Educause Security Discussion mailing list archives

Re: i think i'm hacked - is this the right place to ask ?


From: "Lentes, Bernd" <0000002c1fd0e2c2-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Thu, 17 Nov 2016 05:05:00 +0100

----- On Nov 17, 2016, at 4:09 AM, Adam Maynard AMaynard () CLARKU EDU wrote:

If it were one of my systems, I'd be able to check the traffic log in the public
facing firewall, not sure if you have the same setup. Maybe something for your
network folks?

I'm doing that already.


As far as those tty's, idk. You can try 'who -a' or 'last', they might contain
IP info. You can look through your logs 'sudo less /var/log/auth.log'


Yes. /var/log/auth.log has information related to the time last indicates:
Nov 13 14:17:01 xxxxx CRON[15571]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 13 14:17:01 xxxxx CRON[15571]: pam_unix(cron:session): session closed for user root
Nov 14 14:17:01 xxxxx CRON[20856]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 14 14:17:01 xxxxx CRON[20856]: pam_unix(cron:session): session closed for user root
Nov 15 14:17:01 xxxxx CRON[27104]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 15 14:17:01 xxxxx CRON[27104]: pam_unix(cron:session): session closed for user root
Nov 16 14:17:01 xxxxx CRON[32647]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 14:17:01 xxxxx CRON[32647]: pam_unix(cron:session): session closed for user root
Nov 16 14:17:03 xxxxx useradd[32670]: new group: name=guest-gidnis, GID=999
Nov 16 14:17:03 xxxxx useradd[32670]: new user: name=guest-gidnis, UID=999, GID=999, home=/tmp/guest-gidnis, shell=/bin/bash
Nov 16 14:17:03 xxxxx su[32679]: Successful su for guest-gidnis by root
Nov 16 14:17:03 xxxxx su[32679]: + ??? root:guest-gidnis
Nov 16 14:17:03 xxxxx su[32679]: pam_unix(su:session): session opened for user guest-gidnis by (uid=0)
Nov 16 14:17:03 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 14:17:03 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 14:17:03 xxxxx systemd-logind[948]: New session c3 of user guest-gidnis.
Nov 16 14:17:03 xxxxx su[32679]: pam_unix(su:session): session closed for user guest-gidnis
Nov 16 14:17:03 xxxxx systemd-logind[948]: Removed session c3.
Nov 16 14:17:03 xxxxx lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-gidnis by (uid=0)
Nov 16 14:17:03 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 14:17:03 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 14:17:03 xxxxx systemd-logind[948]: New session c4 of user guest-gidnis.

Nov 16 15:13:05 xxxxx lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Nov 16 15:13:05 xxxxx lightdm: PAM adding faulty module: pam_kwallet.so
Nov 16 15:13:05 xxxxx lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Nov 16 15:13:05 xxxxx lightdm: PAM adding faulty module: pam_kwallet5.so
Nov 16 15:13:05 xxxxx lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "dietrich"
Nov 16 15:13:05 xxxxx lightdm: pam_unix(lightdm:auth): conversation failed
Nov 16 15:13:05 xxxxx lightdm: pam_unix(lightdm:auth): auth could not identify password for [dietrich]
Nov 16 15:13:05 xxxxx lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Nov 16 15:13:05 xxxxx lightdm: PAM adding faulty module: pam_kwallet.so
Nov 16 15:13:05 xxxxx lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Nov 16 15:13:05 xxxxx lightdm: PAM adding faulty module: pam_kwallet5.so
Nov 16 15:13:05 xxxxx lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Nov 16 15:13:05 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 15:13:05 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 15:13:05 xxxxx systemd-logind[948]: New session c5 of user lightdm.
Nov 16 15:13:05 xxxxx lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Nov 16 15:13:05 xxxxx lightdm: PAM adding faulty module: pam_kwallet.so
Nov 16 15:13:05 xxxxx lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Nov 16 15:13:05 xxxxx lightdm: PAM adding faulty module: pam_kwallet5.so
Nov 16 15:13:05 xxxxx lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "dietrich"
Nov 16 15:13:28 xxxxx lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Nov 16 15:13:28 xxxxx useradd[1661]: new group: name=guest-icosuj, GID=998
Nov 16 15:13:28 xxxxx useradd[1661]: new user: name=guest-icosuj, UID=998, GID=998, home=/tmp/guest-icosuj, shell=/bin/bash
Nov 16 15:13:28 xxxxx su[1672]: Successful su for guest-icosuj by root
Nov 16 15:13:28 xxxxx su[1672]: + ??? root:guest-icosuj
Nov 16 15:13:28 xxxxx su[1672]: pam_unix(su:session): session opened for user guest-icosuj by (uid=0)
Nov 16 15:13:29 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 15:13:29 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 15:13:29 xxxxx systemd-logind[948]: New session c6 of user guest-icosuj.
Nov 16 15:13:29 xxxxx su[1672]: pam_unix(su:session): session closed for user guest-icosuj
Nov 16 15:13:29 xxxxx systemd-logind[948]: Removed session c6.
Nov 16 15:13:29 xxxxx lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-icosuj by (uid=0)
Nov 16 15:13:29 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 15:13:29 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 15:13:29 xxxxx systemd-logind[948]: New session c7 of user guest-icosuj.
Nov 16 15:13:52 xxxxx lightdm: pam_unix(lightdm-autologin:session): session closed for user guest-icosuj
Nov 16 15:13:52 xxxxx systemd-logind[948]: Removed session c7.
Nov 16 15:13:53 xxxxx userdel[2568]: delete user 'guest-icosuj'
Nov 16 15:13:53 xxxxx userdel[2568]: removed group 'guest-icosuj' owned by 'guest-icosuj'
Nov 16 15:13:53 xxxxx userdel[2568]: removed shadow group 'guest-icosuj' owned by 'guest-icosuj'
Nov 16 15:13:53 xxxxx lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Nov 16 15:13:53 xxxxx lightdm: PAM adding faulty module: pam_kwallet.so
Nov 16 15:13:53 xxxxx lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Nov 16 15:13:53 xxxxx lightdm: PAM adding faulty module: pam_kwallet5.so
Nov 16 15:13:53 xxxxx lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Nov 16 15:13:53 xxxxx systemd-logind[948]: New session c8 of user lightdm.
Nov 16 15:13:58 xxxxx lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Nov 16 15:13:58 xxxxx lightdm: PAM adding faulty module: pam_kwallet.so
Nov 16 15:13:58 xxxxx lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Nov 16 15:13:58 xxxxx lightdm: PAM adding faulty module: pam_kwallet5.so
Nov 16 15:13:58 xxxxx lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "xxx"

I don't know a user guest-gidnis or guest-icosuj. User guest-gidnis is still in /etc/passwd and /etc/shadow, the other is not.

After you stop the bleeding, you've got to find and clean up the mess they made.

Is this a critical system? Is there sensitive data on this system? Is it
feasible to perform a clean install?

No, it's neither critical nor important, nor does it contain sensitive data. A clean install is not feasible,
but that's what I have to do. It has a ton of software. But I'd like to know how he came into my system. If I don't
know and perform a fresh install, I think I will face the same problem. I need to know the vulnerability to fix it.



If you want to get a full sense of what's going on with your system lynis is
great. https://cisofy.com/lynis/      https://cisofy.com/documentation/lynis/


I will check that later on.

I would just go with 'audit system'. What you get is a log lover's dream.


After you audit and clean-up, you have to harden. Restrict access with a system
firewall (ufw, iptables, etc.), limit users with sudoer rights, disable or at
least restrict root login. Whatever framework you want to use, CIS, NIST, etc.
Think layered security.


-Adam


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Lentes, Bernd
Sent: Wednesday, November 16, 2016 9:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] i think i'm hacked - is this the right place to ask ?

----- On Nov 17, 2016, at 2:55 AM, Adam Maynard AMaynard () CLARKU EDU wrote:

Not exactly. This is mostly Information sharing, collaboration, and
advice for security professionals in Higher Education.

But any who... maybe I can assist anyway. Can you describe it some
more? What are your symptoms? What have you done so far? Any clue of the cause?

…Now that I think about it, the better questions are:

Does your research institute not have anyone with information Security
knowledge?

Does your research institute have an incident responses plan?

-Adam


Ok. I will try to describe it in a bit more detail.
It's an Ubuntu 16.06 system, kernel is 4.4.0-45-generic (most recent, including
dirty-cow patch).
We realized that sometimes access via ssh is possible, sometimes not. I tried
with nmap, sometimes the port was closed, sometimes not (trying from different
hosts)!

We managed to establish several ssh connections, but some of them broke down,
some not.
The host should not be accessible from the internet (i trust our firewall admin
...).

What i found out until now:

/etc/passwd and /etc/shadow were changed today, although no one created a user!
We now have a user guest-gidnis:
guest-gidnis:x:999:999:Guest:/tmp/guest-gidnis:/bin/bash
Home directory in a tmp folder? I googled guest-gidnis, no match.

last says (IP addresses deleted for the root logins):

root     pts/8             Wed Nov 16 16:22   still logged in
root     pts/50            Wed Nov 16 15:20   still logged in
root     pts/49            Wed Nov 16 15:14   still logged in
guest-ic tty9         :2               Wed Nov 16 15:13 - 15:13  (00:00)
guest-gi tty8         :1               Wed Nov 16 14:17    gone - no logout
root     pts/25            Wed Nov 16 13:51 - 16:02  (02:11)
root     pts/23            Wed Nov 16 13:49 - 14:44  (00:55)
root     pts/21            Wed Nov 16 13:35 - 14:44  (01:09)

tty8 and tty9? Sounds strange to me.


I will provide you with further information.
To the others: my questions are not law related, and I try to avoid revealing
sensitive information.

Thanks.

Bernd


Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH) Ingolstaedter
Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671




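A small auth.log triage script, added here as an illustration and not part of the thread: it pulls the useradd/userdel and PAM session events for each account created in the log, as in the excerpt above, and flags the points the thread asks about (home directory under /tmp, interactive shell, lightdm autologin session, whether the account is still present at the end of the log). The sample lines are constructed to mirror the excerpt; the hostname and PIDs are placeholders, and Python 3.8+ is assumed.

```python
import re
from collections import defaultdict

# Constructed auth.log lines modelled on the excerpt in the thread; the hostname
# "host" and the PIDs are placeholders, not values from the original system.
SAMPLE_LOG = """\
Nov 16 14:17:03 host useradd[32670]: new user: name=guest-gidnis, UID=999, GID=999, home=/tmp/guest-gidnis, shell=/bin/bash
Nov 16 14:17:03 host su[32679]: pam_unix(su:session): session opened for user guest-gidnis by (uid=0)
Nov 16 14:17:03 host lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-gidnis by (uid=0)
Nov 16 15:13:28 host useradd[1661]: new user: name=guest-icosuj, UID=998, GID=998, home=/tmp/guest-icosuj, shell=/bin/bash
Nov 16 15:13:29 host lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-icosuj by (uid=0)
Nov 16 15:13:52 host lightdm: pam_unix(lightdm-autologin:session): session closed for user guest-icosuj
Nov 16 15:13:53 host userdel[2568]: delete user 'guest-icosuj'
"""

NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,\s]+), UID=(?P<uid>\d+),"
                      r".*home=(?P<home>[^,\s]+),.*shell=(?P<shell>\S+)")
DEL_USER = re.compile(r"userdel\[\d+\]: delete user '(?P<name>[^']+)'")
SESSION = re.compile(r"pam_unix\((?P<service>[^:)]+):session\): session "
                     r"(?P<state>opened|closed) for user (?P<name>\S+)")


def triage(log_text):
    """Map each account created in the log to its lifecycle and review flags."""
    users = defaultdict(lambda: {"created": None, "deleted": None, "home": None,
                                 "shell": None, "sessions": []})
    for line in log_text.splitlines():
        ts = line[:15]  # syslog timestamp, e.g. "Nov 16 14:17:03"
        if m := NEW_USER.search(line):
            users[m["name"]].update(created=ts, home=m["home"], shell=m["shell"])
        elif m := DEL_USER.search(line):
            users[m["name"]]["deleted"] = ts
        elif (m := SESSION.search(line)) and m["name"] in users:
            users[m["name"]]["sessions"].append((ts, m["service"], m["state"]))

    findings = {}
    for name, u in users.items():
        flags = []
        if u["home"] and u["home"].startswith("/tmp/"):
            flags.append("home under /tmp")
        if u["shell"] not in (None, "/usr/sbin/nologin", "/bin/false"):
            flags.append("interactive shell")
        if any(svc == "lightdm-autologin" and st == "opened"
               for _, svc, st in u["sessions"]):
            flags.append("autologin session")
        if u["deleted"] is None:
            flags.append("still present at end of log")
        findings[name] = {"created": u["created"], "deleted": u["deleted"], "flags": flags}
    return findings
```

Run it as `triage(open("/var/log/auth.log").read())` to get the same per-account summary for a real log; the flags are review prompts, not verdicts, since a distribution's own guest-session feature produces the same pattern as a manually created account.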