Author Topic: [SOLVED] Internet security (urgent) - system being attacked  (Read 3988 times)

Offline Was_Just19

  • Hero Member
  • *****
  • Posts: 6852
  • MLU
Re: Internet security (urgent) - system being attacked
« Reply #15 on: July 31, 2010, 07:41:31 AM »
Thanks, have done.  The router is a Netgear 834G.

With the wireless and the remote admin disabled, and the NAT and SPI firewall active, your Linux PC is safe as can be .......  unless you install something deliberately yourself which compromises it.

Worst case ......  the router got hacked through the remote admin port when available.

Most likely ........  your wireless connection was being used by someone in close proximity to you without your knowledge and they were the ones spamming.

regards.

OldJimbo

  • Guest
Re: Internet security (urgent) - system being attacked
« Reply #16 on: July 31, 2010, 12:50:52 PM »
Quote
Checking the wireless settings, I unticked "Enable Wireless Access Point" and "Allow Broadcast of Name (SSID)".  Not sure what to do with "Wireless Isolation".  I am not using wifi.

Remote management is not enabled.  I changed remote access to "Only This Computer".  What is 'WPA'?

I can find no setting for Web Administration.  I cannot change the ISP account password because it is set by the ISP.  I have turned off upnp.  I cannot find port forwards.

I have unchecked iptables and iptables6 to start at boot.  I have selected Firestarter to start at boot.

I  am downloading the latest PCL installation iso.  It seems I will have to start again (again).

We're going to confuse you with so many (really good) guesses and solutions. Let's go right to basics. You have Firestarter running so anything getting past the router now will be dropped and shown. So you'd have to set Firestarter to allow things to enter if they aren't a legitimate response to a request from a web browser or mail client. You are safe, and local security setup can come later. Yep most people will now be thinking that this was a simple exploit of your router - but that has implications, too.

Your router acts as a firewall because it has something like IPTables built in. Even if the firewall is disabled, it still translates web addresses into local addresses on information sent to the computer. Setting up an ssh server on the computer will typically set up listening on port 22. That wouldn't work from the Internet side unless the router had been set up to forward any port 22 requests to the computer. SSH logins would reach the router and be dropped.
If spam was recorded as coming from your Internet IP, then it could have come from your computer - or another hooked in to your router. The bad news is that anyone inside your network (the person using your router) could attack your ssh port.

The facts do not seem to fit the interpretation of your computer being hacked. Hacking is work and demands knowledge. Sending spam is a routine thing done from a Windows box which was taken over in a trivial manner because it was unpatched. So someone hacking your computer to send spam - which would lead to ISP immediate action - does not fit. That would be like breaking into a bank to leave some garbage on the floor. I see someone using your unsecured wifi with an infected windows machine.
Files on your machine will change as you do updates.

But:
1. Your ISP password and logon might have been held in the router. If your phone line connects directly with no password required, then no problem. If it needs a password and logon (PPPoE) - (On router go to setup tab, and the first thing you would see is a username and password - if none then you are fine) then you must recognize that it could have been read from the router if it is set up there. If you have an ISP provided router with their generic ROUTER password (which should be possible to change) - then someone could know your ISP login.
If so FIRST set up the router securely with new ROUTER password if possible and with that wireless off (done) and watching the wifi LED like a hawk for a while - then change your ISP password.
Then unplug the router for 3 minutes, plug in again, and go in to make sure that it kept your changes. Then you will feel secure after power outages, too. Some routers have been known to set to open defaults after power outages WITHOUT pushing the reset button. Now we have lots of people feeling insecure because they didn't check that!

2. Are you running a web server or bittorrent which start services at boot? Check in PCC - services.

So I'm pretty sure from what I've read here, that you simply got a good wake-up call with someone hooking into your router with an infected computer. Generally hackers don't use computers which are infected or send spam: or at least we don't think so...
But if people can access your router, you might have gotten an early morning wake up from a bunch of people wearing strange vests, if the connection had been used for something really bad and not spam.
It's a good wake-up call for us all because only when we think about security do we have any hope of being fairly secure.

Offline ternor

  • Hero Member
  • *****
  • Posts: 1801
Re: Internet security (urgent) - system being attacked
« Reply #17 on: July 31, 2010, 05:16:51 PM »
Quote from: muungwana
You are the only person who can install programs on your computer. Did you install any program off the internet recently?

The computer is primarily used for what?

I don't see how your computer can be infected, this is Linux after all. Did you ask them for more info on how they detected problems with your connection?

The remaster made on 10th July was also affected.  Umpteen downloads before that and since.  I use the computer for creating files, amending files, downloading data and some software (through synaptic).  Ask whom about problems on the connection?  There were spam reports from other people.

I have copied oldjimbo's and chuck's posts to a text file.  Will get back here later.

Yesterday firestarter reported the following:

Quote from: firestarter
Time:Jul 31 17:31:02 Direction: Unknown In:eth0 Out: Port:137 Source:192.168.0.1 Destination:192.168.0.2 Length:78 TOS:0x00 Protocol:UDP Service:Samba (SMB)

The source is the router, the destination is the computer.

ifconfig returns the following:

$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:01:6C:E4:02:F6 
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::201:6cff:fee4:2f6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:654 errors:0 dropped:0 overruns:0 frame:0
          TX packets:705 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:536845 (524.2 KiB)  TX bytes:150483 (146.9 KiB)
          Interrupt:20 Base address:0x8000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:50 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2420 (2.3 KiB)  TX bytes:2420 (2.3 KiB)

OldJimbo

  • Guest
Re: Internet security (urgent) - system being attacked
« Reply #18 on: July 31, 2010, 05:58:12 PM »
Well the good part is that Firestarter not only blocked but gave you information. And now you know it works!

192.168.0.1 will be your router and 192.168.0.2 will be your machine.

Do you have samba enabled on your computer? Port 137 is from the old networking days of Win95/8 when this port was used for sending requests for netbios name which could then be used with ports 138/9 for windows print and file sharing.

I haven't needed to use Samba in years since I don't have any Windows machines hooked up, but I'm sure others will have information. It seems strange to me unless you have set up a samba server or client - that this would come up. Stuff from outside the network would be blocked by the router, and wouldn't be seen by Firestarter on ports under 1024.
Samba client and server are installed by default, but shouldn't be working unless you have set them up. If you've installed autoscan-network, then it could be doing a scan - but only if you've started it.
Unless you have third party firmware, it's unlikely that the router would have file sharing. If someone had still managed in some way to get access to the router then you would have seen an address other than 192.168.0.1 or 192.168.0.2.

So really strange but not dangerous. It's communication between your machine and router. If it were potentially dangerous, then Firestarter stopped it at the potentially part!
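As an added example (my own code, not from this thread or from Firestarter), here is a small Python parser for the Firestarter event line ternor quoted, applying the reasoning OldJimbo gives above: split the line on Firestarter's field names, decide whether the source is the router, another LAN host or an outside address, and flag the case that really would need explaining (TCP/UDP from outside to a port below 1024, which the router's NAT/SPI firewall should have dropped). The LAN addresses and the extra log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the Firestarter event format quoted in this thread.
# The first is the line ternor posted; the others are made up for illustration
# (203.0.113.9 is a documentation address, not a real source).
SAMPLE_EVENTS = [
    "Time:Jul 31 17:31:02 Direction: Unknown In:eth0 Out: Port:137 Source:192.168.0.1 "
    "Destination:192.168.0.2 Length:78 TOS:0x00 Protocol:UDP Service:Samba (SMB)",
    "Time:Aug 01 09:12:44 Direction: Unknown In:eth0 Out: Port:22 Source:192.168.0.7 "
    "Destination:192.168.0.2 Length:60 TOS:0x00 Protocol:TCP Service:SSH",
    "Time:Aug 01 10:03:10 Direction: Unknown In:eth0 Out: Port:0 Source:203.0.113.9 "
    "Destination:192.168.0.2 Length:84 TOS:0x00 Protocol:ICMP Service:Unknown",
    "Time:Aug 01 10:07:55 Direction: Unknown In:eth0 Out: Port:22 Source:203.0.113.9 "
    "Destination:192.168.0.2 Length:60 TOS:0x00 Protocol:TCP Service:SSH",
]

# Assumed LAN layout, as in the thread: router at .1, the PC at .2.
LAN = ipaddress.ip_network("192.168.0.0/24")
ROUTER = ipaddress.ip_address("192.168.0.1")

# Firestarter's field names. Values may contain spaces (Time, Service) or be
# empty (Out:), so the line is split on the keys rather than on whitespace.
KEYS = ("Time", "Direction", "In", "Out", "Port", "Source", "Destination",
        "Length", "TOS", "Protocol", "Service")
KEY_RE = re.compile(r"\b(" + "|".join(KEYS) + r"):")

# Ports discussed above: NetBIOS name/datagram/session, plus ssh.
PORT_NOTES = {137: "NetBIOS name service", 138: "NetBIOS datagram",
              139: "NetBIOS session (SMB)", 22: "ssh"}


def parse_event(line):
    """Turn one Firestarter event line into a dict of field -> string value."""
    parts = KEY_RE.split(line)  # ['', 'Time', 'Jul 31 17:31:02 ', 'Direction', ...]
    return {key: value.strip() for key, value in zip(parts[1::2], parts[2::2])}


def classify(event):
    """Say where a blocked packet came from and whether that is surprising."""
    src = ipaddress.ip_address(event["Source"])
    port = int(event["Port"])
    if src == ROUTER:
        origin = "router"
    elif src in LAN:
        origin = "lan"
    else:
        origin = "external"
    # TCP/UDP from outside the LAN to a port below 1024 should have been dropped
    # by the router's NAT/SPI firewall; if it reaches the PC, check the router's
    # port-forwarding, UPnP and DMZ settings.
    surprising = (origin == "external" and event["Protocol"] in ("TCP", "UDP")
                  and port < 1024)
    return {"origin": origin, "port": port,
            "note": PORT_NOTES.get(port, event.get("Service", "")),
            "surprising": surprising}


def summarize(lines):
    """Count blocked events by origin over a batch of log lines."""
    return dict(Counter(classify(parse_event(l))["origin"] for l in lines))


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(classify(parse_event(line)))
    print(summarize(SAMPLE_EVENTS))
```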

Offline ternor

  • Hero Member
  • *****
  • Posts: 1801
Re: Internet security (urgent) - system being attacked
« Reply #19 on: August 02, 2010, 01:08:31 AM »
Hi.  Thanks everyone for your help.

Quote from: rick0612
This may sound odd but you aren't running as root are you?

No, I'm not running as root.

Quote from: OldJimbo
Do you have samba enabled on your computer?

I don't know, it isn't listed in the services section of PCC.  I have been wondering whether to remove all Samba files.  Are they of any use?

I have just discovered that SSHD is running.  Is that a problem?  I don't know why it is running.  I have enabled MSEC again so the SSH configuration will keep allowing a root log in without password. ???

I have checked every page of the router settings.  There are instructions on each page.  I have tightened the settings to ensure wireless isolation and that only my computer can use the router.

grc.com has given the same results as previously.

I am now considering installing 2010 yet again.  Before I do that, I want to get more information about the changes of system file properties.  The changes do not seem to be inconsequential.  I want to find out how they were made and how, if possible, I can restore the original settings.  There seems to be no way to test my data files for viruses (I understand that there is a small number of Linux viruses).  There used to be an application called BitDefender, but it is not in the PCL repository.  I have run clamscan but I am told that it only tests for Windows viruses. ???  Perhaps I should start a separate thread about changes to system files' properties.

Offline YouCanToo

  • PCLinuxOS Tester
  • Hero Member
  • *******
  • Posts: 5337
  • Location: Lebanon, OR., USA
    • Spreading the word.......
Re: Internet security (urgent) - system being attacked
« Reply #20 on: August 02, 2010, 01:38:58 AM »
Quote from: ternor
Hi.  Thanks everyone for your help.

Quote from: rick0612
This may sound odd but you aren't running as root are you?

No, I'm not running as root.

Quote from: OldJimbo
Do you have samba enabled on your computer?

I don't know, it isn't listed in the services section of PCC.  I have been wondering whether to remove all Samba files.  Are they of any use?

Quote
No, not if you're not trying to talk to a Windows machine on your network.

I have just discovered that SSHD is running.  Is that a problem?  I don't know why it is running.

Quote
If you are not using ssh then you should disable it.

  I have enabled MSEC again so the SSH configuration will keep allowing a root log in without password. ???

Quote
Why would you need to do that? It is better to not allow root logins. Login as a normal user and then su!  Much Much safer.

I have checked every page of the router settings.  There are instructions on each page.  I have tightened the settings to ensure wireless isolation and that only my computer can use the router.

grc.com has given the same results as previously.

I am now considering installing 2010 yet again.  Before I do that, I want to get more information about the changes of system file properties.  The changes do not seem to be inconsequential.  I want to find out how they were made and how, if possible, I can restore the original settings.  There seems to be no way to test my data files for viruses (I understand that there is a small number of Linux viruses).  There used to be an application called BitDefender, but it is not in the PCL repository.  I have run clamscan but I am told that it only tests for Windows viruses. ???  Perhaps I should start a separate thread about changes to system files' properties.
« Last Edit: August 02, 2010, 01:44:39 AM by YouCanToo »

Be sure to visit the NEW Knowledge Base

Linux is user-friendly- it's just picky who its friends are!

Offline Was_Just19

  • Hero Member
  • *****
  • Posts: 6852
  • MLU
Re: Internet security (urgent) - system being attacked
« Reply #21 on: August 02, 2010, 03:00:50 AM »
Quote
I am now considering installing 2010 yet again.  Before I do that, I want to get more information about the changes of system file properties.  The changes do not seem to be inconsequential.  I want to find out how they were made and how, if possible, I can restore the original settings.  There seems to be no way to test my data files for viruses (I understand that there is a small number of Linux viruses).  There used to be an application called BitDefender, but it is not in the PCL repository.  I have run clamscan but I am told that it only tests for Windows viruses. Huh  Perhaps I should start a separate thread about changes to system files' properties.

Your system files should not change except when you update or install something new, as far as I am aware.
rkhunter takes a snapshot of the files so if you change the files by updating you need to update the rkhunter database so it will know if anything has changed when you run it in future.

There are NO Linux viruses in the wild. There are some 'proof of concept' viruses in laboratories but none that replicate themselves in users' PCs and infect others.
At this point in time you can completely forget about any Linux virus or any application that might look for one.

All anti-virus applications that run on Linux (that I know of) are designed to catch Windows viruses .... which do not run on Linux .... .

There has been no indication from what you posted that your OS install got hacked.
It is likely that your wireless facility in your router was being used by someone else in close proximity, as apparently you did not have it secured.
There is also the possibility that the router itself got hacked, but that is a possibility, and not probable. Resetting the router to defaults, and changing the passwords should fix that if it happened.

regards.

uncleV

  • Guest
Re: Internet security (urgent) - system being attacked
« Reply #22 on: August 02, 2010, 03:40:43 AM »
There has been no indication from what you posted that your OS install got hacked.
It is likely that your wireless facility in your router was being used by someone else in close proximity, as apparently you did not have it secured.
One of my friends used to do that when out of money. But he thought he was hijacking blank accounts of the ISP-router. Or something like this, I don't know much of.
« Last Edit: August 02, 2010, 03:42:40 AM by uncleV »

Offline kjpetrie

  • PCLinuxOS Tester
  • Hero Member
  • *******
  • Posts: 4000
Re: Internet security (urgent) - system being attacked
« Reply #23 on: August 02, 2010, 02:44:07 PM »
Did you run rkhunter --propupd when you first installed it? Did you run it again after every upgrade?

If you did then the changes are worrying. If you didn't they're to be expected.
-----------
KJP
-----------------------------------------------------------
PClos64 RC1 on Intel D945GCLF2 motherboard (Atom 330), 2GB DDR2 RAM, Maxtor STM325031, HL-DT-ST DVDRAM GSA-H42N, Amilo LSL 3220T monitor. Also Acer 5810TG (with custom kernel) and Asus eeePC 2G surf

OldJimbo

  • Guest
Re: Internet security (urgent) - system being attacked
« Reply #24 on: August 02, 2010, 02:55:14 PM »
Quote
I am now considering installing 2010 yet again.  Before I do that, I want to get more information about the changes of system file properties.  The changes do not seem to be inconsequential.  I want to find out how they were made and how, if possible, I can restore the original settings.  There seems to be no way to test my data files for viruses (I understand that there is a small number of Linux viruses).

Start synaptic and get Awesum.
Beside the iso file which you downloaded there will be an md5sum:

Release Date: 07-05-2010
Size: 689 MB
Md5Sum:7413d998641e28e2a5688fd75f6eeea8
Produced by: Texstar
User Level: Beginner, Intermediate, Advanced

Release Date: 07-05-2010
KDE-minime
Size: 454 MB
Md5Sum:079143a6393ebf49c6e01206d148e2dc
User Level:  Intermediate, Advanced

So if you downloaded the 689 MB version you would use 7413d998641e28e2a5688fd75f6eeea8 leaving off the Md5Sum:

Start Awesum (Start - Archiving - AweSum) and paste in that Md5Sum. Next you will have to click on Go! and go looking for your iso wherever you saved it.
AweSum will work and tell you if the sums match. If they do then no-one can have tampered with your iso and it can't be corrupt.
K3B and Brasero can be set to check for Md5Sum on burning and to verify burns. So you would be 100% sure of a clean system if you reinstall.
You install only stuff from repositories - so that is checked and fine. Then you run rkhunter so that it can run for the first time and make a database of files and attributes. These can change with future updates - but as long as you only install stuff from repositories then you are fine.
Quote
Did you run rkhunter --propupd when you first installed it? Did you run it again after every upgrade?
If you did then the changes are worrying. If you didn't they're to be expected.

Install Firestarter and set it up - now it's more than a little hard to get into computer - and you get warnings!
Install ClamTK virus scanner which is an easy to use scanner for clam. Freshclam is part which does updates of virus definitions. More involved setup and a person can use Avast, etc.
We're pretty sure that you will only find Windows malware in mail directory because we check, too. Windows viruses have no relevance to your Linux OS

Unless your close neighbors wear T shirts with 2600 etc, and talk in strange hacker talk, then for sure we're having trouble believing that a Linux computer could be easily compromised. We'd be hearing of more exploits, otherwise.
You could well have hard drive issues which are changing file attributes.
Yes it's worth checking PCC-System-services and unchecking and stopping stuff like sshd, bittorrent, etc. Ask if unsure of what things are.

You should be confident of your install, but that a Linux system is being hacked is difficult to believe. If you do $1000000 banking deals online then we'd think otherwise and maybe you could get targeted.
What we need is more info on the spamming from your ISP. If it's possible to determine the MAC address of sending computer, then some evidence might be present other than the MAC of your router. But we're all sure by now that only your router was compromised.

Offline Was_Just19

  • Hero Member
  • *****
  • Posts: 6852
  • MLU
Re: Internet security (urgent) - system being attacked
« Reply #25 on: August 02, 2010, 04:49:59 PM »
Quote from: Oldjimbo
Install Firestarter and set it up - now it's more than a little hard to get into computer - and you get warnings!
Install ClamTK virus scanner which is an easy to use scanner for clam. Freshclam is part which does updates of virus definitions. More involved setup and a person can use Avast, etc.
We're pretty sure that you will only find Windows malware in mail directory because we check, too. Windows viruses have no relevance to your Linux OS

So for someone who is running Linux only (as is the case here) what is the point of installing such antivirus programmes?
What is the point of firestarter if the PC is behind a hardware firewall ....  which it is?

All any of those will do is waste PC resources ......  of course some might like to have belt AND braces and maybe some baling twine too   ;D


OldJimbo

  • Guest
Re: Internet security (urgent) - system being attacked
« Reply #26 on: August 02, 2010, 07:10:35 PM »
Quote
What is the point of firestarter if the PC is behind a hardware firewall ....  which it is?

Reassurance to some degree, but not entirely. I was using KTorrent on high numbered ports and with a private tracker and was able to upload lots despite Firestarter blocking a huge amount of attempts to access that port. It seems to me that scanning of even high numbered ports is happening. A router firewall only works on low numbered ports. I also find it interesting to see just what gets past the router firewall - usually my news service, but other stuff too. Yes the port has to be open to get so much attention - but if that happens inadvertently, then a person is warned.
Yesterday on Slashdot you'll see a big discussion about ISPs remotely changing passwords on routers through (a very secure) backdoor. This is to avoid the latest rebind exploit. You must have heard about the DD-WRT exploit last year and various others. I prefer to be called cautious instead of paranoid, but either will do, in that I prefer layers of security. And Firestarter consumes so little in the way of resources. When UPNP etc is activated on the router or the firewall is disabled, I'd have to be blind not to notice Firestarter.
I'd actually be interested in seeing Linux malware - but I'm sure that in being cautious, I'll be one of the first. Then everyone who doesn't have a firewall on the machine, etc. will benefit.
I think I've done my best to reassure someone who is suspecting an install. The reassurance is hopefully well taken as I hope I come across as being very cautious.

Offline ternor

  • Hero Member
  • *****
  • Posts: 1801
Re: Internet security (urgent) - system being attacked
« Reply #27 on: August 03, 2010, 12:51:48 AM »
Quote from: YouCanToo
Quote from: ternor
I have just discovered that SSHD is running.  Is that a problem?  I don't know why it is running.


If you are not using ssh then you should disable it.


How do I do that?

Quote from: YouCanToo
Quote from: ternor
I have enabled MSEC again so the SSH configuration will keep allowing a root log in without password. Huh


Why would you need to do that? It is better to not allow root logins. Login as a normal user and than su!  Much Much safer.


If you enable MSEC, it sets SSH configuration with the root log in without password.  If you change the SSH configuration and have MSEC enabled, MSEC will reverse your changes.  See the topic I cited in my original post.

Quote from: OldJimbo
Start Awesum (start -archiving- awesum and paste in that Md5Sum. Next you will have to click on Go! and go looking for your iso wherever you saved it.  AweSum will work and tell you if the sums match.


Thanks.  I don't have awesum but I checked the MD5sum and it matched.  The installation disk I burnt has the same MD5sum.

Quote from: kjpetrie
Did you run rkhunter --propupd when you first installed it? Did you run it again after every upgrade?

If you did then the changes are worrying. If you didn't they're to be expected.


I ran that command when I first installed rkhunter.  I did not run rkhunter again after every upgrade.  Evidently, one should install tripwire and rkhunter immediately after installing the O.S. and run tripwire before running rkhunter.  I didn't know that of course.  I am going to try to read all the affected files.  I tried to read one and was unable to because numbers or symbols were absent.  I tried to view the file in Midnight Commander and also to open it with a text editor.

Firestarter has twice reported an "unknown" service from 149.6.136.82 using protocol ICMP.  I was unable to get the name of the server using two DNS lookup tools, so I have told Firestarter to disable events from that source.
http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=149.6.136.82
http://www.dnswatch.info/dns/dnslookup?la=en&host=149.6.136.82&type=A&submit=Resolve

I have now reset the router and configured the settings again to restrict access to my computer.  grc.com has reported again that the computer has received a 'perfect' rating.
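As an added example (my own code, not from this thread, msec or OpenSSH), a Python audit of the sshd_config settings the exchange above is about: it works out which global values sshd would actually use and reports root login and empty-password settings. The sample config is constructed, not ternor's real file; the one sshd_config rule the script deliberately models is that the first occurrence of a keyword wins, which is why a line appended below msec's settings does not take effect.

```python
import re

# Constructed sample sshd_config, not the poster's file. It shows the settings
# ternor describes msec restoring, followed by a hand edit that has no effect.
SAMPLE_SSHD_CONFIG = """\
# (constructed sample) managed by msec
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes

# Added by hand afterwards. sshd uses the FIRST value it reads for a keyword,
# so this line does not override the PermitRootLogin line above.
PermitRootLogin no

Match User backup
    PasswordAuthentication no
"""


def effective_settings(text):
    """Return the global keyword values sshd would actually use.

    sshd_config rules modelled here: '#' starts a comment, keywords are
    case-insensitive, 'keyword value' and 'keyword=value' are both accepted,
    the first occurrence of a keyword wins, and lines after a Match line apply
    only to that Match block, so they are left out of the global view.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+?)(?:\s+|\s*=\s*)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            continue
        if not in_match:
            settings.setdefault(key, value)  # first value wins, as in sshd
    return settings


def audit(text):
    """List (keyword, effective value, why it matters) for risky global settings.

    Only explicitly set values are judged; an unset keyword falls back to the
    default of the installed OpenSSH version, which this script does not know.
    """
    s = effective_settings(text)
    findings = []
    if "permitrootlogin" in s and s["permitrootlogin"] != "no":
        findings.append(("PermitRootLogin", s["permitrootlogin"],
                         "root can log in over ssh; log in as a user and su instead"))
    if s.get("permitemptypasswords") == "yes":
        findings.append(("PermitEmptyPasswords", "yes",
                         "accounts with an empty password can log in"))
    if s.get("passwordauthentication") == "yes" and s.get("permitrootlogin") != "no":
        findings.append(("PasswordAuthentication", "yes",
                         "root password can be guessed from the network"))
    return findings


if __name__ == "__main__":
    for keyword, value, why in audit(SAMPLE_SSHD_CONFIG):
        print(f"{keyword} {value}: {why}")
```

To check a live system, read /etc/ssh/sshd_config into audit() and remember that msec, as ternor notes, may rewrite the file again on its next run.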

Offline Was_Just19

  • Hero Member
  • *****
  • Posts: 6852
  • MLU
Re: Internet security (urgent) - system being attacked
« Reply #28 on: August 03, 2010, 02:06:34 AM »
Quote from: Oldjimbo
It seems to me that scanning of even high numbered ports is happening. A router firewall only works on low numbered ports. I also find it interesting to see just what gets past the router firewall - usually my news service, but other stuff too.

A firewall blocks all ports, not deliberately opened from the LAN side ..... low or high numbered.

Scanning of ports is a consequence of being connected to the internet, and is a normal daily activity. With a firewall between the PC and the net it is the firewall that gets scanned.

Nothing gets past the firewall that is not invited in (unless it gets compromised).

That is my belief. If you have info to the contrary I would be most interested in reading it as it would put  everything 'security' in a totally different light for me.

Thanks.

Offline kjpetrie

  • PCLinuxOS Tester
  • Hero Member
  • *******
  • Posts: 4000
Re: Internet security (urgent) - system being attacked
« Reply #29 on: August 03, 2010, 03:16:25 AM »
Quote from: YouCanToo
Quote from: ternor
I have just discovered that SSHD is running.  Is that a problem?  I don't know why it is running.

If you are not using ssh then you should disable it.

How do I do that?

Open PCC ->System->Manage system services... and untick the run on boot box next to ssh. While you're there check other services set to start on boot and make sure you need them. If you don't, turn them off too.
Quote
Quote from: kjpetrie
Did you run rkhunter --propupd when you first installed it? Did you run it again after every upgrade?

If you did then the changes are worrying. If you didn't they're to be expected.

I ran that command when I first installed rkhunter.  I did not run rkhunter again after every upgrade.  Evidently, one should install tripwire and rkhunter immediately after installing the O.S. and run tripwire before running rkhunter.  I didn't know that of course.  I am going to try to read all the affected files.  I tried to read one and was unable to because numbers or symbols were absent.  I tried to view the file in Midnight Commander and also to open it with a text editor.

Then the changes reported by rkhunter are almost certainly the result of upgrading and not an indication of an intruder replacing commands.

The most likely cause of the problem looks like a neighbour with a vulnerable computer using your Wireless LAN to connect to the Internet. Now you've toughened that up let's hope you won't have any further trouble.
-----------
KJP
-----------------------------------------------------------
PClos64 RC1 on Intel D945GCLF2 motherboard (Atom 330), 2GB DDR2 RAM, Maxtor STM325031, HL-DT-ST DVDRAM GSA-H42N, Amilo LSL 3220T monitor. Also Acer 5810TG (with custom kernel) and Asus eeePC 2G surf
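As an added example (my own code, not rkhunter's and not from this thread), here is the file-property baseline logic behind kjpetrie's `rkhunter --propupd` question in Reply #23 and his conclusion above: record hash, mode, owner and size of a set of files, compare later, and see that a package upgrade produces exactly the same "changed" warnings an intruder replacing a command would, which is why the baseline must be refreshed after every upgrade. The files and the simulated upgrade are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile


def file_props(path):
    """The attributes a property check compares: content hash, mode, owner, size."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def propupd(paths):
    """Like `rkhunter --propupd`: record the current properties as the baseline."""
    return {p: file_props(p) for p in paths if os.path.isfile(p)}


def check(baseline, paths):
    """Compare the current state against the baseline.

    Returns (path, kind, field) tuples where kind is 'changed', 'missing' or
    'new'. A changed hash cannot tell an upgrade from a tampered binary;
    only knowing whether an upgrade happened since the last propupd can.
    """
    findings = []
    current = propupd(paths)
    for p, old in baseline.items():
        new = current.get(p)
        if new is None:
            findings.append((p, "missing", None))
            continue
        for field in old:
            if old[field] != new[field]:
                findings.append((p, "changed", field))
    for p in current:
        if p not in baseline:
            findings.append((p, "new", None))
    return findings


def demo():
    """Baseline three constructed 'commands', then simulate upgrading one."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("ls", "ps", "netstat")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho " + os.path.basename(p).encode() + b"\n")
            os.chmod(p, 0o755)
        base = propupd(paths)
        clean = check(base, paths)
        # Simulated package upgrade: ps gets new content (new hash and size),
        # exactly what an upgrade does and exactly what a trojaned ps would do.
        with open(paths[1], "wb") as f:
            f.write(b"#!/bin/sh\necho ps v2\n")
        after_upgrade = check(base, paths)
        # Refreshing the baseline after the upgrade clears the warnings, which
        # is the step kjpetrie asks about.
        base = propupd(paths)
        after_propupd = check(base, paths)
        return clean, after_upgrade, after_propupd


if __name__ == "__main__":
    before, upgraded, refreshed = demo()
    print("fresh baseline:", before)
    print("after upgrade, stale baseline:", upgraded)
    print("after propupd:", refreshed)
```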