Have I been hacked?

Support for security such as Firewalls and securing linux
fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Have I been hacked?

Post by fla_panther » 2016/04/03 03:11:25

My network setup is a cable modem connected to a Cisco switch, and from there I have my desktop (running Win 7), a Buffalo NAS, and a CentOS 6 box I've been playing with.

I've been trying to get X11 forwarding working, and while doing so I did this command:

[xxxxxx@server1 ~]$ xauth list
207.148.248.143:1  MIT-MAGIC-COOKIE-1  a4d0906592154c5a517a92b6e5714a9d
xxxxxx.xxxxxxxxx.com/unix:1  MIT-MAGIC-COOKIE-1  a4d0906592154c5a517a92b6e5714a9d
xxxxxx.xxxxxxxxx.com/unix:10  MIT-MAGIC-COOKIE-1  6465c9d4a75e01035e8b9048d13455ed
I have no ports opened to the internet so when I saw 207.148.248.143 there I researched it. I don't see anything specifically nasty about the owner of that IP but how is it even in my box? I confirmed I'm the only user logged in:

[xxxxxx@server1 ~]$ w
 23:05:23 up  2:26,  1 user,  load average: 0.29, 0.18, 0.17
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
xxxxxx  pts/0    192.168.0.100    22:22    1.00s  0.47s  0.29s w
I don't know what to think. If there was another user logged in then maybe I could see that my Windows PC has been hacked and through that they accessed the CentOS box, but I just ran a scan and everything appears clean. Going to open a thread on a security forum at another website I know and see if they can confirm whether I'm clean or not. The only other possibility I can think of is that my NAS is phoning home (I hope not) and has a flaw that got it hacked (again, I hope not). Or, maybe there's some logical reason this 207.148.248.143 is showing up that I don't know of ... but it doesn't seem that way.

I checked for logins... found none but my own but the log only goes back to yesterday:

[*******@server1 ~]$ sudo cat /var/log/secure | grep sshd
Apr  1 09:38:00 server1 sshd[2142]: Received signal 15; terminating.
Apr  1 09:38:03 server1 sshd[8039]: Server listening on 0.0.0.0 port 22.
Apr  1 09:38:03 server1 sshd[8039]: Server listening on :: port 22.
Apr  1 14:11:11 server1 sshd[8039]: Received signal 15; terminating.
Apr  2 20:40:28 server1 sshd[9719]: Server listening on 0.0.0.0 port 22.
Apr  2 20:40:28 server1 sshd[9719]: Server listening on :: port 22.
Apr  2 21:29:06 server1 sshd[10550]: Accepted password for ******* from 192.168.0.100 port 50957 ssh2
Apr  2 21:29:07 server1 sshd[10550]: pam_unix(sshd:session): session opened for user ******* by (uid=0)
Apr  2 21:34:48 server1 sshd[10550]: pam_unix(sshd:session): session closed for user *******
Apr  2 21:42:25 server1 sshd[10592]: Accepted password for ******* from 192.168.0.100 port 51052 ssh2
Apr  2 21:42:25 server1 sshd[10592]: pam_unix(sshd:session): session opened for user ******* by (uid=0)
Apr  2 22:21:42 server1 sshd[10592]: pam_unix(sshd:session): session closed for user *******
Apr  2 22:22:50 server1 sshd[12033]: Accepted password for ******* from 192.168.0.100 port 51749 ssh2
Apr  2 22:22:51 server1 sshd[12033]: pam_unix(sshd:session): session opened for user ******* by (uid=0)
Apr  2 22:35:45 server1 sshd[9719]: Received signal 15; terminating.
Apr  2 22:35:46 server1 sshd[12138]: Set /proc/self/oom_score_adj from 0 to -1000
Apr  2 22:35:46 server1 sshd[12138]: debug2: fd 3 setting O_NONBLOCK
Apr  2 22:35:46 server1 sshd[12138]: debug1: Bind to port 22 on 0.0.0.0.
Apr  2 22:35:46 server1 sshd[12138]: Server listening on 0.0.0.0 port 22.
Apr  2 22:35:46 server1 sshd[12138]: debug2: fd 4 setting O_NONBLOCK
Apr  2 22:35:46 server1 sshd[12138]: debug1: Bind to port 22 on ::.
Apr  2 22:35:46 server1 sshd[12138]: Server listening on :: port 22.
I built the server in January of this year so I would think the log would go back further than that. Or does the log start over every time I reboot the server (I wouldn't expect it to, it's got a hard drive after all, not flash).

Danny Michael
Posts: 4
Joined: 2014/08/16 21:20:02

Re: Have I been hacked?

Post by Danny Michael » 2016/04/03 05:00:59

Do you have web hosting with an EIG affiliated web host? That IP is with EIG. They have bought out many, many web hosts over the last few years.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Have I been hacked?

Post by TrevorH » 2016/04/03 11:58:17

Also look at the output from last -n and last -n /var/log/wtmp-yymmdd (yymmdd will be a datestamp, amend it).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Re: Have I been hacked?

Post by fla_panther » 2016/04/03 19:22:37

I installed squid on this box so I could learn about using it as a proxy server but I have no web server services configured. I have some websites that I bought through GoDaddy, some I've done nothing with at all, others I've mapped to WordPress sites (hosted on Wordpress.com servers, not my own).

The wtmp files show nothing:

[*******@server1 ~]$ last -n 20 /var/log/wtmp-160401

wtmp begins Thu Aug 27 12:13:52 2015
[*******@server1 ~]$ last -n 30 /var/log/wtmp-160402

wtmp begins Thu Aug 27 12:13:52 2015
[*******@server1 ~]$ last -n 30 /var/log/wtmp-160403

wtmp begins Thu Aug 27 12:13:52 2015
[*******@server1 ~]$ last -n 30 /var/log/wtmp-160331

wtmp begins Thu Aug 27 12:13:52 2015
[*******@server1 ~]$ last -n 30 /var/log/wtmp-160330

wtmp begins Thu Aug 27 12:13:52 2015
[*******@server1 ~]$ last -n 30 /var/log/wtmp-160329

wtmp begins Thu Aug 27 12:13:52 2015
[*******@server1 ~]$ last -n 30 /var/log/wtmp-160328

wtmp begins Thu Aug 27 12:13:52 2015
[*******@server1 ~]$ last -n 30 /var/log/wtmp-160327

wtmp begins Thu Aug 27 12:13:52 2015
[*******@server1 ~]$ last -n 30 /var/log/wtmp-160326

wtmp begins Thu Aug 27 12:13:52 2015
[*******@server1 ~]$ last -n 30 /var/log/wtmp-160325

wtmp begins Thu Aug 27 12:13:52 2015
[*******@server1 ~]$ last -n 30 /var/log/wtmp-160324

wtmp begins Thu Aug 27 12:13:52 2015
[*******@server1 ~]$ last -n 30 /var/log/wtmp-160323

wtmp begins Thu Aug 27 12:13:52 2015
[*******@server1 ~]$ last -n 30 /var/log/wtmp-160322

wtmp begins Thu Aug 27 12:13:52 2015
[*******@server1 ~]$ last -n 30 /var/log/wtmp-160321

wtmp begins Thu Aug 27 12:13:52 2015
[*******@server1 ~]$

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Have I been hacked?

Post by TrevorH » 2016/04/04 10:27:44

The presence of all those wtmp files looks odd. Normally I'd expect there to be 2 of them, one called just wtmp (the current one) and the previous one. To have so many looks suspicious.

fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Re: Have I been hacked?

Post by fla_panther » 2016/04/05 02:40:21

Really there is just the one. I didn't know that before I ran the commands though. I saw the command format and assumed there would be multiple so I made up a list of commands that would cover the last few days and pasted them in. After reading your comment I went back and looked:

[*******@server1 ~]$ ls -l /var/log/ | grep wtmp
-rw-rw-r--. 1 root  utmp    337536 Apr  4 22:37 wtmp
[*******@server1 ~]$
The strange thing (to me) is that the command format you gave me included a datestamp, and the one file that's there doesn't have one at all.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Have I been hacked?

Post by TrevorH » 2016/04/05 10:04:40

That just means it's never been rotated by logrotate - the current file is just 'wtmp' and is the default if no -f switch is given.

fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Re: Have I been hacked?

Post by fla_panther » 2016/04/05 20:38:10

Okay. I guess that was a dead end though. I've turned off the server for now. Any other ideas of where I might be able to look for anything out of the ordinary?

fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Re: Have I been hacked?

Post by fla_panther » 2016/08/30 00:53:40

The server I had died, either a MB issue or a power supply ... it was a whitebox build anyway and I decided I was going to just buy a used server and rebuild. I now have a Dell PowerEdge R710 and installed CentOS 6.8, again working on getting VNC and/or X11 working. And again xauth list includes the following in its output:

207.148.248.143:1 MIT-MAGIC-COOKIE-1 hex string 1
207.148.248.143:3 MIT-MAGIC-COOKIE-1 hex string 2
207.148.248.143:2 MIT-MAGIC-COOKIE-1 hex string 3

I've done nothing to this box except yum update and install tigervnc. It's REALLY bothering me that these IPs are showing up here. The only thing I can think of is that tigerVNC must have some sort of phone home function, which I can't see why it would need that. I guess I'm going to wipe the box clean, reinstall, and try some other VNC server and see what happens.

azbest
Posts: 22
Joined: 2016/08/16 07:50:57

Re: Have I been hacked?

Post by azbest » 2016/08/30 13:04:47

Hi,
please share the following:

ip a|grep 207.148.248
check the content of these files and their timestamps

ll /etc/passwd
ll /etc/shadow
ll /etc/group

If the timestamp is different from what it was before your last activities with users/groups, you possibly have a problem. But the timestamps of files can be changed, so this will not give you a 100% answer.
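As an added check that is not from any post in this thread: the script below takes `xauth list` output and flags entries whose host part is not one of the box's own addresses, which is the question the thread circles around, and also wraps the account-file timestamp check azbest asks for. The sample `xauth list` output and the local address list are constructed; `ip`, `hostname` and `getent` are only called by the live helper, and the hostname `server1.example.com` is a placeholder.

```sh
#!/bin/sh
# Added example, not from the thread. Flags xauth entries whose host is not a
# local address, and shows the account-file timestamps azbest asked about.

# Read `xauth list` output on stdin; $1 is a space-separated list of names and
# addresses that count as "this box". Prints the displays that are foreign.
xauth_foreign() {
    awk -v locals="$1" '
    BEGIN { n = split(locals, a, " "); for (i = 1; i <= n; i++) islocal[a[i]] = 1 }
    NF >= 3 {
        disp = $1
        if (disp ~ /\/unix:/) next          # local-socket entries are fine
        host = disp; sub(/:[0-9]+$/, "", host)
        if (!(host in islocal)) print disp
    }'
}

# Live collection of what counts as local: every interface address, plus the
# hostname and what it resolves to. xauth stores the address a hostname
# resolves to when a display is registered by hostname (as vncserver does),
# so a flagged entry that equals the hostname's resolved address came from
# name resolution, not from a remote login.
local_addrs_live() {
    ip -o addr 2>/dev/null | awk '{ sub(/\/.*/, "", $4); print $4 }'
    hostname -f 2>/dev/null
    getent hosts "$(hostname -f 2>/dev/null)" 2>/dev/null | awk '{ print $1 }'
}

# azbest's timestamp check; his caveat applies: mtimes can be altered.
account_file_times() {
    ls -l --time-style=full-iso /etc/passwd /etc/shadow /etc/group 2>/dev/null
}

# Constructed sample modelled on the thread's output; cookies are placeholders.
SAMPLE_XAUTH='207.148.248.143:1  MIT-MAGIC-COOKIE-1  00000000000000000000000000000001
server1.example.com/unix:1  MIT-MAGIC-COOKIE-1  00000000000000000000000000000001
192.168.0.50:2  MIT-MAGIC-COOKIE-1  00000000000000000000000000000002
server1.example.com/unix:10  MIT-MAGIC-COOKIE-1  00000000000000000000000000000003'
# Constructed: addresses the sample box would report as local.
SAMPLE_LOCAL='127.0.0.1 ::1 192.168.0.50 server1.example.com'

# Against the sample this prints only 207.148.248.143:1. On the real box use:
#   xauth list | xauth_foreign "$(local_addrs_live | tr '\n' ' ')"
printf '%s\n' "$SAMPLE_XAUTH" | xauth_foreign "$SAMPLE_LOCAL"
```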
