[nSLUG] my system was cracked!
swalsh at aol.net
Sun Jun 4 01:06:34 ADT 2006
ricardd at mathstat.dal.ca wrote:
> Someone remotely cracked into my system on Thursday afternoon when I was
> at the CEOS conference and my laptop was running in my office at
> Dalhousie. Another machine running Ubuntu was cracked into last week as
> This is a first for me and it now makes me feel vulnerable. A few pros
> looked at my machine at the InstallFest yesterday and had various
> explanations for what happened.
> I discovered that something was wrong when I tried to login as user
> postgres and the password wasn't accepted. I then reset the password for
> postgres and logged in as user postgres. The history of commands included
> things that I didn't type and were malicious (download an admin kit, etc).
> After that, I could not log in as root anymore; the "sudo" command must've
> been corrupted. We rebooted from a CD and noticed that the entries for sudo
> in /etc/passwd and /etc/shadows were indeed corrupted. The root password
> was reset by editing the files in a text editor and rebooting. The dudes
> also suggested a re-install of my whole system.
> So, short of hiring a sysadmin, what should I do to protect myself against
> this? I'd like to get a "checklist" of things that I should watch for
> after I reinstall. For example:
> - run a firewall
> - change the ssh listening port to something other than 22
> - use strong passwords for everything (the postgres password was weak)
> - ...
> Suggestions, comments? And, yes, I will get a "Security for Linux" book
> and read it.
> Dan (running my own InstallFest this weekend)
Ubuntu had a nasty exploit in 5.10 where anyone getting onto the system could read the first created account's password in plaintext (the default
sudoer). If you have sshd running with the default install, you can get hammered by brute-force attacks until one rings true (I had 684 in one hour from
a single IP); a simple 'cat' of the installer file (I can't find a reference to it right now) and you've got root.
I had this happen to me when I forwarded 22 to my Ubuntu machine that also had MythTV installed with mythtv/mythtv, and forgot about that
account allowing ssh access. Bad things happened...
iptables is slick, but for nice and quick: hosts.deny needs ALL: ALL and hosts.allow needs sshd: <your allowed IPs>
It sucks that it happened, but you'll be surprised how much you learn in making it not happen again.
Scott Walsh, VEGAS NOC
Email: swalsh at aol.net
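Scott's "684 in one hour from a single IP" is easy to spot in the sshd auth log if you count failures per source. The script below is an added example, not part of either message on this thread: it runs over a handful of constructed OpenSSH log lines, tallies "Failed password" attempts per source IP, flags sources over a threshold, and lists any source whose login was eventually accepted after repeated failures, which is what a password guess that "rings true" looks like. The host name, IPs and user names in the sample are made up.

```bash
#!/bin/sh
# Added example (not from the original thread): count failed SSH password
# attempts per source IP in OpenSSH auth-log lines and flag noisy sources.
# The log lines below are constructed; the format is the standard
# "Failed password for [invalid user] NAME from IP port N ssh2" line that
# sshd writes to /var/log/auth.log.

SAMPLE_LOG='Jun  1 14:02:11 lab sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun  1 14:02:13 lab sshd[2233]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Jun  1 14:02:15 lab sshd[2235]: Failed password for postgres from 203.0.113.7 port 51041 ssh2
Jun  1 14:02:19 lab sshd[2237]: Failed password for mythtv from 203.0.113.7 port 51055 ssh2
Jun  1 14:05:40 lab sshd[2301]: Failed password for dan from 198.51.100.22 port 40211 ssh2
Jun  1 14:05:52 lab sshd[2303]: Accepted password for dan from 198.51.100.22 port 40212 ssh2
Jun  1 14:06:02 lab sshd[2305]: Accepted password for postgres from 203.0.113.7 port 51090 ssh2'

# failed_per_ip: print "COUNT IP" lines, most failures first.
# The IP is the field after the word "from", which works for both the
# "invalid user NAME" and the plain "NAME" variants of the line.
failed_per_ip() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk '/sshd\[[0-9]+\]: Failed password for/ {
               for (i = 1; i <= NF; i++) if ($i == "from") { ips[$(i+1)]++; break }
             }
             END { for (ip in ips) print ips[ip], ip }' \
      | sort -rn
}

# noisy_sources THRESHOLD: IPs with at least THRESHOLD failed attempts.
noisy_sources() {
    failed_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# success_after_failures: IPs that got an "Accepted password" after three or
# more failures, i.e. a guess that eventually succeeded. A legitimate user
# who fat-fingers a password once does not trip this.
success_after_failures() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk '/Failed password for/   { for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++ }
             /Accepted password for/ { for (i = 1; i <= NF; i++) if ($i == "from" && fails[$(i+1)] >= 3) print $(i+1) }'
}

# Stand-alone run: show the tally, then anything worth a second look.
failed_per_ip
echo "--- sources with 3+ failures:"
noisy_sources 3
echo "--- accepted after repeated failures:"
success_after_failures
```

To run it against a real log, replace the `printf '%s\n' "$SAMPLE_LOG"` pipes with `cat /var/log/auth.log` (or `journalctl -u ssh` on systemd hosts). Any IP that shows up in the last list and is not one of your own is the one whose password it guessed; that account, and whatever it touched, is what the reinstall is for. The hosts.allow line Scott mentions takes either full addresses or a dotted prefix, e.g. `sshd: 198.51.100.22 192.168.1.`, with `ALL: ALL` in hosts.deny so everything not listed is refused.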