Have I been hacked?

To preface this, I have been noticing a lot of attempts to log in from China. I have been looking into ways to block an IP after a certain number of invalid attempts, or just block China altogether. Also to preface, I was not awake at 8am this morning.

Found a file .ssh and within it is a file called known_hosts

122.117.8.14 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsLW3V2jo1SGiVZMLam2Z2/7TK3LhGuFW1gkZMdQbun0OkfH7hS4fiBbiEfHLkxnYZMmrxUhB5wBky4JuYnG3634HdxCcrz6l+yBS0YBcg+y9flVopaaW1xHA36dlVhzK62dnAFf1OO3pDlZv/ukMKP5WPoYaacsMGalYQUHFZUR/vVY+yqgb+bDj0Z0tXOBTUhuER/vYN54S77orZxMaCekWVvu5EqqApFx052zM5I+4dX8C01F0e4S/mqakru4VMpDe2AWoKaukfYWWQ4J81kAgjDbTBIJnYVcp5Tz8Kugy5NQdLZvrUFV00dxxv+VpoLPwKuYwqBwSPWTZ7GD91Q==

The IP address is a Chinese one; does this mean they got access? So I go check other logs.

… log too big to post… here is a link to download if interested

messages

Second line:

Jul 24 08:09:50 SHATTERED sshd[7289]: Accepted keyboard-interactive/pam for root from 192.168.1.135 port 1611 ssh2

The IP address listed is that of my laptop, but like I said I was not awake and the laptop was on my desk in my room.

Also, if you read through the entire log you can see that routes were added and then my firewall was disabled (and it looks like they could have even restarted the box).

So after noticing this I turn off the box, as I had to give my roommate a ride to work; I come back and turn it on and it won't boot up. Turned on the monitor and it's just a black screen. Restart again; now in GRUB there are the usual SUSE Linux and Failsafe options, but now there is also

Windows 1
Windows 2

I tried to boot them to see if anything would come up and it looks like VMware booting, but then it says no boot disk… I do not have VMware installed and those options were never there…

The server will not boot unless booted in failsafe mode.

I'm pretty sure I know the answer, but have I been hacked? And if so, why does it look like my laptop gained access and not some internet IP?

Also, some of the IPs in the log I ran a whois on and it returns black hole.

Going through the reinstall now. Get to the partitions and there is a /dev/sda5 that is a little over a gig… I don't remember there ever being a /dev/sda5 before… Kinda curious as to what is in there, but I'm not trying to boot this infected PC again.

Hi
That is from your machine logging into 122.117.8.14 not them logging
into your machine.

Have a look at your history;

Code:

history


Cheers Malcolm °¿° (Linux Counter #276890)
SLED 10 SP2 i586 Kernel 2.6.16.60-0.25-default
up 7:07, 2 users, load average: 0.30, 0.50, 0.53
GPU GeForce Go 6600 TE/6200 TE Version: 173.14.09

Hi
/dev/sda5/ was probably your swap partition?

When you get the system re-installed have a look at installing nessus;

http://www.nessus.org/nessus/


Cheers Malcolm °¿° (Linux Counter #276890)
SLED 10 SP2 i586 Kernel 2.6.16.60-0.25-default
up 7:11, 2 users, load average: 0.48, 0.36, 0.45
GPU GeForce Go 6600 TE/6200 TE Version: 173.14.09

There is a post in the archives that has some good pointers on where to look and how to do things… : Am I Being Hacked? - openSUSE Forums

the swap was /dev/sda3

Also, I did not notice that that was my CPU connecting to 122.117.8.14, but when I do a whois that is also a China IP, so they must have logged into another box from mine or at least attempted to.

Thank you. I think I will follow the advice of the post and use keys rather than passwords.

I just used passwords because the person whose site I am hosting is not that tech savvy and they were using SSH to upload HTML and PHP files.

Things to improve:

  1. Do not allow anything inside from the outside network.
     • If you absolutely MUST allow ssh, set up a Public Key Authentication system.
  2. Change the ssh port if you cannot set up PKI.
     • Set up a blocking script for SSH brute force attacks (Google magic words: ssh brute force block).
  3. Keep up-to-date and strong passwords.

Incidentally, what distribution version were you using on this machine?
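To check a server against the key-versus-password advice in the post above, here is an added sshd_config audit script (example code, not from the thread or from openSUSE). It relies on two facts about OpenSSH: the first uncommented occurrence of a directive in sshd_config wins, and an absent directive takes the daemon's default, which for PermitRootLogin, PasswordAuthentication and ChallengeResponseAuthentication was "yes" in OpenSSH of this era. The two sample configs are constructed for the example; "Match" blocks are ignored. Note that the "Accepted keyboard-interactive/pam" line in the poster's log is the challenge-response path: turning off PasswordAuthentication alone still leaves PAM able to accept a password, which is why the script checks ChallengeResponseAuthentication too.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# the post above recommends. First uncommented directive wins; an absent
# directive takes the daemon default ("yes" for the three risky ones here).
# "Match" blocks are ignored.

# Effective value of one directive: $1 = config file, $2 = directive,
# $3 = default used when the directive is not set in the file.
sshd_effective() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Report each weak setting on stderr; print the number of weak settings on stdout.
audit_sshd_config() {
    cfg=$1
    weak=0
    root=$(sshd_effective "$cfg" PermitRootLogin yes)
    pass=$(sshd_effective "$cfg" PasswordAuthentication yes)
    chal=$(sshd_effective "$cfg" ChallengeResponseAuthentication yes)
    pubkey=$(sshd_effective "$cfg" PubkeyAuthentication yes)
    [ "$root" = no ] || { echo "WEAK: PermitRootLogin=$root (use no)" >&2; weak=$((weak + 1)); }
    [ "$pass" = no ] || { echo "WEAK: PasswordAuthentication=$pass (use no)" >&2; weak=$((weak + 1)); }
    # "Accepted keyboard-interactive/pam" in the thread's log is this path:
    # PAM can still take a password unless challenge-response is off as well.
    [ "$chal" = no ] || { echo "WEAK: ChallengeResponseAuthentication=$chal (use no)" >&2; weak=$((weak + 1)); }
    [ "$pubkey" = yes ] || { echo "WEAK: PubkeyAuthentication=$pubkey (use yes)" >&2; weak=$((weak + 1)); }
    printf '%s\n' "$weak"
}

# Constructed sample configs (not the poster's files).
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# root login is only commented out, so the default (yes) applies
#PermitRootLogin no
PasswordAuthentication yes
UsePAM yes
EOF

HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF

echo "weak config: $(audit_sshd_config "$WEAK_CFG") weak setting(s)"
echo "hardened config: $(audit_sshd_config "$HARDENED_CFG") weak setting(s)"
```

Run it against /etc/ssh/sshd_config after the reinstall; a result of 0 means root login, password and challenge-response authentication are all off and key authentication is on, which is the setup the post describes.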

I am running openSUSE 11.0

Can anyone instruct me on how to block China from accessing my network? From what I read there are a lot of shady things going on, and sending emails to abuse does not seem to do anything because their network admins do not seem to care. Due to this, I would like to block them altogether.

In regards to Nessus: I see that there is a Windows version, so I put that on my laptop first. I also see there is a client and a server. Would I be able to just install the server on Linux and then use the Windows client to access it?

Hmm, 11.0 has no open OpenSSH/OpenSSL holes, so the only thing that comes to mind is a weak password.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think a better question is why you have China able to reach your box
at all. If you are hosting a website then providing some access to your
box may be necessary but if not your computer probably shouldn’t be
accessible via the Internet at all. If you can’t help that then perhaps
block ranges of IP addresses assigned to somewhere in China but, while
you can do this, I don’t think you’re considering the full problem.
Just because somebody from China can’t reach you directly doesn’t mean
they can’t bounce through one of a million boxes they’ve taken over to
reach you from another country. Also, China may have crackers who may
have accessed your box but they’re definitely not alone in that
tradition and blocking them should give you just about no extra sleep at
night if that is your primary defense.

Good luck.

geoffmcc wrote:
| i am running OpenSUSE 11.0
|
| Can anyone instruct me on how to block china from accessing my network.
| From what i read there is alot of shady things going on and sending
| emails to abuse does not seem to do anything because there network
| admins do not seem to care. Due to this, i would like to block them all
| together
|
|
| In reguards to nessus. I seen that there is a windows version so i put
| that on my laptop first. I also see there is a client and a server.
| Would i be able to just install the server on linux and then use the
| windows client to access it?
|
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIiNQY3s42bA80+9kRAiY0AKCGDdp0urhdlOdBaNeEgQ/xhde5lQCePvq6
pOKADcQFi9DslIT/r5HK7W0=
=RuAd
-----END PGP SIGNATURE-----

It was NoTaJunKY4YOURlove — I thought that would be secure.

Any links on security that you guys may have would be greatly appreciated.

Also, I kinda think there might be an unknown hole, as there was no list of invalid attempts for today. The only logon I saw was to root at 8am (I believe it was the second line of the log I uploaded) and it said it came from an IP address that is in my local network (my laptop running WinXP).

Also:

I think a better question is why you have China able to reach your box
at all. If you are hosting a website then providing some access to your
box may be necessary but if not your computer probably shouldn’t be
accessible via the Internet at all. If you can’t help that then perhaps
block ranges of IP addresses assigned to somewhere in China but, while
you can do this, I don’t think you’re considering the full problem.
Just because somebody from China can’t reach you directly doesn’t mean
they can’t bounce through one of a million boxes they’ve taken over to
reach you from another country. Also, China may have crackers who may
have accessed your box but they’re definitely not alone in that
tradition and blocking them should give you just about no extra sleep at
night if that is your primary defense.

The answer to that is not knowing any better. I'm trying to take the approach that this is now a learning experience for me…

It came from your laptop running XP?

Well you know, perhaps someone was able to take control of your Windows laptop?

That's a good point. I wonder what they were able to connect to, though. It is XP Pro, but I don't have any telnet or remote desktop access or anything like that installed.

It is fully up to date and firewalled (time to check the firewall logs on XP) - but in the world of Microsoft that means nothing, I guess.

First 2 lines:

Jul 24 08:09:47 SHATTERED sshd[7289]: Address 192.168.1.135 maps to bulletproof, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 24 08:09:50 SHATTERED sshd[7289]: Accepted keyboard-interactive/pam for root from 192.168.1.135 port 1611 ssh2

OK, if I am reading this right, could it be that he spoofed the IP to look like an internal IP, as it does say it does not map back to bulletproof - POSSIBLE BREAK-IN ATTEMPT?

Then I keep reading, because I can kinda get a sense of what this person was doing, and I find


Jul 24 08:23:30 SHATTERED kernel: martian source 192.168.1.120 from 125.65.112.217, on dev eth0
Jul 24 08:23:30 SHATTERED kernel: ll header: 00:13:20:97:42:45:00:1c:10:b7:6e:ce:08:00
Jul 24 08:23:33 SHATTERED kernel: martian source 192.168.1.120 from 125.65.112.217, on dev eth0
Jul 24 08:23:33 SHATTERED kernel: ll header: 00:13:20:97:42:45:00:1c:10:b7:6e:ce:08:00
Jul 24 08:23:39 SHATTERED kernel: martian source 192.168.1.120 from 125.65.112.217, on dev eth0

This IP traces back to the Asia Pacific network, and this comes up after they messed with the firewall and rebooted 2 times.

I found smartmontools Home Page (last updated $Date: 2008/06/16 17:31:16 $) within the log file too - is this part of SUSE, or was this something they installed? Because then it goes looking for devices and finds my USB drive on /dev/sdb.

Still going through the log and I find another

Jul 24 08:17:29 SHATTERED sshd[3021]: Address 192.168.1.135 maps to bulletproof, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 24 08:17:33 SHATTERED sshd[3021]: Accepted keyboard-interactive/pam for root from 192.168.1.135 port 1619 ssh2

So if this happens before each successful login, is it safe to assume that my WinXP laptop has nothing to do with this?
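The triage the poster is doing by hand, pairing the "maps to ... but this does not map back" warning with the "Accepted ... for root" line that follows it, can be scripted. The block below is an added example (not from the thread) that pulls every accepted sshd login out of a syslog-style messages file, tags it when the same sshd PID logged a reverse-DNS warning just before, and counts root logins. The warning itself is sshd's reverse-DNS consistency check on the client address: it is logged whenever the PTR record for the source IP names a host whose forward record does not return that IP, so it says something about the DNS for 192.168.1.135, not about whether the packets were spoofed. The sample log uses the thread's own sshd lines plus one constructed key-based login ("geoff" and 192.168.1.10 are made up).

```shell
#!/bin/sh
# Added example (not from the thread): list accepted sshd logins from a
# syslog-style "messages" file, flag those whose sshd PID also logged the
# reverse-DNS mismatch warning, and count root logins.

# Output: "<mon> <day> <time> <user> <auth-method> <source-ip> <flag>"
# where flag is "rdns-mismatch" if the same PID logged the warning, else "-".
accepted_logins() {
    awk '
        { pid = $5; gsub(/[^0-9]/, "", pid) }          # "sshd[7289]:" -> 7289
        /does not map back to the address/ { warn[pid] = 1 }
        $6 == "Accepted" {
            # ... Accepted <method> for <user> from <ip> port <n> ssh2
            flag = (pid in warn) ? "rdns-mismatch" : "-"
            printf "%s %s %s %s %s %s %s\n", $1, $2, $3, $9, $7, $11, flag
            delete warn[pid]
        }' "$1"
}

# Number of accepted logins to the root account.
root_login_count() {
    accepted_logins "$1" | awk '$4 == "root" { n++ } END { print n + 0 }'
}

# Constructed sample: the thread's sshd lines plus one ordinary key login
# ("geoff" and 192.168.1.10 are made up for the example).
AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
Jul 24 08:09:47 SHATTERED sshd[7289]: Address 192.168.1.135 maps to bulletproof, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 24 08:09:50 SHATTERED sshd[7289]: Accepted keyboard-interactive/pam for root from 192.168.1.135 port 1611 ssh2
Jul 24 08:12:02 SHATTERED sshd[7301]: Accepted publickey for geoff from 192.168.1.10 port 50122 ssh2
Jul 24 08:17:29 SHATTERED sshd[3021]: Address 192.168.1.135 maps to bulletproof, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 24 08:17:33 SHATTERED sshd[3021]: Accepted keyboard-interactive/pam for root from 192.168.1.135 port 1619 ssh2
EOF

accepted_logins "$AUTH_LOG"
echo "root logins: $(root_login_count "$AUTH_LOG")"
```

Pointed at the real /var/log/messages (after copying it off the box), this gives the full list of accepted sessions in one pass, including the authentication method, so a password-based root session stands out next to the key-based ones.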

Do you have a NAT router / firewall box acting as your network connection? DSL/Cable?

I am using the custom firmware DD-WRT on a Linksys N router.

The firewall is enabled; just to be safe I reset to defaults and set a new username and password on the router as well.
I am using cable.

I have been looking around for ways to block brute force attempts and found 2 options I am interested in.

I found a tutorial here: Block brute force attacks with iptables - JaDa's blog about Opera and Linux

as well as Fail2ban. Problem is, Fail2ban says it monitors /var/log/pwdfail, but on my system I don't have that log file. All logins are logged in the messages log. Will fail2ban work for me?
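What a brute-force blocker such as Fail2ban does underneath is count failed attempts per source and act once a threshold is crossed; its jail configuration takes a logpath setting, so the file it watches is not fixed. The block below is an added example (not from the thread, and not Fail2ban's own code) that runs that counting over syslog-style messages lines, reports every source at or above a threshold, and prints the matching iptables DROP rule without executing it. The sample lines are constructed for the example; 122.117.8.14 is the address from the thread, the other values are made up.

```shell
#!/bin/sh
# Added example (not from the thread): per-source tally of failed sshd logins
# in a syslog-style "messages" file, a threshold, and the DROP rules a blocker
# would apply. Rules are printed only, never run.

# "<ip> <count>" for every source with at least one "Failed password" line.
failed_by_ip() {
    awk '
        $6 == "Failed" && $7 == "password" {
            # ... Failed password for [invalid user] <user> from <ip> port <n> ssh2
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
        }
        END { for (ip in n) print ip, n[ip] }' "$1" | sort
}

# Sources with at least $2 failed attempts, one IP per line.
brute_force_sources() {
    failed_by_ip "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# Print (do not execute) one DROP rule per offending source.
block_rules() {
    brute_force_sources "$1" "$2" |
        while read -r ip; do
            echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
        done
}

# Constructed sample (122.117.8.14 is from the thread; the rest is made up).
FAIL_LOG=$(mktemp)
cat > "$FAIL_LOG" <<'EOF'
Jul 24 03:11:02 SHATTERED sshd[6120]: Invalid user admin from 122.117.8.14
Jul 24 03:11:04 SHATTERED sshd[6120]: Failed password for invalid user admin from 122.117.8.14 port 41022 ssh2
Jul 24 03:11:09 SHATTERED sshd[6122]: Failed password for root from 122.117.8.14 port 41031 ssh2
Jul 24 03:11:15 SHATTERED sshd[6124]: Failed password for root from 122.117.8.14 port 41040 ssh2
Jul 24 03:11:21 SHATTERED sshd[6126]: Failed password for root from 122.117.8.14 port 41049 ssh2
Jul 24 07:58:40 SHATTERED sshd[7200]: Failed password for geoff from 192.168.1.10 port 50100 ssh2
EOF

failed_by_ip "$FAIL_LOG"
block_rules "$FAIL_LOG" 3
```

Only the "Failed password" lines are counted; the "Invalid user" line that precedes one of them describes the same attempt and would double-count it. A single failure from the local network stays below the threshold, which is the behaviour you want so that one mistyped password does not lock out a legitimate user.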

Have you tried moving your ssh port to a significantly higher port ? This is easy to do, and has surprisingly effective results.

Just block port#22 on your router, and open a high port on your router (say port#38001) and map that high port (say 38001) to port#22 on your PC. Then for you to ssh in, it is something like:
ssh -X user@ip-address -p 38001

My experience with having received (failed) hack attempts of over 100/day, was that once I changed my ssh port to a higher number (and closed port#22) the hack attempts completely stopped. Not one in over a year since. In essence, the hackers running the bots don’t want their bots wasting time scanning 40,000+ ports on a user’s PC, in an effort to find one ssh port. There are easier fish in the ocean for them to find and hack.

I have done that, but was looking for a 2nd level of protection.