Hacked - Have info on the culprit...
I have a linode that I allow a friend to use to host his webpages. He has a limited user account, and is restricted to hi home directory, but he also needed console access, which he has (had) through ssh.
Apparently, he changed his default password from a very difficult one to one that mathces his username… yes, silly. My mistake for not putting a policy in to prevent him from doing this.
Somehow, by probing random accounts, is my guess, someone was able to login, and on the 5th attempt, happened to try the username password combo, and immediatly began sending out phishing emails from this users mail account (thousands of them) using php. Thank you .bash_history.
I have disabled the account and locked out the phisher, and noticed in their scripts that they left behind that they are wgetting files from a particular domain to help with this phishing (i.e. they log in, wget the tarball, unpack it and type php 'file.php' from the unpacked directories). My question is this:
Who should I report this to? The registrar for the domain name that is hosting the files?
Any help is appreciated.
Paul
9 Replies
@pmmenneg:
Who should I report this to? The registrar for the domain name that is hosting the files?
There is very little that the registrar can do other than revoke the domain, and I'm sure they'll require a pretty high standard of proof before they do that. No, the correct place to report this is with the FBI, for the break-in, and the FTC, who will be very interested in the phishing. They will persue the case much greater resources than you have at your own personal disposal. Be prepared to turn over various logs, including stuff from /var/log and the .bash_history of that shell account.
Also, dude…. passwords? That is so 20th century.
Yeah, passwords are a little outdated… got a solution for a joe six-pack type user (my buddy)? Getting him to use SSH was like getting blood from a stone. Certificate based authentication seems to be beyond his grasp; any other suggestions?
I know this is harsh, but, if he isn't willing to learn, he isn't worthy to use your system.
But, when you use ssh-agent on ix, or Pageant on Windows, an SSH key is (IMO) easier* to use than password authentication - and a hell of a lot more secure (provided that the key itself is passphrase-protected, of course).
pmmenneg - I take it the tarball in your case was disguised as a jpeg and created a directory called '. ' in the users home directory?
I have restricted the access to ssh to few trusted ip-addresses - but am a little concerned as to how the account was compromised. Out of curiosity which linode host was your system on?
@Miraz:
I have had exactly the same compromise on one of my linodes - the account and password used were both random alphanumeric strings, and the logs indicate that they were not brute forced.
pmmenneg - I take it the tarball in your case was disguised as a jpeg and created a directory called '. ' in the users home directory?
I have restricted the access to ssh to few trusted ip-addresses - but am a little concerned as to how the account was compromised. Out of curiosity which linode host was your system on?
Yes, it is curious to be sure. My setup was not brute-forced, although the password being equal to the username is a easy target. But I have NO idea how the attacker even knew that the username existed on the server, as the user has never sent an email using it, etc.
Yes, a hidden directory was created with .' ' on my user home dir (according to the bash_history), but I can't seem to find the directory anywhere (it looks like it was deleted, unless I am just doing something wrong in trying to 'cd' into it.
The tarball was not even disguised as a .jpg, just a .tar.gz.
I am on host18. Something smells fishy about this. How on earth could they have figured out your user/pass combo without a brute-force?
Do you have phpBB running anywhere on your Linode? That sounds suspiciously like the kind of compromise that I've seen result from older versions of phpBB with security issues.
find / -name '. '
or
cd '. '
from within the users home directory
I do have phpBB - but it is a current install and is running chrooted, so I thought it was probably unlikely to be the problem.
Alert US CERT
Alert ISP
Now, we provide security for several government customers and any crack attempts require notification to US CERT. And also, since some of our government customers have clout, they can request takedown notices to ISPs (usually regarding phishing incidents).
I suggest trying and not worrying so much about whether they'll do anything. I'd much rather make the effort in sending some type of notification, as you never know how they'll respond.
The last time I noticed suspicious activity, it was a DOD computer that was hammering my border router with spam. I alerted them but never got a response, but did notice that the activity stopped.
@inkblot:
There is very little that the registrar can do other than revoke the domain, and I'm sure they'll require a pretty high standard of proof before they do that. No, the correct place to report this is with the FBI, for the break-in, and the FTC, who will be very interested in the phishing. They will persue the case much greater resources than you have at your own personal disposal. Be prepared to turn over various logs, including stuff from /var/log and the .bash_history of that shell account.
Also, dude…. passwords? That is so 20th century.
Pretty handy link to get the ball rolling when this happens.