I've been hacked

Submitted by root

Poll results (have you been hacked?):
Never: 64% (303 votes)
Once: 21% (102 votes)
Twice: 4% (22 votes)
Several times: 4% (22 votes)
Lots: 2% (10 votes)
Total: 470 votes

Re: I've been hacked
Posted by Anonymous (150.101.xx.xx) on Sun 18 Sep 2005 at 14:35
I was cracked once, and it was completely my fault!

One day when I had some guys around I created the account guest:guest just so they could push some files onto my server. The machine had no external access whatsoever so, at the time, it was safe to do.

About 6 months later my firewall died suddenly from hardware failure and I had to use my internal server to perform its duties till I could build a suitable replacement.
Needless to say I had completely forgotten about the guest account I had made.
The server wasn't even online a week and some script kiddie from Korea had found it whilst doing a sweep I guess. They used a buffer overflow in 2.4 to get root and tried to install a rootkit, except that just screwed up the Linux install.

Anyway, lesson learnt: never again will I create an account like that, nor forget to remove it when done.


Re: I've been hacked
Posted by ajt (84.12.xx.xx) on Sun 18 Sep 2005 at 16:07
I don't believe I've been cracked, but if it's been done properly would I know?

I do get lots of SSH scans but my SSH settings don't let anyone in without a valid certificate. Plus I have it switched off most of the time.

I know work gets virus infections all the time, and their Windows machines get rooted with amazing ease and frequency. The scary thing is that even though they use Windows for lots of things, I do believe they know what they are actually doing with them. I dread to think what most Windows machines are like with typical users...

--
"It's Not Magic, It's Work"
Adam


fail2ban
Posted by elivs (202.0.xx.xx) on Mon 19 Sep 2005 at 09:20
If you run an external login of any kind (e.g. ssh) then you should get this package. It monitors logs, and then bans IPs which have >5 failed logins. It uses iptables and is fully configurable. It has a very well maintained Debian package that works right out of the box with the Debian ssh package.
This stops a lot of script kiddies scanning and looking for bad accounts (e.g. guest:guest).
Elivs

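As an added illustration of the log-watching rule described in the post above (this is not fail2ban's own code, nor code from this thread), the Python sketch below counts failed sshd logins per source IP inside a sliding time window and reports the addresses that exceed the ">5 failed logins" threshold; the sample auth.log lines are constructed, and the 10-minute window is an assumed value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Settings mirroring the post: ban after more than 5 failures (maxretry) inside one
# time window (findtime; the 10-minute value is an assumption, not from the post).
MAXRETRY = 5
FINDTIME_SECONDS = 600

# Constructed sample lines in OpenSSH auth.log format (not taken from the thread).
SAMPLE_LOG = """\
Sep 19 09:00:01 host sshd[1101]: Failed password for invalid user guest from 192.0.2.9 port 30001 ssh2
Sep 19 09:00:04 host sshd[1102]: Failed password for invalid user guest from 192.0.2.9 port 30002 ssh2
Sep 19 09:00:07 host sshd[1103]: Failed password for root from 192.0.2.9 port 30003 ssh2
Sep 19 09:01:02 host sshd[1201]: Failed password for invalid user guest from 203.0.113.5 port 40122 ssh2
Sep 19 09:01:05 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 40130 ssh2
Sep 19 09:01:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 40141 ssh2
Sep 19 09:01:12 host sshd[1207]: Failed password for invalid user admin from 203.0.113.5 port 40150 ssh2
Sep 19 09:01:15 host sshd[1209]: Failed password for invalid user oracle from 203.0.113.5 port 40161 ssh2
Sep 19 09:01:18 host sshd[1211]: Failed password for invalid user guest from 203.0.113.5 port 40170 ssh2
Sep 19 09:02:00 host sshd[1220]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Sep 19 11:30:01 host sshd[1301]: Failed password for invalid user guest from 192.0.2.9 port 30011 ssh2
Sep 19 11:30:04 host sshd[1302]: Failed password for invalid user guest from 192.0.2.9 port 30012 ssh2
Sep 19 11:30:07 host sshd[1303]: Failed password for root from 192.0.2.9 port 30013 ssh2
"""

# OpenSSH "Failed password" lines in syslog format (auth.log carries no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def find_bannable_ips(log_text, maxretry=MAXRETRY, findtime=FINDTIME_SECONDS):
    """Return {ip: failures_in_window} for every IP that exceeds maxretry failed
    logins within a findtime-second window, the way fail2ban's sshd jail decides."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in banned:
            continue
        # 2005 is assumed only so that the year-less syslog timestamp parses.
        ts = datetime.strptime("2005 " + m.group("ts"), "%Y %b %d %H:%M:%S")
        window = recent[m.group("ip")]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) > maxretry:  # the ">5 failed logins" rule from the post
            banned[m.group("ip")] = len(window)
    return banned
```

With the sample data only 203.0.113.5 is reported: 192.0.2.9 also fails six times, but split across two and a half hours, so never more than three inside one window; fail2ban itself would then insert an iptables rule for each reported address, whereas this sketch only reports them.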

Re: fail2ban
Posted by Piem (81.178.xx.xx) on Fri 23 Sep 2005 at 18:54
fail2ban is good. Nevertheless, no such account should be created EVER. Imagine guest:guest is the first attempt of the script kiddie? :)


Re: I've been hacked
Posted by Anonymous (193.173.xx.xx) on Mon 19 Sep 2005 at 13:45
I've been hacked once under my very eyes. I was debugging an issue in a web script when I suddenly found the output of wget in my apache error logs. It appeared that my Cacti install was not completely inaccessible from the internet as I supposed it was. A known (even by me!!!) Cacti exploit was used to:
  1. download a shell.jpg with wget from a remote site
  2. rename it to shell.pl
  3. and run the script.
  4. This script opened a socket to port 4444 on a remote server
  5. and connected /bin/sh to this socket
  6. which gave this hacker shell access to the unprivileged account apache was running under
Luckily I saw this happening, so I immediately disconnected the system from the internet. Since I was already building a new server, the hacked system never got online again...


Re: I've been hacked
Posted by Steve (82.41.xx.xx) on Tue 20 Sep 2005 at 14:54
That's a pretty lucky break!

I've reconstructed several breakins back to their initial flaw, and what they did next. But I've never seen one happen in front of me.

I'd love to run a honeypot of some kind, but I think to do it properly I'd want a separate IP address and I suspect that it would be less exciting once the box has been broken more than a couple of times.

(Certainly the proliferation of all the automated SSH login attempts we've been seeing suggests that a breakin would be almost certain if you just sat around for long enough with test:test, or root:root as your password.)

Steve
--


Re: I've been hacked
Posted by Anonymous (80.58.xx.xx) on Mon 19 Sep 2005 at 15:55
Do you remember ptrace? I underestimate it =)


Re: I've been hacked
Posted by matej (158.193.xx.xx) on Tue 20 Sep 2005 at 09:08
67% yesterday. Today, 64% who never felt it... getting better but still a lot of work left :)


Re: I've been hacked
Posted by Anonymous (84.176.xx.xx) on Tue 20 Sep 2005 at 18:01
The title reads "I've been hacked", but in most of the posts I read "I've been cracked". Could somebody please clarify the difference?


Re: I've been hacked
Posted by Steve (82.41.xx.xx) on Tue 20 Sep 2005 at 19:48
Cracked would be preferred by most people I'm sure.

I rarely bother making the distinction clear myself though. The "media" will report computer intrusions using the word "hacked" even if other people will argue loudly about the difference between hacking and cracking.

It's just a symptom of the way that languages change over time. Fighting to keep words nailed to their "original" meanings seems misguided at best, and futile at worst to me.

Back in the day .. "cracking" to me was removing the copy protection from commercial software, or patching unregistered shareware to become full versions. That is still what I call it and what I think of when people talk about cracking. Not that I get my hands dirty often these days .. ;)

Steve
--


Re: I've been hacked
Posted by Antitribu (203.144.xx.xx) on Wed 21 Sep 2005 at 05:33
There is a long-standing dispute over the use of these words.

Hackers have historically been those people who go beyond computer literate and into legend as doing incredible things with computers that nobody else thought was possible/reasonable/sane. These people "Hack".

Crackers have generally existed in the underbelly of the net, breaking into servers, removing copy protection. These people "Crack".

As mentioned above the media and those that brought us such wonderful movies as "hackers" have blurred the lines and made a word that many IT people have come to love mean something else.

As I understand it, there is also a division between an actual Cracker and a script kiddie. While the Cracker is evil they at least employ some skill and expertise in their art. Some may even argue they could be appreciated along the same lines as a magnificent jewel heist. I think most admins would tend to disagree though. Script Kiddies are generally indiscriminate and use other people's tools. They can however turn a dull day at the office into an entertaining one with judicious use of a honeypot.

For definitions:
http://www.catb.org/~esr/jargon/html/C/crack.html
and
http://www.catb.org/~esr/jargon/html/H/hack.html
The Jargon File also has some excellent examples of true "hacking": http://www.catb.org/~esr/jargon/html/


Re: I've been hacked
Posted by fsateler (201.214.xx.xx) on Wed 21 Sep 2005 at 03:34
I was once hacked... and it was all my fault! A friend of mine sent me a scripted IRC client (why on earth I'd want a scripted client, I don't know, but anyway), but he included a trojan horse, and he got inside. He gave me a hell of a scare, but the trojan was removed easily. I must admit, though, that I made similar tricks in those days, so I guess I was pretty dumb...
--------
Felipe Sateler


Re: I've been hacked
Posted by Anonymous (213.158.xx.xx) on Thu 22 Sep 2005 at 14:20
The only time I've ever been hit was in the bad old days of redhat package management, when not only did you have to go and get the new package yourself then manually install it and all its dependencies, but it was also invariably a new version of the software, so you had to reconfigure the damned thing again, perhaps learning a new syntax for the config file, dealing with the defaults that had changed, etc. etc.

It was such a nightmare that it occasionally was too much of a PITA to do... and then a bind vulnerability like that slipped under the radar and a script kiddie had a go. Luckily his script didn't even understand shadowed passwords, so it only made the entry in /etc/passwd and not in /etc/shadow, so he never managed to actually log in and do anything.

That event was one of the big things that made me move to Debian... *real* package management and security support that backports the fixes rather than making the user upgrade, reconfigure and tear hair out.

(RedHat might do that too now... don't know... don't care... I'll stick with Debian :)
