Educause Security Discussion mailing list archives

Re: i think i'm hacked - is this the right place to ask ?


From: Adam Maynard <AMaynard () CLARKU EDU>
Date: Thu, 17 Nov 2016 03:09:43 +0000

If it were one of my systems, I'd be able to check the traffic log in the public-facing firewall; not sure if you have the same setup. Maybe something for your network folks?

As for those ttys, idk. You can try 'who -a' or 'last'; they might contain IP info. You can look through your logs with 'sudo less /var/log/auth.log'.

After you stop the bleeding, you've got to find and clean up the mess they made. 

Is this a critical system? Is there sensitive data on this system? Is it feasible to perform a clean install?

If you want to get a full sense of what's going on with your system, lynis is great. https://cisofy.com/lynis/
https://cisofy.com/documentation/lynis/

I would just go with 'audit system'. What you get is a log lover's dream.


After you audit and clean up, you have to harden. Restrict access with a system firewall (ufw, iptables, etc.), limit users with sudoer rights, disable or at least restrict root login. Whatever framework you want to use, CIS, NIST, etc. Think layered security.


-Adam
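
The checks Adam lists ('last', 'who -a', auth.log, a look over /etc/passwd) gathered into a small POSIX sh triage script. This is an added example, not code from either post; the passwd, 'last' and auth.log lines it runs on are constructed samples modelled on Bernd's output, and the function names are my own.

```shell
#!/bin/sh
# Added triage helpers for the checks discussed in the thread (example
# code, not from the list posts). Each function reads a file passed as its
# argument, so it runs on the samples below or on the real /etc/passwd,
# a saved `last > last.txt`, or /var/log/auth.log.

# Constructed /etc/passwd sample, modelled on the entry Bernd quoted.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bernd:x:1000:1000:Bernd:/home/bernd:/bin/bash
guest-gidnis:x:999:999:Guest:/tmp/guest-gidnis:/bin/bash'

# Constructed `last` output (IP column redacted, as in the post).
SAMPLE_LAST='root     pts/8        Wed Nov 16 16:22   still logged in
guest-ic tty9         :2               Wed Nov 16 15:13 - 15:13  (00:00)
guest-gi tty8         :1               Wed Nov 16 14:17    gone - no logout
root     pts/25       Wed Nov 16 13:51 - 16:02  (02:11)'

# Constructed auth.log lines; 203.0.113.0/24 is a documentation range.
SAMPLE_AUTH='Nov 16 13:35:02 srv sshd[2201]: Accepted password for root from 203.0.113.7 port 40122 ssh2
Nov 16 13:40:11 srv sshd[2230]: Failed password for root from 203.0.113.9 port 40310 ssh2
Nov 16 15:20:44 srv sshd[2407]: Accepted publickey for root from 203.0.113.7 port 41877 ssh2'

# Accounts worth a look: interactive shell plus either a home directory
# under /tmp or a UID in the system range (below 1000) other than root.
suspicious_accounts() {   # $1: passwd-format file
    awk -F: '$7 !~ /(nologin|false)$/ && ($6 ~ /^\/tmp\// || ($3 < 1000 && $3 != 0)) { print $1 }' "$1"
}

# Console/X sessions (tty*) from `last` output. On a box that is only
# reached over ssh these should not appear at all.
console_sessions() {      # $1: file holding `last` output
    awk '$2 ~ /^tty[0-9]+$/ { print $1, $2, $3 }' "$1"
}

# Successful sshd logins as "user ip": where the root sessions came from,
# even when the IP column of `last` has been redacted.
ssh_accepted() {          # $1: auth.log-format file
    awk '/sshd\[[0-9]+\]: Accepted / { print $9, $11 }' "$1"
}

# Stand-alone run against the constructed samples.
d=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$d/passwd"
printf '%s\n' "$SAMPLE_LAST"   > "$d/last.txt"
printf '%s\n' "$SAMPLE_AUTH"   > "$d/auth.log"
echo "accounts:";   suspicious_accounts "$d/passwd"
echo "consoles:";   console_sessions "$d/last.txt"
echo "ssh logins:"; ssh_accepted "$d/auth.log"
rm -rf "$d"
```

Against real data, run it as root so auth.log is readable, and diff the passwd output against a known-good copy of the account list rather than eyeballing it.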


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Lentes, Bernd
Sent: Wednesday, November 16, 2016 9:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] i think i'm hacked - is this the right place to ask ?

----- On Nov 17, 2016, at 2:55 AM, Adam Maynard AMaynard () CLARKU EDU wrote:

Not exactly. This is mostly information sharing, collaboration, and advice for security professionals in Higher Education.

But anywho... maybe I can assist anyway. Can you describe it some more? What are your symptoms? What have you done so far? Any clue of the cause?

…Now that I think about it, the better questions are:

Does your research institute not have anyone with information security knowledge?

Does your research institute have an incident response plan?

-Adam


OK. I will try to describe it in a bit more detail.
It's an Ubuntu 16.06 system, kernel is 4.4.0-45-generic (most recent, including the Dirty COW patch).
We realized that sometimes access via ssh is possible, sometimes not. I tried with nmap; sometimes the port was closed, sometimes not (trying from different hosts)!

We managed to establish several ssh connections, but some of them broke down, some not.
The host should not be accessible from the internet (I trust our firewall admin ...).

What i found out until now:

/etc/passwd and /etc/shadow were changed today, although no one created a user!
We now have a user guest-gidnis: guest-gidnis:x:999:999:Guest:/tmp/guest-gidnis:/bin/bash
Home directory in a tmp folder? I googled guest-gidnis, no match.

last says (IP addresses deleted for the root logins):

root     pts/8             Wed Nov 16 16:22   still logged in
root     pts/50            Wed Nov 16 15:20   still logged in
root     pts/49            Wed Nov 16 15:14   still logged in
guest-ic tty9         :2               Wed Nov 16 15:13 - 15:13  (00:00)
guest-gi tty8         :1               Wed Nov 16 14:17    gone - no logout
root     pts/25            Wed Nov 16 13:51 - 16:02  (02:11)
root     pts/23            Wed Nov 16 13:49 - 14:44  (00:55)
root     pts/21            Wed Nov 16 13:35 - 14:44  (01:09)

tty8 and tty9? Sounds strange to me.


I will provide you with further information.
To the others: my questions are not law-related, and I try to avoid revealing sensitive information.

Thanks.

Bernd


Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH) Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671
