Before I powered down, while looking through the system logs on my poor
hacked computer, I noticed it was running chronyd, because it
complained. It is an old Fedora 13 system. It runs ntpd. That's bad.
But on the VM and different box I am on now, running Fedora 33, I
get:
[gary@entertain Mail]$ man -k date
date: nothing appropriate.
[gary@entertain Mail]$ man date
[gary@entertain Mail]$ man man
Where man date returns a man page. And according to the man page for
man:
man -k printf
Search the short descriptions and manual page names for the keyword
printf as regular expression. Print out any matches. Equivalent
to apropos printf.
Obviously man -k doesn't work.
I've been noticing more and more cruft like this. All kinds of things,
especially at the command line, where you can see, are broken.
I'm temporarily working from my entertainment system.
In reading so far, it looks like this is some kind of SSH key attack.
Makes me wonder why the default permissions in .ssh are what they are.
I must be missing something because the articles seem to call the .pub
file the private key. One even had a graphic with xxx.pub circled, to
show me where the private key is.
-Gary
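The question above about .ssh permissions and which file is the private key is the kind of thing a short check script answers. The following is an added example, not code from the thread: it tells private keys from public keys by their content rather than their file name (OpenSSH private keys start with a "-----BEGIN ... PRIVATE KEY-----" line, while a .pub file is a single line starting with the key type such as ssh-ed25519), and it flags the modes that ssh and sshd actually reject: a private key readable by group or other is ignored by the ssh client, and an authorized_keys file writable by group or other is refused by sshd under StrictModes. The demo directory, file names and placeholder key contents are constructed for the example.

```python
import os
import stat
import tempfile

# Header lines that mark a file as a private key (OpenSSH and older PEM forms).
PRIVATE_HEADERS = (
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN DSA PRIVATE KEY-----",
)
# A public key file is one line beginning with the key type.
PUBLIC_PREFIXES = ("ssh-rsa ", "ssh-ed25519 ", "ssh-dss ", "ecdsa-sha2-",
                   "sk-ssh-ed25519", "sk-ecdsa-")


def classify(path):
    """Classify a file in ~/.ssh by content, not by its name or extension."""
    name = os.path.basename(path)
    if name in ("authorized_keys", "known_hosts", "config"):
        return name
    with open(path, "rb") as fh:
        first = fh.readline().decode("utf-8", "replace").strip()
    if first in PRIVATE_HEADERS:
        return "private_key"
    if first.startswith(PUBLIC_PREFIXES):
        return "public_key"
    return "other"


def classify_dir(ssh_dir):
    return {name: classify(os.path.join(ssh_dir, name))
            for name in sorted(os.listdir(ssh_dir))
            if os.path.isfile(os.path.join(ssh_dir, name))}


def audit_ssh_dir(ssh_dir):
    """Return (name, kind, problem) for every permission ssh/sshd would reject."""
    findings = []
    dmode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if dmode & 0o077:
        findings.append((".", "dir", "mode %o; expected 700" % dmode))
    for name, kind in classify_dir(ssh_dir).items():
        mode = stat.S_IMODE(os.stat(os.path.join(ssh_dir, name)).st_mode)
        if kind == "private_key" and mode & 0o077:
            # ssh prints "UNPROTECTED PRIVATE KEY FILE" and ignores the key
            findings.append((name, kind, "mode %o readable by others; use 600" % mode))
        elif kind == "authorized_keys" and mode & 0o022:
            # sshd with StrictModes refuses a group/world-writable file
            findings.append((name, kind, "mode %o writable by group/other" % mode))
    return findings


def build_demo_dir():
    """Constructed .ssh directory with deliberate mistakes (placeholder keys,
    not real key material): a world-readable private key and a 755 directory."""
    d = tempfile.mkdtemp(prefix="ssh-demo-")
    files = {
        "id_ed25519": ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                       "placeholder-not-a-real-key\n"
                       "-----END OPENSSH PRIVATE KEY-----\n", 0o644),
        "id_ed25519.pub": ("ssh-ed25519 AAAAplaceholder constructed@example\n", 0o644),
        "authorized_keys": ("ssh-ed25519 AAAAplaceholder constructed@example\n", 0o600),
    }
    for name, (content, mode) in files.items():
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    os.chmod(d, 0o755)
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    for name, kind in classify_dir(demo).items():
        print("%-16s %s" % (name, kind))
    for finding in audit_ssh_dir(demo):
        print("PROBLEM:", finding)
```

Run it against a real directory with audit_ssh_dir(os.path.expanduser("~/.ssh")); the demo directory only exists so the checks can be exercised offline.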
Just when I was thinking of resurrecting meetings, Hacker Lab decided to
close! Wouldn't you know it! I wonder if Silver Skillet is still open?!
--
Brian Lavender
http://www.brie.com/brian/
"There are two ways of constructing a software design. One way is to
make it so simple that there are obviously no deficiencies. And the other
way is to make it so complicated that there are no obvious deficiencies."
Professor C. A. R. Hoare
The 1980 Turing award lecture
It looks like I've been hacked.
I came home after being away for 3 days to find my system had been rebooted. I have other systems that were fine, so I knew it wasn't a power glitch. My systems don't reboot if the power comes on. I checked my logs and the reboot occurred at about 11 PM on Friday.
Before that, for at least hours and possibly days, there were a lot of login attempts. Some from users named terrorist, some that trace to Iran. I checked the audit log and found this:
type=CRYPTO_KEY_USER msg=audit(1659374984.916:5741): pid=5877 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=5878 suid=74 rport=51686 laddr=192.168.2.5 lport=23 exe="/usr/sbin/sshd" hostname=? addr=156.251.130.170 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1659374984.917:5742): pid=5877 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=b3:4d:28:a2:ce:77:2a:f8:58:21:75:95:d1:08:6d:26 direction=? spid=5877 suid=0 exe="/usr/sbin/sshd" hostname=? addr=156.251.130.170 terminal=? res=success'
It traces to Africa. And I run sshd on port 23. This is the only IP I've found successful logins from. So, I've added a reject rule to the firewall.
It is interesting that journalctl only reports failed logins from this IP since the reboot. Audit.log has the successes, but no timestamp. I'm not sure why there should be continued failures from this address.
And now, I've got to start cleaning up.
And redoing with better security. Sigh.
-Gary
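The audit records quoted in the message above are the raw material for the cleanup, and a small parser makes them easier to work with than grepping. The following is an added example, not code from the thread: it parses Linux audit records of the form type=... msg=audit(SEC.MS:SERIAL): key=value ... msg='key=value ...' into dicts, converts the audit(...) prefix (which is seconds since the Unix epoch) into a UTC timestamp, and summarises per remote address the success/failed results, record types, first and last times, and the local port sshd answered on (lport=23 in the quoted records). The sample input consists of the two CRYPTO_KEY_USER lines from the post plus two USER_LOGIN lines constructed here so that both a failed and a successful login appear; the constructed lines are not from the original system.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Sample log: lines 1-2 are the records quoted in the post; lines 3-4 are
# constructed USER_LOGIN records added for this example.
SAMPLE_AUDIT_LOG = """\
type=CRYPTO_KEY_USER msg=audit(1659374984.916:5741): pid=5877 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=5878 suid=74 rport=51686 laddr=192.168.2.5 lport=23 exe="/usr/sbin/sshd" hostname=? addr=156.251.130.170 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1659374984.917:5742): pid=5877 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=b3:4d:28:a2:ce:77:2a:f8:58:21:75:95:d1:08:6d:26 direction=? spid=5877 suid=0 exe="/usr/sbin/sshd" hostname=? addr=156.251.130.170 terminal=? res=success'
type=USER_LOGIN msg=audit(1659375010.100:5750): pid=5890 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="terrorist" exe="/usr/sbin/sshd" hostname=? addr=156.251.130.170 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1659375020.200:5751): pid=5891 uid=0 auid=1000 ses=12 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.10 terminal=/dev/pts/0 res=success'
"""

_HEAD = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# key=value tokens; a value is single-quoted, double-quoted, or a bare word.
_KV = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def parse_kv(text):
    """Turn 'a=1 b="x y" c=?' into a dict, stripping surrounding quotes."""
    fields = {}
    for key, val in _KV.findall(text):
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            val = val[1:-1]
        fields[key] = val
    return fields


def parse_record(line):
    """Parse one audit record; returns None for lines that are not records."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rec = {
        "type": m["type"],
        "serial": int(m["serial"]),
        # audit(SEC.MS:SERIAL): SEC is seconds since the epoch
        "time": datetime.fromtimestamp(int(m["sec"]), tz=timezone.utc),
    }
    outer = parse_kv(m["rest"])
    inner = outer.pop("msg", None)   # msg='...' nests its own key=value pairs
    rec.update(outer)
    if inner is not None:
        rec.update(parse_kv(inner))
    return rec


def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def summarize_by_address(records):
    """Per remote addr: result counts, record types, first/last time, lport."""
    summary = defaultdict(lambda: {"success": 0, "failed": 0, "types": set(),
                                   "first": None, "last": None, "lport": None})
    for rec in records:
        addr = rec.get("addr")
        if addr in (None, "?"):
            continue
        s = summary[addr]
        if rec.get("res") in ("success", "failed"):
            s[rec["res"]] += 1
        s["types"].add(rec["type"])
        s["first"] = rec["time"] if s["first"] is None else min(s["first"], rec["time"])
        s["last"] = rec["time"] if s["last"] is None else max(s["last"], rec["time"])
        if "lport" in rec:
            s["lport"] = int(rec["lport"])
    return dict(summary)


def addresses_with_success(summary):
    """Non-private remote addresses that produced any res=success record."""
    hits = []
    for addr, s in summary.items():
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if s["success"] and not ip.is_private:
            hits.append(addr)
    return sorted(hits)


if __name__ == "__main__":
    summary = summarize_by_address(parse_log(SAMPLE_AUDIT_LOG))
    for addr, s in summary.items():
        print(addr, s["first"].isoformat(), s["last"].isoformat(),
              "ok=%d failed=%d" % (s["success"], s["failed"]),
              sorted(s["types"]), "lport=%s" % s["lport"])
    print("successes from outside private ranges:", addresses_with_success(summary))
```

On a real box, feed it the contents of /var/log/audit/audit.log (or the output of ausearch) instead of the sample; the summary gives each remote address with the UTC time of its first and last record, which is what you want when lining audit.log up against journalctl.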