teknic Posted February 6, 2010

So, I just nmapped all nodes on my network, and my laptop which runs Ubuntu 9.10 seems to have been hacked. Below is what nmap showed for my laptop...

Interesting ports on xxxxxx (192.168.1.xxx):
Not shown: 982 closed ports
PORT      STATE SERVICE
1/tcp     open  tcpmux
22/tcp    open  ssh
79/tcp    open  finger
111/tcp   open  rpcbind
119/tcp   open  nntp
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
1080/tcp  open  socks
1524/tcp  open  ingreslock
2000/tcp  open  callbook
6667/tcp  open  irc
12345/tcp open  netbus
31337/tcp open  Elite
32771/tcp open  sometimes-rpc5
32772/tcp open  sometimes-rpc7
32773/tcp open  sometimes-rpc9
32774/tcp open  sometimes-rpc11

I'd like to find out who attacked me, what their intentions were, where they hacked me from, and when the hack occurred. Can you guys help me get my forensics started? Where should I start and what tools should I use? Thanks!
Sparda Posted February 6, 2010

Did you check what services are running?
teknic (Author) Posted February 6, 2010

> Did you check what services are running?

Here's the output from top...

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
27461 johnny 20 0 537m 216m 40m S 24 10.8 518:19.54 firefox
1367 root 20 0 142m 71m 16m S 1 3.5 148:15.01 Xorg
573 johnny 20 0 2472 1208 884 R 0 0.1 0:00.07 top
1605 root 20 0 5228 2752 2216 S 0 0.1 1:01.57 devkit-power-da
1750 johnny 20 0 96164 9.8m 7608 S 0 0.5 38:56.63 pulseaudio
1 root 20 0 2664 1480 1128 S 0 0.1 0:01.29 init
2 root 15 -5 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root RT -5 0 0 0 S 0 0.0 0:00.00 migration/0
4 root 15 -5 0 0 0 S 0 0.0 1:30.32 ksoftirqd/0
5 root RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/0
9 root 15 -5 0 0 0 S 0 0.0 0:00.35 events/0
11 root 15 -5 0 0 0 S 0 0.0 0:00.00 cpuset
12 root 15 -5 0 0 0 S 0 0.0 0:00.00 khelper
13 root 15 -5 0 0 0 S 0 0.0 0:00.00 netns
14 root 15 -5 0 0 0 S 0 0.0 0:00.00 async/mgr
15 root 15 -5 0 0 0 S 0 0.0 0:00.00 kintegrityd/0
17 root 15 -5 0 0 0 S 0 0.0 0:00.10 kblockd/0
19 root 15 -5 0 0 0 S 0 0.0 0:04.57 kacpid
20 root 15 -5 0 0 0 S 0 0.0 0:00.80 kacpi_notify
21 root 15 -5 0 0 0 S 0 0.0 0:00.00 kacpi_hotplug
22 root 15 -5 0 0 0 S 0 0.0 1:04.44 ata/0
24 root 15 -5 0 0 0 S 0 0.0 0:00.00 ata_aux
25 root 15 -5 0 0 0 S 0 0.0 0:00.00 ksuspend_usbd
26 root 15 -5 0 0 0 S 0 0.0 0:00.00 khubd
27 root 15 -5 0 0 0 S 0 0.0 0:00.61 kseriod
28 root 15 -5 0 0 0 S 0 0.0 0:00.02 kmmcd
29 root 15 -5 0 0 0 S 0 0.0 0:00.00 bluetooth
30 root 20 0 0 0 0 S 0 0.0 0:00.01 khungtaskd
31 root 20 0 0 0 0 S 0 0.0 0:00.00 pdflush
32 root 20 0 0 0 0 S 0 0.0 0:01.38 pdflush
33 root 15 -5 0 0 0 S 0 0.0 0:00.22 kswapd0
34 root 15 -5 0 0 0 S 0 0.0 0:00.00 aio/0
36 root 15 -5 0 0 0 S 0 0.0 0:00.00 ecryptfs-kthrea
37 root 15 -5 0 0 0 S 0 0.0 0:00.00 crypto/0
48 root 15 -5 0 0 0 S 0 0.0 0:00.00 scsi_eh_0
49 root 15 -5 0 0 0 S 0 0.0 1:57.31 scsi_eh_1
51 root 15 -5 0 0 0 S 0 0.0 0:00.00 kstriped
52 root 15 -5 0 0 0 S 0 0.0 0:00.00 kmpathd/0
54 root 15 -5 0 0 0 S 0 0.0 0:00.00 kmpath_handlerd
55 root 15 -5 0 0 0 S 0 0.0 0:00.00 ksnapd
56 root 15 -5 0 0 0 R 0 0.0 0:08.99 kondemand/0
58 root 15 -5 0 0 0 S 0 0.0 0:00.00 kconservative/0
60 root 10 -10 0 0 0 S 0 0.0 0:00.00 krfcommd
334 root 15 -5 0 0 0 S 0 0.0 0:00.00 khpsbpkt
342 root 15 -5 0 0 0 S 0 0.0 0:00.00 knodemgrd_0
357 root 20 0 8524 2968 2348 S 0 0.1 0:00.12 sshd
423 johnny 20 0 8668 1664 1028 S 0 0.1 0:00.03 sshd
424 johnny 20 0 6168 3464 1500 S 0 0.2 0:00.15 bash
429 root 15 -5 0 0 0 S 0 0.0 0:05.33 kjournald2
451 johnny 20 0 3316 1096 880 T 0 0.1 0:00.14 less
487 root 20 0 2152 692 572 S 0 0.0 0:00.09 upstart-udev-br
512 root 16 -4 2548 820 392 S 0 0.0 0:00.12 udevd
669 root 20 0 1852 472 456 S 0 0.0 0:00.19 dd
700 root 15 -5 0 0 0 S 0 0.0 0:00.00 kpsmoused
706 syslog 20 0 34856 1240 976 S 0 0.1 0:03.03 rsyslogd
751 root 15 -5 0 0 0 S 0 0.0 0:00.00 pccardd
801 root 15 -5 0 0 0 S 0 0.0 0:00.00 hd-audio0
812 messageb 20 0 3284 1568 788 S 0 0.1 1:09.99 dbus-daemon
842 root 20 0 20504 3032 2128 S 0 0.1 0:00.43 console-kit-dae
922 avahi 20 0 2824 1492 1232 S 0 0.1 0:01.51 avahi-daemon
923 avahi 20 0 2824 520 316 S 0 0.0 0:00.00 avahi-daemon
931 root 20 0 18584 3948 3304 S 0 0.2 0:38.49 NetworkManager
933 root 20 0 3908 2128 1708 S 0 0.1 0:00.07 modem-manager
946 root 20 0 4784 2284 1936 S 0 0.1 0:03.28 wpa_supplicant
shonen Posted February 6, 2010

Damn, that's a nice big list of open ports. WTF, netbus? People are still using that backdoor? 0_o
teknic (Author) Posted February 6, 2010

Just started up Firestarter on my hacked laptop and immediately found four IPs trying to connect to the following four ports...

60824
35915
51392
42675

I scanned the IPs and they all trace back to Tor exit nodes. Looking further I found about 40 active connections, all from Tor!! What's the best way to determine when the hack happened?
Sparda Posted February 6, 2010

Is your computer exposed to the internet or similar?
teknic (Author) Posted February 6, 2010

Right now it's connected to the internet.
teknic (Author) Posted February 6, 2010

> Damn, that's a nice big list of open ports. WTF, netbus? People are still using that backdoor? 0_o

I thought netbus was a Windows backdoor. What the hell is it doing running on my Linux box?
Sparda Posted February 6, 2010

> Right now it's connected to the internet.

I mean, is it directly connected to the internet or in the DMZ or something?
digip Posted February 6, 2010

There is a 0-day flaw out for Linux right now, I believe for the Samba service.

> @emgent - #samba 3.4.5 0day http://www.youtube.com/watch?v=NN50RtZ2N74 - the client http://backtrack.it/~emgent/samba0day.c
> about 11 hours ago from TTYtter

> Linux, OSX and *nix users: be very afraid (working in 0day remote and local exploiting techniques with @crossbowert_bt). STAY TUNED!
> 7:40 PM Jan 21st from Echofon

And remove it from the internet, unless you are going to monitor it with Wireshark or something; don't let them into your internal network. If you do, unplug all the other machines while doing it so they don't possibly get into another machine on your LAN.
teknic (Author) Posted February 6, 2010

> I mean, is it directly connected to the internet or in the DMZ or something?

It's connected to my router, which is connected to the internet. Not in the DMZ.
digip Posted February 6, 2010

> It's connected to my router, which is connected to the internet. Not in the DMZ.

Check to make sure your router hasn't been whacked either. Does it support VPN, UPnP or remote administration?
shonen Posted February 6, 2010

That's true, first I have heard about netbus on a *nix system. Shouldn't NAT protect against these remote connections? I guess this is the joy of UPnP and reverse connections. Sucks to be you and seems pretty messed up, but the thread is interesting to read while I am at work.

Agreed, disconnect all of your clients. The last thing you need is your Ubuntu install acting as a launching pad to other systems on your internal LAN.
digip Posted February 6, 2010

They could even use your Ubuntu box to MITM your other machines on the LAN, so be careful whatever it is you do.
VaKo Posted February 6, 2010

Firewalls, people! Install them!
still learning Posted February 6, 2010

"31337/tcp open Elite" - that does not look good :(

I thought Ubuntu Linux did not need firewalls or an AV? Or is only FreeBSD or Debian 100% unhackable OTB? Or nothing's unhackable OTB >:)

What are the best firewall systems for Linux and Windows? Comodo and a strong anti-rootkit system for Linux? I am a Linux noob.
teknic (Author) Posted February 6, 2010

Just ran chkrootkit and found the following...

Checking `bindshell'... INFECTED (PORTS: 15 24 6667 31337)

Is there free anti-virus out there that will remove rootkits?
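As an added example (not code from this thread or from nmap/chkrootkit), a small triage script that cross-checks the nmap output from the first post against the chkrootkit bindshell line above: which suspicious ports the two tools corroborate, and which chkrootkit hits the scan never saw and so still need checking by hand. The sample input is copied from the posts; the watchlist and the function names are my own assumptions.

```python
import re

# Constructed sample input: the nmap and chkrootkit output quoted in the thread.
NMAP_OUTPUT = """\
Interesting ports on xxxxxx (192.168.1.xxx):
Not shown: 982 closed ports
PORT STATE SERVICE
1/tcp open tcpmux
22/tcp open ssh
79/tcp open finger
111/tcp open rpcbind
119/tcp open nntp
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
1080/tcp open socks
1524/tcp open ingreslock
2000/tcp open callbook
6667/tcp open irc
12345/tcp open netbus
31337/tcp open Elite
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
"""
CHKROOTKIT_OUTPUT = "Checking `bindshell'... INFECTED (PORTS: 15 24 6667 31337)"

# Assumed defender watchlist: the ports the replies single out as backdoor
# listeners (netbus, "Elite"); not an authoritative signature database.
WATCHLIST = {12345: "netbus", 31337: "Elite"}

def parse_nmap(text):
    """Map open TCP port -> nmap service name from nmap's normal text output."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"^(\d+)/tcp\s+open\s+(\S+)", text, re.M)}

def parse_bindshell(text):
    """Extract the port list from chkrootkit's 'bindshell ... INFECTED' line."""
    m = re.search(r"bindshell'\.\.\.\s+INFECTED\s+\(PORTS:\s*([\d ]+)\)", text)
    return {int(p) for p in m.group(1).split()} if m else set()

def triage(nmap_text, chk_text, watchlist=WATCHLIST):
    """Corroborated ports need explaining; chkrootkit-only ports may simply lie
    outside nmap's default port set, so verify them locally (e.g. netstat -lnt)."""
    open_ports = parse_nmap(nmap_text)
    bindshell = parse_bindshell(chk_text)
    return {
        "watchlist_hits": {p: s for p, s in open_ports.items() if p in watchlist},
        "corroborated": sorted(bindshell & set(open_ports)),
        "chkrootkit_only": sorted(bindshell - set(open_ports)),
    }
```

Note that 982 closed plus 18 open is exactly nmap's default 1000-port set, so a listener on a port outside that set would not appear in the first post's scan at all.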
shonen Posted February 6, 2010

Correct me if I am wrong, but I recall reading somewhere that you can get Avast for Ubuntu.
still learning Posted February 6, 2010

> Just ran chkrootkit and found the following...
> Checking `bindshell'... INFECTED (PORTS: 15 24 6667 31337)
> Is there free anti-virus out there that will remove rootkits?

I believe chkrootkit is supposed to remove it. There may be a special command line or something. I have always heard hardening your Linux kernel is the best way to start off, but I could be wrong.
Burning Aces Posted February 6, 2010

rm -rf /* is my suggestion, haha. Disconnect from the net, get the data you want and reinstall a good distro, or go back to Windows.
digininja Posted February 9, 2010

I'd suggest grabbing off your data and doing a clean install; it is the only sure way to clean off a rootkit.
lopez1364 Posted February 9, 2010

I think this guy made this up or hacked his own box. Too many open ports that would red-flag anybody. Using old backdoors, and nobody would use multiple backdoors.... come on. Seriously.
digip Posted February 9, 2010

Or there was no hack, and it's just stuff he runs doing shit in the background.