
Thread: machine hacked - want to see if i can find entry point

  1. #1
    Junior Member
    Join Date
    Mar 2007
    Posts
    32

    Default machine hacked - want to see if i can find entry point

    Hi,

    Sorry to post this. I have a little brother that uses one of my machines that runs Linux; he is mentally handicapped and I try to keep the machine up to date.

    Over the past couple of days someone from a group http://www.xtronic.net/

    I did have the IP address; the only worry I have is my system uses the codes it shows on the site
    http://www.xtronic.net/

    Kred Krew:
    Waging the war against burnout SysAdmins

    got root?
    sh-2.05b$ whoami
    uid= 0 (root) gid= 0 (root)

    New found Disorder, Day of darkness has arrived
    Are You Ready ?

    root@xtronic.net

    Greetz to all of DARPANET
    "Krashed, Founder of Kred Krew"
    uid= 0 (root) gid= 0 (root)

    I enjoy trying to get on my machines using VMs, but that's all I've used.

    Normally I can't gain access to my VMs unless I click a link...

    Because someone has gained root access on the machine I will be doing a clean install, but does the above mean I will be vulnerable again when it's finished?

    Thanks

    no so raver

  2. #2
    Senior Member daedalus1776's Avatar
    Join Date
    Jan 2012
    Location
    Australia
    Posts
    112

    Default Re: machine hacked - want to see if i can find entry point

    Quote Originally Posted by dwjs1974:
    Hi,
    Over the past couple of days someone from a group http://www.xtronic.net/
    Someone from that group did what? You kinda didn't finish your sentence there...

    Quote Originally Posted by dwjs1974:
    I did have the ip address the only worry i have my system uses the codes it shows on the site
    uid= 0 (root) gid= 0 (root)
    You had the IP address for what? And everyone's root uid and gid is 0, not just yours. Furthermore, xtronic.net is just a website that seems to display that message... It has nothing to do with you personally... Unless you own xtronic.net and someone's hacked it... I'm not sure what you're asking.

    Quote Originally Posted by dwjs1974:
    normally i cant gain access to my vms unless i click a link.....
    ...What? What link?...

    So essentially, from what I can tell, you have nothing to worry about. But in saying that, I'm not really sure what you're asking/implying. What makes you think your computer has been hacked?

    Cheers,

  3. #3
    Junior Member
    Join Date
    Mar 2007
    Posts
    32

    Default Re: machine hacked - want to see if i can find entry point

    Hi, sorry,

    Yes, I was more into getting the machine going than posting correctly... I was in a rush to get the machine to a usable state.

    As I said, I keep my machine up to date; I rarely use it, as my little brother uses it on the internet.

    The machine was hacked as in the root password was cracked or hacked; however they got the password, I still don't actually know.
    The root password was changed, as I couldn't do the updates when I wanted to. I then discovered an IP address on the machine; unfortunately I didn't take it down at the time, but the webpage from the above was linked in the browser of the users.

    As I couldn't log into root I used a hack to reset the root password, which worked, so the machine is running. However, I want to take a snapshot of the machine to see if I can find how they got in before the machine is freshly installed...

    I am sorry that I didn't post all details; I was very wary of what had happened and wanted to get the machine sorted ASAP.

    I saw the gid 0 and panicked, as I know this is standard...


    The reference with the link is me: whenever I try exploiting my VMs I normally have to click a link for the exploit to work.

    What I should have asked is: if I clone the machine, would I be able to use this to find out how they got in?

    Many thanks for your patience

    Cheers

  4. #4
    Senior Member daedalus1776's Avatar
    Join Date
    Jan 2012
    Location
    Australia
    Posts
    112

    Default Re: machine hacked - want to see if i can find entry point

    To be perfectly honest, I'm not exactly qualified to answer this question. If it were me though, I'd do a port scan, or find any service that was running on my machine that is facing the internet. Then I'd check the logs on all of those services. If you find a service with a heap of authentication failures, then you can probably guess that it was brute forced, etc...
    Hope that helps at all.

  5. #5
    Senior Member
    Join Date
    Jul 2009
    Posts
    135

    Default Re: machine hacked - want to see if i can find entry point

    In addition to what daedalus1776 said, using the "last" command should show you a listing of the last logged-on users and the duration they were logged in. If you can identify an unusual root login here, you can use the date and time as a reference for grepping through the logs. However, always keep in mind that a good hacker will modify your logs in some way (but not all script kiddies will do this), so you can't always trust the logs.
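    The log triage that posts #4 and #5 describe (look for a pile of authentication failures on an internet-facing service, then use the time of a successful root login as a reference point) can be scripted over the sshd entries in the system auth log. The following is an added example, not code from the thread or from any of its posters; the log lines are constructed for illustration and follow OpenSSH's usual syslog wording, and the addresses come from documentation ranges. On a real box the input would be /var/log/auth.log or /var/log/secure (and `last -F` for the login sessions), not an inline string.

```shell
#!/bin/sh
# Constructed sample of sshd auth-log lines (not from the thread) showing a
# short password-guessing run against root followed by a successful login,
# plus an unrelated key-based login by a normal user.
SAMPLE_AUTH_LOG='Mar 12 03:14:01 box sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 12 03:14:03 box sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 12 03:14:05 box sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar 12 03:14:09 box sshd[2205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 12 03:14:12 box sshd[2207]: Accepted password for root from 203.0.113.7 port 51055 ssh2
Mar 12 09:30:44 box sshd[2410]: Accepted publickey for alice from 192.0.2.10 port 40011 ssh2
Mar 12 10:02:17 box sshd[2450]: Failed password for alice from 192.0.2.10 port 40100 ssh2'

# Count failed password attempts per source address, most frequent first.
# This is the "heap of authentication failures" check from post #4.
failed_by_source() {
    printf '%s\n' "$1" \
        | grep 'Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Print the timestamp and source of every successful root login; the
# timestamps are the reference points post #5 suggests for further grepping.
# Field 11 is the source address in the OpenSSH "Accepted ... from X port N" line.
root_logins() {
    printf '%s\n' "$1" | awk '/Accepted .* for root from/ { print $1, $2, $3, $11 }'
}

# Flag any source that produced at least THRESHOLD failures and then logged in
# successfully: the brute-force-then-success pattern the posts describe.
# The dots in the address are taken literally enough for constructed input;
# the trailing space stops 203.0.113.7 from matching 203.0.113.70.
THRESHOLD=3
suspicious_sources() {
    log="$1"
    printf '%s\n' "$log" \
        | sed -n 's/.*Accepted .* from \([0-9.]*\) port .*/\1/p' \
        | sort -u \
        | while read -r ip; do
            n=$(printf '%s\n' "$log" | grep -c "Failed password for .* from $ip " || true)
            [ "$n" -ge "$THRESHOLD" ] && printf '%s failures=%s\n' "$ip" "$n"
        done
    return 0
}

# Stand-alone run over the constructed sample.
echo "Failed attempts by source:"
failed_by_source "$SAMPLE_AUTH_LOG"
echo "Successful root logins:"
root_logins "$SAMPLE_AUTH_LOG"
echo "Sources that failed repeatedly and then got in:"
suspicious_sources "$SAMPLE_AUTH_LOG"
```

    On the sample this reports 203.0.113.7 with four failures followed by an accepted root password at 03:14:12, which is exactly the timestamp you would then grep for across the other logs. As post #5 warns, an intruder with root can edit or truncate these files, so an empty result only shows that nothing was left behind, not that nothing happened; that is the reason for snapshotting the disk before the reinstall rather than trusting the live logs.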

  6. #6
    Senior Member ShadowMaster's Avatar
    Join Date
    Jul 2011
    Location
    /root
    Posts
    189

    Default Re: machine hacked - want to see if i can find entry point

    If you don't have any internet-facing ports besides 22 and 80 then make sure those are UP TO DATE!! Also, make sure you have strong root passwords. The best setup would be to run bastille-linux on your machine (google it), then disallow root login through ssh, set up ssh to only use ssl keys and then SU into root whenever you need it. That way it will be MUCH harder for someone to penetrate and escalate. Meaning to gain root on your server one would have to crack your DSA or RSA private key AFTER finding out a valid user name to try that is not root, then log in with the cracked key and username, then somehow find a way to escalate, which is semi difficult without kernel exploits and with up to date services. Not impossible by a very long shot, just semi difficult.

    iptables, strong su passes, and disallowing sudo access are all your friend here, my friend.
    World Domination is such an ugly phrase. I prefer the term World Optimization.
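    The sshd hardening in post #6 (no root login over ssh, key-only authentication, then su for root) comes down to a few sshd_config directives, and it is easy to check whether a config actually has them. Below is an added example, not code from the thread or its posters: two constructed sshd_config fragments, one with the weak settings and one with the settings the post recommends, plus a small audit function. The directive names (PermitRootLogin, PasswordAuthentication, PubkeyAuthentication, AllowUsers, MaxAuthTries) are real OpenSSH options; the "first match wins" rule matches how sshd reads its config.

```shell
#!/bin/sh
# Constructed sshd_config fragment (not from the thread): the permissive
# settings the post warns about.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Constructed fragment with the settings the post recommends: no direct root
# login, keys only, and a short list of users allowed to log in at all.
HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice
MaxAuthTries 3'

# Effective value of one directive. sshd_config uses the first occurrence of a
# keyword (later duplicates are ignored), and keywords are case-insensitive.
# Prints "unset" when the file never mentions it, which means the compiled-in
# default applies; the audit treats that as something to fix explicitly.
sshd_option() {
    value=$(printf '%s\n' "$1" | awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }')
    printf '%s\n' "${value:-unset}"
}

# One line per finding; silent when the config matches the post's advice.
audit_sshd_config() {
    cfg="$1"
    [ "$(sshd_option "$cfg" PermitRootLogin)" = "no" ] \
        || echo "PermitRootLogin is not 'no': root can log in over ssh directly"
    [ "$(sshd_option "$cfg" PasswordAuthentication)" = "no" ] \
        || echo "PasswordAuthentication is not 'no': password guessing over ssh remains possible"
    [ "$(sshd_option "$cfg" PubkeyAuthentication)" != "no" ] \
        || echo "PubkeyAuthentication is 'no': key-only login cannot work"
    return 0
}

# Number of findings; 0 means nothing to change.
audit_finding_count() {
    audit_sshd_config "$1" | grep -c . || true
}

# Stand-alone run over both constructed fragments.
echo "Weak config:"
audit_sshd_config "$WEAK_SSHD_CONFIG"
echo "Hardened config: $(audit_finding_count "$HARDENED_SSHD_CONFIG") findings"
```

    Run against a real file with `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`. Two caveats the post's advice implies: restart sshd after editing and keep an existing session open until a key-based login for the non-root user has been tested, otherwise the "disallow root" step locks you out as effectively as it locks out the attacker; and the key is only as strong as the passphrase protecting it on the client, which is what the post's "crack your private key" step is about.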
