I'm basically a Newb,
I ran top yesterday and discovered /user/sbin/httpd was running in several instances started by a guest account. I reviewed the auth.log and found long streams of login attempts with multiple different names. They finally discovered an account that was created without a password I forgot about.
I've removed that account, disabled my ssh port forward. Anything else I should do? Do I report this to the authorities? If so who?
How do I check and see what else they may have done?
Thanks
Tom
If the access attempts were from the same IP address you can block that IP in httpd, and by configuring your iptables firewall.
http://httpd.apache.org/docs/2.2/howto/access.html
https://wiki.archlinux.org/index.php/Iptables
Last edited by Cyrusm (2014-07-24 15:30:36)
Hofstadter's Law:
It always takes longer than you expect, even when you take into account Hofstadter's Law.
I'm basically a Newb,
Welcome to Arch Linux.
I ran top yesterday and discovered /user/sbin/httpd was running in several instances started by a guest account. I reviewed the auth.log and found long streams of login attempts with multiple different names. They finally discovered an account that was created without a password I forgot about.
How is your machine attached to the Internet? If you are behind a router on a private LAN, then you had to have opened ports and forwarded them to your machine. One of those would have to have been port 44322 for ssh. HTTP ports would have to be opened separately. Does your router have a password when you access it from your LAN? Is there a password set? If so, an intruder would have a more difficult time making an http server accessible from the Internet.
Also, (This is important) Do you know the port numbers on which those servers were running? I ask, because port numbers below 1024 require root access to open. If an intruder was able to open a privileged port, then that intruder acquired root privileges and you should consider your system to be completely compromised. Had that guest account, the one without a password, been a member of the 'wheel' group?
I've removed that account, disabled my ssh port forward. Anything else I should do? Do I report this to the authorities? If so who?
No. No one is going to care about an intrusion into a home server.
How do I check and see what else they may have done?
You need to determine whether they obtained root privilege. Positive evidence may exist in the logs. Lack of evidence cannot be trusted, as the data could have been tampered with. If the account was a member of 'wheel', I would not trust your system. If you are sure they did not attain elevated privilege, you might be okay. Knowing the port numbers would be helpful in making that determination.
If you have a router, audit it for open ports or DMZs. Ensure that you know why and how each one is open.
Edit: Fixed port number for ssh. I had given the port for https
Last edited by ewaller (2014-07-25 14:47:40)
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
They did not get root access as far as I can tell. The port forward was for port 22, which I believe is the default ssh port. The account was in the user group, and it appears they tried to use perl to start httpd, which is not installed on this machine. It appears they used perl to grand start httpd; sys/init was the parent process. This is a pogoplug I use as an openvpn server / plex server. BTW, there were multiple IPs, I looked up 2 of them and they were from China.
Thanks for the assistance
Tom
Assume you are pwned. Nuke from orbit. Chalk it up as a learning experience.
BTW, there were multiple IPs, I looked up 2 of them and they were from China.
Tom
Imagine that. I average six attacks a day from China on my system.
I agree with Jasonwryan. Reinstall and lock it down
Socal Tom wrote:
BTW, there were multiple IPs, I looked up 2 of them and they were from China.
Tom
Imagine that. I average six attacks a day from China on my system.
I agree with Jasonwryan. Reinstall and lock it down
Will do, easy enough to do, especially with archlinux arm.
Tom
Assume you are pwned. Nuke from orbit. Chalk it up as a learning experience.
+1. If the person has access via ssh for example, he/she can reverse tunnel anything out of your box, vnc, http, whatever.
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Based on the OP, can it be concluded that Mr. Tom's mishap occurred as a result of a forgotten guest account?
Based on the OP, can it be concluded that Mr. Tom's mishap occurred as a result of a forgotten guest account?
I would say so. Based upon what he wrote, it would appear the shell history file was intact. Either that, or unsuccessful attempts to do things were logged and tagged with the user ID.
@ ewaller. It makes sense that guest accounts are typically disabled by default and conscious effort is required to enable them. I did many of the recommendations contained in the "lock it down list", after reading this.