>> > > >>
>> > > >> I was just scrounging through the auth.log with `grep 'Accepted password for' ./auth.log* | less`
>> > > >>
>> > > >> And got this:
>> > > >>
>> > > >> ./auth.log.0:Jul 28 12:03:39 nichtscheissen sshd[24906]: Accepted password for jon from 216.155.176.39 port 5873 ssh2
>> > > >> ./auth.log.0:Jul 28 13:04:40 nichtscheissen sshd[25857]: Accepted password for jon from 216.155.176.39 port 4689 ssh2
>> > > >> ./auth.log.0:Jul 28 21:41:34 nichtscheissen sshd[1839]: Accepted password for jon from 192.168.1.104 port 40752 ssh2
>> > > >> ./auth.log.0:Jul 28 21:43:27 nichtscheissen sshd[2138]: Accepted password for jon from 192.168.1.104 port 40755 ssh2
>> > > >> ./auth.log.0:Jul 28 21:44:07 nichtscheissen sshd[2155]: Accepted password for jon from 192.168.1.104 port 40757 ssh2
>> > > >> ./auth.log.0:Jul 28 22:01:27 nichtscheissen sshd[2440]: Accepted password for jon from 192.168.1.104 port 43941 ssh2
>> > > >> ./auth.log.0:Jul 28 22:01:50 nichtscheissen sshd[2452]: Accepted password for jon from 192.168.1.104 port 43942 ssh2
>> > > >> ./auth.log.0:Jul 28 22:09:36 nichtscheissen sshd[2726]: Accepted password for jon from 192.168.1.104 port 46126 ssh2
>> > > >> ./auth.log.0:Jul 29 21:17:35 nichtscheissen sshd[18658]: Accepted password for jon from 192.168.1.104 port 42032 ssh2
>> > > >> ./auth.log.0:Jul 31 08:34:03 nichtscheissen sshd[26223]: Accepted password for jon from 216.155.176.39 port 21045 ssh2
>> > > >> ./auth.log.0:Jul 31 08:34:09 nichtscheissen sshd[26227]: Accepted password for jon from 216.155.176.39 port 21283 ssh2
>> > > >> ./auth.log.0:Jul 31 08:38:42 nichtscheissen sshd[26243]: Accepted password for jon from 216.155.176.39 port 20307 ssh2
>> > > >> ./auth.log.0:Jul 31 08:39:21 nichtscheissen sshd[26257]: Accepted password for jon from 216.155.176.39 port 20229 ssh2
>> > > >> ./auth.log.0:Jul 31 08:39:44 nichtscheissen sshd[26262]: Accepted password for jon from 216.155.176.39 port 17171 ssh2
>> > > >> ./auth.log.0:Jul 31 18:13:22 nichtscheissen sshd[6258]: Accepted password for postgres from port 63075 ssh2
>> > > >> ./auth.log.0:Aug 1 03:20:35 nichtscheissen sshd[11115]: Accepted password for postgres from 62.162.164.116 port 1283 ssh2
>> > > >> ./auth.log.0:Aug 1 03:31:04 nichtscheissen sshd[11368]: Accepted password for postgres from 62.162.164.116 port 1685 ssh2
>> > > >> ./auth.log.0:Aug 1 11:04:02 nichtscheissen sshd[18404]: Accepted password for postgres from 62.162.164.116 port 3262 ssh2
>> > > >> ./auth.log.0:Aug 1 13:41:06 nichtscheissen sshd[20845]: Accepted password for postgres from 92.55.82.121 port 64237 ssh2
>> > > >>
>> > > >> The logins for me from the 216 address are kosher. That's me from work.
>> > > >>
>> > > >> It's the logins for postgres that concern me.
>> > > >>
>> > > >> What I've done so far is changed the postgres user's shell to /usr/sbin/nologin.
>> > > >>
>> > > >> Any ideas what's going on here? How concerned should I be about these successful logins?
>> > > >>
>> > > >
>> > > > _______________________________________________
>> > > > Fwlug mailing list
>> > > > [email protected]
>> > > > http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org
>> >
>> > --
>> > -----
>> > Jonathan Bartels
>>
>> --
>> This time for sure!
>> -Bullwinkle J. Moose
>> -----------------------------
>> Vern Ceder, Director of Technology
>> Canterbury School, 3210 Smith Road, Ft Wayne, IN 46804
>> [EMAIL PROTECTED]; 260-436-0746; FAX: 260-436-5137
>
> --
> -----
> Jonathan Bartels

--
-----
Jonathan Bartels

_______________________________________________
Fwlug mailing list
[email protected]
http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org
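The thread's triage was a hand-run `grep 'Accepted password for'` followed by eyeballing which user and source each line belonged to. The script below, added here as an example and not code from the thread or from any of its participants, does the same audit mechanically over sample lines taken from the thread plus one constructed `Failed password` line: it parses sshd `Accepted` records, flags logins by accounts that exist only to run a daemon (postgres) and logins from sources outside an allowlist of known networks, and counts logins per authentication method so you can see how many would have been refused with key-only auth. The service-account list, the allowlist (the LAN plus the poster's office address) and the function names are assumptions chosen to fit the thread, not a standard.

```python
"""Audit sshd 'Accepted' lines from auth.log for logins that deserve a look.

Added example, not part of the thread. Policy values (SERVICE_ACCOUNTS,
KNOWN_NETWORKS) are assumptions chosen to match the thread's situation.
"""
import ipaddress
import re
from collections import Counter

# Matches "Accepted password for ..." and "Accepted publickey for ...".
# The source address group is optional so a line whose address is missing
# (the thread contains one such line) is still counted, not silently dropped.
# .search() is used so a grep "./auth.log.0:" filename prefix does not matter.
ACCEPTED_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from "
    r"(?:(?P<src>\d+\.\d+\.\d+\.\d+) )?port (?P<port>\d+)"
)

# Assumed policy: accounts that exist to run a daemon and must never log in.
SERVICE_ACCOUNTS = {"postgres", "www-data", "mysql"}
# Assumed allowlist: the home LAN and the office address the poster calls kosher.
KNOWN_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("216.155.176.39/32"),
]

# Sample input: five lines quoted from the thread, one constructed failure line.
SAMPLE_LOG = [
    "./auth.log.0:Jul 28 12:03:39 nichtscheissen sshd[24906]: Accepted password for jon from 216.155.176.39 port 5873 ssh2",
    "Jul 28 21:41:34 nichtscheissen sshd[1839]: Accepted password for jon from 192.168.1.104 port 40752 ssh2",
    "Jul 31 18:13:22 nichtscheissen sshd[6258]: Accepted password for postgres from port 63075 ssh2",
    "Aug  1 03:20:35 nichtscheissen sshd[11115]: Accepted password for postgres from 62.162.164.116 port 1283 ssh2",
    "Aug  1 13:41:06 nichtscheissen sshd[20845]: Accepted password for postgres from 92.55.82.121 port 64237 ssh2",
    # constructed: a brute-force miss, must be ignored by the parser
    "Aug  1 13:40:58 nichtscheissen sshd[20840]: Failed password for invalid user admin from 92.55.82.121 port 64201 ssh2",
]


def parse_accepted(line):
    """Return a dict of fields for an sshd 'Accepted' line, or None otherwise."""
    m = ACCEPTED_RE.search(line)
    return m.groupdict() if m else None


def login_findings(rec):
    """Return the reasons a parsed login is suspicious; an empty list means it looks fine."""
    reasons = []
    if rec["user"] in SERVICE_ACCOUNTS:
        reasons.append("service account logged in interactively")
    if rec["src"] is None:
        reasons.append("no source address recorded")
    elif not any(ipaddress.ip_address(rec["src"]) in net for net in KNOWN_NETWORKS):
        reasons.append("source %s not in known networks" % rec["src"])
    return reasons


def triage(lines):
    """Parse every line; return (suspicious logins, summary counters)."""
    suspicious = []
    by_user_source = Counter()
    by_method = Counter()
    for line in lines:
        rec = parse_accepted(line)
        if rec is None:
            continue  # not a successful login; 'Failed' lines are a separate audit
        by_user_source[(rec["user"], rec["src"] or "?")] += 1
        by_method[rec["method"]] += 1
        reasons = login_findings(rec)
        if reasons:
            suspicious.append((rec["ts"], rec["user"], rec["src"], reasons))
    return suspicious, {"by_user_source": dict(by_user_source), "by_method": dict(by_method)}


if __name__ == "__main__":
    hits, summary = triage(SAMPLE_LOG)
    for ts, user, src, reasons in hits:
        print("%s %-9s %-16s %s" % (ts, user, src or "(none)", "; ".join(reasons)))
    print("logins by method:", summary["by_method"])
    print("logins by (user, source):", summary["by_user_source"])
```

Run against a real file with `triage(open("/var/log/auth.log"))`. The `by_method` counter is the useful follow-up check for the fix the thread settles on: after setting `PasswordAuthentication no` in `sshd_config` and restarting sshd, every new `Accepted` line should say `publickey`, and any `password` entry after that date means the change did not take.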
