I am embarrassed to say that my home system has been hacked into just
last night, an hour or two before Steve's first message on this subject.

For some reason I su'd to root for a maintenance task, and noted with
alarm that the last login by root had been over ssh earlier in the day
from an address that ended "aol.com".

I quickly shut down sshd and made sure that the connection was no longer
active.

I then grepped my auth.log (and the copies that had been log-rotated)
for root logins and discovered that there had been two on the same day
(i.e. the one I had already spotted and one about 20 minutes before, from
a different but equally suspicious address). The funny thing was that
there didn't seem to have been a whole lot of attempts, just a simple
login like they knew the password.

I then used netstat -tap and noted that there were several connections being 
made by the syslogd binary to port 6667 (irc) on various undernet
irc servers. I have found instances via google of crackers logging into
irc via "owned" machines, but I'm not sure what syslogd's role in this
is; perhaps it's just a way of sending my logs to irc for other crackers
to view and use as a basis for further criminal activity.

I quickly killed all instances of syslogd and restarted the "real" one.
I also closed down all network based services.

I thought I had better start taking a look around and tried to emerge
chkrootkit, but this bombed telling me it failed to untar the source
code :(

I tried to su to root in another xterm and was given a seg fault.

I ssh'd into my work machine and pulled chkrootkit off it (already
compiled) and managed to make it work on the home machine. Strangely tar
worked when installing the binary version via emerge. chkrootkit
reported nothing untoward. I am not 100% sure how chkrootkit works, and
whether it can be run for the "first" time on an already compromised
network.

I am now worried that it is extremely likely that something has been
compromised (besides my root password, which I will change). The machine
is "taking stress leave and won't be in the internet today". But this
weekend I have the choice of doing further tests, or doing a complete
re-install (/home is on a separate partition). What do people recommend?

I guess the real concern is how they managed to log in in the first
place. Yes, I should not have had the (default) option of allowing root
login via ssh. I do however keep my system up to date and perhaps
naively assumed that I didn't have any insecure software versions (as
opposed to insecure setups for the software).

I am just glad that I happened to notice within a few hours.


On Fri, 16 Sep 2005 06:31:58 +1200 (NZST)
Steve Holdoway wrote:

> Yes, I couldn't agree more - the 'default permit' approach is evil and
> stupid. However, when requiring ssh access from sites with dynamic ip
> addresses it's a good first line of defence.
> 
> Cheers,
> 
> Steve
> 

-- 
Nick Rout <[EMAIL PROTECTED]>
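
The two checks Nick describes above (grepping auth.log for root logins over
ssh, and looking at netstat -tap for syslogd talking to port 6667), written
out as a small script. This is an added example, not code from the original
post or from any tool mentioned in it. The auth.log lines and the netstat
output are constructed sample data in the format OpenSSH and net-tools of
that era produce; the hostnames, addresses and PIDs are made up, and the list
of daemons that "should never hold an outbound socket" is an assumption you
would adjust for your own box.

```python
"""Added example (not part of the original mailing-list post): the two checks
from the post, run over constructed sample data so it works offline.

1. From auth.log lines, list accepted root logins over ssh and, for each,
   how many failed attempts from the same address preceded it. A success
   with no preceding failures is consistent with the attacker already
   knowing the password, which is what the post observed.
2. From `netstat -tap` output, list ESTABLISHED TCP connections whose remote
   port is 6667 (IRC) and flag processes such as syslogd that have no
   business holding an outbound socket at all.
"""
import re
from collections import defaultdict

IRC_PORT = 6667
# netstat prints the /etc/services name ("ircd") unless -n is given, so
# accept both spellings of the port.
IRC_PORT_NAMES = {"6667", "ircd"}
# Daemons that should not be making outbound TCP connections. This list is an
# assumption for the example; extend it for your own system.
NO_NETWORK_EXPECTED = {"syslogd", "syslog-ng", "klogd", "cron", "init"}

# Constructed sample auth.log lines (not from the original post).
SAMPLE_AUTH_LOG = """\
Sep 15 13:41:02 home sshd[4410]: Failed password for root from 192.0.2.10 port 51022 ssh2
Sep 15 13:41:05 home sshd[4410]: Failed password for root from 192.0.2.10 port 51022 ssh2
Sep 15 13:41:09 home sshd[4410]: Accepted password for root from 192.0.2.10 port 51022 ssh2
Sep 15 13:58:30 home sshd[4477]: Accepted password for nick from 198.51.100.7 port 33110 ssh2
Sep 15 14:01:44 home sshd[4503]: Accepted password for root from 203.0.113.44 port 2217 ssh2
Sep 15 17:12:00 home su[4801]: (pam_unix) session opened for user root by nick(uid=1000)
"""

# Constructed sample `netstat -tap` output (not from the original post).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ssh                   *:*                     LISTEN      1823/sshd
tcp        0      0 home:42817              irc.example.net:ircd    ESTABLISHED 2291/syslogd
tcp        0      0 home:42820              irc2.example.org:6667   ESTABLISHED 2291/syslogd
tcp        0      0 home:ssh                work.example.com:50011  ESTABLISHED 4590/sshd
"""

# OpenSSH "Accepted/Failed <method> for <user> from <ip> port <n>" lines.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def root_ssh_logins(log_text):
    """Return [(timestamp, ip, method, failures_before)] for each accepted
    root login, where failures_before counts failed root attempts from the
    same address since the last success from it."""
    failures = defaultdict(int)   # ip -> failed root attempts so far
    hits = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m or m.group("user") != "root":
            continue
        ip = m.group("ip")
        if m.group("result") == "Failed":
            failures[ip] += 1
        else:
            hits.append((m.group("ts"), ip, m.group("method"), failures[ip]))
            failures[ip] = 0          # start counting afresh after a success
    return hits


def irc_connections(netstat_text):
    """Return [(pid, program, remote_host, flagged)] for ESTABLISHED TCP
    connections to the IRC port. pid is None when netstat printed '-'
    (it cannot see other users' sockets unless run as root)."""
    out = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] != "tcp" or fields[5] != "ESTABLISHED":
            continue
        remote_host, _, remote_port = fields[4].rpartition(":")
        if remote_port not in IRC_PORT_NAMES:
            continue
        pid_str, _, program = fields[6].partition("/")
        pid = int(pid_str) if pid_str.isdigit() else None
        out.append((pid, program, remote_host, program in NO_NETWORK_EXPECTED))
    return out


if __name__ == "__main__":
    for ts, ip, method, nfail in root_ssh_logins(SAMPLE_AUTH_LOG):
        print(f"{ts}  root login via {method} from {ip}  "
              f"(failed attempts before it: {nfail})")
    for pid, prog, host, flagged in irc_connections(SAMPLE_NETSTAT):
        mark = "  <-- unexpected for this program" if flagged else ""
        print(f"pid {pid} {prog} -> {host}:{IRC_PORT}{mark}")
```

On a real box you would feed it `cat /var/log/auth.log*` (rotated copies
included, as the post did) and `netstat -tap` run as root, and treat any
accepted root login with zero preceding failures, or any outbound IRC
socket owned by a logging daemon, as a finding rather than a curiosity.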
