Linux Security *Need Help, got cracked*

idea (Golden Member, joined Apr 15, 2001)
I was running a VNC server on a standard port, and apparently someone broke in. I wouldn't have known it unless I hit CTRL+V where the cracker left a URL that he had copied to the clipboard. The URL pointed to this site, which contains 2 Trojan files, Trojan.BAT.Zapchast (win32 exe's). He definitely downloaded one of the files, but he then deleted it because it's not there anymore. He may have hijacked my computer to scan other computers for vulnerabilities.

http://www.promisance.co.uk/crawlers/

Anyone know of a forum I can ask for help at? I shut down the vnc server, I don't know what the next steps are.
 

kalster (Diamond Member, joined Jul 23, 2002)
Run a port scanner to see what ports he may have opened up; also check your /var/log files (for example /var/log/secure, etc.).
 

creedog (Golden Member, joined Nov 15, 1999)
Find a forum dedicated to the distro of Linux that you are running, or a general Linux forum like linuxquestions.org.
 

idea (Golden Member, joined Apr 15, 2001)
$ nmap localhost

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2006-07-12 17:14 EDT
Interesting ports on localhost (127.0.0.1):
(The 1657 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
37/tcp open time
85/tcp open mit-ml-dev
113/tcp open auth
139/tcp open netbios-ssn
445/tcp open microsoft-ds
587/tcp open submission
631/tcp open ipp
901/tcp open samba-swat
secure log file is 0 bytes
 

EKKC (Diamond Member, joined May 31, 2005)
If this is a corporate server I would disconnect the network connection to that server and physically work on the console.
 

TGS (Golden Member, joined May 3, 2005)
Why take the chance? Wipe the box and restore from a backup. You are only putting the rest of your network in danger of being compromised unless you unplug from the network and wipe that machine right now.

Edit: Next time use SSH for remote connectivity.
 

Platypus (Lifer, joined Apr 26, 2001)
Originally posted by: TGS
Why take the chance? Wipe the box and restore from a backup. You are only putting the rest of your network in danger of being compromised unless you unplug from the network and wipe that machine right now.

Yep.
 

QED (Diamond Member, joined Dec 16, 2005)
Before you wipe clean, take a look to see exactly under what account he logged in as.

Run "last -100" and look for any suspicious logins.
Check out the /var/log/sudolog or /var/log/sulog, or /var/log/secure (depending on your platform) for suspicious entries.
Look at the process table for any entries that should not be there.
Run "find / -mtime +10 -print" or some such to find all the files created or modified in the last ten days or so.

Knowing this information will help you prevent another break in...
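The checks in this post, written up as an added example of my own (not QED's or anyone else's code from the thread) so they can be run against data copied off the suspect box: one function flags `last -i` records whose source address is outside an allowlist (the OP says only four IPs should ever be logging in), the other lists files modified within the last N days under a given root. It assumes GNU find and coreutils; the sample `last` lines, the allowlist and the demo directory tree are constructed here for the demonstration. Note that `find -mtime -N` selects files changed less than N days ago, while `-mtime +N` selects files older than N days.

```shell
#!/bin/bash
# Added triage helpers, not from the thread. Assumes GNU find/coreutils and
# that the admin can name the source IPs that are allowed to log in.

# Print `last -i` records whose source IP is not in the allowlist.
# $1: file holding `last -i` output   $2: space-separated allowlist of IPs
unexpected_logins() {
    local lastfile="$1" allow="$2"
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # columns: user tty source-ip weekday month day time ...
        NF >= 3 && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($3 in ok) { print }
    ' "$lastfile"
}

# List regular files under $1 modified less than $2 days ago, staying on one
# filesystem (-xdev) so /proc and network mounts are skipped.
recent_files() {
    local root="$1" days="$2"
    find "$root" -xdev -type f -mtime -"$days" -print | sort
}

# Constructed sample of `last -i` output (documentation-range addresses).
SAMPLE_LAST=$(mktemp)
cat > "$SAMPLE_LAST" <<'EOF'
sean     pts/0        203.0.113.10     Wed Jul 12 17:02   still logged in
sean     pts/1        198.51.100.7     Tue Jul 11 09:15 - 09:40  (00:25)
sean     pts/2        192.0.2.44       Mon Jul  3 23:58 - 00:12  (00:14)
reboot   system boot  2.6.15-26-386    Sat Jul  1 08:00          (11+09:14)
EOF
# The four addresses the admin expects (home, work, two backup shells); constructed.
ALLOWED="203.0.113.10 198.51.100.7 203.0.113.50 198.51.100.9"

# Constructed demo tree: one file touched 20 days ago, one 3 days ago.
make_demo_tree() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/Desktop/eek"
    touch -d '20 days ago' "$d/Desktop/notes.txt"
    touch -d '3 days ago'  "$d/Desktop/eek/winnt.exe"
    printf '%s\n' "$d"
}

echo "== logins from addresses outside the allowlist =="
unexpected_logins "$SAMPLE_LAST" "$ALLOWED"
echo "== files modified in the last 10 days =="
recent_files "$(make_demo_tree)" 10
```

On a real box you would save `last -i > /tmp/last.txt` and `find / -xdev -type f -mtime -10 > /tmp/recent.txt` first and then run the functions over those files, keeping in mind the point made later in the thread that output from a compromised kernel cannot be fully trusted.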
 

kalster (Diamond Member, joined Jul 23, 2002)
For starters, bring down your network interfaces, and try to find from the logs what he may have modified or changed. See the logs for services like ftp, ssh and telnet to see what connections were made/attempted. Even if you load the OS again later, you at least know what you should keep in mind in the future.
 

DaiShan (Diamond Member, joined Jul 5, 2001)
Originally posted by: TGS
Why take the chance? Wipe the box and restore from a backup. You are only putting the rest of your network in danger of being compromised unless you unplug from the network and wipe that machine right now.

Edit: Next time use SSH for remote connectivity.

Sound advice. OP, why were you using VNC anyway? Are you familiar with iptables (the Linux firewall)? It's free and there are tons of tutorials on creating secure firewalls.
 

idea (Golden Member, joined Apr 15, 2001)
Thanks for all the help !!!

Reel, that's definitely the exploit he used to get in. I can't figure out how to check my RealVNC version though (it came with 4 bin files, and when I run --version or -v it is an unknown option).

QED,
- I already sifted through the logs, no suspicious activity other than denied SSH attempts
- I deny ALL sshd except for attempts made from four IPs (home, work, and 2 backup shells)
- Nothing funny in sudo log
- secure log is 0 bytes
- I don't see any weird processes
- I'm sifting through the "find -mtime" log right now
 

idea (Golden Member, joined Apr 15, 2001)
Originally posted by: DaiShan
Originally posted by: TGS
Why take the chance? Wipe the box and restore from a backup. You are only putting the rest of your network in danger of being compromised unless you unplug from the network and wipe that machine right now.

Edit: Next time use SSH for remote connectivity.

Sound advice. OP, why were you using VNC anyway? Are you familiar with iptables (the Linux firewall)? It's free and there are tons of tutorials on creating secure firewalls.


I use SSH 99% of the time. I have VNC just for a GUI when I need it, and yes I do need it at times.
 

idea (Golden Member, joined Apr 15, 2001)
Found one

$ sudo find / -mtime 8 -print
/home/sean/Desktop/eek/winnt.exe

eek is a folder on my Desktop that I created. winnt.exe is certainly not something I downloaded 8 days ago.
 

idea (Golden Member, joined Apr 15, 2001)
Same day.

/home/sean/.mozilla/firefox/15pcn71n.default/extensions/{DDC359D1-844A-42a7-9AA1-88A850A938A8}/history.xml
/home/sean/.mozilla/firefox/15pcn71n.default/Cache/8E56ECEEd01
 

Platypus (Lifer, joined Apr 26, 2001)
Originally posted by: idea
Originally posted by: DaiShan
Originally posted by: TGS
Why take the chance? Wipe the box and restore from a backup. You are only putting the rest of your network in danger of being compromised unless you unplug from the network and wipe that machine right now.

Edit: Next time use SSH for remote connectivity.

Sound advice. OP, why were you using VNC anyway? Are you familiar with iptables (the Linux firewall)? It's free and there are tons of tutorials on creating secure firewalls.


I use SSH 99% of the time. I have VNC just for a GUI when I need it, and yes I do need it at times.


Are you saying you use a Windows machine to connect to the Linux server and you use VNC for GUI purposes?

If so, get something like Exceed if you need access to those graphical programs.

What do you need VNC for?

 

idea (Golden Member, joined Apr 15, 2001)
I just realized winnt.exe is still there on the desktop. How can I find which apps are accessing it?
 

idea (Golden Member, joined Apr 15, 2001)
VNC is a freeware application and easy to install. I run it through sshd for security with PuTTY.exe. I won't be using it anymore.
 

idea (Golden Member, joined Apr 15, 2001)
My router has logged a crapload of connection attempts to my VNC server in the past week or two.
 

idea (Golden Member, joined Apr 15, 2001)
I found who I was cracked by...

___________________________________________
- = ] *~*~*~*~*WAREZ OWNS YOU*~*~*~*~* [ = -
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
!~!~ !~!~!~#MP3-WONDERLAND~!~!~!~!~!
 

tami (Lifer, joined Nov 14, 2004)
Originally posted by: idea
$ nmap localhost

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2006-07-12 17:14 EDT
Interesting ports on localhost (127.0.0.1):
(The 1657 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
37/tcp open time
85/tcp open mit-ml-dev
113/tcp open auth
139/tcp open netbios-ssn
445/tcp open microsoft-ds
587/tcp open submission
631/tcp open ipp
901/tcp open samba-swat
secure log file is 0 bytes


that may not necessarily help you

your best bet is to do

# nmap -p 1-65535 localhost

just to see if they're running ftp or any other services on higher numbered ports (nmap only checks up to port 1024 by default)

now, add a bunch of IPs to your firewall

# /sbin/iptables -A INPUT -s ip.address.goes.here -j DROP

and they won't come back, or at least, they can't for awhile :p
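An added example of my own (not tami's or the OP's code) for the two steps in this post: it reads a saved nmap report in the format the OP pasted and prints every open port that is not on the list of services the admin actually intends to run, and it turns a reviewed list of source addresses into iptables DROP rules without applying them. Whatever port set a given nmap build scans by default, a `nmap -p 1-65535 localhost > /tmp/full.txt` sweep covers listeners outside it, and the saved report is what the first function consumes. The sample report is the OP's own output; the expected-services list and the block list are constructed assumptions for the demo.

```shell
#!/bin/bash
# Added example, not tami's or the OP's code. Assumes nmap text output in the
# format pasted earlier in the thread, and a list of services the admin
# actually intends to run on this host.

# Print open ports from an nmap report that are NOT in the expected list.
# $1: file with nmap output   $2: space-separated list such as "22/tcp 631/tcp"
unexpected_ports() {
    local report="$1" expected="$2"
    awk -v expected="$expected" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && !($1 in ok) { print $1, $3 }
    ' "$report"
}

# Emit, without applying, one DROP rule per source address listed in a file
# (blank lines and # comments skipped), so the list can be reviewed first.
drop_rules() {
    local ipfile="$1"
    grep -Ev '^[[:space:]]*(#|$)' "$ipfile" | while read -r ip _; do
        printf '/sbin/iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Sample report: the OP's pasted nmap output, trimmed to the port table.
REPORT=$(mktemp)
cat > "$REPORT" <<'EOF'
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
37/tcp open time
85/tcp open mit-ml-dev
113/tcp open auth
139/tcp open netbios-ssn
445/tcp open microsoft-ds
587/tcp open submission
631/tcp open ipp
901/tcp open samba-swat
EOF
# What this admin intends to run (SSH, mail, CUPS): an assumption for the demo.
EXPECTED="22/tcp 25/tcp 587/tcp 631/tcp"

# Constructed block list (documentation-range addresses).
BLOCKLIST=$(mktemp)
printf '# sources seen hammering VNC in the router log\n192.0.2.44\n\n198.51.100.200\n' > "$BLOCKLIST"

echo "== open ports nobody asked for =="
unexpected_ports "$REPORT" "$EXPECTED"
echo "== rules to review before applying =="
drop_rules "$BLOCKLIST"
```

Every line the first function prints is a service to account for: either it was installed on purpose and belongs on the expected list, or it is something to shut down and investigate. Keep in mind that a scan of localhost shows what the host itself listens on, not what the router lets through from outside.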
 

cmetz (Platinum Member, joined Nov 13, 2001)
idea, you need to reinstall this box, NOW.

If you really really want to do the forensic analysis, boot from a live CD like Knoppix and make an image of the box beforehand. That's okay to do, but should be done offline. You cannot have a compromised box continue on your network.

In the future, I'd suggest that you use SSH port redirection to securely wrap VNC. Last I checked, VNC sends passwords as well as all screen updates in cleartext, you need to add SSL or SSH or IPsec or something else to get crypto and authentication security.

I do have to wonder... why are you using VNC at all? It's a *IX box, we use X.
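The SSH-wrapped VNC setup this post recommends, as an added example of my own (not cmetz's code): the server keeps the VNC listener on the loopback interface only, the client reaches it through an SSH local port forward, and a small check parses an `ss -ltn`-style listener table to confirm that no VNC display port is bound to a network-facing address. Assumptions: display :1 (TCP 5901), that the installed vncserver accepts a `-localhost` switch (RealVNC and TightVNC builds do; confirm for yours), and the two listener tables below are constructed.

```shell
#!/bin/bash
# Added example, not from cmetz or the thread. Shows the SSH port-forwarding
# setup the post describes and a check that the VNC listener is not reachable
# from the network. Assumes a VNC server on display :1 (TCP 5901) and an
# `ss -ltn` style listener table; the sample tables below are constructed.

# Server side: start the VNC server so it binds only to the loopback interface.
# (Assumption: your vncserver supports -localhost; RealVNC/TightVNC builds do.)
start_vnc_loopback() {
    vncserver :1 -localhost
}

# Client side: forward local port 5900+display to the server's loopback port
# over SSH. The VNC viewer then connects to localhost:5901 and the password
# and screen updates travel only inside the SSH session.
tunnel_command() {
    local user="$1" host="$2" display="${3:-1}"
    local port=$((5900 + display))
    printf 'ssh -N -L %d:127.0.0.1:%d %s@%s\n' "$port" "$port" "$user" "$host"
}

# Return 0 when every listener on 5900-5999 in an `ss -ltn` table is bound to
# loopback (127.0.0.1 or [::1]); otherwise print the exposed sockets and return 1.
vnc_loopback_only() {
    local table="$1"
    ! awk 'NR > 1 {
        n = split($4, a, ":"); port = a[n] + 0
        if (port >= 5900 && port <= 5999 && $4 !~ /^(127\.0\.0\.1|\[::1\]):/) print $4
    }' "$table" | grep .
}

# Constructed listener tables: one correct, one with VNC exposed.
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       127.0.0.1:5901      0.0.0.0:*
LISTEN  0       5       [::1]:5901          [::]:*
EOF
cat > "$BAD" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:5901        0.0.0.0:*
LISTEN  0       5       *:5900              *:*
EOF

tunnel_command sean server.example.invalid 1
vnc_loopback_only "$GOOD" && echo "good table: VNC reachable only via loopback"
vnc_loopback_only "$BAD"  || echo "bad table: the sockets above are exposed"
```

On the real server the check is `ss -ltn > /tmp/listeners.txt; vnc_loopback_only /tmp/listeners.txt` (older systems: `netstat -ltn`, same column layout for the local address). A router forwarding rule for 5900/5901 should be removed as well, since the tunnel only needs port 22 open.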
 

Nothinman (Elite Member, joined Sep 14, 2001)
QED,
- I already sifted through the logs, no suspicious activity other than denied SSH attempts
- I deny ALL sshd except for attempts made from four IPs (home, work, and 2 backup shells)
- Nothing funny in sudo log
- secure log is 0 bytes
- I don't see any weird processes
- I'm sifting through the "find -mtime" log right now

None of that is relevant if you're doing it from the kernel that was broken into, he could have loaded a kernel module to hide everything he's done. To do any type of forensics you'll have to analyze the filesystems in a known-good machine.
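One way to do the analysis from a known-good machine, as an added example of my own (not Nothinman's code): instead of trusting `ps`, `find` or `ls` on the compromised kernel, image the disk, mount the image read-only on a clean system and hash every file under the mount point, then compare against a manifest taken from a trusted source (backup media or a fresh install of the same packages). Assumptions: sha256sum and GNU find are available, the image has already been mounted (the mount line is shown as a comment only), and the demo tree, its "baseline" and the changes applied to it are constructed here.

```shell
#!/bin/bash
# Added example, not from the thread. Offline integrity check of a suspect
# filesystem from a known-good system: hash every file below a mount point and
# compare with a manifest taken earlier. Assumes sha256sum and GNU find; the
# demo tree is constructed here. The image would be mounted read-only first:
#   mount -o ro,loop,noexec,nodev,nosuid image.dd /mnt/evidence

# Hash every regular file under $1; paths are relative to $1 so manifests
# taken from different mount points compare cleanly.
make_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k2)
}

# Compare the tree under $1 with manifest $2; print CHANGED / MISSING / NEW lines.
# sha256sum lines are "<64 hex chars><two spaces><path>", so the path starts at column 67.
verify_manifest() {
    local root="$1" manifest="$2" current
    current=$(mktemp)
    make_manifest "$root" > "$current"
    awk '
        NR == FNR { base[substr($0, 67)] = $1; next }
        { cur[substr($0, 67)] = $1 }
        END {
            for (p in base) { if (!(p in cur)) print "MISSING", p; else if (base[p] != cur[p]) print "CHANGED", p }
            for (p in cur)  { if (!(p in base)) print "NEW", p }
        }' "$manifest" "$current" | sort
    rm -f "$current"
}

# Constructed demo: take a baseline, then simulate a replaced binary, a deleted
# file and a new hidden file, and report what the comparison finds.
demo_verify() {
    local root manifest
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc"
    printf 'original ps\n' > "$root/bin/ps"
    printf 'original ls\n' > "$root/bin/ls"
    printf 'root:x:0:0\n'  > "$root/etc/passwd"
    manifest=$(mktemp)
    make_manifest "$root" > "$manifest"
    printf 'replaced ps\n' > "$root/bin/ps"
    rm "$root/etc/passwd"
    printf 'unknown\n'     > "$root/bin/.hidden"
    verify_manifest "$root" "$manifest"
}

demo_verify
```

Run from the clean system as `make_manifest /mnt/trusted > baseline.txt` and then `verify_manifest /mnt/evidence baseline.txt`; because the hashing is done by the clean kernel and clean binaries, a module hiding files or processes on the compromised box cannot influence the result. Where the distribution ships package checksums (`rpm -Va`, or debsums on Debian-based systems), those can replace the hand-built baseline for packaged files, with the manifest approach left for everything under /home, /etc and /usr/local.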