Fedora Linux Support Community & Resources Center

  #1  
Old 17th December 2006, 07:50 PM
goahead Offline
Registered User
 
Join Date: Feb 2005
Posts: 12
Am I being hacked?

My system got slower and slower and slower, so I thought I should reboot to see if it got any better, but after the reboot my root passwd had been changed.

Checked the log and found A LOT of weird stuff.

Dec 17 19:46:34 localhost sshd[4807]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=164.77.226.155 user=root
Dec 17 19:46:36 localhost sshd[4807]: Failed password for root from 164.77.226.155 port 41903 ssh2
Dec 17 19:46:37 localhost sshd[4808]: Received disconnect from 164.77.226.155: 11: Bye Bye
Dec 17 19:46:38 localhost sshd[4809]: Invalid user sifak from 164.77.226.155
Dec 17 19:46:38 localhost sshd[4810]: input_userauth_request: invalid user sifak
Dec 17 19:46:38 localhost sshd[4809]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 19:46:38 localhost sshd[4809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=164.77.226.155
Dec 17 19:46:38 localhost sshd[4809]: pam_succeed_if(sshd:auth): error retrieving information about user sifak
Dec 17 19:46:40 localhost sshd[4809]: Failed password for invalid user sifak from 164.77.226.155 port 42132 ssh2
Dec 17 19:46:40 localhost sshd[4810]: Received disconnect from 164.77.226.155: 11: Bye Bye
Dec 17 19:46:42 localhost sshd[4811]: Invalid user slasher from 164.77.226.155
Dec 17 19:46:42 localhost sshd[4812]: input_userauth_request: invalid user slasher
Dec 17 19:46:42 localhost sshd[4811]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 19:46:42 localhost sshd[4811]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=164.77.226.155
Dec 17 19:46:42 localhost sshd[4811]: pam_succeed_if(sshd:auth): error retrieving information about user slasher
Dec 17 19:46:44 localhost sshd[4811]: Failed password for invalid user slasher from 164.77.226.155 port 42322 ssh2
Dec 17 19:46:45 localhost sshd[4812]: Received disconnect from 164.77.226.155: 11: Bye Bye
Dec 17 19:46:47 localhost sshd[4813]: Invalid user fluffy from 164.77.226.155
Dec 17 19:46:47 localhost sshd[4814]: input_userauth_request: invalid user fluffy
Dec 17 19:46:47 localhost sshd[4813]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 19:46:47 localhost sshd[4813]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=164.77.226.155
Dec 17 19:46:47 localhost sshd[4813]: pam_succeed_if(sshd:auth): error retrieving information about user fluffy
Dec 17 19:46:49 localhost sshd[4813]: Failed password for invalid user fluffy from 164.77.226.155 port 42593 ssh2
Dec 17 19:46:50 localhost sshd[4814]: Received disconnect from 164.77.226.155: 11: Bye Bye
Dec 17 19:46:52 localhost sshd[4815]: Invalid user admin from 164.77.226.155
Dec 17 19:46:52 localhost sshd[4816]: input_userauth_request: invalid user admin
Dec 17 19:46:52 localhost sshd[4815]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 19:46:52 localhost sshd[4815]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=164.77.226.155
Dec 17 19:46:52 localhost sshd[4815]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Dec 17 19:46:53 localhost sshd[4815]: Failed password for invalid user admin from 164.77.226.155 port 42856 ssh2
Dec 17 19:46:54 localhost sshd[4816]: Received disconnect from 164.77.226.155: 11: Bye Bye
Dec 17 19:46:55 localhost sshd[4817]: Invalid user test from 164.77.226.155
Dec 17 19:46:56 localhost sshd[4818]: input_userauth_request: invalid user test
Dec 17 19:46:56 localhost sshd[4817]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 19:46:56 localhost sshd[4817]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=164.77.226.155
Dec 17 19:46:56 localhost sshd[4817]: pam_succeed_if(sshd:auth): error retrieving information about user test
Dec 17 19:46:57 localhost sshd[4817]: Failed password for invalid user test from 164.77.226.155 port 43081 ssh2
Dec 17 19:46:57 localhost sshd[4818]: Received disconnect from 164.77.226.155: 11: Bye Bye
Dec 17 19:46:59 localhost sshd[4820]: Invalid user guest from 164.77.226.155
Dec 17 19:46:59 localhost sshd[4821]: input_userauth_request: invalid user guest
Dec 17 19:46:59 localhost sshd[4820]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 19:46:59 localhost sshd[4820]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=164.77.226.155
Dec 17 19:46:59 localhost sshd[4820]: pam_succeed_if(sshd:auth): error retrieving information about user guest
Dec 17 19:47:01 localhost sshd[4820]: Failed password for invalid user guest from 164.77.226.155 port 43295 ssh2
Dec 17 19:47:01 localhost sshd[4821]: Received disconnect from 164.77.226.155: 11: Bye Bye
Dec 17 19:47:03 localhost sshd[4822]: Invalid user webmaster from 164.77.226.155
Dec 17 19:47:03 localhost sshd[4823]: input_userauth_request: invalid user webmaster
Dec 17 19:47:03 localhost sshd[4822]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 19:47:03 localhost sshd[4822]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=164.77.226.155
Dec 17 19:47:03 localhost sshd[4822]: pam_succeed_if(sshd:auth): error retrieving information about user webmaster
Dec 17 19:47:05 localhost sshd[4822]: Failed password for invalid user webmaster from 164.77.226.155 port 43533 ssh2
Dec 17 19:47:05 localhost sshd[4823]: Received disconnect from 164.77.226.155: 11: Bye Bye
Dec 17 19:47:07 localhost sshd[4824]: Invalid user mysql from 164.77.226.155
Dec 17 19:47:07 localhost sshd[4825]: input_userauth_request: invalid user mysql
Dec 17 19:47:07 localhost sshd[4824]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 19:47:07 localhost sshd[4824]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=164.77.226.155
Dec 17 19:47:07 localhost sshd[4824]: pam_succeed_if(sshd:auth): error retrieving information about user mysql
Dec 17 19:47:10 localhost sshd[4824]: Failed password for invalid user mysql from 164.77.226.155 port 43787 ssh2
Dec 17 19:47:10 localhost sshd[4825]: Received disconnect from 164.77.226.155: 11: Bye Bye
Dec 17 19:47:12 localhost sshd[4827]: Invalid user oracle from 164.77.226.155
Dec 17 19:47:12 localhost sshd[4828]: input_userauth_request: invalid user oracle
Dec 17 19:47:12 localhost sshd[4827]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 19:47:12 localhost sshd[4827]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=164.77.226.155
Dec 17 19:47:12 localhost sshd[4827]: pam_succeed_if(sshd:auth): error retrieving information about user oracle
Dec 17 19:47:14 localhost sshd[4827]: Failed password for invalid user oracle from 164.77.226.155 port 44055 ssh2
Dec 17 19:47:15 localhost sshd[4828]: Received disconnect from 164.77.226.155: 11: Bye Bye
Dec 17 19:47:17 localhost sshd[4829]: Invalid user library from 164.77.226.155
Dec 17 19:47:17 localhost sshd[4830]: input_userauth_request: invalid user library
Dec 17 19:47:17 localhost sshd[4829]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 19:47:17 localhost sshd[4829]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=164.77.226.155
Dec 17 19:47:17 localhost sshd[4829]: pam_succeed_if(sshd:auth): error retrieving information about user library
Dec 17 19:47:19 localhost sshd[4829]: Failed password for invalid user library from 164.77.226.155 port 44335 ssh2
Dec 17 19:47:19 localhost sshd[4830]: Received disconnect from 164.77.226.155: 11: Bye Bye

The list goes on forever with lots of nicks and login failures etc.

What to do?
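An added example, not code from the original post, that does the triage a responder would do on sshd lines like the ones above: count failures per source address, list the usernames a source tried, flag any source with a burst of failures inside a short window, and pull out the "Accepted" lines, which are what you check next to decide whether someone actually got in rather than just knocked. The sample lines are constructed in the shape of the log above; the 10.0.0.7 entries and the year 2006 (syslog lines carry no year) are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of the sshd entries in the post above; the
# 10.0.0.7 lines are made up so that a normal login sits beside the burst.
SAMPLE_LOG = """\
Dec 17 19:46:34 localhost sshd[4807]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=164.77.226.155 user=root
Dec 17 19:46:36 localhost sshd[4807]: Failed password for root from 164.77.226.155 port 41903 ssh2
Dec 17 19:46:37 localhost sshd[4808]: Received disconnect from 164.77.226.155: 11: Bye Bye
Dec 17 19:46:38 localhost sshd[4809]: Invalid user sifak from 164.77.226.155
Dec 17 19:46:40 localhost sshd[4809]: Failed password for invalid user sifak from 164.77.226.155 port 42132 ssh2
Dec 17 19:46:44 localhost sshd[4811]: Failed password for invalid user slasher from 164.77.226.155 port 42322 ssh2
Dec 17 19:46:49 localhost sshd[4813]: Failed password for invalid user fluffy from 164.77.226.155 port 42593 ssh2
Dec 17 19:46:53 localhost sshd[4815]: Failed password for invalid user admin from 164.77.226.155 port 42856 ssh2
Dec 17 19:52:10 localhost sshd[4901]: Failed password for alice from 10.0.0.7 port 51022 ssh2
Dec 17 19:52:30 localhost sshd[4902]: Accepted password for alice from 10.0.0.7 port 51023 ssh2
"""

LOG_YEAR = 2006  # assumed: syslog timestamps have no year; taken from the thread's date

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def _parse_ts(text):
    # strptime treats a space in the format as "one or more whitespace", so "Dec  7" parses too
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_failed_logins(log_text):
    """One dict per 'Failed password' line: when, user, source ip, and whether the user exists."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({
                "when": _parse_ts(m.group("ts")),
                "user": m.group("user"),
                "ip": m.group("ip"),
                "valid_user": m.group("invalid") is None,  # 'invalid user' means no such account
            })
    return events


def failures_by_source(events):
    """Failed attempts per source address."""
    return Counter(e["ip"] for e in events)


def usernames_tried(events, ip):
    """Distinct usernames tried from one source, in order of first appearance."""
    seen = []
    for e in events:
        if e["ip"] == ip and e["user"] not in seen:
            seen.append(e["user"])
    return seen


def detect_bruteforce(events, threshold=3, window_seconds=60):
    """Sources with at least `threshold` failures inside some `window_seconds` span (sliding window)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["when"])
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def successful_logins(log_text):
    """(user, ip, method) for every 'Accepted' line: the lines that tell you whether a burst paid off."""
    return [(m.group("user"), m.group("ip"), m.group("method"))
            for m in map(ACCEPTED_RE.match, log_text.splitlines()) if m]


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_LOG)
    for ip, n in failures_by_source(events).most_common():
        print(f"{ip}: {n} failures, users tried: {', '.join(usernames_tried(events, ip))}")
    print("brute-force sources:", detect_bruteforce(events))
    print("successful logins:", successful_logins(SAMPLE_LOG))
```

Run it against a real /var/log/secure by reading the file into `parse_failed_logins` instead of the constructed sample. The interesting output is not the failure count (a scan like the one above will always produce one) but `successful_logins`: an "Accepted" line from an address that also appears in the brute-force list is the evidence that the box was entered, which is the question the original post is really asking.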
  #2  
Old 17th December 2006, 07:56 PM
jim Offline
Retired Community Manager & Avid Drinker Of Suds
 
Join Date: Feb 2005
Location: Rochester NY
Age: 38
Posts: 4,176
Are you behind a router? If not, buy one.
Do you have the firewall turned on? If not, turn it on.

Turn off ssh:

chkconfig sshd off
service sshd stop

FYI, a quick Google search:
http://www.google.com/search?q=164.7...ient=firefox-a
  #3  
Old 17th December 2006, 08:17 PM
techmatt Offline
Registered User
 
Join Date: Nov 2005
Location: In My Head (I Think)
Posts: 932
If you don't want to disable ssh, then simply change the port.
I don't remember off the top of my head how, but if you search the forum I'm sure it is here.
  #4  
Old 17th December 2006, 10:57 PM
CD-RW Offline
Registered User
 
Join Date: Nov 2006
Posts: 555
Obviously someone is trying to break into your system with all those failed login attempts. I would disable the ssh port 22.

Go to http://www.grc.com and take the ShieldsUP security scan to see what your firewall looks like from the outside.

Using the following site, http://www.hcidata.info/host2ip.cgi, and inputting the IP address 164.77.226.155 tells me that your attacker probably lives in Chile.

******************************************************************************
This page can be used to find the IP of a host machine (convert host to IP) or domain name (convert domain name to ip address) or find the name of one of the hosts at an IP address (convert ip address).
It will also show the location of IP address. The country data is about 94% accurate.
Details of 164.77.226.155
IP Address : 164.77.226.155
Location : Chile (95% accuracy)
Host Name : Unable to contact the host at IP Address 164.77.226.155
******************************************************************************

You only need SSH running with port 22 open in your firewall if you want to connect to your machine remotely over the internet, which I doubt very much.

If someone has managed to alter your root password, then the best thing to do IMHO is to re-install Linux from scratch, formatting the drive completely before doing the fresh installation. Make sure the firewall is up and running as well, which it should be by default for an FC6 installation IIRC.
  #5  
Old 17th December 2006, 11:34 PM
rrkss Offline
Registered User
 
Join Date: Dec 2006
Posts: 21
I agree with what was stated above. If someone was able to compromise the root account, they will probably have installed a rootkit into the kernel to cover up their future tracks and leave a method to get into your system regardless of what you do from now on. If this was my computer, I would reinstall the operating system and follow the advice given above by installing a firewall (I like Firestarter since it is easy to configure) or otherwise set iptables to block port 22, which is unblocked in Fedora by default. I happen to use ssh for remote administration in my network, but I take some precautions such as disabling remote root login and using very long, complex passwords (for example, MD5 hashes of an easier-to-remember yet still complex password). Changing the ssh port helps (it can be done by editing /etc/ssh/sshd_config). I also set up a specific group called sshusers and only allow them to log in remotely.

Good luck

  #6  
Old 17th December 2006, 11:43 PM
Zotter Offline
Registered User
 
Join Date: May 2004
Location: Central Wyoming
Posts: 637
First off, if your root password has indeed changed, then yes, you've been cracked.

You need to take that machine offline - archive any data and configurations you want to keep - then wipe that drive to factory null and re-install from known clean sources. There is NO WAY to know you've cleaned this system and you're now a risk to everyone else on the Inet.

Now, when you get your box re-built, configure SSH to only allow protocol V2, set up and use netfilter/iptables (something like http://easyfwgen.morizot.net/gen/ can help) and install and use this little proggy called denyhosts:
http://denyhosts.sourceforge.net/

It will detect crack attempts on your sshd server and then block the source IP via hosts.deny. VERY effective. It can also report these attack sources to a central database as well as update your blocked IPs from that same database.

I suspect your root password was cracked with a dictionary attack - basically a script run by a kiddie against you. Use denyhosts to limit the number of attempts an attacker has. 3 to 5 is a good number. It'll allow you to make the occasional mistake logging in and prevent future cracks. Of course, using strong passwords helps too.

Using non-standard ports is called 'security by obscurity' and is bound to eventually fail. Sadly, it's becoming a rather common 'suggestion' these days - a symptom of the large influx of new *nix users - but it should be avoided at almost all costs. Set up your system correctly instead. It's trivial to find a 'non-standard' port that's in use. Read up on things like nessus, nmap and the like to see how easy it is to do.
  #7  
Old 18th December 2006, 01:01 AM
jhetrick62 Offline
Registered User
 
Join Date: Feb 2005
Location: Buffalo, Ny
Posts: 875
I agree with Zotter. You can "grep" your logs for successful logins to check on this, but if your root password changed, I would re-install. I would definitely install denyhosts. It works pretty well and has limited my attack attempts. They happen and get blocked after three failed attempts. I also don't allow root login and use what I would consider to be a strong password, with two different capital letters at different points and two numbers.

They say that special characters are extremely effective, but with a limit of (3) login attempts allowed, that should not be necessary.

Good luck,
Jeff
  #8  
Old 18th December 2006, 01:34 AM
pete_1967 Online
Clueless in a Cuckooland
 
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,929
For ssh, the first thing is to disable password authentication and use only key-based authentication. Even if you're on the move or use several machines, you can either use the same private key (save it on a USB stick) or generate and add all the required public keys to authorized_keys.

Use password authentication only if there is no other way (how could that be?).

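The sshd_config advice in this thread is spread over several replies: disable remote root login and restrict logins to an sshusers group (rrkss), allow only protocol 2 (Zotter), and turn off password authentication in favour of keys (pete_1967). The following is an added example, not code from any of the posters, that reads an sshd_config and reports which of those settings are missing or weak. It goes one step beyond the thread by also requiring ChallengeResponseAuthentication no, since with PAM in use that setting can still produce a password prompt after PasswordAuthentication is off. The two sample configs are constructed; the parser mirrors two real sshd_config rules (first occurrence of a keyword wins, and lines after the first Match are conditional) and otherwise simplifies (it accepts "Key value" and "Key=value", nothing more).

```python
import re

# Constructed samples: a permissive sshd_config of the kind a stock install
# might ship, and one hardened along the lines of the advice in this thread.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
#Port 22
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

HARDENED_CONFIG = """\
# sshd_config (constructed sample, hardened)
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
MaxAuthTries 3
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

# keyword -> (accepted values, or None meaning "must merely be set"), and why it matters
REQUIRED = {
    "permitrootlogin": ({"no"}, "log in as a normal user and su/sudo instead"),
    "passwordauthentication": ({"no"}, "key-only auth gives a dictionary attack nothing to guess at"),
    "challengeresponseauthentication": ({"no"}, "otherwise PAM can still prompt for a password"),
    "protocol": ({"2"}, "protocol 1 is obsolete"),
    "allowgroups": (None, "only members of a dedicated group should reach a shell"),
}
MAX_AUTH_TRIES = 5  # the thread suggests allowing 3 to 5 attempts


def effective_settings(config_text):
    """Global-scope keyword -> value, with keywords lower-cased.

    First occurrence of a keyword wins, as in sshd; everything after the first
    Match line only applies conditionally, so it is skipped here."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # handles "Port 22" and "Port=22"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)  # keep the first value seen
    return settings


def audit_sshd_config(config_text):
    """Return (keyword, problem) pairs; an empty list means every check passed.

    Each setting must be stated explicitly: a commented-out default is reported
    as missing, so the verdict does not depend on which OpenSSH version's
    defaults happen to apply."""
    settings = effective_settings(config_text)
    findings = []
    for key, (accepted, why) in REQUIRED.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, f"not set explicitly; {why}"))
        elif accepted is not None and value.lower() not in accepted:
            findings.append((key, f"is '{value}', expected one of {sorted(accepted)}; {why}"))
    tries = settings.get("maxauthtries")
    if tries is not None and tries.isdigit() and int(tries) > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", f"is {tries}, more than {MAX_AUTH_TRIES} per connection"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for key, problem in findings:
            print(f"  {key}: {problem}")
```

To check a live system, read /etc/ssh/sshd_config into `audit_sshd_config` and restart sshd once the findings are cleared. MaxAuthTries caps attempts within one connection; a scanner like the one in this thread simply reconnects, which is why the replies pair it with denyhosts, which blocks the source address after repeated failures across connections.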
  #9  
Old 18th December 2006, 02:29 AM
stanjam Offline
Registered User
 
Join Date: Oct 2006
Posts: 133
OK. First: disable the ability to log in as root through ssh.

Second: Install denyhosts

Third: Change your root password, just to be sure.

Fourth: If you don't need ssh, turn it OFF.
  #10  
Old 18th December 2006, 02:45 AM
AlexThomson_NZ Offline
Registered User
 
Join Date: Nov 2006
Posts: 192
Have you tried a whois of the IP address? It seems to resolve to a university campus in Chile. It has contact information if you want to report it.
  #11  
Old 18th December 2006, 02:56 AM
hiberphoptik Offline
Registered User
 
Join Date: Apr 2004
Posts: 1,186
Nobody mentioned this, which surprises me... disallow root logins to ssh.
  #12  
Old 18th December 2006, 04:54 AM
goahead Offline
Registered User
 
Join Date: Feb 2005
Posts: 12
Okay guys, thanks for all your answers.

I'll reinstall my system.

How do I turn off ssh?

  #13  
Old 18th December 2006, 05:36 AM
Plossl Offline
Registered User
 
Join Date: Nov 2006
Location: Total Perspective Vortex
Posts: 536
Quote:
Originally Posted by goahead
Okay guys, thanks for all your answers.

I'll reinstall my system.

How do I turn off ssh?
The GUI method is System > Administration > Services. Turn off sshd and don't forget to save afterwards.
  #14  
Old 18th December 2006, 02:38 PM
CD-RW Offline
Registered User
 
Join Date: Nov 2006
Posts: 555
Once you have got ssh sorted out, you might also like to take a look at the following GUI for SELinux:

http://fedoraproject.org/wiki/SELinux/setroubleshoot

SELinux Trouble Shooting Tool (setroubleshoot)

Click on "Read this white paper on setroubleshoot: attachment:setroubleshoot_whitepaper.pdf".

It describes in detail the new GUI for using SELinux.
  #15  
Old 18th December 2006, 08:06 PM
stanjam Offline
Registered User
 
Join Date: Oct 2006
Posts: 133
Turning off the ssh interface:

service sshd stop
chkconfig sshd off

Then check the firewall to make sure it isn't allowing sshd through.