firephoto
We the people
Premium
join:2003-03-18
Brewster, WA
reply to vue666

Re: Ubuntu computer hijacked by hacker

If it's the ISP provided router/switch it could be vulnerable or just have an easy backdoor in it to access. Since it's not wifi is it an older model? Maybe something specific about it that is detectable to outsiders on the network that lets them get past it.

The mentioned vulnerability with transmission would only affect you on Ubuntu Karmic (9.10) without any specific updates to it yourself. All newer releases of Ubuntu have the fixed version or greater.

Also since you said you saw the mouse pointer moving around it really points to the network since someone exploiting the system isn't likely to make a vnc connection for themselves then check uptime with the gui terminal.
--
Say no to JAMS!


vue666
Small block Chevies rule
Premium
join:2007-12-07
Halifax, NS
kudos:2
No...it's one I purchased locally and have the latest firmware on. It's about 4 years old...


lugnut

@look.ca
A couple of serious pieces of advice I can offer. Install and run chkrootkit and rkhunter. There's maybe a 5% chance they'll find an identifiable rootkit.

BUT, rkhunter installs a utility called unhide. Run

sudo rkhunter brute

And that will at least tell you if there are any hidden processes on your box and provide some indication if you've been rooted or not.

All in all it sounds to me like you're probably rooted up the wazoo and the hacker finally got bored and decided to reveal himself to you for s#|||+s and giggles.

Anyway, no matter how you look at it once a linux box is compromised there simply are no decent tools out there to clean or detect malware so we're all SOL there.


vue666
Small block Chevies rule
Premium
join:2007-12-07
Halifax, NS
kudos:2
reply to vue666
In the auth.log logs I noticed these entries. Are they suspicious?

gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=vetterider
Jan 30 18:05:04 VETTE gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): getting password (0x00000388)
Jan 30 18:05:04 VETTE gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): pam_get_item returned a password
Jan 30 18:05:04 VETTE gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Jan 30 18:05:09 VETTE gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=vetterider
Jan 30 18:05:09 VETTE gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): getting password (0x00000388)
Jan 30 18:05:09 VETTE gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): pam_get_item returned a password
Jan 30 18:05:09 VETTE gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Jan 30 18:05:18 VETTE unix_chkpwd[15376]: password check failed for user (vetterider)
J
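The entries quoted above all have an empty `rhost=` field, which is the detail worth reading out of a PAM failure line: it means the failed password came from the local console (here the screensaver unlock dialog on tty `:0.0`), not from a network login. The parser below is an added example, not code from the thread; it reads auth.log lines like the ones posted, separates local failures from anything carrying a remote host, and skips the winbind noise lines. The sample input is constructed: the first four lines mirror the posted entries, and the two `sshd` lines (remote address 198.51.100.7, a documentation range) are added for contrast so that the remote-versus-local distinction is visible.

```python
import re
from collections import Counter

# Constructed sample. Lines 1-4 mirror the auth.log entries posted in the
# thread; lines 5-6 are constructed sshd entries with a remote rhost so the
# local/remote split has something to show.
SAMPLE_AUTH_LOG = """\
Jan 30 18:05:04 VETTE gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=vetterider
Jan 30 18:05:04 VETTE gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): getting password (0x00000388)
Jan 30 18:05:09 VETTE gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=vetterider
Jan 30 18:05:18 VETTE unix_chkpwd[15376]: password check failed for user (vetterider)
Jan 30 18:07:41 VETTE sshd[15402]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=vetterider
Jan 30 18:07:55 VETTE sshd[15402]: Accepted password for vetterider from 198.51.100.7 port 51022 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host rest"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# pam_unix failure; rhost is empty for console logins, an address/name otherwise
PAM_FAIL_RE = re.compile(
    r"pam_unix\((?P<service>[^:]+):auth\): authentication failure;.*?"
    r"rhost=(?P<rhost>\S*)\s.*?user=(?P<user>\S+)"
)
CHKPWD_RE = re.compile(r"unix_chkpwd\[\d+\]: password check failed for user \((?P<user>[^)]+)\)")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+)")


def parse_auth_log(text):
    """Turn auth.log text into a list of event dicts; unknown lines are ignored."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # truncated or non-syslog line (e.g. a cut-off paste)
        ts, rest = m.group("ts"), m.group("rest")
        f = PAM_FAIL_RE.search(rest)
        if f:
            events.append({"ts": ts, "kind": "pam_failure", "service": f.group("service"),
                           "user": f.group("user"), "rhost": f.group("rhost") or None})
            continue
        c = CHKPWD_RE.search(rest)
        if c:
            events.append({"ts": ts, "kind": "chkpwd_failure", "service": "unix_chkpwd",
                           "user": c.group("user"), "rhost": None})
            continue
        a = ACCEPT_RE.search(rest)
        if a:
            events.append({"ts": ts, "kind": "accepted", "service": "sshd", "user": a.group("user"),
                           "rhost": a.group("rhost"), "method": a.group("method")})
        # pam_winbind "getting password" / wbcLogonUser lines carry no extra
        # signal here and fall through without being recorded
    return events


def summarize(text):
    """Counts per PAM service plus the split that matters: local vs remote origin."""
    events = parse_auth_log(text)
    return {
        "events": events,
        "failures_by_service": Counter(e["service"] for e in events if e["kind"] == "pam_failure"),
        "remote_events": [e for e in events if e["rhost"] is not None],
        "local_failures": [e for e in events if e["kind"] != "accepted" and e["rhost"] is None],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_AUTH_LOG)
    print("failures by service:", dict(s["failures_by_service"]))
    for e in s["local_failures"]:
        print("local   ", e["ts"], e["service"], e["user"])
    for e in s["remote_events"]:
        print("remote  ", e["ts"], e["kind"], e["user"], "from", e["rhost"])
```

Run against the real file with `python3 authlog_summary.py < /var/log/auth.log` after swapping `SAMPLE_AUTH_LOG` for `sys.stdin.read()`; the lines to care about are the ones that land in `remote_events`, since a console password failure on the screensaver says nothing about network access.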


vue666
Small block Chevies rule
Premium
join:2007-12-07
Halifax, NS
kudos:2
rkhunter reported the following....

sudo rkhunter --brute reported no such option... so I ran sudo rkhunter --check

[14:48:16]
[14:48:16] System checks summary
[14:48:17] =====================
[14:48:17]
[14:48:17] File properties checks...
[14:48:17] Files checked: 132
[14:48:17] Suspect files: 0
[14:48:17]
[14:48:17] Rootkit checks...
[14:48:17] Rootkits checked : 242
[14:48:17] Possible rootkits: 0
[14:48:17]
[14:48:17] Applications checks...
[14:48:17] All checks skipped
[14:48:17]
[14:48:17] The system checks took: 5 minutes and 19 seconds
[14:48:17]
[14:48:17] Info: End date is Sun Feb 6 14:48:17 AST 2011

Also chkrootkit reported no problems...


vue666
Small block Chevies rule
Premium
join:2007-12-07
Halifax, NS
kudos:2
Is there a log I can check to see if this is the first & only time these hacker accessed my computer? Or whether there were other times?


lugnut

@look.ca
reply to vue666
sorry. gave you the wrong command. run

sudo unhide brute

unhide is a utility installed by rkhunter that displays hidden processes.

As for rkhunter coming up clean, yer not out of the woods. It only checks for 242 possible rootkits favored by script kiddies. Real hackers write their own rootkits.

Also you can take a look at /var/logs/rkhunter.log for results but the results are pretty much useless after a machine has been compromised.

Proper procedure is to run rkhunter immediately after a clean install and then it keeps a running tab of any changes on your machine on subsequent runs.


vue666
Small block Chevies rule
Premium
join:2007-12-07
Halifax, NS
kudos:2

Just booted up my Ubuntu computer. Ran the unhide brute as sudo.

It found one hidden PID 2163

Of course it wasn't listed in system monitoring... How do I find out what this process or services is?

I ran unhide brute 5 minutes later and it found two more hidden PIDs - 4737 & 4738 but did not report the previous PID...

Once again no luck finding out what these PIDs are...

Ran unhide once more 5 minutes and found nothing....

I was hoping to use

ps aux | grep PID#

to identify something...

Perhaps it was someone at my ISP shutting down my torrents?

What I don't understand is, I always thought VNC was only for local network (or private network) and since my router is blocking port 5900 remote viewing on the other side (public side) of the router's NAT was not possible...
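What `unhide brute` does, and why the PIDs above vanished between runs, is easier to see in code. The script below is an added example written for this thread, not part of unhide or of any post here: it probes every PID with `kill(pid, 0)` (signal 0 tests existence without sending anything, and succeeds or fails with EPERM for any live process), subtracts the PIDs that `/proc` lists (which is what `ps` and the System Monitor read), and treats the remainder as hidden. A process that exits between the probe and the `/proc` listing looks hidden for an instant, which is one plain explanation for a PID that shows up once and is gone five minutes later, so each candidate is re-checked before it is reported. For anything that survives the re-check, `describe_pid` tries `/proc/<pid>/comm`, `cmdline` and `exe`, which is the same information the `ps aux | grep` attempt above was after. It assumes a Linux host with `/proc` mounted.

```python
import os
import subprocess
import sys


def listed_pids():
    """PIDs visible the normal way: numeric entries in /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pid_alive(pid):
    """kill(pid, 0) existence check; EPERM still means the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:   # ESRCH: no such process
        return False
    except PermissionError:      # EPERM: exists, owned by someone else
        return True
    return True


def probe_pids(candidates):
    """Brute-force probe over a PID range, independent of /proc."""
    return {pid for pid in candidates if pid_alive(pid)}


def find_hidden(candidates, recheck=True):
    """PIDs that answer the probe but are missing from /proc.

    recheck drops the race case: a process that exited between the probe and
    the /proc listing is alive-then-gone, not hidden."""
    hidden = probe_pids(candidates) - listed_pids()
    if recheck:
        hidden = {pid for pid in hidden if pid_alive(pid) and pid not in listed_pids()}
    return hidden


def describe_pid(pid):
    """Best-effort identity of a PID from /proc; a hidden one usually yields an error."""
    info = {"pid": pid}
    base = "/proc/%d" % pid
    try:
        with open(base + "/comm") as fh:
            info["comm"] = fh.read().strip()
        with open(base + "/cmdline", "rb") as fh:
            info["cmdline"] = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        info["exe"] = os.readlink(base + "/exe")
    except OSError as exc:
        info["error"] = exc.strerror
    return info


def default_candidates():
    """1..pid_max, the same range a brute-force scan walks."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return range(1, int(fh.read()) + 1)
    except OSError:
        return range(1, 32769)


def own_pid():
    return os.getpid()


def spawn_and_reap():
    """Start a trivial child and wait for it; returns a PID that is now dead."""
    child = subprocess.Popen([sys.executable, "-c", "pass"])
    child.wait()
    return child.pid


if __name__ == "__main__":
    hidden = find_hidden(default_candidates())
    if not hidden:
        print("no hidden PIDs (every probed PID is listed in /proc)")
    for pid in sorted(hidden):
        print("hidden:", describe_pid(pid))
```

Run it as root so the probe and `/proc` reads are not limited to your own processes. A clean result here has the same limit lugnut describes for rkhunter: it only shows that nothing is hiding from `kill()` and `/proc` right now, and a rootkit that hooks both would not appear.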


vue666
Small block Chevies rule
Premium
join:2007-12-07
Halifax, NS
kudos:2
I've run unhide brute a few more times and it's found nothing...


Selenia
Gentoo Convert
Premium
join:2006-09-22
Fort Smith, AR
kudos:2
reply to firephoto
If it's just a switch, it does not employ NAT like a router. Thus, your service would be visible from the outside. Due to the control demonstrated over your X11 session and the cliche terminal entry that followed, I would wager it was your vnc. Simple solution is to be more careful about leaving services open. Your symptoms are not consistent with a buffer overflow exploit. So, relax and firewall and/or password services, as warranted.

Edit: Oops, reply was for OP
--
The new Sony rootkit-Using the ability to remove features you paid for. What's next? Boycott Sony products »[Rant] ps3 update = no more Linux

»It's a Sony (once and forever)


vue666
Small block Chevies rule
Premium
join:2007-12-07
Halifax, NS
kudos:2
Thanks kindly... It's an Airlink101 AR504 router... Sadly it is not supported by the Tomato firmware or other 3rd parties...