Yea. I'm really on the fence here, I've already burned an evening scrubbing it (used ClamAV, chkrootkit, and rkhunter off of a live CD), moved SSH ports, updated credit, bank, and gmail passwords. ClamAV grabbed the latest signature (as soon as I found an ethernet card the live CD had a driver for).

Fortunately my bank is not email centric. If I can't auth to the website I gotta either call and chat to someone or go in and chat with someone. When I do talk to people I get real people who are able to communicate clearly. Credit card issuer is the same except for the "communicate clearly" part, sometimes the accents get a bit thick to resolve issues quickly. Gmail has been updated as well.

At this point I think I'm clear. Thanks for the advice and tips. For those of you who advised a rebuild: if I get my identity stolen or lose money or access to an account over this, I grant you the right to say "I told you so" and rub my nose in it a little.

One last tip, the pwgen utility kicks ass! Reasonably secure passwords that aren't impossible to remember.

On Mon, 2008-08-04 at 22:14 -0400, Rob Ludwick wrote:
> The paranoid guy in me would just rebuild it. A rootkit detector only
> uncovers rootkits it knows about. If you're a halfway decent C coder,
> you can roll your own rootkit with a moderate amount of trouble.
>
> I also forgot something, if changing your banking password requires an
> email sent to your, say, gmail account, then you should change that too
> -- preferably from a bootable cdrom (like the ubuntu CD). If they get
> into the email account, there's a trust relationship between it and the
> banking web site they can use. They change the password at your banking
> site, and then open up your email and click through the confirmation.
>
> --R
>
> On Mon, 2008-08-04 at 12:23 -0400, Vern Ceder wrote:
> > Then very definitely be sure you have the rootkit angle covered.
> >
> > A mac would have a /var/log/system.log and secure.log - haven't looked at
> > them much, but they might tell you what's going on. There may even be a
> > GUI log viewer in the control panel, I'm not sure. And that's ONLY if
> > you have ssh and samba turned on for that machine.
> >
> > Vern
> >
> > Jonathan Bartels wrote:
> > > Damn it.
> > >
> > > Given a choice I would prefer to take the longer, slightly riskier route
> > > of repairing rather than reinstalling.
> > >
> > > The only other machines on the network are my wife's Mac (how can I
> > > review logins on that?) and my throwaway laptop (will be rebuilt).
> > >
> > > What I'm expecting is that from the postgres account the user would have
> > > full access to anything running on postgres as well as whatever read
> > > access a normal user would have. The only "sensitive" operations I do on
> > > that machine are online banking, so I'll generate some new passwords at
> > > work and wipe out my keepass file at home.
> > >
> > > On Sun, Aug 3, 2008 at 10:39 PM, Rob Ludwick <[EMAIL PROTECTED]> wrote:
> > >
> > > Yeah I agree and run the root kit detector from a bootable cdrom or usb
> > > key, using a known linux kernel that has not been corrupted.
> > >
> > > There are rootkits that hide the existence of themselves by loading a
> > > special kernel module that prevents root from seeing certain files,
> > > processes, and other things necessary to detect their presence.
> > >
> > > --R
> > >
> > > On Sun, 2008-08-03 at 22:09 -0400, Vern Ceder wrote:
> > > > Don't forget to check for a rootkit, or to be even safer, just reinstall
> > > > the OS from scratch and the data from a back up.
> > > >
> > > > There is a chkrootkit and a rkhunter, I believe, that will check for
> > > > rootkits.
> > > >
> > > > Vern
> > > >
> > > > Rob Ludwick wrote:
> > > > > Jon,
> > > > >
> > > > > 92.55.82.121 is listed in Dshield.org database, as an attacker 3 times.
> > > > > Possibly from Macedonia.
> > > > >
> > > > > 62.162.164.116 is in a block assigned to Macedonia, it appears 0 times
> > > > > in the Dshield.org database.
> > > > >
> > > > > Considering that both came from Macedonia, one with a hit on Dshield, I
> > > > > would say that yes. It's safe to assume you've been hacked.
> > > > >
> > > > > If you've noticed, there may have been a lot of activity on port 22,
> > > > > with a lot of rejections on the same IP within maybe a span of 30
> > > > > minutes. Then there's another IP address that scans the next day with
> > > > > another set of usernames and passwords. That's been pretty standard for
> > > > > about 2 or 3 years now.
> > > > >
> > > > > So I would figure out if they had any access to boxes on that network as
> > > > > well. Putting nologin in /etc/passwd is good, but they may have been
> > > > > going on for a while, and that may not be their only avenue of entry.
> > > > >
> > > > > And when you determine the list of boxes they had entered on your
> > > > > network, reformat them and put a fresh install of software on.
> > > > >
> > > > > And if you did any banking with those boxes, it would be wise to change
> > > > > account passwords. As well as any other account you consider
> > > > > confidential that you accessed from those machines.
> > > > >
> > > > > --R
> > > > >
> > > > > On Sun, 2008-08-03 at 11:20 -0400, Jon wrote:
> > > > >> In the last few weeks I poked a hole through my router to SSH into my
> > > > >> box at home from the road.
> > > > >>
> > > > >> I was just scrounging thru the auth.log with `grep 'Accepted password
> > > > >> for' ./auth.log* | less`
> > > > >>
> > > > >> And got this:
> > > > >>
> > > > >> ./auth.log.0:Jul 28 12:03:39 nichtscheissen sshd[24906]: Accepted password for jon from 216.155.176.39 port 5873 ssh2
> > > > >> ./auth.log.0:Jul 28 13:04:40 nichtscheissen sshd[25857]: Accepted password for jon from 216.155.176.39 port 4689 ssh2
> > > > >> ./auth.log.0:Jul 28 21:41:34 nichtscheissen sshd[1839]: Accepted password for jon from 192.168.1.104 port 40752 ssh2
> > > > >> ./auth.log.0:Jul 28 21:43:27 nichtscheissen sshd[2138]: Accepted password for jon from 192.168.1.104 port 40755 ssh2
> > > > >> ./auth.log.0:Jul 28 21:44:07 nichtscheissen sshd[2155]: Accepted password for jon from 192.168.1.104 port 40757 ssh2
> > > > >> ./auth.log.0:Jul 28 22:01:27 nichtscheissen sshd[2440]: Accepted password for jon from 192.168.1.104 port 43941 ssh2
> > > > >> ./auth.log.0:Jul 28 22:01:50 nichtscheissen sshd[2452]: Accepted password for jon from 192.168.1.104 port 43942 ssh2
> > > > >> ./auth.log.0:Jul 28 22:09:36 nichtscheissen sshd[2726]: Accepted password for jon from 192.168.1.104 port 46126 ssh2
> > > > >> ./auth.log.0:Jul 29 21:17:35 nichtscheissen sshd[18658]: Accepted password for jon from 192.168.1.104 port 42032 ssh2
> > > > >> ./auth.log.0:Jul 31 08:34:03 nichtscheissen sshd[26223]: Accepted password for jon from 216.155.176.39 port 21045 ssh2
> > > > >> ./auth.log.0:Jul 31 08:34:09 nichtscheissen sshd[26227]: Accepted password for jon from 216.155.176.39 port 21283 ssh2
> > > > >> ./auth.log.0:Jul 31 08:38:42 nichtscheissen sshd[26243]: Accepted password for jon from 216.155.176.39 port 20307 ssh2
> > > > >> ./auth.log.0:Jul 31 08:39:21 nichtscheissen sshd[26257]: Accepted password for jon from 216.155.176.39 port 20229 ssh2
> > > > >> ./auth.log.0:Jul 31 08:39:44 nichtscheissen sshd[26262]: Accepted password for jon from 216.155.176.39 port 17171 ssh2
> > > > >> ./auth.log.0:Jul 31 18:13:22 nichtscheissen sshd[6258]: Accepted password for postgres from port 63075 ssh2
> > > > >> ./auth.log.0:Aug 1 03:20:35 nichtscheissen sshd[11115]: Accepted password for postgres from 62.162.164.116 port 1283 ssh2
> > > > >> ./auth.log.0:Aug 1 03:31:04 nichtscheissen sshd[11368]: Accepted password for postgres from 62.162.164.116 port 1685 ssh2
> > > > >> ./auth.log.0:Aug 1 11:04:02 nichtscheissen sshd[18404]: Accepted password for postgres from 62.162.164.116 port 3262 ssh2
> > > > >> ./auth.log.0:Aug 1 13:41:06 nichtscheissen sshd[20845]: Accepted password for postgres from 92.55.82.121 port 64237 ssh2
> > > > >>
> > > > >> The logins for me from the 216 address are kosher. That's me from work.
> > > > >>
> > > > >> It's the logins for postgres that concern me.
> > > > >>
> > > > >> What I've done so far is changed the postgres user's shell
> > > > >> to /usr/sbin/nologin.
> > > > >>
> > > > >> Any ideas what's going on here? How concerned should I be about these
> > > > >> successful logins?
> > > > >>
> > > > >
> > > > > _______________________________________________
> > > > > Fwlug mailing list
> > > > > [email protected]
> > > > > http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org
> > >
> > > --
> > > -----
> > > Jonathan Bartels
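The thread's triage boils down to the `grep 'Accepted password for'` one-liner above plus a manual read of who logged in from where. As an added example that is not part of the thread, the script below parses those same sshd lines, flags any accepted login for a service account and any login from outside an allowlist, and tolerates the quoted entry that carries no source address at all. The trusted networks and the service-account set are assumptions for illustration; the sample lines are taken from the thread with one constructed "Failed" line added so the parser is seen skipping it.

```python
import ipaddress
import re

# Matches the sshd "Accepted ..." lines quoted above; the source address is optional
# because one quoted entry reads "... postgres from port 63075 ssh2".
ACCEPTED_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
                         r"from (?:(?P<src>\S+) )?port (?P<port>\d+)")

# Assumed policy: only the work address and the home LAN are expected origins,
# and service accounts should never log in over SSH at all.
TRUSTED_NETS = [ipaddress.ip_network("216.155.176.39/32"), ipaddress.ip_network("192.168.1.0/24")]
SERVICE_ACCOUNTS = {"postgres", "mysql", "www-data"}

# Constructed sample: entries taken from the thread plus one "Failed" line the parser must skip.
SAMPLE_LOG = """\
./auth.log.0:Jul 28 12:03:39 nichtscheissen sshd[24906]: Accepted password for jon from 216.155.176.39 port 5873 ssh2
./auth.log.0:Jul 28 21:41:34 nichtscheissen sshd[1839]: Accepted password for jon from 192.168.1.104 port 40752 ssh2
./auth.log.0:Jul 31 18:13:22 nichtscheissen sshd[6258]: Accepted password for postgres from port 63075 ssh2
./auth.log.0:Aug 1 03:20:35 nichtscheissen sshd[11115]: Accepted password for postgres from 62.162.164.116 port 1283 ssh2
./auth.log.0:Aug 1 13:41:06 nichtscheissen sshd[20845]: Accepted password for postgres from 92.55.82.121 port 64237 ssh2
./auth.log.0:Aug 1 13:50:00 nichtscheissen sshd[20900]: Failed password for root from 92.55.82.121 port 64300 ssh2
""".splitlines()

def parse_accepted(line):
    """Return a dict for an sshd 'Accepted' line, or None for any other line."""
    m = ACCEPTED_RE.search(line)
    if m is None:
        return None
    return m.groupdict()           # rec["src"] is None when the line has no address

def is_trusted(src):
    """True only for a parseable address inside an expected network."""
    if src is None:                # missing source: treat as untrusted, not as benign
        return False
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def audit(lines):
    """Return (reason, record) pairs for every accepted login that breaks the policy."""
    findings = []
    for rec in filter(None, map(parse_accepted, lines)):
        if rec["user"] in SERVICE_ACCOUNTS:
            findings.append(("service account logged in over SSH", rec))
        elif not is_trusted(rec["src"]):
            findings.append(("login from untrusted source", rec))
    return findings
```

Run `audit(open("/var/log/auth.log").read().splitlines())` against the real file; on the sample it reports the three postgres logins and nothing for jon.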
