
Thread: Have I been hacked?

  1. #1

    Have I been hacked?

    To preface this, I have been noticing a lot of attempts to log in from China. I have been looking into ways to block an IP after a certain number of invalid attempts or just block China altogether. Also to preface, I was not awake at 8am this morning.

    Found a file .ssh and within it is a file called known_hosts
    Code:
    122.117.8.14 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsLW3V2jo1SGiVZMLam2Z2/7TK3LhGuFW1gkZMdQbun0OkfH7hS4fiBbiEfHLkxnYZMmrxUhB5wBky4JuYnG3634HdxCcrz6l+yBS0YBcg+y9flVopaaW1xHA36dlVhzK62dnAFf1OO3pDlZv/ukMKP5WPoYaacsMGalYQUHFZUR/vVY+yqgb+bDj0Z0tXOBTUhuER/vYN54S77orZxMaCekWVvu5EqqApFx052zM5I+4dX8C01F0e4S/mqakru4VMpDe2AWoKaukfYWWQ4J81kAgjDbTBIJnYVcp5Tz8Kugy5NQdLZvrUFV00dxxv+VpoLPwKuYwqBwSPWTZ7GD91Q==
    The IP address is a Chinese one; does this mean they got access? So I go check other logs.

    ... log too big to post... here is a link to download if interested

    messages


    Second line:
    Code:
    Jul 24 08:09:50 SHATTERED sshd[7289]: Accepted keyboard-interactive/pam for root from 192.168.1.135 port 1611 ssh2

    The IP address listed is that of my laptop, but like I said I was not awake and the laptop was on my desk in my room.

    Also, if you read through the entire log you can see that routes were added and then my firewall was disabled (and it looks like they could have even restarted the box).

    So after noticing this I turn off the box as I had to give my roommate a ride to work, come back and turn it on and it won't boot up. Turned on the monitor and it's just a black screen. Restart again; now in GRUB there are the usual SUSE Linux and Failsafe options, but now there is also

    Windows 1
    Windows 2

    I tried to boot them to see if anything would come up and it looks like VMware booting, but then it says no boot disk... I do not have VMware installed and those options were never there.

    The server will not boot unless booted in failsafe mode.

    I'm pretty sure I know the answer, but have I been hacked? And if so, why does it look like my laptop gained access and not some internet IP?

    Also, some of the IPs in the log I ran a whois on and it returns black hole.

  2. #2

    Re: Have I been hacked?

    Going through reinstall now. Got to the partitions and there is a /dev/sda5 that is a little over a gig... I don't remember there ever being a /dev/sda5 before. Kinda curious as to what is in there but I'm not trying to boot this infected PC again.

  3. #3
    Join Date: Jun 2008 | Location: Podunk | Posts: 32,324 | Blog Entries: 15

    Re: Have I been hacked?

    Hi
    That is from your machine logging into 122.117.8.14 not them logging
    into your machine.

    Have a look at your history;

    Code:
    --------------------
    history
    --------------------

    --
    Cheers Malcolm (Linux Counter #276890)
    SLED 10 SP2 i586 Kernel 2.6.16.60-0.25-default
    up 7:07, 2 users, load average: 0.30, 0.50, 0.53
    GPU GeForce Go 6600 TE/6200 TE Version: 173.14.09
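To make Malcolm's point concrete: a known_hosts entry is the host key that the SSH client on your own box saved for a server it connected out to, so it documents outbound connections, not inbound logins. The following is an added example, not code from the thread: it parses the entry quoted in post #1, reports key type, size and the SHA256 fingerprint in the form ssh-keygen -lf prints, and also checks the hashed form OpenSSH writes with "HashKnownHosts yes" (the hashed entry for 10.0.0.5 and its salt are constructed for the demonstration).

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the known_hosts entry quoted in the thread, i.e. the host key
# the SSH client on this box saved when it connected OUT to 122.117.8.14.
THREAD_ENTRY = (
    "122.117.8.14 ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABIwAAAQEAsLW3V2jo1SGiVZMLam2Z2/7TK3LhGuFW"
    "1gkZMdQbun0OkfH7hS4fiBbiEfHLkxnYZMmrxUhB5wBky4JuYnG3634HdxCc"
    "rz6l+yBS0YBcg+y9flVopaaW1xHA36dlVhzK62dnAFf1OO3pDlZv/ukMKP5W"
    "PoYaacsMGalYQUHFZUR/vVY+yqgb+bDj0Z0tXOBTUhuER/vYN54S77orZxMa"
    "CekWVvu5EqqApFx052zM5I+4dX8C01F0e4S/mqakru4VMpDe2AWoKaukfYWW"
    "Q4J81kAgjDbTBIJnYVcp5Tz8Kugy5NQdLZvrUFV00dxxv+VpoLPwKuYwqBwS"
    "PWTZ7GD91Q=="
)

def hash_host(host, salt):
    """Hosts field OpenSSH writes with 'HashKnownHosts yes': |1|salt|HMAC-SHA1."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def hosts_field_matches(field, host):
    """True if a plain, comma-separated or hashed hosts field names this host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in field.split(",")

def _read_string(buf, off):
    # One SSH wire-format string: 4-byte big-endian length, then the bytes.
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_entry(line):
    """Decode one known_hosts line into hosts, key type, key size and fingerprint."""
    hosts, keytype, blob_b64 = line.split()[:3]
    blob = base64.b64decode(blob_b64)
    embedded, off = _read_string(blob, 0)      # key type is repeated inside the blob
    fields = []
    while off < len(blob):                     # for ssh-rsa: exponent e, then modulus n
        field, off = _read_string(blob, off)
        fields.append(field)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"hosts": hosts, "type": keytype, "embedded_type": embedded.decode(),
            "bits": int.from_bytes(fields[-1], "big").bit_length(),
            "fingerprint": "SHA256:" + digest}  # same form as ssh-keygen -lf prints
```

Run parse_entry over every line of ~/.ssh/known_hosts (for root as well as for each user) to get the list of servers this box has connected to, which is the list worth comparing against what you know you typed.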


  4. #4
    Join Date: Jun 2008 | Location: Podunk | Posts: 32,324 | Blog Entries: 15

    Re: Have I been hacked?

    Hi
    /dev/sda5/ was probably your swap partition?

    When you get the system re-installed have a look at installing Nessus;

    http://www.nessus.org/nessus/

    --
    Cheers Malcolm (Linux Counter #276890)
    SLED 10 SP2 i586 Kernel 2.6.16.60-0.25-default
    up 7:11, 2 users, load average: 0.48, 0.36, 0.45
    GPU GeForce Go 6600 TE/6200 TE Version: 173.14.09


  5. #5
    Join Date: Jun 2008 | Location: The Netherlands | Posts: 1,273

    Re: Have I been hacked?

    There is a post in the archives that has some good pointers on where to look and how to do things: Am I Being Hacked? - openSUSE Forums
    Have a lot of fun!

  6. #6

    Re: Have I been hacked?

    The swap was /dev/sda3.

    Also, I did not notice that that was my CPU connecting to 122.117.8.14, but when I do a whois that is also a China IP, so they must have logged into another box from mine or at least attempted to.

  7. #7

    Re: Have I been hacked?

    Thank you. I think I will follow the advice of the post and use keys rather than passwords.

    I just used passwords because the person whose site I am hosting is not that tech savvy and they were using SSH to upload HTML and PHP files.

  8. #8
    Join Date: Jun 2008 | Location: Finland, European Union | Posts: 1,879

    Re: Have I been hacked?

    Things to improve:

    1. Do not allow anything inside from the outside network.
    - If you absolutely MUST allow SSH, set up a Public Key Authentication system.

    2. Change the SSH port if you cannot set up PKI.
    - Set up a blocking script for SSH brute force attacks (Google the magic words "ssh brute force block").

    3. Keep passwords up to date and strong.

    Incidentally, what distribution version were you using on this machine?
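The sshd line quoted in post #1 and the brute-force blocking script in point 2 above both come down to reading the auth log. The following is an added example, not code from the thread or any existing blocking tool: it parses sshd "Failed"/"Accepted" lines in that syslog format, counts failures per source so that sources over a threshold can be fed to a firewall rule, and separately flags accepted root logins and logins that did not use a key. Apart from the 08:09:50 root login copied from post #1, every log line is constructed test data.

```python
import re
from collections import Counter

# Constructed sample in the syslog format the thread quotes. Only the 08:09:50
# root login is the line from the thread; the other lines are made-up test data.
SAMPLE_LOG = """\
Jul 24 07:58:01 SHATTERED sshd[7201]: Failed password for root from 122.117.8.14 port 40122 ssh2
Jul 24 07:58:04 SHATTERED sshd[7203]: Failed password for invalid user admin from 122.117.8.14 port 40131 ssh2
Jul 24 07:58:09 SHATTERED sshd[7205]: Failed password for root from 122.117.8.14 port 40140 ssh2
Jul 24 07:58:12 SHATTERED sshd[7207]: Failed password for root from 122.117.8.14 port 40150 ssh2
Jul 24 08:01:30 SHATTERED sshd[7250]: Failed password for root from 10.0.0.9 port 51020 ssh2
Jul 24 08:09:50 SHATTERED sshd[7289]: Accepted keyboard-interactive/pam for root from 192.168.1.135 port 1611 ssh2
Jul 24 08:10:02 SHATTERED sshd[7290]: Accepted publickey for webuser from 192.168.1.10 port 50122 ssh2
"""

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")

def analyse(log, fail_threshold=3):
    """Summarise sshd auth events: sources to block, and logins worth a second look."""
    failed = Counter()
    accepted = []
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            failed[m.group(2)] += 1      # group 2 is the source address
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append({"time": line[:15], "method": m.group(1),
                             "user": m.group(2), "src": m.group(3)})
    return {
        # Sources that reached the threshold: what a brute-force blocking script
        # hands to the firewall (one DROP rule per address, not a whole country).
        "block": sorted(ip for ip, n in failed.items() if n >= fail_threshold),
        # Any root login, and any login that did not use a key, deserves review.
        "root_logins": [a for a in accepted if a["user"] == "root"],
        "non_key_logins": [a for a in accepted if a["method"] != "publickey"],
        "failed_per_source": dict(failed),
    }
```

Once PasswordAuthentication is off in sshd_config, anything that still shows up under non_key_logins is a configuration error worth chasing.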

  9. #9

    Re: Have I been hacked?

    I am running openSUSE 11.0

    Can anyone instruct me on how to block China from accessing my network? From what I read there are a lot of shady things going on, and sending emails to abuse does not seem to do anything because their network admins do not seem to care. Due to this, I would like to block them altogether.

    In regards to Nessus: I saw that there is a Windows version so I put that on my laptop first. I also see there is a client and a server. Would I be able to just install the server on Linux and then use the Windows client to access it?

  10. #10
    ab@novell.com NNTP User

    Re: Have I been hacked?


    I think a better question is why you have China able to reach your box
    at all. If you are hosting a website then providing some access to your
    box may be necessary but if not your computer probably shouldn't be
    accessible via the Internet at all. If you can't help that then perhaps
    block ranges of IP addresses assigned to somewhere in China but, while
    you can do this, I don't think you're considering the full problem.
    Just because somebody from China can't reach you directly doesn't mean
    they can't bounce through one of a million boxes they've taken over to
    reach you from another country. Also, China may have crackers who may
    have accessed your box but they're definitely not alone in that
    tradition and blocking them should give you just about no extra sleep at
    night if that is your primary defense.

    Good luck.

