Thursday, April 04, 2019

Re: hacked for the second time

On Wed, Apr 03, 2019 at 06:56:39PM +0000, Cord wrote:
> I have a strong suspicion that my OpenBSD box has been hacked for the second time in a few weeks. The first time was some weeks ago; I got suspicious and after a few checks I found that someone had been connected to my VPS via SSH on a non-standard port using my SSH key. The connection came from a Tor exit node. There had been 2 connections, up for 5 days. Now I have some other new suspicions because some private emails seem to be known to others. Also I have found other open sessions on the web GUI of my email provider, but I am absolutely sure I have always logged out.

If you see ssh sessions that shouldn't be there, kill those sessions.

Then before they log in again, do whatever changes are required such as generating
new keys, changing your password or similar, and of course clean up your sshd config.

From your (not very precise) description it could even be that a separate set of
binaries has been installed in addition to the system sshd. Look for those too.

Basically, do not trust your system as it is. Wipe, reinstall and rebuild should be an option.

For the webmail access, do change your password and if they support it, look into
any multi-factor authentication options.

Moving forward, learn how to read and interpret logs and for that matter packet captures.

The information you have offered up does not give any indication how the suspected
attackers got hold of enough information to get access (if indeed it is what happened).

That information could possibly be found in your logs, but in my experience it is far
more likely that somebody with access to the system made some stupid mistake such
as clicking a link in a mailed webpage, speaking their password out loud within
hearing distance of somebody with enough context information to be able to use it,
or something else equally cringeworthy. Then your logs would only show a successful
login, perhaps from somewhere unexpected, as the start of the compromise.

I hope some of this stream of semi-random items is of some use.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
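The reply above ends on reading the logs: with a stolen key, all the log will show is a successful publickey login from an unexpected address. As an added example (not part of the original post or of any OpenBSD tool), here is a small Python triage script that parses the `Accepted publickey` lines sshd writes to OpenBSD's `/var/log/authlog`, flags logins from addresses the operator does not recognise, and lists which source addresses each key fingerprint was used from. The log excerpt, hostnames, addresses and fingerprints are constructed for the example; the allowlist of known source addresses is an assumption the operator has to supply.

```python
import re
from collections import defaultdict

# OpenSSH's "Accepted" line as it appears in an OpenBSD authlog:
#   Mon DD HH:MM:SS host sshd[pid]: Accepted METHOD for USER from SRC port N ssh2: KEYTYPE SHA256:...
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
    r"(?: ssh2(?:: (?P<keytype>\S+) (?P<fp>\S+))?)?"
)

# Constructed sample authlog excerpt. Host, user, addresses and fingerprints are
# invented; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_AUTHLOG = """\
Mar 28 07:12:01 vps sshd[4321]: Accepted publickey for cord from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:KEYFP-EXAMPLE-A
Mar 29 22:40:17 vps sshd[4488]: Accepted publickey for cord from 198.51.100.77 port 41234 ssh2: ED25519 SHA256:KEYFP-EXAMPLE-A
Mar 29 22:40:19 vps sshd[4488]: Disconnected from user cord 198.51.100.77 port 41234
Mar 30 01:05:44 vps sshd[4601]: Accepted publickey for cord from 198.51.100.77 port 41290 ssh2: ED25519 SHA256:KEYFP-EXAMPLE-A
Mar 30 09:00:00 vps sshd[4702]: Failed password for root from 203.0.113.5 port 33001 ssh2
Apr  1 18:03:12 vps sshd[4999]: Accepted publickey for cord from 192.0.2.10 port 50301 ssh2: ED25519 SHA256:KEYFP-EXAMPLE-A
"""


def parse_accepted(log_text):
    """Return one dict (timestamp, user, source, port, key fingerprint...) per successful login."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            logins.append(m.groupdict())
    return logins


def unexpected_logins(logins, known_sources):
    """Successful logins whose source address is not in the operator's known set.
    known_sources is an assumption: the operator's own list of addresses they log in from."""
    return [l for l in logins if l["src"] not in known_sources]


def sources_per_key(logins):
    """Map each key fingerprint to the sorted list of source addresses that used it.
    A known key showing up from a new address is exactly the pattern the reply
    describes: the key itself was used, so there is no failed-password noise to notice."""
    by_key = defaultdict(set)
    for l in logins:
        if l.get("fp"):
            by_key[l["fp"]].add(l["src"])
    return {fp: sorted(srcs) for fp, srcs in by_key.items()}


def triage(log_text, known_sources):
    """Summarise the log: total successful logins, the unexpected ones, and key-to-source usage."""
    logins = parse_accepted(log_text)
    return {
        "logins": len(logins),
        "unexpected": [(l["ts"], l["user"], l["src"], l.get("fp"))
                       for l in unexpected_logins(logins, known_sources)],
        "sources_per_key": sources_per_key(logins),
    }


if __name__ == "__main__":
    # Real use: triage(open("/var/log/authlog").read(), known_sources={...})
    report = triage(SAMPLE_AUTHLOG, known_sources={"192.0.2.10"})
    print(f"{report['logins']} successful logins")
    for ts, user, src, fp in report["unexpected"]:
        print(f"UNEXPECTED {ts} user={user} from={src} key={fp}")
    for fp, srcs in report["sources_per_key"].items():
        print(f"key {fp} used from: {', '.join(srcs)}")
```

On the constructed excerpt the script reports four successful logins, two of them from an address outside the allowlist, and shows the single key fingerprint being used from both the expected and the unexpected address, which is the "successful login, perhaps from somewhere unexpected" the reply tells you to look for. Once that is found, the rest of the advice follows: kill the session, replace the key, and treat the box as untrusted.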
