Unruh
Since: May 27, 2005  Posts: 2192
Posted: Fri Aug 03, 2007 1:51 am  Post subject: Re: Hacked, now trying to disinfect
Archived from groups: comp.os.linux.networking
Dave Uhring <daveuhring.TakeThisOut@yahoo.com> writes:
>On Thu, 02 Aug 2007 21:02:47 +0000, Unruh wrote:
>> Dave Uhring <daveuhring.TakeThisOut@yahoo.com> writes:
>>
>>>On Thu, 02 Aug 2007 14:06:59 -0400, Randy Yates wrote:
>>
>>>> Also, it's much more likely that the username will susceptible to a
>>>> dictionary attack.
>>
>>>There is *no* dictionary attack required for the root account and the
>>>ease of cracking root's password is the same as for a user. Now how
>>>difficult is that to understand?
>>
>> Either you are very confused or you express yourself badly. Dictionary
>> attacks are always the first choice of the attacker.
>I was discussing the attack against user account *names* there. No
>attack can succeed even against a user account unless the attacker can
>first guess a valid account name. The root name requires no guessing.
>In *every* attack recorded in my log the root account was attacked first.
>And no, I cannot post the log since it was rotated out long ago. In
>addition to disabling root login I also have enabled tcpwrappers on sshd
>to limit, indeed put an end to, the ssh attacks.
Well, that is not true in my logs. They try a whole bunch of user type
accounts first, and then do a determined attack on root.
tcpwrapper helps not at all if you need to log onto your system from all
over the world.
>> People tend to
>> choose words as passwords, and any cracker would be an idiot to launch a
>> full scale brute force without doing dictionary first. And users are
>> more likely to use easy words simply because they are not as security
>> conscious.
>Again, the usernames must be guessed, at least those which have shells.
>After failure to attack root the typical attack goes after usual system
>accounts, which gets them nowhere without a shell. Next they go after
>common names in what one might describe as a dictionary attack against
>user account names.
Sure. And I have seen it happen in the opposite order as well.
>Your order of attack is bass ackwards from reality.
Depends on whose bass we are talking about.
>>>Have you ever examined the logs of some of those ssh attacks?
>The question applies also to you, Bill.
Yes.

Dave Uhring
Since: Apr 17, 2004  Posts: 633
Posted: Fri Aug 03, 2007 2:04 am  Post subject: Re: Hacked, now trying to disinfect
Archived from groups: per prev. post
On Fri, 03 Aug 2007 01:51:31 +0000, Unruh wrote:
> Dave Uhring <daveuhring DeleteThis @yahoo.com> writes:
>>In *every* attack recorded in my log the root account was attacked
>>first. And no, I cannot post the log since it was rotated out long ago.
>>In addition to disabling root login I also have enabled tcpwrappers on
>>sshd to limit, indeed put an end to, the ssh attacks.
>
> Well, that is not true in my logs. They try a whole bunch of user type
> accounts first, and then do a determined attack on root. tcpwrapper
> helps not at all if you need to log onto your system from all over the
> world.
With your own system you can more easily enforce good passwords on
yourself. It's somewhat more difficult with a system with many users, at
least not without accusations of being a dictatorial bastard.
>>Again, the usernames must be guessed, at least those which have shells.
>>After failure to attack root the typical attack goes after usual system
>>accounts, which gets them nowhere without a shell. Next they go after
>>common names in what one might describe as a dictionary attack against
>>user account names.
>
> Sure. And I have seen it happen in the opposite order as well.
Regardless of the order in which it occurs, an attack against a user
account, at least one with a good password is more difficult than an
attack against root. The attacker has to guess the user's name; he
already knows "root".
>>>>Have you ever examined the logs of some of those ssh attacks?
>
>>The question applies also to you, Bill.
>
> Yes.
How many times was the account 'bunruh' or whatever you use actually
guessed and attacked?
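Dave asks how often a real account was actually guessed and attacked, and Unruh says his logs show user accounts being tried before root. Both questions are answerable from sshd's own log lines. The script below is an added example, not code from either poster: it summarises "Failed password" lines from an auth.log the way a sysadmin would to check the "root first?" claim. The log lines are constructed in OpenSSH syslog format, with addresses from the documentation ranges; the file path is a temp file created for the demonstration.

```shell
#!/bin/sh
# Added example: summarise failed ssh logins from an auth.log so the "root first?" question
# can be answered from evidence. Log lines below are constructed in OpenSSH syslog format.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Aug  3 01:12:01 host sshd[4321]: Failed password for invalid user test from 203.0.113.7 port 40122 ssh2
Aug  3 01:12:03 host sshd[4321]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Aug  3 01:12:05 host sshd[4325]: Failed password for root from 203.0.113.7 port 40141 ssh2
Aug  3 01:12:06 host sshd[4325]: Failed password for root from 203.0.113.7 port 40141 ssh2
Aug  3 01:12:07 host sshd[4325]: Failed password for root from 203.0.113.7 port 40141 ssh2
Aug  3 01:13:10 host sshd[4330]: Failed password for invalid user bunruh from 198.51.100.9 port 51022 ssh2
Aug  3 01:13:12 host sshd[4331]: Failed password for alice from 198.51.100.9 port 51030 ssh2
Aug  3 01:14:00 host sshd[4340]: Accepted publickey for alice from 192.0.2.44 port 55010 ssh2
EOF

# In "Failed password for [invalid user] NAME from ADDR ..." the account is the token before "from".
# "invalid user" means the name does not exist on this host, i.e. the attacker guessed a name.
failed_logins_by_user() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 2; i <= NF; i++) if ($i == "from") { user = $(i-1); src = $(i+1) }
        kind = ($0 ~ /invalid user/) ? "no-such-account" : "real-account"
        key = user " " kind
        n[key]++
        if (!(key in first)) first[key] = $1 " " $2 " " $3 " from " src
    }
    END { for (k in n) printf "%4d  %-26s first seen %s\n", n[k], k, first[k] }' "$1" | sort -rn
}

# Account named in the earliest failed attempt in the file (tests the "root is always first" claim).
first_attacked_account() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 2; i <= NF; i++) if ($i == "from") { print $(i-1); exit }
    }' "$1"
}

# Number of failed attempts against one specific account name.
attempts_for_user() {
    awk -v u="$2" '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 2; i <= NF; i++) if ($i == "from" && $(i-1) == u) c++
    } END { print c + 0 }' "$1"
}

echo "First account attacked: $(first_attacked_account "$SAMPLE_LOG")"
echo "Failed attempts against root: $(attempts_for_user "$SAMPLE_LOG" root)"
failed_logins_by_user "$SAMPLE_LOG"
```

Point it at a real /var/log/auth.log (or /var/log/secure) instead of the sample; the "no-such-account" rows are the name-guessing phase both posters describe, and the "real-account" rows are the ones worth a closer look.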

Randy Yates
Since: Sep 07, 2006  Posts: 159
Posted: Fri Aug 03, 2007 2:04 am  Post subject: Re: Hacked, now trying to disinfect
Archived from groups: per prev. post
Dave Uhring <daveuhring.RemoveThis@yahoo.com> writes:
> On Fri, 03 Aug 2007 01:51:31 +0000, Unruh wrote:
>
>> Dave Uhring <daveuhring.RemoveThis@yahoo.com> writes:
>
>>>In *every* attack recorded in my log the root account was attacked
>>>first. And no, I cannot post the log since it was rotated out long ago.
>>>In addition to disabling root login I also have enabled tcpwrappers on
>>>sshd to limit, indeed put an end to, the ssh attacks.
>>
>> Well, that is not true in my logs. They try a whole bunch of user type
>> accounts first, and then do a determined attack on root. tcpwrapper
>> helps not at all if you need to log onto your system from all over the
>> world.
>
> With your own system you can more easily enforce good passwords on
> yourself. It's somewhat more difficult with a system with many users, at
> least not without accusations of being a dictatorial bastard.
>
>>>Again, the usernames must be guessed, at least those which have shells.
>>>After failure to attack root the typical attack goes after usual system
>>>accounts, which gets them nowhere without a shell. Next they go after
>>>common names in what one might describe as a dictionary attack against
>>>user account names.
>>
>> Sure. And I have seen it happen in the opposite order as well.
>
> Regardless of the order in which it occurs, an attack against a user
> account, at least one with a good password is more difficult than an
> attack against root. The attacker has to guess the user's name; he
> already knows "root".
The point I was making earlier about the difference being quite small
could be valid or invalid depending on the operation of sshd.
If the sshd provides a method to determine when an invalid username is
issued independent of the password (for example, if it immediately
rejects the login attempt if an invalid username is entered), then the
worst-case time to crack is (Nu + Np)*T, where Nu is the number of
username combinations, Np is the total number of password
combinations, and T is the time to query.
However, if the username and password are required together
simultaneously, then the worst-case time to crack is Nu*Np*T.
I think most authentication systems these days do the latter, so
the difference between cracking root and cracking a general
username is significant.
--
% Randy Yates % "The dreamer, the unwoken fool -
%% Fuquay-Varina, NC % in dreams, no pain will kiss the brow..."
%%% 919-577-9882 %
%%%% <yates.RemoveThis@ieee.org> % 'Eldorado Overture', *Eldorado*, ELO
http://home.earthlink.net/~yatescr
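Carrying Randy's two cases through in his own notation (N_u username candidates, N_p password candidates, T per query), with root as the special case N_u = 1. This derivation is added here and is not part of the post:

\[
\text{separable oracle (username validity observable on its own):}\quad
T_{\mathrm{sep}}(N_u) = N_u T + N_p T = (N_u + N_p)\,T
\]
\[
\text{joint check (username and password rejected together):}\quad
T_{\mathrm{joint}}(N_u) = N_u N_p T
\]
\[
\text{root, } N_u = 1:\quad
T_{\mathrm{sep}}(1) = (1 + N_p)\,T,\qquad T_{\mathrm{joint}}(1) = N_p T
\]
\[
\text{cost of a user account relative to root:}\quad
\frac{T_{\mathrm{sep}}(N_u)}{T_{\mathrm{sep}}(1)} = \frac{N_u + N_p}{1 + N_p} \approx 1 \ \ (N_p \gg N_u),
\qquad
\frac{T_{\mathrm{joint}}(N_u)}{T_{\mathrm{joint}}(1)} = N_u
\]

So when sshd leaks whether a username exists, a user account is barely harder than root; when it rejects the pair together, the work is multiplied by the number of candidate usernames. Which of the two sshd actually implements decides the argument.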

Andy Furniss
Since: May 12, 2006  Posts: 28
Posted: Fri Aug 03, 2007 2:11 am  Post subject: Re: Hacked, now trying to disinfect
Archived from groups: per prev. post
Randy Yates wrote:
> Also, the OP's lesson leads me to believe that assigning ssh to a
> different port number is not worth too much security-wise. If the
> access rate to the machine is fast enough, all 65536 ports could be
> scanned first for a hot ssh connection in a matter of minutes or even
> seconds, no?
There is something called port knocking, where your ssh port is closed
by iptables until you try the correct sequence of other ports first.
Andy.
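The iptables side of what Andy describes can be done entirely with the `recent` match, with no knock daemon. The script below is an added example, not Andy's configuration: knock ports 7000, 8000 and 9000 and the 10 s and 30 s windows are constructed values, and the script only prints the rules unless it is run with IPT=iptables, so it can be read and checked before anything is applied.

```shell
#!/bin/sh
# Added example: port knocking with the iptables "recent" module. A source must connect to
# three ports in order, each within a short window, before one new ssh connection is accepted.
# Dry run by default (prints the rules); run with IPT=iptables to apply them for real.
IPT=${IPT:-"echo iptables"}

# knock_rules KNOCK1 KNOCK2 KNOCK3 SSH_PORT   (all constructed defaults)
knock_rules() {
    k1=${1:-7000}; k2=${2:-8000}; k3=${3:-9000}; ssh_port=${4:-22}

    # KNOCKING dispatches by how far a source has got; GATEn record each knock; PASSED opens sshd.
    for chain in KNOCKING GATE1 GATE2 GATE3 PASSED; do $IPT -N "$chain"; done

    # GATE1: the first knock records the source in list AUTH1. Everything else is dropped
    # silently, so a port scan sees no difference between knock ports and closed ports.
    $IPT -A GATE1 -p tcp --dport "$k1" -m recent --name AUTH1 --set -j DROP
    $IPT -A GATE1 -j DROP

    # GATE2: the source already passed knock 1. The right port advances it to AUTH2;
    # any other port sends it back to GATE1, so a wrong knock resets the sequence.
    $IPT -A GATE2 -m recent --name AUTH1 --remove
    $IPT -A GATE2 -p tcp --dport "$k2" -m recent --name AUTH2 --set -j DROP
    $IPT -A GATE2 -j GATE1

    # GATE3: same again for the third knock.
    $IPT -A GATE3 -m recent --name AUTH2 --remove
    $IPT -A GATE3 -p tcp --dport "$k3" -m recent --name AUTH3 --set -j DROP
    $IPT -A GATE3 -j GATE1

    # PASSED: the full sequence was seen in time. Admit exactly one new ssh connection
    # (the --remove means the knock has to be repeated for the next one).
    $IPT -A PASSED -m recent --name AUTH3 --remove
    $IPT -A PASSED -p tcp --dport "$ssh_port" -j ACCEPT
    $IPT -A PASSED -j GATE1

    # Dispatch: test the most advanced list first, each with its own time window.
    $IPT -A KNOCKING -m recent --rcheck --seconds 30 --name AUTH3 -j PASSED
    $IPT -A KNOCKING -m recent --rcheck --seconds 10 --name AUTH2 -j GATE3
    $IPT -A KNOCKING -m recent --rcheck --seconds 10 --name AUTH1 -j GATE2
    $IPT -A KNOCKING -j GATE1

    # Only new TCP connections go through the knock chain; established sessions are untouched.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp -m conntrack --ctstate NEW -j KNOCKING
}

knock_rules "$@"
```

Keep in mind that the knock sequence travels in the clear, so anyone who can watch the path learns it; it narrows who can reach sshd at all, which is where its value lies, and sits on top of keys and patching rather than replacing them.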

Dave Uhring
Since: Apr 17, 2004  Posts: 633
Posted: Fri Aug 03, 2007 2:11 am  Post subject: Re: Hacked, now trying to disinfect
Archived from groups: per prev. post
On Thu, 02 Aug 2007 22:21:17 -0400, Randy Yates wrote:
> Dave Uhring <daveuhring RemoveThis @yahoo.com> writes:
>> Regardless of the order in which it occurs, an attack against a user
>> account, at least one with a good password is more difficult than an
>> attack against root. The attacker has to guess the user's name; he
>> already knows "root".
>
> The point I was making earlier about the difference being quite small
> could be valid or invalid depending on the operation of sshd.
>
> If the sshd provides a method to determine when an invalid username is
> issued independent of the password (for example, if it immediately
> rejects the login attempt if an invalid username is entered), then the
> worst-case time to crack is (Nu + Np)*T, where Nu is the number of
> username combinations, Np is the total number of password combinations,
> and T is the time to query.
>
> However, if the username and password are required together
> simultaneously, then the worst-case time to crack is Nu*Np*T.
The improper login is rejected -after- both username and password are
entered.
> I think most authentication systems these days do the latter, so the
> difference between cracking root and cracking a general username is
> significant.
Which is the reason IME that root always gets attacked first.

Chris Davies
Since: Apr 13, 2004  Posts: 267
Posted: Fri Aug 03, 2007 12:16 pm  Post subject: Re: Hacked, now trying to disinfect
Archived from groups: per prev. post
Randy Yates <yates.RemoveThis@ieee.org> wrote:
> Also, the OP's lesson leads me to believe that assigning ssh to a
> different port number is not worth too much security-wise.
It appears to knock out a significant number of automated probes, so I'd
still recommend it as a first line of defence. (Port knocking may help,
too, if you really need open ssh.)
Chris

Joern Bredereck
Since: Jul 25, 2007  Posts: 2
Posted: Fri Aug 03, 2007 2:06 pm  Post subject: Re: Hacked, now trying to disinfect
Archived from groups: per prev. post
Captain Dondo <yan.RemoveThis@nsoesipnaemr.com> wrote:
> That's the only time a system I've worked on got hacked. Multiple layers,
> multiple defenses - but I learned and now disable root logins by default
> on any exposed system. What I really would like to see is a two-password
> option for root, with a timeout for entering the second password and a
> timed lockout if multiple attempts fail.
Why don't you just use RSA keys for SSH?
--
jb
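Joern's suggestion (keys instead of passwords) and Captain Dondo's (no root logins on exposed systems) both come down to a handful of sshd_config directives. The following audit script is an added example, not code from either poster: it reads a config the way sshd does (the first value for a keyword wins, keyword names are case-insensitive, and anything after a Match line is conditional) and flags the weak settings. Both config files are constructed samples; the note that OpenSSH before 7.0 defaulted PermitRootLogin to yes is the historical default behind Dave's earlier remark that distros shipped with root login enabled.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed in the thread
# (root login, password vs key authentication). Both config files below are constructed.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed: looks like a stock 2007-era sshd_config
Port 22
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed: hardened along the lines the thread recommends
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
EOF

# Effective global value of one directive. sshd keeps the FIRST value it reads for a keyword,
# keyword names are case-insensitive, and everything after the first Match line is conditional,
# so the scan stops there. Prints nothing when the directive is not set (default applies).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { exit }
        tolower($1) == key                   { print $2; exit }
    ' "$1"
}

# Print one line per weak setting; prints nothing for a config that passes.
audit_sshd_config() {
    cfg=$1
    root=$(sshd_effective "$cfg" PermitRootLogin)
    case "${root:-unset}" in
        # without-password / prohibit-password still allow root, but only with a key
        no|without-password|prohibit-password) ;;
        unset) echo "PermitRootLogin unset: OpenSSH before 7.0 defaults to yes, so root is reachable by password" ;;
        *)     echo "PermitRootLogin $root: root can log in directly with a password" ;;
    esac
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    [ "${pw:-yes}" = no ] || echo "PasswordAuthentication ${pw:-unset}: password guessing is possible (default is yes); use keys"
    pk=$(sshd_effective "$cfg" PubkeyAuthentication)
    [ "${pk:-yes}" != no ] || echo "PubkeyAuthentication no: key-based login is disabled"
    empty=$(sshd_effective "$cfg" PermitEmptyPasswords)
    [ "${empty:-no}" = no ] || echo "PermitEmptyPasswords $empty: accounts with empty passwords can log in"
    proto=$(sshd_effective "$cfg" Protocol)
    case "$proto" in *1*) echo "Protocol $proto: SSH protocol 1 is enabled" ;; esac
}

for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f"
    audit_sshd_config "$f"
done
```

Run it against /etc/ssh/sshd_config on a real host; a clean result means password guessing against any account, root included, has nothing to guess, which is the point Joern is making.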

Unruh
Since: May 27, 2005  Posts: 2192
Posted: Fri Aug 03, 2007 6:06 pm  Post subject: Re: Hacked, now trying to disinfect
Archived from groups: per prev. post
Dave Uhring <daveuhring.TakeThisOut@yahoo.com> writes:
>On Fri, 03 Aug 2007 01:51:31 +0000, Unruh wrote:
>> Dave Uhring <daveuhring.TakeThisOut@yahoo.com> writes:
>>>In *every* attack recorded in my log the root account was attacked
>>>first. And no, I cannot post the log since it was rotated out long ago.
>>>In addition to disabling root login I also have enabled tcpwrappers on
>>>sshd to limit, indeed put an end to, the ssh attacks.
>>
>> Well, that is not true in my logs. They try a whole bunch of user type
>> accounts first, and then do a determined attack on root. tcpwrapper
>> helps not at all if you need to log onto your system from all over the
>> world.
>With your own system you can more easily enforce good passwords on
>yourself. It's somewhat more difficult with a system with many users, at
>least not without accusations of being a dictatorial bastard.
"My own system" has loads of users who all need to log in from all over the
world.
>Regardless of the order in which it occurs, an attack against a user
>account, at least one with a good password is more difficult than an
>attack against root. The attacker has to guess the user's name; he
>already knows "root".
Users' names are usually easy to discover or sniff.
>>>>>Have you ever examined the logs of some of those ssh attacks?
>>
>>>The question applies also to you, Bill.
>>
>> Yes.
>How many times was the account 'bunruh' or whatever you use actually
>guessed and attacked?
With x (a large number) of users, finding one of them is not that hard.
And since for most people their email address on a linux system is also
their username, it is not very hard to find the usernames.

phil-news-nospam
Since: Nov 16, 2006  Posts: 329
Posted: Wed Aug 08, 2007 12:17 pm  Post subject: Re: Hacked, now trying to disinfect
Archived from groups: per prev. post
On Wed, 01 Aug 2007 21:07:45 -0000 joe t. <thookerov RemoveThis @gmail.com> wrote:
| The www and mail servers are running FC6 and Cent4.4, respectively,
| and the other is running Slack 10. Suggesting a different distro for
| the Slackware box isn't an option at this point. The software that
| runs on it is 20+ years old and barely runs even on that OS. The
| others seem to work fine aside from the password logger and any other,
| more subtle infections present.
My general suggestion without knowing the details of your setup, which
I won't know unless I am on-site and examining things, is to save all
the data and applications and re-install from scratch after wiping out
the disks. You can keep the same distribution. All that you have used,
when installed and configured properly, with a few package upgrades, are
safe and secure at least from outsiders.
| I've been looking around, and can't find any references to "/etc/
| host" (most links refer to the valid "/etc/hosts" or "host.conf" or
| "host.allow/deny" ... Does anyone have any info on this type of
| logger? It's clear enough that whoever is doing this is managing to
| catch other credentials beyond just the ssh sessions, and the worst
| actual damage we've seen has been creating phishing pages. We're
| trying to beef up security, but now it's an even steeper uphill battle
| with the enemy already inside.
They could have completely infected the daemons and libraries. Available
root kits are next to impossible to remove when accessing via programs
that are already infected, or even in general. Wipe off and re-install
is the only sure answer, for any OS.
--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2007-08-08-0659 RemoveThis @ipal.net |
|------------------------------------/-------------------------------------|

phil-news-nospam
Since: Nov 16, 2006  Posts: 329
Posted: Wed Aug 08, 2007 12:20 pm  Post subject: Re: Hacked, now trying to disinfect
Archived from groups: per prev. post
On Wed, 01 Aug 2007 16:38:22 -0700 CptDondo <yan.RemoveThis@nsoesipnaemr.com> wrote:
| Unruh wrote:
|> Dave Uhring <daveuhring.RemoveThis@yahoo.com> writes:
|>
|>> On Wed, 01 Aug 2007 21:07:45 +0000, joe t. wrote:
|>
|>>> Yeah, i know, it can't happen in Linux. But it has been happening to our
|>>> work servers for several months.
|>
|>> Sure it can. Most, probably all, Linux distros are shipped with *root*
|>> login enabled in sshd. If you expose such a system to the Internet you
|>> are almost certain to get successfully attacked.
|>
|> Now that is nonsense. You will get attacked, but with a proper password,
|> the guessing can go on forever.
|
| Not forever. I had a "strong password" on a system I installed. The
| sysadmin failed to notice an attack that started on a Friday afternoon;
| by Sunday the system had been compromised. The attack used a
| coordinated approach from compromised machines in Romania and Korea, mostly.
Password not strong enough? What was its complexity level?
| Unfortunately the sysadmin also removed the local firewall on that
| machine as they had just installed a new hardware firewall, which did
| not include a rate-limiter for ssh connections.
|
| *Any* machine can be compromised, given slack enough security in other
| areas, even with a strong password, if your pipe is big enough, your CPU
| fast enough, and you don't rate-limit new connections.
And hackers dedicated enough.
I do turn mine off, but more so the logs don't get flooded.
--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2007-08-08-0718.RemoveThis@ipal.net |
|------------------------------------/-------------------------------------|
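The quoted lesson here is that the new hardware firewall "did not include a rate-limiter for ssh connections", and Phil's own reason for filtering is log flooding. Both are addressed by a per-source limit on new connections with the iptables `recent` module. The script below is an added example, not anything either poster ran: the 60 s window, the 4-connection threshold and the optional admin network 192.0.2.0/24 are constructed values, and the rules are only printed unless it is run with IPT=iptables.

```shell
#!/bin/sh
# Added example: throttle new ssh connections per source address with the iptables "recent"
# module. Dry run by default (prints the rules); run with IPT=iptables to apply them for real.
IPT=${IPT:-"echo iptables"}

# ssh_ratelimit_rules PORT WINDOW_SECONDS MAX_NEW [ADMIN_NET]   (all constructed defaults)
ssh_ratelimit_rules() {
    port=${1:-22}; window=${2:-60}; hits=${3:-4}; admin_net=${4:-}
    $IPT -N SSH_RATE
    # Only brand-new connections to sshd are examined; established sessions are never throttled.
    $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j SSH_RATE
    # Optional: a trusted admin network is never throttled, so a brute-force cannot lock you out.
    [ -z "$admin_net" ] || $IPT -A SSH_RATE -s "$admin_net" -j RETURN
    # Record every new attempt per source in list SSH (no -j: the rule only records, then falls through).
    $IPT -A SSH_RATE -m recent --name SSH --set
    # A source with $hits or more new connections inside $window seconds is logged (at most three
    # lines a minute, so the log is not flooded) and then dropped. --update refreshes the source's
    # timestamp, so the block lasts for as long as it keeps hammering.
    $IPT -A SSH_RATE -m recent --name SSH --update --seconds "$window" --hitcount "$hits" \
         -m limit --limit 3/min -j LOG --log-prefix "ssh-ratelimit: "
    $IPT -A SSH_RATE -m recent --name SSH --update --seconds "$window" --hitcount "$hits" -j DROP
    # Everything under the limit goes back to INPUT for normal processing.
    $IPT -A SSH_RATE -j RETURN
}

ssh_ratelimit_rules "$@"
```

This does not stop a slow, distributed guessing campaign of the kind Captain Dondo describes (each source stays under the threshold), which is why it belongs alongside key-only authentication rather than in place of it; what it does do is cap the rate any single source can try at, and keep the log readable.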