Educause Security Discussion mailing list archives

Re: i think i'm hacked - is this the right place to ask ?


From: "Lentes, Bernd" <0000002c1fd0e2c2-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Thu, 17 Nov 2016 03:22:41 +0100

----- On Nov 17, 2016, at 2:55 AM, Adam Maynard AMaynard () CLARKU EDU wrote:

Not exactly. This is mostly information sharing, collaboration, and advice for
security professionals in Higher Education.

But any who... maybe I can assist anyway. Can you describe it some more? What
are your symptoms? What have you done so far? Any clue of the cause?

…Now that I think about it, the better questions are:

Does your research institute not have anyone with information security
knowledge?

Does your research institute have an incident response plan?

-Adam


Ok. I will try to describe it in a bit more detail.
It's an Ubuntu 16.06 system, kernel is 4.4.0-45-generic (most recent, including dirty-cow patch).
We realized that sometimes access via ssh is possible, sometimes not. I tried with nmap: sometimes the port was closed, sometimes not (trying from different hosts)!

We managed to establish several ssh connections, but some of them broke down, some not.
The host should not be accessible from the internet (I trust our firewall admin ...).

What I have found out so far:

/etc/passwd and /etc/shadow were changed today, although no one created a user!
We now have a user guest-gid-nis: guest-gidnis:x:999:999:Guest:/tmp/guest-gidnis:/bin/bash
Home directory in a tmp folder? I googled guest-gidnis, no match.

last says (IP addresses deleted for the root logins):

root     pts/8             Wed Nov 16 16:22   still logged in
root     pts/50            Wed Nov 16 15:20   still logged in
root     pts/49            Wed Nov 16 15:14   still logged in
guest-ic tty9         :2               Wed Nov 16 15:13 - 15:13  (00:00)
guest-gi tty8         :1               Wed Nov 16 14:17    gone - no logout
root     pts/25            Wed Nov 16 13:51 - 16:02  (02:11)
root     pts/23            Wed Nov 16 13:49 - 14:44  (00:55)
root     pts/21            Wed Nov 16 13:35 - 14:44  (01:09)

Tty8 and tty9 ? Sounds strange to me.


I will provide you with further information.
To the others: my questions are not law related, and I try to avoid revealing sensitive information.

Thanks.

Bernd


Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671
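The two observations Bernd lists (an unexpected account with a home directory under /tmp, and console logins on tty8/tty9 in the `last` output) can be turned into a quick triage check. The following is an added example, not code from the thread; the /etc/passwd and `last` lines it parses are constructed to resemble the ones quoted above, and the UID threshold and shell list are assumptions a responder would adjust for their own distribution.

```python
# Constructed sample /etc/passwd lines; the guest-gidnis entry mirrors the one quoted in the post.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bernd:x:1000:1000:Bernd:/home/bernd:/bin/bash
guest-gidnis:x:999:999:Guest:/tmp/guest-gidnis:/bin/bash
"""

LOGIN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}          # assumed interactive shells
TMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")            # world-writable locations

def suspicious_passwd_entries(passwd_text, uid_min=1000):
    """Return (user, reasons) for accounts a responder should look at first:
    a home directory in a world-writable tmp location, or a below-UID_MIN
    (system-range) account that nevertheless has an interactive login shell."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _pw, uid, _gid, _gecos, home, shell = line.split(":", 6)
        reasons = []
        if home.startswith(TMP_PREFIXES):
            reasons.append("home in tmp dir")
        if int(uid) != 0 and int(uid) < uid_min and shell in LOGIN_SHELLS:
            reasons.append("system-range uid with login shell")
        if reasons:
            findings.append((user, reasons))
    return findings

# Constructed `last` lines shaped like the post's output (note: `last` truncates
# user names to 8 characters, which is why "guest-gidnis" appears as "guest-gi").
LAST_SAMPLE = """root     pts/8        198.51.100.7     Wed Nov 16 16:22   still logged in
guest-ic tty9         :2               Wed Nov 16 15:13 - 15:13  (00:00)
guest-gi tty8         :1               Wed Nov 16 14:17    gone - no logout
root     pts/25       198.51.100.7     Wed Nov 16 13:51 - 16:02  (02:11)
"""

def suspicious_last_entries(last_text):
    """Flag sessions on a local virtual console whose 'host' field is an X display
    (':N'), which a headless server should never show, and sessions with no
    recorded logout, which deserve a look at the live process list."""
    findings = []
    for line in last_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        user, tty, host = parts[0], parts[1], parts[2]
        reasons = []
        if tty.startswith("tty") and host.startswith(":"):
            reasons.append("graphical console login")
        if "gone - no logout" in line:
            reasons.append("no logout recorded")
        if reasons:
            findings.append((user, tty, reasons))
    return findings
```

On a live host, feed it the real files (`open("/etc/passwd").read()` and the output of `last -F`) and compare the flagged accounts against the package manager's and configuration management's expected account list before drawing conclusions.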
