Help - I'm getting hacked

Help - I'm getting hacked

Post by Keit » Tue, 17 Jul 2001 00:35:24



I'm a Linux newbie, patience is appreciated.

I received 2 e-mails yesterday from people telling me to stop hacking
them, so I did some poking around. I've got a RedHat 6.1 box as a firewall
between my home network and my cable modem. It does DNS (BIND 8.2.1), www,
pop3, imap, and was running telnet and ftp. I noticed a lot of activity on my
cable modem and ps revealed these processes:
TTY     COMMAND
p0      -sh
p0      sh ./r00t 163 25
p0      ./scan 163 53 25
p0      bash ./try 163.25.114.10
p0      ./bind 163.25.114.10 -e

There's nothing of consequence in the messages file. The only thing in the
secure file is:
in.fingerd[16167]: refused connect from 24.8.15.218
in.fingerd[16167]: refused connect from 24.8.123.216
in.fingerd[16167]: refused connect from 217.9.228.25
in.fingerd[16167]: refused connect from 217.11.163.147

I disabled telnet in inetd.conf, sent a SIGHUP, verified that I could no longer
telnet in, killed every ttyp0 process, and a few minutes later they were back.
The last line above was replaced with:

What's going on?

Keith


Help - I'm getting hacked

Post by Hal Burgi » Tue, 17 Jul 2001 01:07:47



>I'm a Linux newbie, patience is appreciated.

>I received 2 e-mails yesterday from people telling me to stop hacking
>them, so I did some poking around. I've got a RedHat 6.1 box as a firewall
>between my home network and my cable modem. It does DNS (BIND 8.2.1), www,
>pop3, imap, and was running telnet and ftp. I noticed a lot of activity on my
>cable modem and ps revealed these processes:
>TTY     COMMAND
>p0      -sh
>p0      sh ./r00t 163 25
>p0      ./scan 163 53 25
>p0      bash ./try 163.25.114.10
>p0      ./bind 163.25.114.10 -e

>There's nothing of consequence in the messages file. The only thing in the
>secure file is:
>in.fingerd[16167]: refused connect from 24.8.15.218
>in.fingerd[16167]: refused connect from 24.8.123.216
>in.fingerd[16167]: refused connect from 217.9.228.25
>in.fingerd[16167]: refused connect from 217.11.163.147

>I disabled telnet in inetd.conf, sent a SIGHUP, verified that I could no longer
>telnet in, killed every ttyp0 process, and a few minutes later they were back.
>The last line above was replaced with:

>What's going on?

You are being used to scan for, and break into, other people's systems. In
short, you are "owned" as they say, probably because you are running
older versions with known holes. The standard recommendation is to:

backup critical data
pull plug
reformat
reinstall
apply security updates
restore backups

Are you running BIND in caching mode, or do you really need it to host
your own DNS? That one is a real bullseye.

--
Hal B

Help - I'm getting hacked

Post by JESUSInYo » Tue, 17 Jul 2001 02:52:05


Greetings!

Specifically, it appears that a cable-modem cracker is issuing commands via
script or from your cracked box manually in order to determine
vulnerabilities at a school in Taiwan:

Assuming that the 'finger' attempts are related to the break-in on your sys,
here is a short list:

Attack points:
   CableBG cable box in Asia Pacific
   Some box in Europe
   Your cracked box

Targets:
   2 boxes from the Ministry of Education Computer Center in Taiwan


> I'm a Linux newbie, patience is appreciated.

> I received 2 e-mails yesterday from people telling me to stop hacking
> them, so I did some poking around. I've got a RedHat 6.1 box as a firewall
> between my home network and my cable modem. It does DNS (BIND 8.2.1), www,
> pop3, imap, and was running telnet and ftp. I noticed a lot of activity on my
> cable modem and ps revealed these processes:
> TTY     COMMAND
> p0      -sh
> p0      sh ./r00t 163 25
> p0      ./scan 163 53 25
> p0      bash ./try 163.25.114.10
> p0      ./bind 163.25.114.10 -e

> There's nothing of consequence in the messages file. The only thing in the
> secure file is:
> in.fingerd[16167]: refused connect from 24.8.15.218
> in.fingerd[16167]: refused connect from 24.8.123.216
> in.fingerd[16167]: refused connect from 217.9.228.25
> in.fingerd[16167]: refused connect from 217.11.163.147

> I disabled telnet in inetd.conf, sent a SIGHUP, verified that I could no longer
> telnet in, killed every ttyp0 process, and a few minutes later they were back.
> The last line above was replaced with:

> What's going on?

> Keith


Help - I'm getting hacked

Post by Rudolf Polz » Tue, 17 Jul 2001 01:42:26



>  TTY     COMMAND
>  p0      -sh
>  p0      sh ./r00t 163 25

              ^^^^^^

>  p0      ./scan 163 53 25
>  p0      bash ./try 163.25.114.10
>  p0      ./bind 163.25.114.10 -e

You are being 'rooted'; that means your computer was taken over.
Could I have a look at that file called r00t which must be somewhere
on your HDD (to tell you which program not to use any more and/or update
- such 'r00t' scripts often contain a clue about how the attacker came
in)? I do not think you could post it (such 'rootkits' are not too easy
to get and you should not make it easier for script kiddies to get them);
if the file contains comments at the top (starting with #), they often
suffice for identifying the hole.

Do you use a kernel <= 2.2.18, have an open telnet account, and/or an
insecure CGI script (one that allows executing arbitrary Perl code)? You can
detect such scripts in lines like

open FH, "| /usr/sbin/sendmail $address";

or

`cat Somefile | mail $address`

(variable interpolation in an open, system or backtick command). They
are widely used to get into a system.

Otherwise take a look at http://www.insecure.org and similar sites and
look at the described holes there.

--
2.4.5 in init/main.c(634):
  Tell the world that we're going to be the grim reaper of innocent
  orphaned children.
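
The two shapes Rudolf describes can be swept for mechanically. The script below is an added example, not Rudolf's or anyone else's code from this thread: it greps Perl CGI files for a variable interpolated into the command string of open(), system() or backticks, which is exactly the form of the two lines above. The sample CGI script it writes to a temp file is constructed for the demonstration, and the function names (audit_perl_cgi, write_sample, count_hits) and the cgi-bin path in the comment are assumptions.

```shell
#!/bin/sh
# Added example: find Perl CGI lines where a variable is interpolated into a
# command string (pipe-open, system, or backticks). Any such line hands
# user-controlled text to /bin/sh, which is what Rudolf warns about.
# Real use: audit_perl_cgi /home/httpd/cgi-bin/*.pl  (path is an assumption)

# Print "file:line:text" (or "line:text" for a single file) for each hit.
audit_perl_cgi() {
    grep -nE \
        -e 'open[[:space:]]*\(?[[:space:]]*[A-Za-z_]+[[:space:]]*,[[:space:]]*"[^"]*\$' \
        -e 'system[[:space:]]*\(?[[:space:]]*"[^"]*\$' \
        -e '`[^`]*\$[^`]*`' \
        "$@"
}

# Constructed sample (not real code from the thread): two unsafe lines that
# the audit must flag, two safe forms that it must leave alone.
write_sample() {
    cat > "$1" <<'EOF'
#!/usr/bin/perl
my $address = $cgi->param('email');
open FH, "| /usr/sbin/sendmail $address";      # unsafe: the shell parses $address
`cat Somefile | mail $address`;                 # unsafe: backticks with interpolation
system("/usr/sbin/sendmail", "-t", $address);  # safe: list form, no shell involved
open(LOG, ">>/var/log/cgi.log");                # safe: nothing interpolated
EOF
}

# Number of flagged lines in one file.
count_hits() {
    audit_perl_cgi "$1" | wc -l | tr -d ' '
}

# Stand-alone: audit the files named on the command line, or the sample if none.
if [ $# -gt 0 ]; then
    audit_perl_cgi "$@"
else
    sample=$(mktemp)
    write_sample "$sample"
    audit_perl_cgi "$sample"
    rm -f "$sample"
fi
```

The safe forms are the point: a list passed to system() or exec() never goes through /bin/sh, so shell metacharacters in $address are inert. Validating $address against a strict pattern before use is still needed, because sendmail itself interprets arguments that begin with a dash.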


Help - I'm getting hacked

Post by Ian Jone » Tue, 17 Jul 2001 03:40:47


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

comments inline below...


> I received 2 e-mails yesterday from people telling me to stop hacking
> them, so I did some poking around. I've got a RedHat 6.1 box as a
> firewall  between my home network and my cable modem. It does DNS (BIND
> 8.2.1), www,  pop3, imap, and was running telnet and ftp.

It would be much closer to the truth to say that you were running a
"server" and not firewalling anything given the list of services above that
were wide open.

> cable modem and ps revealed these processes:
> TTY     COMMAND
> p0      -sh
> p0      sh ./r00t 163 25
> p0      ./scan 163 53 25
> p0      bash ./try 163.25.114.10
> p0      ./bind 163.25.114.10 -e

sheesh, I shudder to think of what your ps wasn't showing you. It looks
bad, my friend. You need to unplug pronto! There is a little bit of reading
you should start doing. The frequently posted FAQ for this group would be a
great start.

> I disabled telnet in inetd.conf, sent a SIGHUP, verified that I could no
> longer  telnet in, killed every ttyp0 process, and a few minutes later
> they were back.  The last line above was replaced with:


Surprise! You are now a cracker...running all over the net breaking into
people's machines and giving them grief.

You need to pull the plug. Wipe the disks (FORMAT!) and reinstall. Get your
vendor's latest updates and apply them before connecting. Learn how to turn
stuff off...especially things like bind, ftp, and just about everything
else you were offering to the net. Figure out how to implement a packet
filter using ipchains/iptables. Keep up with your vendor's updated
packages. Finally: plug back in and enjoy your fresh, new linux
installation.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Making the world safe for geeks.

iQA/AwUBO1HjrMAVSpfzXItKEQKpKwCgyf9k+HivjBbZwnMNMQqWMySyp7gAoLhZ
gf5VJ33ImBJrPrzP155ZBFnI
=Xp7I
-----END PGP SIGNATURE-----
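
Ian's last paragraph lists the packet filter as a step without showing one. The script below is an added example, not Ian's or Keith's configuration: it prints a default-deny iptables ruleset for a box like Keith's, a single host doing NAT for a private LAN and offering only DNS, SMTP and HTTP to the outside, with ssh reachable from the LAN alone. The interface names eth0/eth1, the 192.168.1.0/24 prefix, the service list and the function names are assumptions; the functions only print the commands so the result can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: a default-deny iptables ruleset for a single box that does
# NAT for a private LAN and offers only DNS, SMTP and HTTP to the outside.
# Nothing here is applied directly: the functions print the commands so they
# can be reviewed first ("sh rules.sh | sh" as root applies them).
# Interface names, the LAN prefix and the service list are assumptions.
# Red Hat 6.1's 2.2 kernel ships ipchains, whose syntax differs; this is
# iptables for 2.4 kernels.

EXT_IF="${EXT_IF:-eth0}"             # cable-modem side (assumed name)
INT_IF="${INT_IF:-eth1}"             # home-LAN side (assumed name)
LAN_NET="${LAN_NET:-192.168.1.0/24}" # private LAN behind the NAT (assumed)

# Baseline: flush, DROP by default, allow loopback and replies to
# connections we or the LAN started, masquerade the LAN.
gen_base() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
EOF
}

# One ACCEPT for a service exposed on the outside interface.
# Usage: gen_service <tcp|udp> <port>
gen_service() {
    echo "iptables -A INPUT -i $EXT_IF -p $1 --dport $2 -m state --state NEW -j ACCEPT"
}

# Admin access (ssh) from the LAN only; it is never opened on the cable side.
gen_lan_admin() {
    echo "iptables -A INPUT -i $INT_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT"
}

# Rate-limited log of what the DROP policy is about to discard, so the next
# scan leaves a trace in syslog instead of nothing.
gen_logging() {
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'INPUT DROP: '"
}

# The whole ruleset. telnet, ftp, pop3, imap and finger are simply not
# listed, so the policy keeps them closed whether or not inetd still offers them.
gen_ruleset() {
    gen_base
    gen_service udp 53   # DNS queries (the box is the primary for its domain)
    gen_service tcp 53   # zone transfers and truncated-response retries
    gen_service tcp 25   # inbound mail
    gen_service tcp 80   # web
    gen_lan_admin
    gen_logging
}

# Number of rules that open a port on the outside interface; a quick sanity
# check that the exposed surface is what you meant.
count_exposed() {
    gen_ruleset | grep -c -- "-i $EXT_IF -p"
}

# Stand-alone: print the ruleset for review.
gen_ruleset
```

The filter only decides who can reach a port; TCP 53 still needs allow-transfer in named.conf restricted to the secondary's address, and the LOG rule is deliberately last so anything that reaches it is about to be dropped by the policy.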


Help - I'm getting hacked

Post by Rudolf Polz » Tue, 17 Jul 2001 04:30:18



>  -----BEGIN PGP SIGNED MESSAGE-----
>  Hash: SHA1

>  comments inline below...


> > I received 2 e-mails yesterday from people telling me to stop hacking
> > them, so I did some poking around. I've got a RedHat 6.1 box as a
> > firewall  between my home network and my cable modem. It does DNS (BIND
> > 8.2.1), www,  pop3, imap, and was running telnet and ftp.

>  It would be much closer to the truth to say that you were running a
>  "server" and not firewalling anything given the list of services above that
>  were wide open.

Such computers normally do not even need to be cracked - they are rooted
like this:

1. ssh <ip> -l root
2. try out some simple passwords:
     1234, aaa, 4711, 0815, abc, root and the empty line
3. enjoy

> > cable modem and ps revealed these processes:
> > TTY     COMMAND
> > p0      -sh
> > p0      sh ./r00t 163 25
> > p0      ./scan 163 53 25
> > p0      bash ./try 163.25.114.10
> > p0      ./bind 163.25.114.10 -e

>  sheesh, I shudder to think of what your ps wasn't showing you. It looks

You mean what he gets when doing this:

for x in `ls /proc | grep '^[0-9][0-9]*$'`; do printf '%s: ' "$x"; tr '\0' ' ' < /proc/$x/cmdline; echo; done   # cmdline args are NUL-separated

>  bad, my friend. You need to unplug pronto! There is a little bit of reading
>  you should start doing. The frequently posted FAQ for this group would be a
>  great start.

> > I disabled telnet in inetd.conf, sent a SIGHUP, verified that I could no
> > longer  telnet in, killed every ttyp0 process, and a few minutes later
> > they were back.  The last line above was replaced with:

>  Surprise! You are now a cracker...running all over the net breaking into
>  people's machines and giving them grief.

>  You need to pull the plug. Wipe the disks (FORMAT!) and reinstall. Get your
>  vendor's latest updates and apply them before connecting. Learn how to turn
>  stuff off...especially things like bind, ftp, and just about everything
>  else you were offering to the net. Figure out how to implement a packet
>  filter using ipchains/iptables. Keep up with your vendor's updated
>  packages. Finally: plug back in and enjoy your fresh, new linux
>  installation.

ACK.

--
#!/usr/bin/perl -- Forget the express prospect!#Which was the original text?
use LWP'Simple;use URI'Escape;print"e> ";<STDIN>=~/(.*)/;for(en_de=>'de_en')
{get("http://babelfish.altavista.com/tr?doit=done&tt=urltext&lp=$_&urltext="
.uri_escape$1)=~/(?:d bgcolor=white|q")>(.*?)</s;print"$1 - (c)babelfish\n"}
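
Rudolf's one-liner reads the kernel's own view of the process table; what Ian is hinting at is that a rootkit replaces ps so that view and ps's output no longer agree. The script below is an added example, not Rudolf's or Ian's code, that makes the comparison explicit: it lists PIDs present in /proc but absent from ps, and prints their command lines straight from /proc. The PID lists used by demo() are constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example: compare the kernel's process list (/proc) with what ps
# reports. A PID the kernel knows about but ps does not show has been hidden
# from you, which is what a trojaned ps from a rootkit does.

# PIDs the kernel exposes, one per line.
proc_pids() {
    ls /proc | grep -E '^[0-9]+$' | sort -n
}

# hidden_pids <kernel-view file> <ps-view file>: print PIDs present only in
# the kernel view. grep exits 1 when nothing is printed; that is not an error.
hidden_pids() {
    grep -vxF -f "$2" "$1" || [ $? -eq 1 ]
}

# Live check on this machine; each hidden PID is printed with its command
# line read straight from /proc (arguments there are NUL-separated).
check_live() {
    k=$(mktemp); p=$(mktemp)
    proc_pids > "$k"
    ps -e -o pid= | tr -d ' ' | sort -n > "$p"
    hidden_pids "$k" "$p" | while read -r pid; do
        printf '%s: ' "$pid"
        tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null
        echo
    done
    rm -f "$k" "$p"
}

# Constructed data (not from the thread): the kernel sees six PIDs, the
# (trojaned) ps shows only four. Expected output: 163 and 2042.
demo() {
    k=$(mktemp); p=$(mktemp)
    printf '1\n2\n157\n163\n2041\n2042\n' > "$k"
    printf '1\n2\n157\n2041\n' > "$p"
    hidden_pids "$k" "$p"
    rm -f "$k" "$p"
}

# Stand-alone: "sh hidden.sh live" checks this host, anything else runs the demo.
case "${1:-demo}" in
    live) check_live ;;
    *)    demo ;;
esac
```

Two caveats. The two snapshots are not atomic, so a process that exits between them shows up once as "hidden"; run the check twice and care about entries that persist. And a kernel-module rootkit lies in /proc as well, so this only catches a replaced ps binary; the only trustworthy inspection is from a clean boot medium, as lynx and Luke say below.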


Help - I'm getting hacked

Post by lynx » Tue, 17 Jul 2001 08:01:20




> I received 2 e-mails yesterday from people telling me to stop hacking
> them, so I did some poking around. I've got a RedHat 6.1 box

*way* out of date. update to a recent version.

> as a firewall between my home network and my cable modem. It does DNS
> (BIND 8.2.1),

*way* out of date. update to a recent version.
do you own the cricket book (O'Reilly's _DNS and BIND_)? you should - if
you need DNS enough to run BIND, you can afford to get the book and read
it; if you can't afford the time and money for that, then you don't need
BIND enough to run it.

> www, pop3, imap,

why both pop3 *and* imap? get one or the other, and run it over SSL (or
run APOP only if SSL isn't an option); what possible reason for running
both?

> and was running telnet

no. don't. please tell me that was just a joke. there is *no* acceptable
reason for running telnet any longer. run ssh; run it with ssh2 as the
only enabled protocol.

> and ftp.

why exactly were you running www (apache) *and* ftp? are you *sure* you
couldn't have distributed whatever files you needed to distribute with
just one or the other? had you looked into that before you installed them
both? was ftpd running in a chroot jail?

> I noticed a lot
> of activity on my cable modem and ps revealed these processes:
> TTY     COMMAND
> p0      -sh
> p0      sh ./r00t 163 25
> p0      ./scan 163 53 25
> p0      bash ./try 163.25.114.10
> p0      ./bind 163.25.114.10 -e

unplug the box from the network. NOW. back up user data, reformat the
harddisk, install a newer version of linux, lock down the services,
disable everything unneeded, try to get any update packages off the 'net
using another box and update, configure whatever is running for minimal
privileges and minimal access, restore user data, look over your new
firewall configuration _really_ _closely_, and only *then* consider
bringing it back online. please do not try to do this any other way.

> There's nothing of consequence in the messages file.

there wouldn't be. it would have been deleted. you have been rooted; do
as i outlined above.

> I disabled telnet in inetd.conf, sent a SIGHUP, verified that I could no
> longer telnet in, killed every ttyp0 process, and a few minutes later
> they were back.

yes, they would be. you have been rooted; do as i outlined above.

--
   PGP/GnuPG key (ID 1024D/BFE0D6D0) available from keyservers everywhere
    Key fingerprint = 3EBC 97FC 68AA 65F1 65E6  3D36 35F6 4213 BFE0 D6D0
                             "...life goes on
                  long after the thrill of living is gone..."


Help - I'm getting hacked

Post by Antonomas » Tue, 17 Jul 2001 08:08:03


>harddisk, install a newer version of linux, lock down the services,
>disable everything unneeded, try to get any update packages off the 'net
>using another box and update, configure whatever is running for minimal
>privileges and minimal access, restore user data, look over your new
>firewall configuration _really_ _closely_, and only *then* consider
>bringing it back online. please do not try to do this any other way.

Good advice, but I'd also suggest looking at Immunix (http://www.immunix.org).

Help - I'm getting hacked

Post by Keit » Tue, 17 Jul 2001 08:22:28


Thanks to all for the help. Here's the additional info you asked for.

The box is the primary DNS server for my domain. The kernel is 2.2.12.

From the r00t file:
"Bind Mass Scanner/Rooter"
"Project started by em1nem and EponaRhi"
"*Exploitable versions: 8.2, 8.2.1, 8.2.2"
"                       8.2.2-REL, 8.2.2-P3"
"                       8.2.2-P5, 8.2.2-P7 and 4.9.6-REL"

Looks like formatting and upgrading will make me immune to this particular hack.

You're right Ian, the box was most definitely a server. It was also a firewall
in that it provided dynamic NAT for my privately IP'd internal network.

I understood that I was leaving myself open to attacks like this when I
configured the box. The services it was running were all things I was either
using or learning. Now I get to learn how to configure these services securely.

Thanks again, all.

Keith


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1

> comments inline below...


> > I received 2 e-mails yesterday from people telling me to stop hacking
> > them, so I did some poking around. I've got a RedHat 6.1 box as a
> > firewall  between my home network and my cable modem. It does DNS (BIND
> > 8.2.1), www,  pop3, imap, and was running telnet and ftp.

> It would be much closer to the truth to say that you were running a
> "server" and not firewalling anything given the list of services above that
> were wide open.

> > cable modem and ps revealed these processes:
> > TTY     COMMAND
> > p0      -sh
> > p0      sh ./r00t 163 25
> > p0      ./scan 163 53 25
> > p0      bash ./try 163.25.114.10
> > p0      ./bind 163.25.114.10 -e

> sheesh, I shudder to think of what your ps wasn't showing you. It looks
> bad, my friend. You need to unplug pronto! There is a little bit of reading
> you should start doing. The frequently posted FAQ for this group would be a
> great start.

> > I disabled telnet in inetd.conf, sent a SIGHUP, verified that I could no
> > longer  telnet in, killed every ttyp0 process, and a few minutes later
> > they were back.  The last line above was replaced with:

> Surprise! You are now a cracker...running all over the net breaking into
> people's machines and giving them grief.

> You need to pull the plug. Wipe the disks (FORMAT!) and reinstall. Get your
> vendor's latest updates and apply them before connecting. Learn how to turn
> stuff off...especially things like bind, ftp, and just about everything
> else you were offering to the net. Figure out how to implement a packet
> filter using ipchains/iptables. Keep up with your vendor's updated
> packages. Finally: plug back in and enjoy your fresh, new linux
> installation.

> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
> Comment: Making the world safe for geeks.

> iQA/AwUBO1HjrMAVSpfzXItKEQKpKwCgyf9k+HivjBbZwnMNMQqWMySyp7gAoLhZ
> gf5VJ33ImBJrPrzP155ZBFnI
> =Xp7I
> -----END PGP SIGNATURE-----


Help - I'm getting hacked

Post by Ian Jone » Tue, 17 Jul 2001 09:17:38


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> The box is the primary DNS server for my domain. The kernel is 2.2.12.

> Looks like formatting and upgrading will make me immune to this
> particular hack.

> You're right Ian, the box was most definitely a server. It was also a
> firewall  in that it provided dynamic NAT for my privately IP'd internal
> network.

Keith, you should look into getting another box to act as a true firewall.
An actual firewall (not accepting *anything* for itself) is a must for
anyone running essential services. You can probably find enough hardware
for free or close to it.

If you are going to run a DNS server, it needs to live by itself...chroot
it, run it as a non-priv user, run something besides Bind, run it in a User
Mode process. Put it in a DMZ by itself. Filter TCP access wherever you
can. Filter UDP to catch common exploits. Run something other than Bind. I
guess that one bears repeating :)

After you get up and running again, do not think that you can set and
forget. You should check with your OS vendor to see about subscription
updates. Also you should figure out some way of performing regular
automated system audits on the machine(s) that offer external services.

Every now and then dip in there and sniff some traffic and see what your
boxes are up to (and subjected to).

Good luck getting right again, Keith.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Making the world safe for geeks.

iQA/AwUBO1IyjMAVSpfzXItKEQLc/wCdExmWhH+rE1ERJlNJhSD0XJKeL54AnRoS
YgMGiBkBmoLlqa2NKfHH7uz9
=Qxbt
-----END PGP SIGNATURE-----


Help - I'm getting hacked

Post by Keit » Tue, 17 Jul 2001 09:58:04



> Such computers normally do not even need to be cracked - they are rooted
> like this:

> 1. ssh <ip> -l root
> 2. try out some simple passwords:
>      1234, aaa, 4711, 0815, abc, root and the empty line
> 3. enjoy

They didn't use my root password. Although I didn't mix cases I did use a >5
character assortment of letters and numbers. Not un-guessable by any means but
duly diligent, I think.

Keith


Help - I'm getting hacked

Post by Luke Voge » Tue, 17 Jul 2001 13:43:10




> > Such computers normally do not even need to be cracked - they are rooted
> > like this:

> > 1. ssh <ip> -l root
> > 2. try out some simple passwords:
> >      1234, aaa, 4711, 0815, abc, root and the empty line
> > 3. enjoy

> They didn't use my root password. Although I didn't mix cases I did use a >5
> character assortment of letters and numbers. Not un-guessable by any means but
> duly diligent, I think.

> Keith

It doesn't matter whether they used your root password or not ...

Whether they use it or not, they have a copy of your /etc/passwd and
/etc/shadow files ... Once they rooted your box, they will have
installed backdoors that allow them to enter your box at will without
needing a password, and without logging their entry.

The bad news is, that you may never know what backdoors, or how many
they have installed, let alone whether or not they have trojaned any of
your other system binaries.

As Ian has advised, you need to back up any vital data, format the disk
and start from scratch, including updating daemons, firewalling and
hardening your box.

If you are up to it, keep the disk as is and slip a new one in so that
you can do some forensics on the hacked disk later, but it is important
to get it off line asap. :(
--
Regards
Luke
------
Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
------
PLEASE NOTE: Spamgard (tm) installed.

------
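
Luke's suggestion of keeping the disk for forensics is only worth much if the disk is imaged and hashed before anything else touches it. The script below is an added example, not Luke's or Keith's procedure: image_disk copies a raw device block for block with dd and records a SHA-1 of the source next to the image, and search_image greps the raw image for a string without mounting it, so deleted files whose blocks have not been reused still turn up. The sample "disk" it builds is a constructed 32 KiB file containing the banner Keith quoted from his r00t file; the /dev/hda path in the comments and the function names are assumptions.

```shell
#!/bin/sh
# Added example: preserve a compromised disk before rebuilding. Run it from a
# clean boot medium; the rooted system's own dd, sha1sum and grep may be trojaned.
# Device names below (/dev/hda) are assumptions.

# image_disk <source device or file> <image path>
# Copies the source block for block (bs=512 keeps whole-disk sizes exact;
# conv=noerror,sync zero-fills unreadable sectors instead of aborting),
# stores the source's SHA-1 beside the image, and returns 0 only when the
# image hashes identically to the source. A mismatch means a read error was
# zero-filled, which is worth recording rather than hiding.
image_disk() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 2
    src_sum=$(sha1sum "$src" | cut -d' ' -f1)
    img_sum=$(sha1sum "$img" | cut -d' ' -f1)
    echo "$src_sum  $img" > "$img.sha1"
    [ "$src_sum" = "$img_sum" ]
}

# search_image <image> <string>: count raw occurrences of a string in the
# image without mounting it. Because it reads every block, allocated or not,
# it also finds deleted copies whose blocks have not been reused.
search_image() {
    grep -a -o -F -- "$2" "$1" | wc -l | tr -d ' '
}

# make_sample_disk <path>: constructed 32 KiB "disk" (64 sectors) holding one
# copy of the banner from Keith's r00t file, for trying the functions out.
make_sample_disk() {
    {
        head -c 32000 /dev/zero
        printf 'Bind Mass Scanner/Rooter\n'
        head -c 743 /dev/zero
    } > "$1"
}

# Stand-alone: sh image.sh /dev/hda /mnt/evidence/hda.img
if [ $# -eq 2 ]; then
    image_disk "$1" "$2" && echo "image verified: $2"
fi
```

Work on the image from then on and leave the original disk on a shelf; anything you mount, mount read-only (mount -o ro,noexec,loop on the image), so the evidence never changes after the hash was taken.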


Help - I'm getting hacked

Post by Jessica Luedtk » Tue, 17 Jul 2001 02:01:27


: You are being used to scan for, and break into, other people's systems. In
: short, you are "owned" as they say, probably because you are running
: older versions with known holes. The standard recommendation is to:

: backup critical data
: pull plug
: reformat
: reinstall
: apply security updates
: restore backups

You're either forgetting a step in there, or getting them out of order
(pull plug is kind of ambiguous). The first step, especially since this
machine is known to be attacking other machines, is to get it offline.
Pulling the ethernet/modem cable will do the trick. Once that is done, you
can do backups (you may want to be more specific about what should be
backed up and what needs to be watched out for, so the system isn't
recompromised by the backups) without being a threat to the rest of the
world.

jessica


Help - I'm getting hacked

Post by Keit » Tue, 17 Jul 2001 23:36:25


Comments inline...




> > > Such computers normally do not even need to be cracked - they are rooted
> > > like this:

> > > 1. ssh <ip> -l root
> > > 2. try out some simple passwords:
> > >      1234, aaa, 4711, 0815, abc, root and the empty line
> > > 3. enjoy

> > They didn't use my root password. Although I didn't mix cases I did use a >5
> > character assortment of letters and numbers. Not un-guessable by any means but
> > duly diligent, I think.

> > Keith

> It doesn't matter whether they used your root password or not ...

> Whether they use it or not, they have a copy of your /etc/passwd and
> /etc/shadow files ... Once they rooted your box, they will have
> installed backdoors that allow them to enter your box at will without
> needing a password, and without logging their entry.

I understand that the box is hopelessly compromised. Rudolf's point
was that access could have been gained by simply guessing commonly
used root passwords. I was just saying that I didn't use one that could
be categorized as such, and that guessing it was not how the hacker
gained access.

> The bad news is, that you may never know what backdoors, or how many
> they have installed, let alone whether or not they have trojaned any of
> your other system binaries.

> As Ian has advised, you need to back up any vital data, format the disk
> and start from scratch, including updating daemons, firewalling and
> hardening your box.

> If you are up to it, keep the disk as is and slip a new one in so that
> you can do some forensics on the hacked disk later, but it is important
> to get it off line asap. :(

I should let everyone know that the box was taken offline as soon
as I discovered the intruder. I had an LRP (Linux Router Project)
router-on-a-floppy handy so the box is back up as a router and DHCP
server until I get a chance to rebuild it. No hard disk, write-protected
floppy. No DNS, no telnet, no ftp, no pop3, no imap, no sendmail, no etc.
And a different root password than before ;)

Thanks again, everyone.

Keith


Help - I'm getting hacked

Post by Keit » Tue, 17 Jul 2001 23:49:30



> Keith, you should look into getting another box to act as a true firewall.
> An actual firewall (not accepting *anything* for itself) is a must for
> anyone running essential services. You can probably find enough hardware
> for free or close to it.
> If you are going to run a DNS server, it needs to live by itself...

So I need a box as a dedicated firewall, another box as a dedicated
DNS server, and another box for mail and web services. That's a lot
of dedication. How do I do all that with the single IP address the
cable company gave me?

Keith
