Educause Security Discussion mailing list archives
Re: i think i'm hacked - is this the right place to ask ?
From: "Lentes, Bernd" <0000002c1fd0e2c2-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Thu, 17 Nov 2016 05:05:00 +0100
----- On Nov 17, 2016, at 4:09 AM, Adam Maynard AMaynard () CLARKU EDU wrote:
If it were one of my systems, I'd be able to check the traffic log in the public facing firewall, not sure if you have the same setup. Maybe something for your network folks?
I'm doing that already.
As far as those tty's, idk. You can try 'who -a' or 'last', they might contain IP info. You can look through your logs 'sudo less /var/log/auth.log'
Yes. /var/log/auth.log has information related to the time last indicates:
Nov 13 14:17:01 xxxxx CRON[15571]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 13 14:17:01 xxxxx CRON[15571]: pam_unix(cron:session): session closed for user root
Nov 14 14:17:01 xxxxx CRON[20856]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 14 14:17:01 xxxxx CRON[20856]: pam_unix(cron:session): session closed for user root
Nov 15 14:17:01 xxxxx CRON[27104]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 15 14:17:01 xxxxx CRON[27104]: pam_unix(cron:session): session closed for user root
Nov 16 14:17:01 xxxxx CRON[32647]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 14:17:01 xxxxx CRON[32647]: pam_unix(cron:session): session closed for user root
Nov 16 14:17:03 xxxxx useradd[32670]: new group: name=guest-gidnis, GID=999
Nov 16 14:17:03 xxxxx useradd[32670]: new user: name=guest-gidnis, UID=999, GID=999, home=/tmp/guest-gidnis, shell=/bin/bash
Nov 16 14:17:03 xxxxx su[32679]: Successful su for guest-gidnis by root
Nov 16 14:17:03 xxxxx su[32679]: + ??? root:guest-gidnis
Nov 16 14:17:03 xxxxx su[32679]: pam_unix(su:session): session opened for user guest-gidnis by (uid=0)
Nov 16 14:17:03 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 14:17:03 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 14:17:03 xxxxx systemd-logind[948]: New session c3 of user guest-gidnis.
Nov 16 14:17:03 xxxxx su[32679]: pam_unix(su:session): session closed for user guest-gidnis
Nov 16 14:17:03 xxxxx systemd-logind[948]: Removed session c3.
Nov 16 14:17:03 xxxxx lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-gidnis by (uid=0)
Nov 16 14:17:03 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 14:17:03 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 14:17:03 xxxxx systemd-logind[948]: New session c4 of user guest-gidnis.
Nov 16 15:13:05 xxxxx lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Nov 16 15:13:05 xxxxx lightdm: PAM adding faulty module: pam_kwallet.so
Nov 16 15:13:05 xxxxx lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Nov 16 15:13:05 xxxxx lightdm: PAM adding faulty module: pam_kwallet5.so
Nov 16 15:13:05 xxxxx lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "dietrich"
Nov 16 15:13:05 xxxxx lightdm: pam_unix(lightdm:auth): conversation failed
Nov 16 15:13:05 xxxxx lightdm: pam_unix(lightdm:auth): auth could not identify password for [dietrich]
Nov 16 15:13:05 xxxxx lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Nov 16 15:13:05 xxxxx lightdm: PAM adding faulty module: pam_kwallet.so
Nov 16 15:13:05 xxxxx lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Nov 16 15:13:05 xxxxx lightdm: PAM adding faulty module: pam_kwallet5.so
Nov 16 15:13:05 xxxxx lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Nov 16 15:13:05 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 15:13:05 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 15:13:05 xxxxx systemd-logind[948]: New session c5 of user lightdm.
Nov 16 15:13:05 xxxxx lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Nov 16 15:13:05 xxxxx lightdm: PAM adding faulty module: pam_kwallet.so
Nov 16 15:13:05 xxxxx lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Nov 16 15:13:05 xxxxx lightdm: PAM adding faulty module: pam_kwallet5.so
Nov 16 15:13:05 xxxxx lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "dietrich"
Nov 16 15:13:28 xxxxx lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Nov 16 15:13:28 xxxxx useradd[1661]: new group: name=guest-icosuj, GID=998
Nov 16 15:13:28 xxxxx useradd[1661]: new user: name=guest-icosuj, UID=998, GID=998, home=/tmp/guest-icosuj, shell=/bin/bash
Nov 16 15:13:28 xxxxx su[1672]: Successful su for guest-icosuj by root
Nov 16 15:13:28 xxxxx su[1672]: + ??? root:guest-icosuj
Nov 16 15:13:28 xxxxx su[1672]: pam_unix(su:session): session opened for user guest-icosuj by (uid=0)
Nov 16 15:13:29 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 15:13:29 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 15:13:29 xxxxx systemd-logind[948]: New session c6 of user guest-icosuj.
Nov 16 15:13:29 xxxxx su[1672]: pam_unix(su:session): session closed for user guest-icosuj
Nov 16 15:13:29 xxxxx systemd-logind[948]: Removed session c6.
Nov 16 15:13:29 xxxxx lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-icosuj by (uid=0)
Nov 16 15:13:29 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 15:13:29 xxxxx systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
Nov 16 15:13:29 xxxxx systemd-logind[948]: New session c7 of user guest-icosuj.
Nov 16 15:13:52 xxxxx lightdm: pam_unix(lightdm-autologin:session): session closed for user guest-icosuj
Nov 16 15:13:52 xxxxx systemd-logind[948]: Removed session c7.
Nov 16 15:13:53 xxxxx userdel[2568]: delete user 'guest-icosuj'
Nov 16 15:13:53 xxxxx userdel[2568]: removed group 'guest-icosuj' owned by 'guest-icosuj'
Nov 16 15:13:53 xxxxx userdel[2568]: removed shadow group 'guest-icosuj' owned by 'guest-icosuj'
Nov 16 15:13:53 xxxxx lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Nov 16 15:13:53 xxxxx lightdm: PAM adding faulty module: pam_kwallet.so
Nov 16 15:13:53 xxxxx lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Nov 16 15:13:53 xxxxx lightdm: PAM adding faulty module: pam_kwallet5.so
Nov 16 15:13:53 xxxxx lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Nov 16 15:13:53 xxxxx systemd-logind[948]: New session c8 of user lightdm.
Nov 16 15:13:58 xxxxx lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Nov 16 15:13:58 xxxxx lightdm: PAM adding faulty module: pam_kwallet.so
Nov 16 15:13:58 xxxxx lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Nov 16 15:13:58 xxxxx lightdm: PAM adding faulty module: pam_kwallet5.so
Nov 16 15:13:58 xxxxx lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "xxx"

I don't know a user guest-gidnis or guest-icosuj. User guest-gidnis is still in /etc/passwd and /etc/shadow, the other not.
After you stop the bleeding, you've got to find and clean up the mess they made. Is this a critical system? Is there sensitive data on this system? Is it feasible to perform a clean install?
No, it's neither critical nor important nor containing sensitive data. A clean install is not feasible, but that's what I have to do. It has a ton of software. But I'd like to know how he came into my system. Without knowing that, I think I will face the same problem after performing a fresh install. I need to know the vulnerability to fix it.
If you want to get a full sense of what's going on with your system lynis is great. https://cisofy.com/lynis/ https://cisofy.com/documentation/lynis/
I will check that later on.
I would just go with 'audit system'. What you get is a log lover's dream. After you audit and clean-up, you have to harden. Restrict access with a system firewall (ufw, iptables, etc.), limit users with sudoer rights, disable or at least restrict root login. Whatever framework you want to use, CIS, NIST, etc. Think layered security.
-Adam

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Lentes, Bernd
Sent: Wednesday, November 16, 2016 9:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] i think i'm hacked - is this the right place to ask ?

----- On Nov 17, 2016, at 2:55 AM, Adam Maynard AMaynard () CLARKU EDU wrote:
Not exactly. This is mostly information sharing, collaboration, and advice for security professionals in Higher Education. But any who... maybe I can assist anyway. Can you describe it some more? What are your symptoms? What have you done so far? Any clue of the cause?
…Now that I think about it, the better questions are:
Does your research institute not have anyone with information security knowledge?
Does your research institute have an incident response plan?
-Adam

Ok. I will try to describe it in a bit more detail. It's an Ubuntu 16.06 system, kernel is 4.4.0-45-generic (most recent, including dirty-cow patch). We realized that sometimes access via ssh is possible, sometimes not. I tried with nmap, sometimes the port was closed, sometimes not (trying from different hosts)! We managed to establish several ssh connections, but some of them broke down, some not. The host should not be accessible from the internet (I trust our firewall admin ...). What I found out until now: /etc/passwd and /etc/shadow were changed today, although no one created a user! We have now a user guest-gidnis:
guest-gidnis:x:999:999:Guest:/tmp/guest-gidnis:/bin/bash
Home directory in a tmp folder? I googled guest-gidnis, no match.
last says (IP addresses deleted for the root logins):
root     pts/8              Wed Nov 16 16:22   still logged in
root     pts/50             Wed Nov 16 15:20   still logged in
root     pts/49             Wed Nov 16 15:14   still logged in
guest-ic tty9         :2    Wed Nov 16 15:13 - 15:13  (00:00)
guest-gi tty8         :1    Wed Nov 16 14:17   gone - no logout
root     pts/25             Wed Nov 16 13:51 - 16:02  (02:11)
root     pts/23             Wed Nov 16 13:49 - 14:44  (00:55)
root     pts/21             Wed Nov 16 13:35 - 14:44  (01:09)
Tty8 and tty9? Sounds strange to me. I will provide you with further information.
To the others: my questions are not law related, and I try to avoid revealing sensitive information.
Thanks.
Bernd

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Chair of the Supervisory Board: MinDir'in Baerbel Brumme-Bothe
Managing Directors: Prof. Dr. Guenther Wess, Dr. Alfons Enhsen
Register court: Amtsgericht Muenchen HRB 6466
VAT ID: DE 129521671
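An added triage script, not part of this thread or of any tool mentioned in it, that parses auth.log lines of the kind pasted above and, for every account the log shows being created, reports whether its home is under /tmp, whether it was deleted again, who su'd into it and which PAM service stacks opened sessions for it. It shows how to tie each useradd to the process that immediately used the account, which is the question the thread is circling around. The sample lines are constructed from the excerpt above (hostname kept as xxxxx); the regexes assume the stock syslog/pam_unix message formats shown there.

```python
import re
from collections import defaultdict
# Constructed sample, modelled on the auth.log excerpt quoted above (hostname kept as xxxxx).
SAMPLE_LOG = """\
Nov 16 14:17:03 xxxxx useradd[32670]: new user: name=guest-gidnis, UID=999, GID=999, home=/tmp/guest-gidnis, shell=/bin/bash
Nov 16 14:17:03 xxxxx su[32679]: Successful su for guest-gidnis by root
Nov 16 14:17:03 xxxxx su[32679]: pam_unix(su:session): session opened for user guest-gidnis by (uid=0)
Nov 16 14:17:03 xxxxx lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-gidnis by (uid=0)
Nov 16 15:13:28 xxxxx useradd[1661]: new user: name=guest-icosuj, UID=998, GID=998, home=/tmp/guest-icosuj, shell=/bin/bash
Nov 16 15:13:28 xxxxx su[1672]: Successful su for guest-icosuj by root
Nov 16 15:13:29 xxxxx lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-icosuj by (uid=0)
Nov 16 15:13:53 xxxxx userdel[2568]: delete user 'guest-icosuj'
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "  # syslog timestamp, then hostname
PATTERNS = {  # each pattern yields 'name' (the account) and, except userdel, a 'detail' string
    "created": re.compile(TS + r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=\d+, GID=\d+, (?P<detail>home=[^,]+, shell=\S+)"),
    "su": re.compile(TS + r"su\[\d+\]: Successful su for (?P<name>\S+) by (?P<detail>\S+)"),
    "session": re.compile(TS + r"\S+: pam_unix\((?P<detail>[^:]+):session\): session opened for user (?P<name>\S+)"),
    "deleted": re.compile(TS + r"userdel\[\d+\]: delete user '(?P<name>[^']+)'"),
}

def account_timeline(log_text):
    """Group useradd / su / PAM-session / userdel events by account name, in log order."""
    timeline = defaultdict(list)
    for line in log_text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                detail = m.groupdict().get("detail", "")
                timeline[m["name"]].append((kind, m["ts"], detail))
                break
    return timeline

def created_accounts(log_text):
    """Per account created in the log: /tmp home?, deleted again?, su'd by whom, PAM stacks that opened sessions."""
    report = {}
    for name, events in account_timeline(log_text).items():
        kinds = [kind for kind, _, _ in events]
        if "created" not in kinds:
            continue  # pre-existing account such as root: not what we are triaging here
        created_detail = next(d for k, _, d in events if k == "created")
        report[name] = {
            "tmp_home": created_detail.startswith("home=/tmp/"),
            "deleted": "deleted" in kinds,
            "su_by": [d for k, _, d in events if k == "su"],
            "sessions": [d for k, _, d in events if k == "session"],
        }
    return report
```

Run it over the real /var/log/auth.log with `created_accounts(open("/var/log/auth.log").read())`; an account whose first session comes from the lightdm-autologin stack is the shape Ubuntu's LightDM guest session produces (throwaway guest-XXXXXX accounts with homes under /tmp), whereas one first used from sshd or an interactive root shell deserves a much closer look.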