I am embarrassed to say that my home system has been hacked into just last night, an hour or two before Steve's first message on this subject.
For some reason I su'd to root for a maintenance task, and noted with alarm that the last login by root had been over ssh earlier in the day from an address that ended in "aol.com". I quickly shut down sshd and made sure that the connection was no longer active. I then grepped my auth.log (and the copies that had been log-rotated) for root logins and discovered that there had been two on the same day (i.e. the one I had already spotted and one about 20 minutes before, from a different but equally suspicious address). The funny thing was that there didn't seem to have been a whole lot of attempts, just a simple login, like they knew the password.

I then used netstat -tap and noted that there were several connections being made by the syslogd binary to port 6667 (irc) on various undernet irc servers. I have found instances via google of crackers logging into irc via "owned" machines, but I'm not sure what syslogd's role in this is; perhaps it's just a way of sending my logs to irc for other crackers to view and use as a basis for further criminal activity. I quickly killed all instances of syslogd and restarted the "real" one. I also closed down all network-based services.

I thought I had better start taking a look around and tried to emerge chkrootkit, but this bombed, telling me it failed to untar the source code :( I tried to su to root in another xterm and was given a seg fault. I ssh'd into my work machine and pulled chkrootkit off it (already compiled) and managed to make it work on the home machine. Strangely, tar worked when installing the binary version via emerge. chkrootkit reported nothing untoward. I am not 100% sure how chkrootkit works, and whether it can be run for the "first" time on an already compromised network. I am now worried that it is extremely likely that something has been compromised (besides my root password, which I will change). The machine is "taking stress leave and won't be in the internet today".
But this weekend I have the choice of doing further tests, or doing a complete re-install (/home is on a separate partition). What do people recommend? I guess the real concern is how they managed to log in in the first place. Yes, I should not have had the (default) option of allowing root login via ssh. I do, however, keep my system up to date and perhaps naively assumed that I didn't have any insecure software versions (as opposed to insecure setups for the software). I am just glad that I happened to notice within a few hours.

On Fri, 16 Sep 2005 06:31:58 +1200 (NZST) Steve Holdoway wrote:
> Yes, I couldn't agree more - the 'default permit' approach is evil and
> stupid. However, when requiring ssh access from sites with dynamic ip
> addresses it's a good first line of defence.
>
> Cheers,
>
> Steve
>

-- 
Nick Rout <[EMAIL PROTECTED]>
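The three checks the post above walks through by hand (grepping auth.log for root logins over ssh, finding which programs hold connections to irc port 6667 in netstat -tap output, and confirming whether sshd_config actually permits root login) can be scripted so they can be re-run on rotated logs and on other boxes. The following POSIX shell script is an added example, not code from the original post or from any of the tools it mentions. Every log line, netstat line, hostname, PID, address and config excerpt in it is constructed sample data; the log layout (syslog prefix plus OpenSSH's "Accepted <method> for <user> from <addr>" message), the netstat column order and the old OpenSSH default of PermitRootLogin yes are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example (not code from the original thread): the three triage checks
# the post describes, runnable offline against constructed sample data.
# Hostnames, PIDs, addresses and config excerpts are made up. On a real box
# feed it /var/log/auth.log*, the output of `netstat -tap`, and
# /etc/ssh/sshd_config instead of the SAMPLE_* variables.

# --- 1. successful root logins over ssh ---------------------------------
# Constructed auth.log excerpt: syslog prefix plus OpenSSH's
# "Accepted <method> for <user> from <addr> port <port> ssh2" (assumption:
# Debian/Gentoo-style syslog layout of that era).
SAMPLE_AUTH_LOG='Sep 15 09:12:01 box sshd[4021]: Accepted password for nick from 192.0.2.10 port 51234 ssh2
Sep 15 14:03:17 box sshd[5180]: Accepted password for root from 198.51.100.23 port 4412 ssh2
Sep 15 14:23:40 box sshd[5233]: Accepted password for root from 203.0.113.77 port 2201 ssh2
Sep 15 14:25:02 box sshd[5240]: Failed password for root from 203.0.113.78 port 2202 ssh2'

# Print "date time source-address" for each successful root ssh login.
# Reads the file named in $1, or stdin when $1 is "-" or omitted. Rotated
# logs: zcat -f /var/log/auth.log* | root_ssh_logins -
root_ssh_logins() {
    awk '/sshd\[[0-9]+\]: Accepted [^ ]+ for root from /{print $1, $2, $3, $11}' "${1:--}"
}

# Same filter, just the number of hits (0 is the only good answer).
count_root_ssh_logins() {
    awk '/sshd\[[0-9]+\]: Accepted [^ ]+ for root from /{n++} END{print n+0}' "${1:--}"
}

# --- 2. which programs hold IRC connections -----------------------------
# Constructed `netstat -tap` output. The post's finding was syslogd holding
# several connections to port 6667; a real syslogd has no reason to do that.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 box:ssh                 192.0.2.10:51234        ESTABLISHED 5180/sshd
tcp        0      0 box:38122               irc.example.net:6667    ESTABLISHED 2312/syslogd
tcp        0      0 box:38125               irc2.example.net:ircd   ESTABLISHED 2313/syslogd
tcp        0      0 box:38130               mail.example.net:smtp   TIME_WAIT   -'

# Print PID/program for every tcp connection whose foreign port is 6667
# (netstat shows it as "ircd" when it resolves service names), deduplicated.
irc_connection_owners() {
    awk '$1 == "tcp" && $5 ~ /:(6667|ircd)$/ {print $7}' "${1:--}" | sort -u
}

# --- 3. is root login over ssh permitted? -------------------------------
# Constructed sshd_config excerpts: the keyword only commented out (the
# shipped default the post mentions) and the corrected version.
SAMPLE_SSHD_CONFIG_WEAK='Port 22
#PermitRootLogin yes
PasswordAuthentication yes'

SAMPLE_SSHD_CONFIG_FIXED='Port 22
PermitRootLogin no
PasswordAuthentication yes'

# Report the effective PermitRootLogin value. sshd uses the first
# uncommented occurrence of a keyword, and OpenSSH releases of that era
# (before 7.0) defaulted to "yes" when the keyword was absent, so a
# commented-out line still means root may log in. Match blocks are ignored
# here (simplification).
effective_permit_root_login() {
    awk 'BEGIN{v="yes"; seen=0}
         /^[ \t]*#/ {next}
         tolower($1) == "permitrootlogin" && !seen {v=$2; seen=1}
         END{print v}' "${1:--}"
}

# Run all three checks against the sample data when executed directly.
main() {
    echo "root ssh logins:"
    printf '%s\n' "$SAMPLE_AUTH_LOG" | root_ssh_logins -
    echo "programs connected to irc:"
    printf '%s\n' "$SAMPLE_NETSTAT" | irc_connection_owners -
    echo "PermitRootLogin (weak config):  $(printf '%s\n' "$SAMPLE_SSHD_CONFIG_WEAK" | effective_permit_root_login -)"
    echo "PermitRootLogin (fixed config): $(printf '%s\n' "$SAMPLE_SSHD_CONFIG_FIXED" | effective_permit_root_login -)"
}
main
```

For each PID that irc_connection_owners reports, `ls -l /proc/PID/exe` shows which file is really running under the syslogd name, and that file should be compared against what the package manager says it installed rather than trusted because of its name. The same caution applies to chkrootkit and the tools it calls (ps, netstat, ls): run on a box where su segfaults and tar fails, their output is only as trustworthy as the binaries themselves, which is the argument for checking from a clean boot medium before deciding between further tests and a reinstall.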
