SSH hacked?
Knapp
magick.crow at gmail.com
Tue Jan 13 06:41:38 UTC 2009
On Mon, Jan 12, 2009 at 11:21 PM, NoOp <glgxg at sbcglobal.net> wrote:
> On 01/12/2009 01:49 PM, Knapp wrote:
> > Today I was sitting next to my computer and I could hear the HD going on
> > and on, like I was doing a torrent or something. I was not doing anything,
> > so I looked to see what was running in the background. Nothing like that
> > was. Then I looked at my firewall and saw one connection that was uploading
> > to my computer with ssh. At this point Firestarter crashed so I could not
> > copy down the sender's address, but it was odd and ended in
> > www.?????????????.NL
> >
> > I have about 4 people that can use SSH with my computer and the whole
> > system is set for using only gpg type passwords. So my questions are: how
> > can I find out what was uploaded? How could I have been hacked? And how can
> > I stop it from happening again? For now the ssh port is closed. This is not
> > a problem because it is only used about one time a quarter.
> > Thanks!
> >
>
> For where it came from have a look in /var/log/auth.log
>
> It should show something along the lines of:
>
> Jan 12 14:06:22 <user> sshd[12412]: Accepted password for <username>
> from 192.168.4.103 port 54921 ssh2
> Jan 12 14:06:22 <user> sshd[12414]: pam_unix(sshd:session): session
> opened for user <username> by (uid=0)
> Jan 12 14:06:32 <user> sshd[12414]: pam_unix(sshd:session): session
> closed for user <username>
>
> $ cat /var/log/auth.log |grep sshd
>
> To stop it happening again, I'd recommend looking into denyhosts &
> changing your ssh port number from the default 22. Note: changing the
> port number from 22 won't stop someone that is determined to scan all of
> your system for ssh, however it will stop a lot of the random script
> kiddies that only scan for standard ports.
>
>
Jan 12 22:20:56 frog sshd[16221]: warning: /etc/hosts.deny, line 120: host name/name mismatch: www.kpnglasvezelaanvragen.nl != hosted.by.pcextreme
Jan 12 22:20:56 frog sshd[16221]: Address 85.92.138.150 maps to www.kpnglasvezelaanvragen.nl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jan 12 22:20:56 frog sshd[16221]: User root not allowed because account is locked
Jan 12 22:20:56 frog sshd[16222]: input_userauth_request: invalid user root
Jan 12 22:20:56 frog sshd[16224]: warning: /etc/hosts.deny, line 120: host name/name mismatch: www.kpnglasvezelaanvragen.nl != hosted.by.pcextreme
Jan 12 22:20:57 frog sshd[16224]: Address 85.92.138.150 maps to www.kpnglasvezelaanvragen.nl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jan 12 22:20:57 frog sshd[16224]: User root not allowed because account is locked
Jan 12 22:20:57 frog sshd[16225]: input_userauth_request: invalid user root
Jan 12 22:20:57 frog sshd[16226]: warning: /etc/hosts.deny, line 120: host name/name mismatch: www.kpnglasvezelaanvragen.nl != hosted.by.pcextreme
Jan 12 22:20:57 frog sshd[16226]: Address 85.92.138.150 maps to www.kpnglasvezelaanvragen.nl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jan 12 22:20:57 frog sshd[16226]: User root not allowed because account is locked
Jan 12 22:20:57 frog sshd[16228]: input_userauth_request: invalid user root
Jan 12 22:20:58 frog sshd[16229]: warning: /etc/hosts.deny, line 120: host name/name mismatch: www.kpnglasvezelaanvragen.nl != hosted.by.pcextreme
Jan 12 22:20:58 frog sshd[16229]: Address 85.92.138.150 maps to www.kpnglasvezelaanvragen.nl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jan 12 22:20:58 frog sshd[16229]: User root not allowed because account is locked
Jan 12 22:20:58 frog sshd[16230]: input_userauth_request: invalid user root
Jan 12 22:20:58 frog sshd[16232]: warning: /etc/hosts.deny, line 120: host name/name mismatch: www.kpnglasvezelaanvragen.nl != hosted.by.pcextreme
Looks to me like he did not get in. I am running Denyhost. Perhaps the disk
noise was the logging? But it did say connected in the firewall. Maybe it
said that to accept the password?
Yes, by gpg I do mean strong key. I use port 22 because that is the
standard, and I have read many people saying that changing it does help.
Here is my settings file; are there mistakes?
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
# (comments must sit on their own line in sshd_config; a trailing comment
# after a directive is rejected as garbage at end of line)
# change to 20 seconds later if all is well
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
# key validation never fails
MaxAuthTries 1
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
AllowGroups sshusers
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
# only 2 people can perform login at the same time.
MaxStartups 2
Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM no
Can this Cracker be tracked down?
--
Douglas E Knapp
Amazon Gift Cards; let them choose!!
http://www.amazon.com/gp/product/B001078FFE?ie=UTF8&tag=seattlebujinkand&linkCode=as2&camp=1789&creative=9325&creativeASIN=B001078FFE
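An added example, not part of the thread: a small Python script that does what NoOp's grep over auth.log does but keeps the result structured, so an accepted login is reported separately from rejected root attempts like the ones in Knapp's log, with the rejected attempts attributed to their source address by matching the sshd pid. The sample log is constructed from the lines quoted in this thread; the user alice and the 192.168.4.103 login are placeholders taken from NoOp's template line.

```python
import re
from collections import Counter

# Sample auth.log excerpt, constructed from the lines quoted in this thread;
# user "alice" and the 192.168.4.103 login are placeholders.
SAMPLE_LOG = """\
Jan 12 14:06:22 frog sshd[12412]: Accepted password for alice from 192.168.4.103 port 54921 ssh2
Jan 12 14:06:22 frog sshd[12414]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 12 22:20:56 frog sshd[16221]: Address 85.92.138.150 maps to www.kpnglasvezelaanvragen.nl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jan 12 22:20:56 frog sshd[16221]: User root not allowed because account is locked
Jan 12 22:20:56 frog sshd[16222]: input_userauth_request: invalid user root
Jan 12 22:20:57 frog sshd[16224]: Address 85.92.138.150 maps to www.kpnglasvezelaanvragen.nl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jan 12 22:20:57 frog sshd[16224]: User root not allowed because account is locked
"""

ACCEPTED = re.compile(r"sshd\[(\d+)\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
ADDRESS = re.compile(r"sshd\[(\d+)\]: Address (\S+) maps to (\S+), but this does not map back")
NOT_ALLOWED = re.compile(r"sshd\[(\d+)\]: User (\S+) not allowed because")


def summarize(log_text):
    """Split sshd lines into accepted logins and rejected attempts.
    "User X not allowed" has no peer address; take it from the same pid."""
    addr_by_pid = {}
    accepted = []          # (user, address, auth method)
    rejected = Counter()   # (user, address) -> number of attempts
    rdns_mismatch = set()  # (address, forward name it claimed)
    for line in log_text.splitlines():
        if m := ADDRESS.search(line):
            pid, addr, name = m.groups()
            addr_by_pid[pid] = addr
            rdns_mismatch.add((addr, name))
        elif m := ACCEPTED.search(line):
            _pid, method, user, addr = m.groups()
            accepted.append((user, addr, method))
        elif m := NOT_ALLOWED.search(line):
            pid, user = m.groups()
            rejected[(user, addr_by_pid.get(pid, "unknown"))] += 1
    return {"accepted": accepted, "rejected": rejected, "rdns_mismatch": rdns_mismatch}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for user, addr, method in report["accepted"]:
        print(f"ACCEPTED {user} from {addr} ({method})")
    for (user, addr), n in report["rejected"].most_common():
        print(f"REJECTED {user} from {addr}, {n} attempt(s)")
```

Run it against a real file with `summarize(open("/var/log/auth.log").read())`; any entry under "accepted" from an address you do not recognise is the line worth investigating, while the locked-root rejections are the noise the thread is looking at.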