From: Sleepy on
Hello group,

I dual boot openSUSE 11.1 and Windows on my work PC and during this
last week my University has blocked my IP twice due to port searching
(this is a translation, I am not sure if this is what it is called). On
both occasions I was running openSUSE. I was wondering how I could find
out what causes this. Apparently someone/something tries to log in to
other computers from my IP. Following are some of the complaints from
the admins with logs.

Before I format (which is the advice I got from the IT department) to
solve the issue, I want to find out the root of the problem. Is it
possible at all?

I really appreciate your help,

Thanks a lot in advance,

Ufuk YILDIRIM


=================================================================
This is one of the complaints
Hi,

We've had probes from host(s) on a network you are marked as a contact
for (*MY IP ADDRESS HERE*) to unadvertised ssh ports on a host of ours:

zaphod: 82.197.80.100 - 82.197.80.96/27 (C4L)
cerryl: 82.197.80.126 - 82.197.80.96/27 (C4L)
allanon: 82.197.80.125 - 82.197.80.96/27 (C4L)
lerris: 84.12.252.174 - 84.12.252.168/29 (AI)

Timestamps are synched with NTP in timezone GMT (UTC +0000).

Logs are held for ~7 days. Let me know if you need more information.

Logs for IP *MY IP ADDRESS*:
---
Jan 17 08:43:42 zaphod sshd[19301]: Illegal user don from *MY IP ADDRESS*
Jan 17 08:43:42 zaphod sshd[19303]: Illegal user don from *MY IP ADDRESS*
Jan 17 08:43:42 zaphod sshd[19304]: Illegal user don from *MY IP ADDRESS*
<snip more lines like these>

Jan 17 08:43:44 zaphod sshd[19303]: error: PAM: Authentication service cannot retrieve authentication info. for illegal user don from *MY IP ADDRESS*
Jan 17 08:43:44 zaphod sshd[19305]: error: PAM: Authentication service cannot retrieve authentication info. for illegal user don from *MY IP ADDRESS*
<More lines like these>

========================================================================
Another complaint has the following:
Hello Abuse-Team,

your server with the IP *MY IP ADDRESS HERE* has attacked one of our
servers on the service "ssh".

========================================================================
Another one has the following info:

Feedback-Type: other
Service: ssh
Version: 0.2
Source-IP: *MY IP ADDRESS*
User-Agent: Fail2BanFeedbackAbuseScript
Received-Date: Jan 17 2010 09:00:25 +0100
Unix-Timestamp: 1263715225

Timezone +0100 CET
Lines containing IP:*MY IP ADDRESS* in /var/log/auth.log

Jan 17 09:00:22 server3 sshd[2081]: Connection from *MY IP ADDRESS* port 56413
Jan 17 09:00:23 server3 sshd[2081]: Invalid user compta from *MY IP ADDRESS*
Jan 17 09:00:23 server3 sshd[2081]: debug1: PAM: setting PAM_RHOST to "*MY IP ADDRESS*2"
Jan 17 09:00:23 server3 sshd[2083]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=*MY IP ADDRESS*
Jan 17 09:00:25 server3 sshd[2081]: error: PAM: User not known to the underlying authentication module for illegal user compta from *MY IP ADDRESS*
Jan 17 09:00:25 server3 sshd[2081]: Failed keyboard-interactive/pam for invalid user compta from *MY IP ADDRESS* port 56413 ssh2

From: Stephen Horne on
On Fri, 22 Jan 2010 14:54:20 -0800 (PST), Sleepy <ufuknews(a)gmail.com>
wrote:

>Apparently someone/something tries to log in to other
>computers from my IP. Following are some of the complaints from the
>admins with logs.

I don't have the expertise to understand the rest of your post, but my
guess would be that someone has been running manual exploits from a
session on your machine.

Once you're on the network, all anyone really needs to do this is your
username and password. They can log into your machine as you, even
while you're already logged in, and you probably won't see anything
worrying unless you're looking for it.

Then they can start trying exploits from that session on your machine,
and your IP gets the blame.

Obviously, a format won't fix this - at least not if you use the same
passwords again. That said, who knows what else your intruder was
doing? If he has your user account password, maybe he also has your
root password? Maybe he has configured your system so he can get easy
access? Reformatting and reinstalling might be a good idea.

If you can find a local Linux expert, maybe he can check the logs on
your machine. You may be able to find an IP address for the real
culprit.

More importantly, change all your passwords, and make sure you haven't
got any kind of password-free anonymous login stuff enabled.

From: DenverD on
Sleepy wrote:

> I dual boot openSUSE 11.1 and Windows on my work PC

unless you are certain the machine was booted into openSUSE at the
exact time of the attacks, i would FIRST assume your Windows system
has become a zombie netbot..

clean it first [i have no idea how, probably BUY a cleaner]...i reckon
all those problems will then go away..

however, if your openSUSE is not up to date with all security patches,
and/or you use unsafe practices (easy/dictionary passwords, run
KDE/Gnome/etc as root, etc) you could have allowed your Linux box to
be rooted, also..

--
DenverD (Linux Counter 282315) via Thunderbird 2.0.0.23 (20090817),
KDE 3.5.7 "release 72-11", openSUSE Linux 10.3, 2.6.22.19-0.4-default
#1 SMP i686 athlon
From: Günther Schwarz on
Sleepy wrote:

> I dual boot openSUSE 11.1 and Windows on my work PC and during this last
> week my University has blocked my IP twice due to port searching (this
> is a translation, I am not sure if this is what it is called).

From the log file information you provide these were simple attempts to
log in on a ssh server. No port scanning was involved.

> On both occasions I was running openSUSE. I was wondering how I could
> find out what causes this. Apparently someone/something tries to log in
> to other computers from my IP. Following are some of the complaints from
> the admins with logs.

> =================================================================
> This is one of the complaints
> Hi,
>
> We've had probes from host(s) on a network you are marked as a contact
> for (*MY IP ADDRESS HERE*) to unadvertised ssh ports on a host of ours:
>
> zaphod: 82.197.80.100 - 82.197.80.96/27 (C4L)
> cerryl: 82.197.80.126 - 82.197.80.96/27 (C4L)
> allanon: 82.197.80.125 - 82.197.80.96/27 (C4L)
> lerris: 84.12.252.174 - 84.12.252.168/29 (AI)

> Logs for IP *MY IP ADDRESS*:
> ---
> Jan 17 08:43:42 zaphod sshd[19301]: Illegal user don from *MY IP ADDRESS*

> ========================================================================
> Another complaint has the following:
> Hello Abuse-Team,
>
> your Server with the IP: *MY IP ADDRESS HERE* has attacked one of our
> Server on the Service: "ssh".
>
> ========================================================================
> Another one has the following info:

> Lines containing IP:*MY IP ADDRESS* in /var/log/auth.log
>
> Jan 17 09:00:22 server3 sshd[2081]: Connection from *MY IP ADDRESS* port 56413
> Jan 17 09:00:23 server3 sshd[2081]: Invalid user compta from *MY IP ADDRESS*

Provided there was no IP spoofing involved and your machine was indeed
running Linux at the date and time in question, somebody tried to log in
to the machine 82.197.80.100 as user don and to a host named server3 as
user compta from your machine.
Which humans have access to your system? What is the output of
# getent passwd
In case you are the only person who has an account on your system and you
did not try to do a ssh login on the remote machines yourself, this is
fishy indeed. You might try tools like rkhunter, which search for
known malware. Run it from a live CD and not from the installation on the
hard disk.
You can configure iptables (SUSE firewall) to block outgoing ssh
connections completely. But in case the installation is compromised this
will not solve the problem. A new install after securing the user data
will be the quickest fix. Do not reuse your old password on the new
installation. Good luck.

Günther
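Following up on Günther's question of which humans have access and Stephen's suggestion to look in the machine's own logs for the culprit's IP, here is an added example (not part of this thread) that filters getent passwd output down to interactive accounts and lists the accepted sshd logins on the suspect host in the hour before each complaint. The passwd and log lines are constructed samples; the CET offset and the two complaint times are taken from the complaints above, the year 2010 from the Fail2Ban report.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getent passwd` output on the suspect openSUSE host.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
ufuk:x:1000:100:Ufuk:/home/ufuk:/bin/bash
guest:x:1001:100:Guest:/home/guest:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
"""
# Constructed sample of the host's own sshd log lines (syslog format);
# syslog stamps are local time, CET (UTC+1), and carry no year.
AUTH_SAMPLE = """\
Jan 17 07:30:11 suse sshd[4412]: Accepted password for ufuk from 10.0.0.5 port 40122 ssh2
Jan 17 08:45:48 suse sshd[4530]: Accepted password for ufuk from 198.51.100.23 port 50311 ssh2
Jan 17 09:59:07 suse sshd[4601]: Accepted publickey for guest from 203.0.113.9 port 41909 ssh2
Jan 17 10:20:00 suse sshd[4700]: Failed password for root from 203.0.113.9 port 41950 ssh2
"""
LOCAL_TZ = timezone(timedelta(hours=1))
YEAR = 2010
# Complaint times normalised to UTC: zaphod's log is GMT, server3's is CET (+0100).
COMPLAINTS = {
    "zaphod": datetime(2010, 1, 17, 8, 43, 42, tzinfo=timezone.utc),
    "server3": datetime(2010, 1, 17, 8, 0, 22, tzinfo=timezone.utc),
}
ACCEPT_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")


def human_accounts(passwd_text, min_uid=1000, max_uid=60000):
    """Accounts in the ordinary user UID range that have a real login shell."""
    users = []
    for line in passwd_text.splitlines():
        name, _, uid, _, _, _, shell = line.split(":")
        if min_uid <= int(uid) < max_uid and shell.rsplit("/", 1)[-1] not in ("nologin", "false"):
            users.append(name)
    return users


def logins_before(auth_text, complaint_utc, window=timedelta(hours=1)):
    """(user, source IP, UTC time) of accepted sshd logins within `window` before a complaint."""
    hits = []
    for line in auth_text.splitlines():
        m = ACCEPT_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        when = stamp.replace(tzinfo=LOCAL_TZ)
        if complaint_utc - window <= when <= complaint_utc:
            hits.append((m.group(2), m.group(3), when.astimezone(timezone.utc).isoformat()))
    return hits
```

In the constructed sample the same remote login (ufuk from 198.51.100.23) precedes both complaints, which is the kind of correlation that points at a stolen password rather than at a compromised Windows side.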