HELP! I've been hacked!!!

[teknic]

So, I just nmaped all nodes on my network, and my laptop which runs ubuntu 9.10 seems to have been hacked.

Below is what nmap showed for my laptop...

Interesting ports on xxxxxx (192.168.1.xxx):

Not shown: 982 closed ports

PORT STATE SERVICE

1/tcp open tcpmux

22/tcp open ssh

79/tcp open finger

111/tcp open rpcbind

119/tcp open nntp

139/tcp open netbios-ssn

143/tcp open imap

445/tcp open microsoft-ds

1080/tcp open socks

1524/tcp open ingreslock

2000/tcp open callbook

6667/tcp open irc

12345/tcp open netbus

31337/tcp open Elite

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

I'd like to find out who attacked me, what their intentions were, where they hacked me from, and when the hack occurred. Can you guys help me get my forensics started? Where should I start and what tools should I use? Thanks!

[Sparda]

Did you check what services are running?

[teknic]

Did you check what services are running?

Here's the output from top...

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND

27461 johnny 20 0 537m 216m 40m S 24 10.8 518:19.54 firefox

1367 root 20 0 142m 71m 16m S 1 3.5 148:15.01 Xorg

573 johnny 20 0 2472 1208 884 R 0 0.1 0:00.07 top

1605 root 20 0 5228 2752 2216 S 0 0.1 1:01.57 devkit-power-da

1750 johnny 20 0 96164 9.8m 7608 S 0 0.5 38:56.63 pulseaudio

1 root 20 0 2664 1480 1128 S 0 0.1 0:01.29 init

2 root 15 -5 0 0 0 S 0 0.0 0:00.00 kthreadd

3 root RT -5 0 0 0 S 0 0.0 0:00.00 migration/0

4 root 15 -5 0 0 0 S 0 0.0 1:30.32 ksoftirqd/0

5 root RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/0

9 root 15 -5 0 0 0 S 0 0.0 0:00.35 events/0

11 root 15 -5 0 0 0 S 0 0.0 0:00.00 cpuset

12 root 15 -5 0 0 0 S 0 0.0 0:00.00 khelper

13 root 15 -5 0 0 0 S 0 0.0 0:00.00 netns

14 root 15 -5 0 0 0 S 0 0.0 0:00.00 async/mgr

15 root 15 -5 0 0 0 S 0 0.0 0:00.00 kintegrityd/0

17 root 15 -5 0 0 0 S 0 0.0 0:00.10 kblockd/0

19 root 15 -5 0 0 0 S 0 0.0 0:04.57 kacpid

20 root 15 -5 0 0 0 S 0 0.0 0:00.80 kacpi_notify

21 root 15 -5 0 0 0 S 0 0.0 0:00.00 kacpi_hotplug

22 root 15 -5 0 0 0 S 0 0.0 1:04.44 ata/0

24 root 15 -5 0 0 0 S 0 0.0 0:00.00 ata_aux

25 root 15 -5 0 0 0 S 0 0.0 0:00.00 ksuspend_usbd

26 root 15 -5 0 0 0 S 0 0.0 0:00.00 khubd

27 root 15 -5 0 0 0 S 0 0.0 0:00.61 kseriod

28 root 15 -5 0 0 0 S 0 0.0 0:00.02 kmmcd

29 root 15 -5 0 0 0 S 0 0.0 0:00.00 bluetooth

30 root 20 0 0 0 0 S 0 0.0 0:00.01 khungtaskd

31 root 20 0 0 0 0 S 0 0.0 0:00.00 pdflush

32 root 20 0 0 0 0 S 0 0.0 0:01.38 pdflush

33 root 15 -5 0 0 0 S 0 0.0 0:00.22 kswapd0

34 root 15 -5 0 0 0 S 0 0.0 0:00.00 aio/0

36 root 15 -5 0 0 0 S 0 0.0 0:00.00 ecryptfs-kthrea

37 root 15 -5 0 0 0 S 0 0.0 0:00.00 crypto/0

48 root 15 -5 0 0 0 S 0 0.0 0:00.00 scsi_eh_0

49 root 15 -5 0 0 0 S 0 0.0 1:57.31 scsi_eh_1

51 root 15 -5 0 0 0 S 0 0.0 0:00.00 kstriped

52 root 15 -5 0 0 0 S 0 0.0 0:00.00 kmpathd/0

54 root 15 -5 0 0 0 S 0 0.0 0:00.00 kmpath_handlerd

55 root 15 -5 0 0 0 S 0 0.0 0:00.00 ksnapd

56 root 15 -5 0 0 0 R 0 0.0 0:08.99 kondemand/0

58 root 15 -5 0 0 0 S 0 0.0 0:00.00 kconservative/0

60 root 10 -10 0 0 0 S 0 0.0 0:00.00 krfcommd

334 root 15 -5 0 0 0 S 0 0.0 0:00.00 khpsbpkt

342 root 15 -5 0 0 0 S 0 0.0 0:00.00 knodemgrd_0

357 root 20 0 8524 2968 2348 S 0 0.1 0:00.12 sshd

423 johnny 20 0 8668 1664 1028 S 0 0.1 0:00.03 sshd

424 johnny 20 0 6168 3464 1500 S 0 0.2 0:00.15 bash

429 root 15 -5 0 0 0 S 0 0.0 0:05.33 kjournald2

451 johnny 20 0 3316 1096 880 T 0 0.1 0:00.14 less

487 root 20 0 2152 692 572 S 0 0.0 0:00.09 upstart-udev-br

512 root 16 -4 2548 820 392 S 0 0.0 0:00.12 udevd

669 root 20 0 1852 472 456 S 0 0.0 0:00.19 dd

700 root 15 -5 0 0 0 S 0 0.0 0:00.00 kpsmoused

706 syslog 20 0 34856 1240 976 S 0 0.1 0:03.03 rsyslogd

751 root 15 -5 0 0 0 S 0 0.0 0:00.00 pccardd

801 root 15 -5 0 0 0 S 0 0.0 0:00.00 hd-audio0

812 messageb 20 0 3284 1568 788 S 0 0.1 1:09.99 dbus-daemon

842 root 20 0 20504 3032 2128 S 0 0.1 0:00.43 console-kit-dae

922 avahi 20 0 2824 1492 1232 S 0 0.1 0:01.51 avahi-daemon

923 avahi 20 0 2824 520 316 S 0 0.0 0:00.00 avahi-daemon

931 root 20 0 18584 3948 3304 S 0 0.2 0:38.49 NetworkManager

933 root 20 0 3908 2128 1708 S 0 0.1 0:00.07 modem-manager

946 root 20 0 4784 2284 1936 S 0 0.1 0:03.28 wpa_supplicant

[shonen]

damn that's a nice big list of open ports. WTF netbus? people are still using that backdoor? 0_o

[teknic]

Just started up firestarter on my hacked laptop and immediately found four IPs trying to connect the following four ports...

60824

35915

51392

42675

I scanned the IPs and they all trace back to tor exit nodes.

Looking further I found about 40 active connection, all from tor!! Whats the best way to determine when the hack happened?

[Sparda]

Is your computer exposed to the internet or similar?

[teknic]

Right now it's connected to the internet.

[teknic]

damn that's a nice big list of open ports. WTF netbus? people are still using that backdoor? 0_o

I thought netbus was a windows backdoor. What the hell is it doing running on my linux box?

[Sparda]

Right now it's connected to the internet.

I mean, is it directly connected to the internet or in the DMZ or some thing?

[digip]

There is a 0-day flaw out for linux right now, I beleive for the samba service.

@emgent - #samba 3.4.5 0day http://www.youtube.com/watch?v=NN50RtZ2N74 - the client http://backtrack.it/~emgent/samba0day.c

about 11 hours ago from TTYtter

Linux, OSX and *nix users: be very afraid (working in 0day remote and local exploiting tecniques with @crossbowert_bt). STAY TUNED!

7:40 PM Jan 21st from Echofon

And remove it from the internet, unless you are going to monitor it with wireshark or somehting, dont let them into your internal network. If you do, unplug all the other machines while doing it so dont possibly get into another machine on your lan.

[teknic]

I mean, is it directly connected to the internet or in the DMZ or some thing?

It's connected to my router which is connected to the internet. Not in the DMZ.

[digip]

It's connected to my router which is connected to the internet. Not in the DMZ.

Check to make sure your router hasent been whacked either. Does it support VPN, uPnP or remote administration?

[shonen]

thats true, first I have heard about netbus on a nix system.

Shouldn't NAT protect against these remote connections? I guess this is the joy of UPnP and reverse connections.

sucks to be you and seems pretty messed up but the thread is interesting to read while I am at work.

Agreed, disconnect all of your clients. last thing you need is your ubuntu install acting as a launching pad to other systems on your internal lan.

[digip]

They could even use your ubuntu box to mitm your other machines on the lan so be carefull whatever it is you do.

[VaKo]

Firewalls people! Install them!

[still learning]

"31337/tcp open Elite"

that does not look good :(

I thought Ubuntu Linux did not need firewalls or an AV? or is only FreeBSD or Debian 100% unhackable OTB? or nothings unhackable OTB >:)

what is the best firewall systems for Linux and Windows?

Comodo and a strong anti rootkit system for Linux? I am a Linux noob.

[teknic]

Just ran chkrootkit and found the following...

Checking `bindshell'... INFECTED (PORTS: 15 24 6667 31337)

Is there free anti-virus out there that will remove rootkits?

[shonen]

Correct me if I am wrong but I recall reading somewhere that you can get avast for ubuntu.

[still learning]

"Just ran chkrootkit and found the following...

Checking `bindshell'... INFECTED (PORTS: 15 24 6667 31337)

Is there free anti-virus out there that will remove rootkits? "

I beleive chkrootkit is suppose to remove it. There maybe a special command line or something. I have always heard hardening your linux kernel is the best way to start off, but could be wrong.

[Burning Aces]

rm -rf /* is my suggestion haha. disconnect from the net get data you want and re install a good distro or go back to windows

[digininja]

I'd suggest grabbing off your data and doing a clean install, it is the only sure way to clean off a rootkit

[lopez1364]

I think this guy made this up or hacked his own box. Too many open ports that would red flag anybody. Using old backdoors and nobody would use multiple backdoors.... come on. Seriously.

[digip]

Or there was no hack, and its just stuff he runs doing shit in the background.