Security Issue
Walton Hoops
walton at vyper.hopto.org
Thu Feb 12 19:23:46 UTC 2009
I had already checked the SSH logs, and just checked 'em again using the grep lines you suggested. The last time anyone sshed in was 3 days prior, and it was me :-). Su was not used at all.
The open services on the machine are:
SSH - which we covered
IMAPS (Dovecot) - Showed no unusual activity, just the usual spam from my filters
SMTP/SMTPS (Sendmail) - Also showed no unusual activity
MySQL - Shows only logins from Wordpress and PHPBB
HTTP/HTTPS (Apache) - Just googlebot (my page doesn't get many visitors), and me checking vnstat.
All other ports are closed both on the router and by the firestarter firewall. A port scan confirms this.
The bandwidth is being recorded for eth1 by vnstat, (I wish it could all be explained away by loopback).
I am noticing something else strange though, I just checked collectd, and it's not showing any significant bandwidth on the interface for that time. Could vnstat have gone crazy? (God I wish it was that easy, but it never is :-)).
Any more thoughts?
Thanks again!
Walton
From: ubuntu-users-bounces at lists.ubuntu.com [mailto:ubuntu-users-bounces at lists.ubuntu.com] On Behalf Of Guy Thouret
Sent: Thursday, February 12, 2009 11:55 AM
To: Ubuntu user technical support, not for general discussions
Subject: Re: Security Issue
On Thu, 2009-02-12 at 13:43 -0500, H.S. wrote:
Walton Hoops wrote:
> I could use some help from the Ubuntu wizards out there.
> I run a home server, using Ubuntu 8.10. It's very low traffic, with most of
> the traffic being e-mail. Last night, over the course of an hour it
> recorded roughly 8 GB (4 up and 4 down) of traffic over the course of 2
> hours (monitoring with vnstat) and then dropped back to normal. Looking at
> the logs, the traffic did not come through apache, sendmail, or SSH. Judging
> from the fact that the up/down are equal, I'm guessing I was used as a
> proxy for something (I don't have a proxy server installed), but I know not
> what. So, I have two questions.
> 1.) Any suggestions on how to further investigate this? At this point I'm
> at a loss.
> 2.) How would you suggest further hardening my security, since it seems it
> was compromised? I use Firestarter to lock down my ports, Fail2Ban to stop
> those pesky SSH brute force attacks, and Snort to keep an eye out for other
> attacks.
> Any input would be appreciated.
> Walton
>
>
I am no security expert, but I would suggest you take out the network
cable of that machine till you are sure it has not been compromised.
Are there other machines on this network?
First place I would start is to check your logs for successful ssh connections:
grep Accepted /var/log/auth.log
This will show you date/time and IP address of successful SSH connections.
To check if any of these have gained root permissions through su:
grep Successful /var/log/auth.log
What services are open on the machine in question?
I would then check the logs for each of the services in question around the time of the activity to see in detail exactly which service generated/consumed the traffic.
At what point are you observing the bandwidth, is this on a router, on the eth0 interface of the machine or an aggregate of all interfaces?
Is it theoretical that 4G out and then in could be on a loopback interface?
Guy.
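The two auth.log checks Guy suggests (accepted SSH logins, successful su), worked into a small shell script as an added example; this is not code from the thread. The log lines are constructed sample data, the function names are my own, and the suspicious_logins helper, which correlates accepted logins with earlier failed attempts from the same address, goes a step beyond what the thread describes.

```shell
#!/bin/sh
# Added example: audit an Ubuntu auth.log for accepted SSH logins and
# successful su escalations, the checks Guy suggested in the thread.
# The log below is constructed sample data written to a temp file, not
# taken from any real system. Each function accepts an optional log path,
# so it can be pointed at /var/log/auth.log on a live machine.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Feb  9 21:02:11 server sshd[4021]: Accepted publickey for walton from 192.0.2.10 port 50211 ssh2
Feb 10 03:14:02 server sshd[4198]: Failed password for root from 198.51.100.7 port 41233 ssh2
Feb 10 03:14:05 server sshd[4198]: Failed password for root from 198.51.100.7 port 41233 ssh2
Feb 11 22:47:53 server sshd[5130]: Accepted password for admin from 198.51.100.7 port 41877 ssh2
Feb 11 22:48:10 server su[5144]: Successful su for root by admin
Feb 11 22:48:10 server su[5144]: + pts/2 admin:root
Feb 12 08:00:01 server CRON[5301]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# Date, time, user and source IP of every accepted SSH login
# (fields: $1-$3 timestamp, $9 user, $11 source address).
ssh_accepted() {
    grep 'sshd\[.*\]: Accepted' "${1:-$SAMPLE_LOG}" |
        awk '{ printf "%s %s %s user=%s from=%s\n", $1, $2, $3, $9, $11 }'
}

# Every successful su, with target account and calling user
# (fields: $9 target, $11 caller).
su_successful() {
    grep 'su\[.*\]: Successful su' "${1:-$SAMPLE_LOG}" |
        awk '{ printf "%s %s %s to=%s by=%s\n", $1, $2, $3, $9, $11 }'
}

# Accepted logins from an address that also produced failed password
# attempts: a success right after a brute-force run deserves a closer look.
# (Hypothetical helper, not one of the commands from the thread.)
suspicious_logins() {
    log="${1:-$SAMPLE_LOG}"
    grep 'sshd\[.*\]: Failed password' "$log" | awk '{ print $11 }' | sort -u |
        while read -r ip; do
            grep "sshd\[.*\]: Accepted .* from $ip port" "$log"
        done
}

echo "== accepted SSH logins =="; ssh_accepted
echo "== successful su =="; su_successful
echo "== accepted after failures =="; suspicious_logins
```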