7

I have recently installed Ubuntu 15.xx and I believe my machine has been hacked.

My computer's name has been changed to imatransvestite, and although I can still change passwords, I cannot use sudo without this error: sudo: unable to resolve host imatransvestite

What can I do to fix this, and what should I do?

Thomas Ward
  • 74,764
albvik
  • 71
  • have you configured a root password ? – enzo Nov 05 '15 at 15:39
  • 1
    Reinstall from scratch. Configure the firewall when your installation is completed, and don't use untrusted wireless networks or websites (that's likely a vector for how you got hacked) – Thomas Ward Nov 05 '15 at 15:40
  • @maetsoh Yes I had a password – albvik Nov 05 '15 at 15:40
  • when I type sudo or any command that is using sudo this is the answer "sudo: unable to resolve host imatransvestite" – albvik Nov 05 '15 at 15:41
  • 1
    See @ThomasW.'s advice + you'll need to find out first how you were hacked. Highly unlikely under normal circumstances. – Jacob Vlijm Nov 05 '15 at 15:42
  • 1
    Close Voters: This is not really "too broad" in so much that if they are hacked it's time to 'nuke the system'. My answer gives them a course of action. We do not need to close this as 'broad' – Thomas Ward Nov 05 '15 at 15:54
  • Similar: http://askubuntu.com/q/601869/178596 . I think there was another one where the 'Nuke em from orbit' method was suggested – Wilf Nov 05 '15 at 16:06
  • Your hacker has a strange sense of humour... – Byte Commander Nov 05 '15 at 18:34
  • I've still not come up with a better way of putting it than that, @MichaelKjörling - but people want the "one weird trick to making your server be like it was never hacked in the first place". – Rob Moir Nov 05 '15 at 20:14
  • 1
    If your system has been hacked @albvik then you should be thinking about what information might have been compromised and the possible consequences of that. Is this a personal system with personal data? A server that might hold customer data or could be serving trojanised webpages to visitors? This is potentially more valuable to your attackers (and to yourself) than the simple fact of the hack itself. – Rob Moir Nov 05 '15 at 20:16
  • @RobM I don't currently own any "precious data" on my laptop :) , I got only programming books and stuff like that. I've just begun my journey into cyber-security stuff. – albvik Nov 05 '15 at 21:51
  • 1
    @albvik Welcome to a lesson you should have learned a long time ago. No, this is not a slight. No matter what anyone else said, this is important and I want you to remember this. Security is a process - not an application. The largest vector for vulnerabilities is in the chair -- not in the code. As others have said, nothing on your system can be presumed safe now. Nothing... Learn good backup processes and strictly follow them no matter how tedious they seem. Use strong passwords, keep minimal ports available, and use least permissions. Never make assumptions except to assume it is unsafe. – KGIII Nov 05 '15 at 22:08
  • Reinstalling from scratch is good advice but for any more relevant advice you'd have to give more specific details in the question to narrow it down a bit: for example, are you on a home network, what was the network setup, what do you know about who "hacked" you, etc. For instance, did your little brother simply log in as you using the password he already knows you use ... or was this a secure password and nobody else had physical access ... ? – thomasrutter Nov 06 '15 at 04:58

2 Answers

18

If you have been hacked, or even think you have been hacked, then there is no easy way to determine what all has been done to your system.

In your case, we know that, at the very least, your system's hostname has been changed. However, a backdoor for the hacker could have been installed. Malware could have been installed. Your system could be configured to use poisoned DNS. You could have malware that's downloading very very NSFW illegal things to your computer. There is literally an unending list of things your computer could be doing as a result of being hacked.

Your best solution is to "Nuke It From Orbit"TM, or in layman's terms, "Completely reinstall from scratch".

In addition to reinstalling your system from scratch, take the following steps:

  1. Change all your passwords on websites you use. It's possible your passwords are now in the hands of the hacker, so time to use different ones.
  2. Set up a firewall. After you have a cleanly installed system, run the following commands, to make sure that a firewall is installed and enabled. This will help secure your system:
    sudo apt-get install ufw
    sudo ufw enable
  3. Only use networks and websites which you trust to not be malicious. Unsecured wireless networks are a hacker's paradise, and untrusted sites can have malware or other privacy-violating things on them that can lead to you being hacked.
  4. Use different passwords for every login, and use a password manager to manage/remember them. Make sure a password manager's password doesn't match another password you use, and make sure all your passwords are different. This applies for your user account too going forward. This is one of the most effective methods, but it's a little more difficult.
Thomas Ward
  • 74,764
  • Isn't UFW installed and enabled by default? Or only on newer versions? – Byte Commander Nov 05 '15 at 18:10
  • 1
    @ByteCommander all the ones I've seen, 14.04+, ufw is installed, but I don't think it's enabled. I'm rebuilding my Ubuntu VMs to test, but it never hurts to put it in the list of things to do anyways. Because always verifying is better than not. – Thomas Ward Nov 05 '15 at 18:11
  • That's for sure. But I can't remember having it manually installed on my new 15.10, but it's enabled. – Byte Commander Nov 05 '15 at 18:13
1

If you've been hacked, then your number one priority should be to determine the attack vector -- otherwise it will just end up happening again. Before wiping the system and reinstalling everything, back up any relevant logs and review them. If your attacker did not wipe the logs, then you should have a pretty fair idea of how they got in and what your first steps should be when you do reinstall your system.
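An added example, not part of either answer: a POSIX sh script that preserves the relevant logs and identity files (with a hash manifest) before the reinstall the first answer recommends, then does the first-pass review the second answer suggests. The function names, the file list and the sample log lines are constructed for this illustration.

```shell
# Added example (not from the answers above): preserve logs and identity
# files from the compromised disk before reinstalling, with a hash manifest,
# and do a first-pass review of what was kept. All names are hypothetical.

# preserve_evidence SRC_ROOT DEST_DIR -> prints how many files were preserved.
# SRC_ROOT is "/" on the real machine (run as root there); any other root
# works, which is how the constructed sample below exercises it.
preserve_evidence() {
    src_root="$1"; dest="$2"
    manifest="$dest/manifest-$(date -u +%Y%m%dT%H%M%SZ).txt"
    mkdir -p "$dest" && : > "$manifest" || return 1
    # Logs and config an intruder commonly touches; the hostname/hosts pair is
    # what lies behind the "unable to resolve host" error from the question.
    for rel in var/log/auth.log var/log/syslog var/log/wtmp var/log/btmp \
               etc/hostname etc/hosts etc/passwd etc/crontab etc/sudoers; do
        f="$src_root/$rel"
        [ -f "$f" ] || continue
        mkdir -p "$dest/$(dirname "$rel")"
        cp -p "$f" "$dest/$rel" || return 1     # keep mode and mtime
        sha256sum "$dest/$rel" >> "$manifest"   # lets review prove copies intact
    done
    echo $(( $(wc -l < "$manifest") ))
}

# review_auth AUTH_LOG -> prints the number of successful SSH logins recorded.
review_auth() {
    grep -c 'sshd\[[0-9]*\]: Accepted ' "$1" || true
}

# hostname_resolvable ROOT -> succeeds if etc/hostname is listed in etc/hosts.
# A hostname missing from /etc/hosts is the usual cause of sudo's
# "unable to resolve host NAME" message.
hostname_resolvable() {
    grep -qw "$(cat "$1/etc/hostname")" "$1/etc/hosts"
}

# build_sample ROOT: writes a constructed mini-filesystem used for the demo.
build_sample() {
    mkdir -p "$1/var/log" "$1/etc"
    printf '%s\n' \
      'Nov  5 15:30:01 box sshd[1234]: Accepted password for albvik from 192.0.2.10 port 51515 ssh2' \
      'Nov  5 15:31:07 box sshd[1240]: Failed password for root from 192.0.2.10 port 51520 ssh2' \
      'Nov  5 15:32:44 box sshd[1251]: Accepted publickey for albvik from 192.0.2.11 port 40000 ssh2' \
      > "$1/var/log/auth.log"
    echo 'renamed-by-intruder' > "$1/etc/hostname"
    printf '127.0.0.1\tlocalhost\n127.0.1.1\toriginal-name\n' > "$1/etc/hosts"
}
```

Run it against the real disk as `preserve_evidence / /media/usb/evidence` from a live USB before wiping, then review the copies on a clean machine rather than on the compromised one.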