
How to be hacked quite simply…

February 3, 2014

Here is the short story:

auth.log:Feb 2 13:20:33 xxx sshd[25786]: Accepted password for alexandre from 109.205.116.162 port 53320 ssh2
auth.log:Feb 2 13:20:34 xxx sshd[25786]: pam_unix(sshd:session): session opened for user alexandre by (uid=0)
auth.log:Feb 2 13:20:34 xxx sshd[25786]: pam_env(sshd:session): Unable to open env file: /etc/default/locale: No such file or directory
auth.log:Feb 2 13:21:11 xxx sshd[25786]: pam_unix(sshd:session): session closed for user alexandre

Well, in fact, the user “alexandre” is my son. He has a simple e-mail address on this machine. I don’t know how to connect and I’m not sure my son can do some IP spoofing… The IP address is based near Fallujah, in Iraq (and my son is not currently located in Iraq).

The password was too simple. If I look in the system logs, I can see many attacks on the SFTP port and the SSH connection (the remote one), usually made from China (don’t ask me why). Of course, all these attacks are automatic ones: I don’t worry a lot about them.

Why did this one worry me? Because the first thing the hacking machine tried was to get root by running a sudo command. Fortunately, such users have no administrative privileges. Then I received an email, since someone had tried to gain that power:

xxx : Feb  2 13:20:44 : alexandre : user NOT in sudoers ; TTY=pts/1 ; PWD=/xxx/xxx/home/alexandre ; USER=root ; COMMAND=/usr/bin/id

Well, it was a good idea to give very little power to a user… Now I will change the passwords even for such users: this is a very important way to protect your system. This is the first time I have seen an intruder so close to succeeding. And I give you this advice: do the same.
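The sequence above (a password login accepted, then a sudo attempt by a user who is not a sudoer a few seconds later) is exactly what I would want an alert for. The following is an added example, not part of the original post: a small Python check over constructed auth.log lines in syslog format (modelled on the ones shown, with the sudo event as it appears in auth.log rather than in the notification email; the host name, the second user and the second IP are made up) that flags a “user NOT in sudoers” event following a password login by the same user within a short window.

```python
import re
from datetime import datetime

# Constructed sample auth.log lines modelled on the post (syslog format, not the
# author's exact file): a password login, a sudo attempt by that user, and an
# unrelated key-based login plus sudo attempt that should not be flagged.
AUTH_LOG = """\
Feb  2 13:20:33 xxx sshd[25786]: Accepted password for alexandre from 109.205.116.162 port 53320 ssh2
Feb  2 13:20:34 xxx sshd[25786]: pam_unix(sshd:session): session opened for user alexandre by (uid=0)
Feb  2 13:20:44 xxx sudo:  alexandre : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/alexandre ; USER=root ; COMMAND=/usr/bin/id
Feb  2 13:21:11 xxx sshd[25786]: pam_unix(sshd:session): session closed for user alexandre
Feb  2 14:02:01 xxx sshd[25901]: Accepted publickey for admin from 192.0.2.10 port 40100 ssh2
Feb  2 14:02:30 xxx sudo:  admin : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/ls
"""

TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
ACCEPTED = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
NOT_SUDOER = re.compile(TS + r" \S+ sudo:\s+(\S+) : user NOT in sudoers ;.*COMMAND=(\S+)")


def parse_ts(text):
    """Parse a syslog timestamp (no year; the year is irrelevant for deltas)."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def find_escalation_attempts(log_text, window_seconds=300):
    """Flag a 'user NOT in sudoers' event that follows a *password* login of the
    same user within window_seconds. Returns (user, source_ip, command, delay)."""
    last_password_login = {}  # user -> (login time, source ip)
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            ts, method, user, ip = m.groups()
            if method == "password":  # key-based logins are not the weak-password case
                last_password_login[user] = (parse_ts(ts), ip)
            continue
        m = NOT_SUDOER.match(line)
        if m and m.group(2) in last_password_login:
            ts, user, command = m.groups()
            login_time, ip = last_password_login[user]
            delay = (parse_ts(ts) - login_time).total_seconds()
            if 0 <= delay <= window_seconds:
                hits.append((user, ip, command, int(delay)))
    return hits


if __name__ == "__main__":
    for user, ip, command, delay in find_escalation_attempts(AUTH_LOG):
        print(f"ALERT: {user} from {ip} tried sudo {command} {delay}s after a password login")
```

Run against a real /var/log/auth.log, the same function gives one line per suspicious pair, which is a far better trigger for a password change than waiting for the sudo notification email.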

Basically, my server sees about one attack per minute (mainly through SSH and SFTP, in addition to attempts to use my machine as an email proxy for spamming you). Until now, my server has never been compromised (it could have been, but I don’t know). So follow the same advice as before:

  • a good password (don’t use the login name as the password!)
  • give as few privileges as possible to your users
  • limit the services you authorize (if you do not need FTP, don’t enable it!)

Your server should resist basic attacks…
