machine hacked - want to see if i can find entry point

[dwjs1974]

Hi,

Sorry to post this I have a little brother that uses one of my machines that runs linux he is mentally handicapped and i try to keep the machine uptodate.

Over the past couple of days someone from a group http://www.xtronic.net/

I did have the ip address the only worry i have my system uses the codes it shows on the site

http://www.xtronic.net/





Kred Krew:
Waging the war against burnout SysAdmins



got root?
sh-2.05b$ whoami
uid= 0 (root) gid= 0 (root)







New found Disorder, Day of darkness has arrived
Are You Ready ?


root@xtronic.net

Greetz to all of DARPANET
"Krashed, Founder of Kred Krew"

uid= 0 (root) gid= 0 (root)

I enjoy trying to get on my machines using vms but thats all ive used.

normally i cant gain access to my vms unless i click a link.....

Because someone has gained root access on the machine I will be doing a clean install but does the above mean i will be vulnerable again when its finnished

Thanks

no so raver

[daedalus1776]

Hi,
Over the past couple of days someone from a group http://www.xtronic.net/

Someone from that group did what? You kinda didn't finish your sentence there...

I did have the ip address the only worry i have my system uses the codes it shows on the site
uid= 0 (root) gid= 0 (root)

You had the ip address for what? And everyone's root uid and gid is 0.. not just yours. Furthermore, xtronic.net is just a website that seems to display that message... It has nothing to do with you personally... Unless you own xtronic.net and someone's hacked it... I'm not sure what you're asking.

normally i cant gain access to my vms unless i click a link.....

...What? what link?..

So essentially, from what I can tell, you have nothing to worry about. But in saying that, I'm not really sure what you're asking/implying. What makes you think your computer has been hacked?

Cheers,

[dwjs1974]

Hi Sorry,

yes I was more into getting the machine going than posting correctly... I was in a rush to get the machine to a useable state..

As i said i keep my machine upto date I rarely use as my little brother uses it on the internet.

The Machine was hacked as in the root password was cracked or hacked however they got the password I still dont actually know.
The root password was changed as I couldnt do the updates when i wanted too.. I then discovered an ip address on the machine unfortuantely I didnt take it down at the time but the webpage from the above was linked in the browser of the users.

As i couldnt log into root I used a hack to reset the root password which worked so the machine is running.. However I want to take a snapshot of the machine to see if i can find how they got in before the machine is freshly installed...

I am sorry that I didnt post all details i was very weary of what had happened and wanted to get the machine sorted ASAP.

I saw the gid 0 and paniced as I know this is standard...


The Reference with the link is me whenever I try exploiting my vms I normally have to click a link for the exploit to work.

What i should of asked is if i clone the machine would i be able to use this to find out how they got in?

Many thanks for your patience

Cheers

[daedalus1776]

To be perfectly honest, I'm not exactly qualified to answer this question. If it were me though, I'd do a port scan, or find any service that was running on my machine that is facing the internet. Then I'd check the logs on all of those services. If you find a service with a heap of authentication failures, then you can probably guess that it was brute forced, etc...
Hope that helps at all.

[aerokid240]

In addition to what daedalus1776 said, using the "last" command should show you a listing if the last logged on users and the duration they were logged in. If you can identify an unusal root login here, you can use the date and time as a reference for greping through the logs. However, always keep in mind that a good hacker will modify your logs in some way (but not all script kiddes will do this) so you can't always trust the logs.

[ShadowMaster]

If you dont have any internet facing ports besides 22 and 80 then make sure those are UP TO DATE!! also, make sure you have strong root passwords. The best setup would be to run bastille-linux on your machine (google it) then disallow root login through ssh, set up ssh to only use ssl keys and then SU into root whenever you need it. That way it will be MUCH harder for someone to penetrate and escalate. Meaning to gain root on your server one would have to crack your DSA or RSA private key AFTER finding out a valid user name to try that is not root, then login in with the cracked key and username, then somehow find a way to esc, which is semi difficult without kernel exploits and up to date services. Not impossible by a very long shot, just semi difficult.

iptables, strong su passes, and disallowing sudo access are all your friend here, my friend.