Web Hosting Talk

Finally Got hacked


MikeM
08-31-2002, 11:16 AM
After putting up my RH 7.0 box 3 months ago and leaving it open to the world, I got hacked.

I had no security.

I believe they got in using Telnet. My root password, while not based on anything, was made up of alpha characters only.

I logged into the box using a shell account I had created and noticed the MOTD had been changed to Mwa mwa.....

I left a note asking the person to contact me, as I was interested in how they got in.

They Changed my Root password, disabled shell access and System logging and went to town.

I had to shut down the box to ensure that it wasn't being used for anything untoward.

When I first discovered the attack, I laughed... I found it highly amusing that it took that long. But when they shut off the services,

I got a little annoyed..

Now I will re-install and try locking down the box. I want to see how long it takes....

Darth
08-31-2002, 11:18 AM
:(

JMD
08-31-2002, 11:18 AM
Sorry to hear about that MikeM

MikeM
08-31-2002, 11:39 AM
Well, it wasn't a production box... which is why I found it funny in the beginning....

It's more of a learning experience for me. Now I get to try to lock it down to stop the cracks.

All I can say is thank god for WHT and the experts who reside here.

I honestly believe that a better group of people for hosting and security do not exist.

I just gotta get to the box, format and re-install; a few hours for that and I'll be back up. Then I get to learn some more....

Whooo hoooo

MultiVol
08-31-2002, 11:43 AM
MikeM, do you know Linux well, or are you just new to it? Is this a leased dedicated server or your own running from home?

MikeM
08-31-2002, 11:59 AM
It's a box from home.... If it was a leased box I'd be wild.


I'm just learning how to use it, so I set it up at home and let it connect...

I really only used it for shell access to do nslookup (my Windows stuff wouldn't allow me to connect to some nameservers).

Mostly I am using this as a learning experience.... trying to figure out Li/unix security.

I left it open to see what would happen; now I will see if I can lock it down securely. I'm not holding my breath, but we'll see..

Thank god for Google and WHT.

MultiVol
08-31-2002, 12:09 PM
hmm funny someone hacked it :eek:

If you do find out how you were hacked, let us know :)

JohnCrowley
08-31-2002, 12:35 PM
Originally posted by MikeM
I believe they got in using Telnet.

Do you think it was a packet sniffer that grabbed your password? I thought Telnet was only a security problem because of the clear text password passing, not a vulnerability in itself?

Just trying to understand the security implications of telnet, and if there are more security problems with telnet besides clear text passwords.

- John C.
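
To illustrate John's question, here is an added example that is not part of the thread: a small Python parser that strips telnet option negotiation (the IAC sequences from RFC 854) out of a client-to-server byte stream and shows that what remains is the login name and password exactly as typed. The session bytes, the user name and the password in CLIENT_STREAM are constructed for the example, not taken from a real capture. This is the whole point about telnet: a sniffer anywhere on the path sees the same thing this parser does.

```python
# Added example, not from the thread: why a packet sniffer can read a telnet login.
# Telnet sends keystrokes in the clear; the only structure mixed into the stream is
# option negotiation (IAC sequences, RFC 854). Strip those and the credentials the
# client typed are left as plain text. CLIENT_STREAM below is constructed for this
# example, not a real capture.
from typing import Tuple

IAC, SB, SE = 255, 250, 240
NEGOTIATE = {251, 252, 253, 254}  # WILL, WONT, DO, DONT: IAC <cmd> <option>


def strip_telnet_iac(data: bytes) -> bytes:
    """Return the application bytes of a telnet stream with IAC sequences removed."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:            # dangling IAC at the end of the buffer: drop it
            break
        cmd = data[i + 1]
        if cmd == IAC:            # IAC IAC is an escaped literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in NEGOTIATE:    # three-byte option negotiation
            i += 3
        elif cmd == SB:           # subnegotiation: skip everything up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                     # other two-byte commands (NOP, GA, AYT, ...)
            i += 2
    return bytes(out)


def extract_login(client_to_server: bytes) -> Tuple[str, str]:
    """Return (username, password): the first two non-empty lines the client sent."""
    text = strip_telnet_iac(client_to_server).decode("ascii", "replace")
    lines = [ln.replace("\r", "") for ln in text.split("\n")]
    lines = [ln for ln in lines if ln]
    if len(lines) < 2:
        raise ValueError("no complete login exchange in stream")
    return lines[0], lines[1]


# Constructed client->server bytes: option negotiation, then the user name, then the password.
CLIENT_STREAM = (
    bytes([IAC, 253, 1])                                     # IAC DO ECHO
    + bytes([IAC, 251, 24])                                  # IAC WILL TERMINAL-TYPE
    + bytes([IAC, SB, 24, 0]) + b"xterm" + bytes([IAC, SE])  # terminal-type subnegotiation
    + b"root\r\n"
    + b"letmein\r\n"                                         # the password, in the clear
)

if __name__ == "__main__":
    user, password = extract_login(CLIENT_STREAM)
    print(f"sniffed login: user={user!r} password={password!r}")
```

Run the same thing against an ssh session and the parser gets nothing usable, because everything after the key exchange is encrypted; that, not some bug in telnetd, is the difference John is asking about. It also shows why leaving port 23 open matters even if you only ever use ssh yourself: anyone who does log in over it hands their password to whoever can see the wire.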

edude
08-31-2002, 12:37 PM
Why would someone want to hack your box :confused:

Darth
08-31-2002, 12:38 PM
Because they're sad.

ned patter
08-31-2002, 12:55 PM
Originally posted by Darth
Because they're sad.
Exactly.

mind21_98
08-31-2002, 01:01 PM
Heh. Hope you didn't have anything sensitive on there.

web docta
08-31-2002, 06:08 PM
Nothing better to do than to cause trouble. Sorry to hear that! :uhh:

Haley
09-01-2002, 12:30 AM
Heh. Hope you didn't have anything sensitive on there

What sensitive?

Website Rob
09-01-2002, 01:05 AM
I would swap the hard drive, take the hacked one home and dissect it. The intruder probably did not wipe their footprints and it would be a good exercise in sleuth training.

Can't get no better (safer?) hacked experience than what you got now :D

XTStrike
09-01-2002, 07:59 AM
I did the same thing about a year ago. I built a box and put it on a static IP on a DSL line, didn't patch it or put a complicated password or firewall or anything on it, and it took about a month to get hacked.

Kinda amusing when they get into the box and find there is nothing there except a fresh install of the OS. I left it open about a week then started noticing anomalies on the router the box was connected to so had to shut it down.

MikeM
09-01-2002, 03:15 PM
I never used telnet on it.... always used SSH, but i never closed port 23.

A packet sniffer is likely for the first time, or a root kit of some sort.
The logs were erased and disabled, so unless I learn real quick how to dissect... I'll probably never know.

Sensitive? no.... there was nothing on it other than the OS and some software...
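
Since the logs were wiped, one thing that still works after a rootkit is a file integrity baseline taken right after the clean reinstall and kept off the box (floppy, CD, or another machine). The following is an added Python example, not code from the thread: it hashes every regular file under a directory tree, saves the result as JSON, and later reports modified, missing, new and re-permissioned files. The demo() function builds a throw-away tree of fake binaries in a temporary directory and simulates an intruder replacing ps, dropping a backdoor and setting sh setuid; the directory, file names and contents are constructed for the example, not taken from an actual compromised system. On a real box you would baseline /bin, /sbin, /usr/bin, /usr/sbin and /lib and run the check from a known-clean boot, because a rootkitted kernel or libc can lie to a checker running on the compromised system.

```python
# Added example, not from the thread: a minimal integrity baseline of the kind a
# practitioner takes right after a clean install, so a later rootkit that swaps
# ls, ps, netstat or login can be detected even after the attacker wipes the logs.
# demo() creates fake binaries in a temporary directory; nothing here touches /bin.
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Record hash, size and mode of every regular file under root (symlinks skipped)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            st = os.lstat(p)
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),   # catches a new setuid bit too
            }
    return baseline


def verify_baseline(root: str, baseline: Dict[str, dict]) -> List[str]:
    """Return findings: modified, re-permissioned, missing and new files vs the baseline."""
    current = build_baseline(root)
    findings = []
    for rel, rec in sorted(baseline.items()):
        cur = current.get(rel)
        if cur is None:
            findings.append(f"MISSING  {rel}")
        elif cur["sha256"] != rec["sha256"]:
            findings.append(f"MODIFIED {rel}")          # e.g. a trojaned ps or login
        elif cur["mode"] != rec["mode"]:
            findings.append(f"MODE     {rel} {rec['mode']} -> {cur['mode']}")
    for rel in sorted(set(current) - set(baseline)):
        findings.append(f"NEW      {rel}")              # e.g. a dropped backdoor
    return findings


def demo() -> List[str]:
    """Clean install -> baseline -> intruder replaces ps, adds a backdoor, sets sh setuid."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name in ("ls", "ps", "netstat", "sh"):       # constructed stand-ins for binaries
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho clean " + name.encode() + b"\n")
        saved = json.dumps(build_baseline(root))         # this is what goes on read-only media

        # Simulated intruder activity; ls is left untouched.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned ps that hides the attacker's processes\n")
        with open(os.path.join(bindir, "bd"), "wb") as f:
            f.write(b"backdoor\n")
        os.chmod(os.path.join(bindir, "sh"), 0o4755)

        return verify_baseline(root, json.loads(saved))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The baseline is only as trustworthy as the copy you kept off the box: if it sits on the same disk the intruder can regenerate it after swapping the binaries. Keep it somewhere they cannot write to, and compare with a checker binary you also brought from outside.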

Neo3Net
09-01-2002, 03:24 PM
Finally Got hacked

Congrats...:D

mahinder
09-01-2002, 04:23 PM
Why didn't you install an unseal logging daemon which does not log to the standard logging directories? That way you would have discovered how and from where he came in.

Also, what else can be done to track down how the hacker came in?

Was it a brute force attack, a dictionary attack, or did he just guess the password? Were the passwords open in the passwd file, or did he kick in through a software vulnerability like an Apache or PHP vulnerability, or what?

good idea though :)

2host.com
09-01-2002, 04:33 PM
Instead of leaving it completely open to be compromised, why wouldn't you do like you said you wanted and learn something? Just leaving a box there to be exploited isn't going to teach you anything and you should better spend your time learning, like you said, by reading documentation and books about how to secure the box. That's where you'd learn.

Instead, try and get it secure and then if anyone breaks in you can try and figure out why and how. Also ask for people you can trust to help you out testing it, not just anyone that can do damaging things with a compromised system! Otherwise doing what you did, you left a box sitting there as a target to be exploited and allowed anyone that found it to use it as a launch pad to create denial of service attacks on people or networks, a way for people to spam, use your box to crack into other boxes, etc.

That's just a bad idea (for those and many other reasons) and it's going to cause other people problems. Don't do that, for the sake of the rest of the people that your box can be used to harass. There's nothing to learn from that sort of thing, don't do it.

The Prohacker
09-01-2002, 05:19 PM
Originally posted by 2host.com
Instead of leaving it completely open to be compromised, why wouldn't you do like you said you wanted and learn something? Just leaving a box there to be exploited isn't going to teach you anything


You're right, it won't teach you much, but it's rather entertaining to watch someone break in on Monday, have control all day, then secure the box that night and watch them bash their heads against the wall trying to get back in :D

2host.com
09-01-2002, 05:23 PM
Originally posted by The Prohacker
You're right, it won't teach you much, but it's rather entertaining to watch someone break in on Monday, have control all day, then secure the box that night and watch them bash their heads against the wall trying to get back in :D

Won't teach them much? How about "Won't teach them anything"? What is the point even in regards to entertainment reasons, to allow them in in the first place? And once they are in, what makes you think you can have that same system up that night for them to try again (unless you plan to format and reinstall), since they "had control all day"? What about root kits and them creating backdoors you might never find?

What a waste of time to reinstall and let someone use your system all day, while they are "in control all day" which they can use to do the above actions I mentioned in my previous post (spam, crack other systems, launch attacks, etc.)? I don't think that's entertaining and that's likely what would come of allowing such a thing in most cases.

Fun is cracking a secure system of your own on your own home network and trying to circumvent your own security methods, etc. That's fun, that's where you learn. Opening a box up to any person that wants to crack a system is never a smart thing. I'd not leave my door unlocked on my house just to watch someone walk out with my valuables, use my phone and credit card, just to have it locked the next time they might try to come back.

The Prohacker
09-01-2002, 05:29 PM
Originally posted by 2host.com
Won't teach them much? How about "Won't teach them anything"? What is the point even in regards to entertainment reasons, to allow them in in the first place? And once they are in, what makes you think you can have that same system up that night for them to try again (unless you plan to format and reinstall), since they "had control all day"? What a waste of time to reinstall and let someone use your system all day, while they are "in control all day"?


Oh please, it only takes me 10 min to ghost a system...

And the pure entertainment some prick thought he owned your box is now denied is great...

And it can teach you something, if you want; you can look at how they rooted the box, what they installed, etc...

Never say 'Won't teach them anything' because, you can almost always learn something from anything....

2host.com
09-01-2002, 05:38 PM
This was supposed to be an edit and I mistakenly posted a reply, so I'll remove this post and leave the one below.

2host.com
09-01-2002, 05:39 PM
Originally posted by The Prohacker
Oh please, it only takes me 10 min to ghost a system...


Perhaps if you don't have much on it, sure. But so? It's still a waste of time and a bad idea because they can do more than waste _your time_.


And the pure entertainment some prick thought he owned your box is now denied is great...


Or he's not bothered because he thinks it's macho for owning your box. Do you think it's great entertainment to let someone break into your box and use it all day to do whatever they want (possibly spam, launch attacks, break into other systems on the web from your box), just because you can restore the system and then secure it so he can't get in later? Likely s/he'd never try again. Most cracks are hit and run. It would be more fun to see him try and fail and never get in or feel the satisfaction, don't you think?


And it can teach you something, if you want, you can look at how the rooted the box, what they installed, etc...


That won't teach you anything. Watching someone destroy a system is not educational. If you want to see what a root kit does, then just look at the code. I know plenty of ways to root a box, but I wouldn't be foolish enough to leave it sitting there with that obvious exploit just to see if other people did. Having your box compromised will not teach you anything. You'll likely not know how they got in, and if you did, it would be because you left it intentionally open for that reason.


Never say 'Won't teach them anything' because, you can almost always learn something from anything....

Hardly. I'm not going to learn anything by letting someone burn down my house. If I want to see how it'll fall and what is inherently structurally weak, I'll join the fire department and work in a lab where we study those things in a controlled environment and have things happen within the defined parameters so things don't get out of control and no one gets hurt (yet still learn what we need). This is not something you gain knowledge of by leaving a system insecure by default just to see who gets in. A learning process would be to try and keep them out initially and then if they try to get in you can rule things out or find flaws in your methods. Just leaving a box up you know is insecure would have no educational value.

Website Rob
09-01-2002, 05:44 PM
We are starting to digress a bit here. :)

Although we're not sure just why the box was left wide open, good observations have been made to show that it is not a good thing to do. If one does want to set up a "honey pot" then one should diligently watch it so that undue repercussions cannot happen to themselves and to others.

The thread starter even mentioned that they "were annoyed" when the intruder shut off the services. Imagine how "annoyed" people would be if, while the intruder had control of the box, they used it for a DDoS attack or sent out thousands of spam. As all footprints seem to have been removed, the box owner cannot say for sure just what purposes the box was used for.

Checking Data Transfer during that time may give some indications, but for all we know, the box owner may be facing some "annoying" repercussions depending upon what the intruder did while in control.

Methinks the thread starter probably got off light this time and through this post, not only have they learned not to do something like this again, others will learn not to do it in the first place.

2host.com
09-01-2002, 05:50 PM
Well said. That's the issue at hand. I did have to laugh a little though when people posted saying how sorry they were to hear it. I mean, wasn't that the point of him leaving it open to be cracked? Messing with services and worse, are all part of the process of having a system cracked. :0)

MikeM
09-01-2002, 07:40 PM
Just to clarify.....

Originally when the box was set up, it was behind a router. Ports 22 and 10000 were passed to it from the router. nothing else.

Then said router took a flying lead off the TCP/ip cliff and died a flaming death.

I didn't have time to do anything other than open the network to the world, as I was using it for remote SSH.

It was compromised for about 24 hours before I discovered it.

To my knowledge the only services running were:
SSH
Telnet
Web

in addition:

Mysql and PHP were installed but not configured.

I had not thought of spamming (although I was aware that if it was compromised it could be used for DoS), and it's entirely possible that whoever rooted the box did that by configuring sendmail or one of the other mail clients.

Originally I really did find it kind of funny, but thanks to
2host.com & Website Rob it's not as humorous as it seemed.

The box has been offline for 3 days now and will remain so until I can secure it to the best of my ability.

Website Rob
09-01-2002, 08:23 PM
Good clarification Mike and I'm sure we all like to help and were glad to -- know I was in my small way. ;)

Although, "we will learn, whatever it is we need to" it is sometimes more painful than it should be. :eek:

mind21_98
09-01-2002, 08:27 PM
Originally posted by mahinder
Why didn't you install an unseal logging daemon which does not log to the standard logging directories? That way you would have discovered how and from where he came in.

Also, what else can be done to track down how the hacker came in?

Was it a brute force attack, a dictionary attack, or did he just guess the password? Were the passwords open in the passwd file, or did he kick in through a software vulnerability like an Apache or PHP vulnerability, or what?

good idea though :)

You can configure syslogd to log to another system. That's even better than unseal, as there's nothing on the system that the hacker could wipe.
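
As an added example of the receiving side (not code from the thread): with a line such as "*.*  @loghost" in /etc/syslog.conf on the monitored box, syslogd forwards every message over UDP port 514, and sysklogd's syslogd on the log host accepts them when started with -r. The Python below is a stand-in for that receiving daemon: it parses BSD-syslog datagrams (PRI, timestamp, host, tag, message), flags two events relevant to this thread, a root login over ssh and the local syslogd being stopped, and appends everything to a file the sender cannot touch. The hostnames, addresses and sample log lines are constructed for the example.

```python
# Added example, not from the thread: a minimal remote syslog receiver and parser.
# The monitored box forwards with "*.*  @loghost" in /etc/syslog.conf; this script
# plays the log host. Because the copy lives here, an intruder who kills syslogd and
# deletes /var/log/messages on the compromised box cannot remove what was already sent,
# and the "exiting on signal" message itself becomes the alert. SAMPLE lines are
# constructed for the example.
import re
import socket
from typing import Optional

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_syslog(raw: bytes) -> Optional[dict]:
    """Parse one BSD-syslog datagram; return None if it is not well formed."""
    m = _LINE.match(raw.decode("ascii", "replace").rstrip("\r\n\x00"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # facility 23 / severity 7 is the maximum
        return None
    rec = m.groupdict()
    rec["facility"] = FACILITIES[pri >> 3]
    rec["severity"] = SEVERITIES[pri & 7]
    return rec


def is_suspicious(rec: dict) -> bool:
    """Two events from this thread's scenario: root logging in, and local logging stopping."""
    tag, msg = rec["tag"], rec["msg"]
    if tag == "sshd" and msg.startswith("Accepted") and " for root " in msg:
        return True
    if tag == "syslogd" and "exiting" in msg:      # someone stopped the local logger
        return True
    return False


def format_record(src: str, rec: dict) -> str:
    flag = " [ALERT]" if is_suspicious(rec) else ""
    return (f"{rec['ts']} {src} {rec['host']} {rec['facility']}.{rec['severity']} "
            f"{rec['tag']}: {rec['msg']}{flag}")


def serve(bind_addr: str = "0.0.0.0", port: int = 514, logfile: str = "remote.log") -> None:
    """Append every datagram to logfile; needs root for port 514 on the log host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(logfile, "a", buffering=1) as out:
        while True:
            data, (src, _port) = sock.recvfrom(8192)
            rec = parse_syslog(data)
            if rec is None:
                out.write(f"UNPARSED from {src}: {data!r}\n")   # keep it anyway
            else:
                out.write(format_record(src, rec) + "\n")


# Constructed sample datagrams, as the compromised box might have sent them.
SAMPLE = [
    b"<38>Aug 31 02:14:07 rh7 sshd[811]: Accepted password for root from 10.0.0.5 port 1043",
    b"<78>Aug 31 02:10:01 rh7 CROND[790]: (root) CMD (run-parts /etc/cron.hourly)",
    b"<46>Aug 31 02:16:40 rh7 syslogd: exiting on signal 15",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(format_record("10.0.0.7", parse_syslog(line)))
```

Two caveats: UDP syslog is unauthenticated, so once the intruder has root they can forge messages to the log host, and they can simply stop forwarding. Treat the last line received before silence, and the silence itself, as part of the evidence; the remote copy tells you when logging stopped, which a wiped local log cannot.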

dreamrae.com
09-02-2002, 09:17 AM
Originally posted by Darth
Because there sad.

or maybe they're pissed off at him..

peteny
09-03-2002, 07:33 AM
Damn that sucks