Author Topic: [SOLVED] Internet security (urgent) - system being attacked  (Read 3989 times)

Offline ternor

  • Hero Member
  • *****
  • Posts: 1801
Part of this subject was dealt with in an earlier thread.  Two nights ago, I was banned by my ISP from connecting to the internet because spam was being sent from my IP address.  I ran rkhunter and found that 118 of 126 system files had been changed.  My remaster was also contaminated so I had to install from scratch.

I have looked for the man page sshd_config (5) and it is not installed.  I have gone to PCLOS Control Center - Security -> Configure System Security -> Network Security and unticked "Enable Msec tool".  I have also tried to configure shorewall but don't know which boxes to tick.

I am worried that my system will be attacked again.  Can anyone tell me what to do to prevent that happening?  I have installed clamav and so far no files are infected but I get a warning that the virus database is more than 7 days out of date.

URGENT: rkhunter is telling me that the properties of several system files have been changed.

Code:
# rkhunter -c --noappend-log --nomow --novl --rwo --sk
Default temporary directory will be used (/var/lib/rkhunter/tmp).
Default database directory will be used (/var/lib/rkhunter/db).
Warning: The file properties have changed:
         File: /bin/awk
         Current hash: 7db27f39f72eb9c496be0e712f9103e730cb4e70
         Stored hash : b5666f228cebb57bac90a7b708ca8711b9a67061
         Current inode: 286838    Stored inode: 286724
         Current file modification time: 1280479144
         Stored file modification time : 1280478701
Warning: The file properties have changed:
         File: /bin/mail
         Current hash: 79c27b138d02efcc53969d4b23c878a417a7af35
         Stored hash : 20575350615808c1edc7fc216caf34835a2f1a3a
         Current inode: 286757    Stored inode: 286779
         Current size: 334460    Stored size: 351448
         Current file modification time: 1276662328
         Stored file modification time : 1162913535
Warning: The file properties have changed:
         File: /bin/gawk
         Current hash: 7db27f39f72eb9c496be0e712f9103e730cb4e70
         Stored hash : b5666f228cebb57bac90a7b708ca8711b9a67061
         Current inode: 286766    Stored inode: 286757
         Current size: 334548    Stored size: 352564
         Current file modification time: 1279321151
         Stored file modification time : 1254715812
Warning: The file properties have changed:
         File: /usr/bin/awk
         Current hash: 7db27f39f72eb9c496be0e712f9103e730cb4e70
         Stored hash : b5666f228cebb57bac90a7b708ca8711b9a67061
         Current inode: 478584    Stored inode: 477765
         Current file modification time: 1280479144
         Stored file modification time : 1280478749
Warning: The file properties have changed:
         File: /usr/bin/chattr
         Current hash: 545113911b4d6f9ae544231bfbd92fd974c7645a
         Stored hash : 4e5dcffa832129b5e1afe0b40a35416ae9f054df
         Current inode: 478603    Stored inode: 477829
         Current size: 7712    Stored size: 7744
         Current file modification time: 1276588553
         Stored file modification time : 1257723223
Warning: The file properties have changed:
         File: /usr/bin/curl
         Current hash: 4194c96cd244a4e99226567ab34f18421cdcb9fc
         Stored hash : 7d5525c3ec0c5977ac9819b066501bfa1677da59
         Current inode: 479443    Stored inode: 477895
         Current size: 117724    Stored size: 116688
         Current file modification time: 1276840717
         Stored file modification time : 1271395740
Warning: The file properties have changed:
         File: /usr/bin/lsattr
         Current hash: e408817ebf47ecfa7368140a093bfbec048f7249
         Stored hash : 18ca56ebcf695fb5ad491166c1c8d13ca37d3cc6
         Current inode: 477829    Stored inode: 478629
         Current size: 6388    Stored size: 6428
         Current file modification time: 1276588553
         Stored file modification time : 1257723223
Warning: The file properties have changed:
         File: /usr/bin/gawk
         Current hash: 7db27f39f72eb9c496be0e712f9103e730cb4e70
         Stored hash : b5666f228cebb57bac90a7b708ca8711b9a67061
         Current inode: 477765    Stored inode: 478136
         Current file modification time: 1280479144
         Stored file modification time : 1280478749
Warning: The file properties have changed:
         File: /sbin/ifdown
         Current inode: 368693    Stored inode: 368717
         Current file modification time: 1275353852
         Stored file modification time : 1271243622
Warning: The file properties have changed:
         File: /sbin/ifup
         Current inode: 368700    Stored inode: 368723
         Current file modification time: 1275353852
         Stored file modification time : 1271243622
Warning: The command '/usr/sbin/rkhunter' has been replaced and is not a script: /usr/sbin/rkhunter: a /bin/sh script text executable
Warning: Found enabled xinetd service: /etc/xinetd.d/saned
Warning: Users have been added to the passwd file:
         usbmux:x:480:417:system user for usbmuxd:/proc:/sbin/nologin
Warning: Groups have been added to the group file:
         fuse:x:1001:mysql,terry
         usbmux:x:417:
Warning: Hidden file found: /etc/.aumixrc: ASCII text

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
« Last Edit: August 04, 2010, 01:32:22 AM by ternor »

Offline Village Idiot

  • Hero Member
  • *****
  • Posts: 2345
  • Have A Nice Day.
Re: Internet security (urgent) - system being attacked
« Reply #1 on: July 30, 2010, 07:48:46 PM »
A few things you have to find out.

1) you need to identify how the attack is coming in. Is it that you don't have a firewall, or is some software, like a script running in a web browser, causing the damage?

2) are your Linux passwords secure, non-guessable and of sufficient length?

3) is your router using the default name/passwords? If so, change them now.

4) go through the "Current file modification time:" numbers to determine if you were doing anything at the computer.

5) what you can also do is set up a script to run every minute in cron that does a "ps aux" and "netstat" etc. which you dump to a log file.

6) get a pristine copy of the OS. While anything is dirty on the network/hard drive you won't get past square one.

7) go to grc.com and do the shields up test.

Good luck.

$ fortune
No Microsoft products were used in any way for the creation of this message.
If you are using a Microsoft product to view it, BEWARE! - I'm not
responsible for any harm you might encounter as a result.
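An added example, not code posted in this thread: a shell script implementing the per-minute snapshot described in item 5 above. It records `ps aux` and the socket table (`ss -tunap`, falling back to `netstat -tunap`) into one timestamped file per run under a log directory of this example's own choosing, and keeps only a week of files. The directory, the file naming, the `run` argument and the crontab line are assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread): per-minute activity snapshot for cron.
# Everything below (paths, names, the "run" argument) is this example's choice.

# Assumed log location; override with ACTIVITY_LOG_DIR in the environment.
LOG_DIR="${ACTIVITY_LOG_DIR:-/var/log/activity-snapshots}"

# snapshot_activity DIR
# Writes DIR/YYYYmmdd-HHMMSS.log holding the process list and the socket
# table, then prints the file's path. Sockets are listed with -p so the owning
# process is recorded next to each connection; run as root so every user's
# processes and sockets are visible.
snapshot_activity() {
    dir=$1
    mkdir -p "$dir" || return 1
    out="$dir/$(date -u +%Y%m%d-%H%M%S).log"
    {
        echo "== snapshot $(date -u +'%Y-%m-%d %T UTC') on $(hostname 2>/dev/null || echo unknown-host) =="
        echo "== processes =="
        ps aux 2>/dev/null || echo "(ps unavailable)"
        echo "== sockets =="
        if command -v ss >/dev/null 2>&1; then
            ss -tunap 2>/dev/null || true
        elif command -v netstat >/dev/null 2>&1; then
            netstat -tunap 2>/dev/null || true
        else
            echo "(no ss or netstat on this system)"
        fi
    } > "$out"
    chmod 600 "$out"      # the log itself is sensitive: process args, peers
    echo "$out"
}

# prune_snapshots DIR DAYS
# Deletes logs older than DAYS so one file per minute does not fill the disk.
prune_snapshots() {
    find "$1" -name '*.log' -type f -mtime +"$2" -delete 2>/dev/null || true
}

# Assumed cron entry (root crontab, `crontab -e`):
#   * * * * * /usr/local/sbin/activity-snapshot.sh run
# The "run" argument keeps the functions side-effect free when the file is
# sourced or tested.
if [ "${1:-}" = run ]; then
    snapshot_activity "$LOG_DIR" >/dev/null
    prune_snapshots "$LOG_DIR" 7
fi
```

After an incident, `grep -l` across the snapshot files for a suspicious peer address or process name gives the first minute it appeared, which is the "entry point" the post is after; because the logs live on the same disk, copying them off the machine (or to a read-only location) protects them from being edited by whatever is running there.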

Online muungwana

  • Hero Member
  • *****
  • Posts: 6254
Re: Internet security (urgent) - system being attacked
« Reply #2 on: July 30, 2010, 07:59:00 PM »
A few things you have to find out.

1) you need to identify how the attack is coming in. Is it that you don't have a firewall or is some software like a script running in a web browser causing the damage.

+10

Is your computer behind a firewall? If not, put a firewall between it and the internet.

If you have a firewall but you need to have ports open to expose ssh daemon or a webserver or any other process to the open web then do they have proper security configurations?

How do you know that whatever was sending those spams was not installed by someone who had physical access to the computer?
.. 3 things are certain in life : death, taxes and software bloat ..
.. tell me something i don't know, something i can use as i struggle to reason with the world around me ..

OldJimbo

  • Guest
Re: Internet security (urgent) - system being attacked
« Reply #3 on: July 30, 2010, 08:40:31 PM »
The bases have been covered well, so not much to add! I would ask if you use a wireless router and if so how it is secured. It would be worthwhile to install Firestarter firewall from the repo. It will give you readily understood information on how someone is attempting to get in.
Have you installed a bittorrent client which might have set up upnp port forwarding on the router?

Something seems strange. Windows machines can be easily added to bot-nets to do spam, so it seems like a lot of work to do a targeted attack on a Linux box just to send spam. Are you running Windows, and could the issues with Linux have come from someone first compromising Windows? AV and firewall on that if you are running it?
Quote
2) are your linux passwords secure, non-guessable and sufficient length?
I've always generated my own ssh key pairs, but I believe that a unique set is generated on ssh install. So I can't see anyone getting in that way. Which brings us back to passwords.

Offline ternor

  • Hero Member
  • *****
  • Posts: 1801
Re: Internet security (urgent) - system being attacked
« Reply #4 on: July 30, 2010, 10:08:43 PM »
Thanks for the replies.  I'm afraid I am not savvy enough to follow much of them.

1. I don't know how the attack is coming in.  I understand that my router serves as a firewall.  I don't know which options to tick in shorewall.  I will install firestarter.
2. I believe my passwords are adequate.
3. I am using my own password on the router.
4.
Quote
go through the "Current file modification time:" numbers to determine if you were doing anything at the computer.
  I don't know what that means.
5.
Quote
what you can also do is set up a script to run every minute in cron that does a "ps aux" and "net stat" etc which you dump to a log file.
I don't know how to do that.
6. I reinstalled 2010 from scratch yesterday, yet a number of files' properties have been changed.
7. I will try grc.com

Quote
If you have a firewall but you need to have ports open to expose ssh daemon or a webserver or any other process to the open web then do they have proper security configurations?
I don't know.  I have been relying on the O.S. installed.

No one else has access to the computer and it is the only computer I have.

I am not running Windows.  For two days, I used library computers running Windows to download two small files which I later obtained from my PC.  Neither rkhunter nor clamscan has reported anything amiss with those files.

Could it be a problem that I stay signed in to webmail accounts?

OldJimbo

  • Guest
Re: Internet security (urgent) - system being attacked
« Reply #5 on: July 30, 2010, 10:54:33 PM »
Let's start at the beginning of security - the router.

Could you log on and:
1. check that web administration is disabled.
2. Change your password.
3. Is wifi enabled as either open (no security) or WEP?
4. Hopefully you are using WPA. Have you got a good password for log on and key exchange? In short form: could anybody be accessing your router via wifi? A router with third-party firmware can be reversed to pick up wifi, so your router can be accessed from further than you would believe from using a wifi network card.
5. For now disable upnp and reset all port forwards.
6. Going to shields up should now show the first 1024 ports as stealthed (green and "pass") - by the router. Firestarter on the computer will log intrusion attempts on ports above that range, so keep an eye open for that blue button turning red.
I set firestarter to minimize to tray on close.
You can go to control panel services and uncheck iptables start at boot - but make sure Firestarter is set to load at boot. It will ask for a root password to see the gui on every start of the computer - but is working anyway.

Your IP address goes to the router - from there you will be on a dhcp local network - like 192.168.x.x or 10.1.x.x. I'm still wondering if someone is using your wifi and is/was infected and sending spam. That might not be from your Linux machine at all. Something very special is happening if your machine was hacked just to send spam.

Offline ternor

  • Hero Member
  • *****
  • Posts: 1801
Re: Internet security (urgent) - system being attacked
« Reply #6 on: July 31, 2010, 01:44:02 AM »
Thanks.  I got the following result from GRC shields before adjusting settings in my router:

Quote
Your system has achieved a perfect "TruStealth" rating. Not a single packet  — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

Quote
GRC Port Authority Report created on UTC: 2010-07-31 at 07:44:34

Results from scan of ports: 0-1055

    0 Ports Open
    0 Ports Closed
 1056 Ports Stealth
---------------------
 1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.

Checking the wireless settings, I unticked "Enable Wireless Access Point" and "Allow Broadcast of Name (SSID)".  Not sure what to do with "Wireless Isolation".  I am not using wifi.

Remote management is not enabled.  I changed remote access to "Only This Computer".  What is 'WPA'?

I can find no setting for Web Administration.  I cannot change the ISP account password because it is set by the ISP.  I have turned off upnp.  I cannot find port forwards.

I have unchecked iptables and iptables6 to start at boot.  I have selected Firestarter to start at boot.

I am downloading the latest PCL installation iso.  It seems I will have to start again (again).

DBobb

  • Guest
Re: Internet security (urgent) - system being attacked
« Reply #7 on: July 31, 2010, 01:55:29 AM »
Sometimes you can log into your router and check what your computer is currently connected to. A clean test would involve rebooting the PCLOS computer (making sure not to connect to any websites, or to have any internet-connected Plasma widgets running), and then logging into the router from another computer. If you see any connections listed for your PCLOS computer's IP, then you can reverse-DNS those connections to see who they belong to. If you notice suspicious domains (like cialisdealz.info) and/or a multitude of home IPs, then it might be cause for alarm. (By home IPs, I mean that when you reverse-DNS, you find out that the IP addresses belong to another ISP (typically an IP given to its customers) instead of a website.)

Also, it is advisable that if you have enabled SSH on your machine, you change the SSH port from the default port to a different one, since security flaws are known to show up once in a while on machines that have SSH installed (especially if it's not kept up to date).
« Last Edit: July 31, 2010, 01:58:12 AM by Zero Angel »

uncleV

  • Guest
Re: Internet security (urgent) - system being attacked
« Reply #8 on: July 31, 2010, 03:12:31 AM »
7) go to grc.com and do the shields up test.
Good luck.
A useful site, thank you! :)

Attached is some report about my computer with firewall OFF ;D

 8) 8)
« Last Edit: July 31, 2010, 03:23:50 AM by uncleV »

Offline Was_Just19

  • Hero Member
  • *****
  • Posts: 6852
  • MLU
Re: Internet security (urgent) - system being attacked
« Reply #9 on: July 31, 2010, 03:22:31 AM »
Turn off the wireless facility in your router if you do not use it.

What is the make and model number of your router?

Offline ternor

  • Hero Member
  • *****
  • Posts: 1801
Re: Internet security (urgent) - system being attacked
« Reply #10 on: July 31, 2010, 04:29:17 AM »
Thanks, have done.  The router is a Netgear 834G.

Offline Village Idiot

  • Hero Member
  • *****
  • Posts: 2345
  • Have A Nice Day.
Re: Internet security (urgent) - system being attacked
« Reply #11 on: July 31, 2010, 04:32:03 AM »

4.
Quote
go through the "Current file modification time:" numbers to determine if you were doing anything at the computer.
  I don't know what that means.
This means you can use the date command to convert the file time that is expressed as a number, the number of seconds since midnight, Jan 1st 1970. For example, from the output of rkhunter:

Quote
Current file modification time: 1280479144

Use that number in this command line in a terminal:

Code:
date -d '1970-01-01 1280479144  sec' +"%Y-%m-%d %T %z"

Which gives:

Code:
2010-07-30 08:39:04 +1000
The time of the file modification. The +1000 is the timezone on -my- computer so yours might be different. Depending on how you interpret your timezones and if your clock time is correct, you might get an idea of when your system started to be messed with. But remember there is nothing stopping a virus (or a hacker for that matter) setting the file modification times to something different anyhow, just to fool ya. So this type of forensic effort could very well be a waste of your time. And it won't fix the problem.

Quote
Quote
5. what you can also do is set up a script to run every minute in cron that does a "ps aux" and "net stat" etc which you dump to a log file.
I don't know how to do that.
Again, this is advanced stuff and something you set up prior to the system being hacked. It is a way of continually logging the programs running and the network connection activity, so you can identify the entry point of malicious code. You should get your system stable and perhaps discuss this topic further once the dust settles. There are hundreds of ways to log your system and it would be prudent to ask the whole community for their suggestions and tips in a new topic.  :)


hth
$ fortune
No Microsoft products were used in any way for the creation of this message.
If you are using a Microsoft product to view it, BEWARE! - I'm not
responsible for any harm you might encounter as a result.
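An added example, not from the thread, that applies the timestamp conversion explained above to the whole rkhunter report from the first post. It reads the "file properties have changed" warnings, separates files whose content hash changed from those where only the inode and modification time moved, and prints both timestamps in UTC using GNU date's `-d @SECONDS` form, so the result does not shift with the machine's timezone. The sample text is a trimmed copy of the output quoted at the top of the thread; the function names are this example's own, and it assumes GNU date (as on PCLinuxOS) and a POSIX awk.

```shell
#!/bin/sh
# Added example (not from the thread): summarise rkhunter "file properties
# have changed" warnings and show the epoch timestamps as UTC dates.

# Constructed sample: two records trimmed from the rkhunter output quoted in
# the first post, plus one unrelated warning to show it is ignored.
SAMPLE_RKHUNTER='Warning: The file properties have changed:
         File: /bin/awk
         Current hash: 7db27f39f72eb9c496be0e712f9103e730cb4e70
         Stored hash : b5666f228cebb57bac90a7b708ca8711b9a67061
         Current inode: 286838    Stored inode: 286724
         Current file modification time: 1280479144
         Stored file modification time : 1280478701
Warning: The file properties have changed:
         File: /sbin/ifup
         Current inode: 368700    Stored inode: 368723
         Current file modification time: 1275353852
         Stored file modification time : 1271243622
Warning: Hidden file found: /etc/.aumixrc: ASCII text'

# epoch_to_utc SECONDS -> "YYYY-MM-DD HH:MM:SS UTC"
# "@N" tells GNU date that N is seconds since the Unix epoch, and -u prints
# UTC, so the answer is the same on every machine regardless of its timezone.
epoch_to_utc() {
    [ -n "$1" ] || { echo "n/a"; return 0; }
    date -u -d "@$1" +"%Y-%m-%d %T UTC"
}

# summarize_rkhunter TEXT
# One line per changed file: path, whether the content hash changed (the
# binary itself was replaced) or only inode/mtime moved (metadata only, as a
# package upgrade that rewrites the file also produces), and both
# modification times in UTC.
summarize_rkhunter() {
    printf '%s\n' "$1" | awk '
        /^ *File: /                            { emit(); path = $2 }
        /^ *Current hash: /                    { cur_hash = $NF }
        /^ *Stored hash *: /                   { stored_hash = $NF }
        /^ *Current file modification time: /  { cur_mtime = $NF }
        /^ *Stored file modification time *: / { stored_mtime = $NF }
        END { emit() }
        function emit() {
            if (path != "") {
                kind = (cur_hash != "" && cur_hash != stored_hash) ? "hash changed" : "metadata only"
                print path "|" kind "|" cur_mtime "|" stored_mtime
            }
            path = cur_hash = stored_hash = cur_mtime = stored_mtime = ""
        }
    ' | while IFS='|' read -r path kind cur stored; do
        printf '%-16s %-14s current %s  stored %s\n' \
            "$path" "$kind" "$(epoch_to_utc "$cur")" "$(epoch_to_utc "$stored")"
    done
}

# Typical use on a real system (assumed log path, as in the first post):
#   summarize_rkhunter "$(cat /var/log/rkhunter.log)"
```

Running `summarize_rkhunter "$SAMPLE_RKHUNTER"` prints `/bin/awk` as "hash changed" and `/sbin/ifup` as "metadata only", each with its current and stored modification times as UTC dates. As the post above says, the timestamps are only a hint, since they can be set to anything; the hash column is the more reliable signal, and even that is only as trustworthy as the stored baseline, which is why the baseline is taken right after a clean install.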

Offline menotu

  • PCLinuxOS Tester
  • Super Villain
  • *******
  • Posts: 15316
  • ┌∩┐(◕_◕)┌∩┐
Re: Internet security (urgent) - system being attacked
« Reply #12 on: July 31, 2010, 04:49:15 AM »
Quote
You should get your system stable and perhaps discuss this topic further once the dust settles.
+1
Quote
There is hundreds of ways to log your system and it would be prudent to ask the whole community for their suggestions and tips in a new topic
+1
PCLinuxOS 32bit KDE 4.10.1; kernel-3.4.11-pclos1.bfs & 64bit 3.2.18bfs; NVidia GeForce 8400GS 1GB 310.19 driver

Sony Vaio SVE1513A4ESI Laptop, Intel Core i5, 2.6GHz, 6GB RAM, 750GB, 15.6" Intel HD Graphics 4000

Online muungwana

  • Hero Member
  • *****
  • Posts: 6254
Re: Internet security (urgent) - system being attacked
« Reply #13 on: July 31, 2010, 07:11:46 AM »

Your system is behind a firewall.

You are not running any web server or SSH server or any other publicly seen processes and hence don't have any opened ports on your firewall.

You are the only person who can install programs on your computer. Did you install any program off the internet recently?

The computer is primarily used for what?

I don't see how your computer can be infected, this is Linux after all. Did you ask them for more info on how they detected problems with your connection?
.. 3 things are certain in life : death, taxes and software bloat ..
.. tell me something i don't know, something i can use as i struggle to reason with the world around me ..

Offline rick0612

  • Sr. Member
  • ****
  • Posts: 258
  • The only dumb question is the one not asked.
Re: Internet security (urgent) - system being attacked
« Reply #14 on: July 31, 2010, 07:33:14 AM »
Hi,

This may sound odd but you aren't running as root are you?
Packaging rig: Averatec 2573 /12.1" screen /2.0GHZ /3GB RAM /120GB SSD /Minime 2012.12

Daily rig: Alienware X51 /23" monitor /Windows 7 host /KDE VBox client