A few weeks ago, my machine (let's call it "main") was logged into wirelessly from an unauthorized host, probably using ssh. I did not detect the intrusion until a few days ago, and my machine is completely shut down. I found the login using this line from last:

myusername    pts/1        ipad             Tue Oct 15 22:23 - 22:25  (00:02)

Needless to say, not only does no one in my family own an iPad, but almost none of my friends do, either. This makes me suspect that whoever was behind this changed the hostname of their machine.

Additionally, I discovered this line in the last output on another machine of mine ("secondary"):

myusername    pts/2        :0               Tue Oct 15 22:23 - 22:23  (00:00)

This line coincides with the timestamp from main, which has password-less ssh access (through keys) to secondary. Is it possible that whoever broke into main has also rooted secondary? How can I prevent this from happening again? Are there logs that I can look through to determine exactly how main was accessed (I am the only user on the system and have a very strong password)? Is it at all possible that this is just a weird bug that occurred? Should I, and where should I start looking for rootkits and/or keyloggers?

In short, what should I do?

fouric
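As an added example (not part of the question or any answer), a small Python script that parses `last` output from both machines, flags remote logins whose origin host is outside an assumed allowlist of your own hosts, and reports any session on secondary that started while such a session on main was open. The sample log lines, IP addresses and allowlist are constructed; the year is assumed because `last` omits it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample `last` output for both machines (modelled on the question's lines).
MAIN_LAST = """\
myusername    pts/0        192.168.1.20     Tue Oct 15 20:10 - 21:05  (00:55)
myusername    pts/1        ipad             Tue Oct 15 22:23 - 22:25  (00:02)
myusername    tty7         :0               Mon Oct 14 09:00 - 23:30  (14:30)
"""
SECONDARY_LAST = """\
myusername    pts/2        :0               Tue Oct 15 22:23 - 22:23  (00:00)
myusername    pts/0        192.168.1.10     Mon Oct 14 18:00 - 18:40  (00:40)
"""
# Fields: user, tty, host, "Tue Oct 15 22:23" (start), "22:25" (end)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\w{3} \w{3} +\d+ \d\d:\d\d) - (\d\d:\d\d)")
KNOWN_HOSTS = {"192.168.1.10", "192.168.1.20"}  # assumed allowlist of your own machines

def parse_last(text, year=2013):
    """Turn `last` lines into session dicts with datetime start/end (year assumed)."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip "wtmp begins ..." trailers and blank lines
        user, tty, host, start_s, end_s = m.groups()
        start = datetime.strptime(f"{year} {start_s}", "%Y %a %b %d %H:%M")
        end = datetime.combine(start.date(), datetime.strptime(end_s, "%H:%M").time())
        if end < start:  # session ran past midnight
            end += timedelta(days=1)
        sessions.append({"user": user, "tty": tty, "host": host, "start": start, "end": end})
    return sessions

def suspicious_logins(sessions, known_hosts=KNOWN_HOSTS):
    """Remote (pts) logins whose origin is neither the local display (:0) nor allowlisted."""
    return [s for s in sessions
            if s["tty"].startswith("pts/") and s["host"] != ":0" and s["host"] not in known_hosts]

def correlate(main_sessions, secondary_sessions, slack=timedelta(minutes=5)):
    """Pair each suspicious login on main with secondary sessions that began while it was open."""
    pairs = []
    for m in suspicious_logins(main_sessions):
        for s in secondary_sessions:
            if m["start"] - slack <= s["start"] <= m["end"] + slack:
                pairs.append((m["host"], m["start"], s["tty"], s["host"], s["start"]))
    return pairs

if __name__ == "__main__":
    main, secondary = parse_last(MAIN_LAST), parse_last(SECONDARY_LAST)
    for host, when, tty, src, at in correlate(main, secondary):
        print(f"login from {host!r} on main at {when} overlaps {tty} ({src!r}) on secondary at {at}")
```

On a real system, feed it the output of `last -F` (which includes the year) after adjusting the format string, and remember that wtmp is writable by whoever holds root, so its absence of entries proves nothing.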

3 Answers

As for the possible hard disk hack:

  1. Re-flash your BIOS
  2. Buy a new, minimal USB stick. Boot from that.
  3. Use full-disk encryption for /.
  4. The usual "change all logins" routine.

That should cover any possible hard disk exploit scenario.

What really worries me, though, are the Anti-theft and Management features added to several recent motherboards. Some hardware vendors give the user the option of permanently disabling these features, while some... do not.

I recommend you check whether your motherboard has these remote management features and (if possible) whether they have been activated. Imagine if the remote attacker got his hands on hardware-based remote management capability...

  • This is a good answer (I never thought about checking for remote management features on my motherboard, I shall have to dig around the vendor's web site), but what it doesn't deal with is finding how my machine got broken into in the first place. I could do all this, and yet, if I fail to plug whatever security hole allowed the intruder in originally, it will all be for nothing. I consider myself rather paranoid, and so chances are it was not a simple case of me transmitting my password in cleartext across my wireless network. – fouric Nov 06 '13 at 07:02
  • Yeah, but proper forensics probably requires a lot of time/experience. You may have to pay someone to take a look at your system. Also, you could ask on http://security.stackexchange.com/ although I'm not sure how to do this the right way. I know duplicates are frowned upon. – Eero Aaltonen Nov 06 '13 at 07:59

Take out all your data and do a clean reinstall.

Change all your passwords, including your WiFi passwords.

This way, you know you'll definitely be safe.

Novine
  • I appreciate your suggestion, but (1) there are ways to modify a computer in such a way that a full OS reinstall is still compromised, (2) this concerns at least two computers that I have installed Linux on very many times (at least a dozen between them) and I would not like to do it again, and (3) I would like to know how they got in in the first place. If I just do a reinstall, they might use the exact same method, and then I would have the same problem. What if, instead of discovering my password, they found a vulnerability in ssh? – fouric Oct 29 '13 at 15:36
  • Wow, that's fascinating. I didn't know you could do that to a hard drive. I'm sorry I can't help more. – Novine Oct 29 '13 at 15:52
  • No apology necessary, I am grateful that you tried, and glad that you learned something. If you see anyone who might be able to help, though, please steer them this way! – fouric Oct 29 '13 at 15:55
How about trying a firewall? There is an inbuilt firewall in Ubuntu called ufw - type man ufw for more info and configuration. But it's better to install a graphical application that allows you to configure it. You can try gufw.

Parto
  • Thanks for at least trying to answer my question. However, as you said yourself, ufw is built in to Ubuntu; it was already running on my system when it was compromised, so it obviously didn't help, and will not assist me with forensics, recovery, or adaptation. – fouric Oct 30 '13 at 01:30
  • Unless you had enabled it, ufw is disabled by default. Check out its help document. You can check its status using sudo ufw status verbose; it should return back Status: inactive or active. The firewall was just an idea to prevent future attacks; about forensics, I'm sorry but I can't help you there. I'm not really a security expert. – Parto Oct 30 '13 at 08:21
  • As this answer and this one state, ufw is merely a frontend to iptables. Because iptables manages the kernel firewall, which is enabled by default, turning on ufw will have no effect. – fouric Nov 06 '13 at 18:33