Have I been hacked?

Support for security such as firewalls and securing Linux
fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Re: Have I been hacked?

Post by fla_panther » 2016/08/30 16:27:54

Code:

[root@server1 ~]# ip a|grep 207.148.248
[root@server1 ~]# ll /etc/passwd
-rw-r--r--. 1 root root 1627 Aug 28 18:56 /etc/passwd
[root@server1 ~]# ll /etc/shadow
----------. 1 root root 1040 Aug 28 18:56 /etc/shadow
[root@server1 ~]# ll /etc/group
-rw-r--r--. 1 root root 804 Aug 28 19:04 /etc/group
[root@server1 ~]#
My previous post here was 2016/08/29 19:53:40, so assuming a 1 hour time difference, two of those are very close and the other is 8 minutes later. I shut down the server after that and left it off overnight. I turned it on again to do this and am turning it back off again.

azbest
Posts: 22
Joined: 2016/08/16 07:50:57

Re: Have I been hacked?

Post by azbest » 2016/08/30 18:05:17

So please check the content of these files for extra accounts:
/etc/passwd
/etc/shadow
/etc/group

Also check /etc/passwd for accounts which have user ID = 0, for example like this:

Code:

# print every account whose numeric UID (field 3) is 0
awk -F: '$3 == 0 { print "user", $1, "has ID", $3 }' /etc/passwd
Also, it would be a good idea to check the SSH keys.
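The three checks azbest describes (extra UID-0 accounts, the contents of passwd/shadow/group, and which accounts can actually log in) as one script. This is an added example, not code from the thread; the sample file contents are constructed, and on a real host you would feed it the real files (reading /etc/shadow needs root).

```python
"""Audit passwd/shadow/group text for extra or unlocked accounts (added example)."""
LOGIN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash"}

def _records(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")

def audit_accounts(passwd, shadow, group):
    """Return a dict of findings; empty lists/dicts mean nothing was found."""
    findings = {"uid0": [], "login_shell": [], "no_password": [],
                "privileged_group_members": {}}
    for f in _records(passwd):
        name, uid, shell = f[0], int(f[2]), f[6]
        if uid == 0 and name != "root":      # any second superuser is suspect
            findings["uid0"].append(name)
        if shell in LOGIN_SHELLS:            # accounts that can log in interactively
            findings["login_shell"].append(name)
    for f in _records(shadow):
        # Empty hash field = no password needed; '*' and '!!' are locked (normal
        # for system users); a real hash is expected only for human accounts.
        if f[1] == "":
            findings["no_password"].append(f[0])
    for f in _records(group):
        if f[0] in ("root", "wheel") and f[3]:   # members with admin rights
            findings["privileged_group_members"][f[0]] = f[3].split(",")
    return findings

# Constructed sample files: the default layout plus one planted 'toor' account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
myusername:x:500:500:myusername:/home/myusername:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$constructedhash:17041:0:99999:7:::
bin:*:15980:0:99999:7:::
sshd:!!:17041::::::
myusername:$6$constructedhash:17041:0:99999:7:::
toor::17041:0:99999:7:::
"""
SAMPLE_GROUP = """root:x:0:
wheel:x:10:toor
users:x:100:
"""

if __name__ == "__main__":
    for key, value in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP).items():
        print(key, value)
```

Anything in `uid0` or `no_password`, or a login shell on a name you do not recognise, is what the thread is asking you to look for.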

fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Re: Have I been hacked?

Post by fla_panther » 2016/08/30 22:35:40

Here's the output. Looks to me like it's only the defaults and my account. Only root has ID 0. SSH keys didn't change since I last logged in but as I mentioned I've been keeping the box turned off since last night.

Code:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rtkit:x:499:499:RealtimeKit:/proc:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:498:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
pulse:x:497:496:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
myusername:x:500:500:myusername:/home/myusername:/bin/bash

root::17041:0:99999:7:::
bin:*:15980:0:99999:7:::
daemon:*:15980:0:99999:7:::
adm:*:15980:0:99999:7:::
lp:*:15980:0:99999:7:::
sync:*:15980:0:99999:7:::
shutdown:*:15980:0:99999:7:::
halt:*:15980:0:99999:7:::
mail:*:15980:0:99999:7:::
uucp:*:15980:0:99999:7:::
operator:*:15980:0:99999:7:::
games:*:15980:0:99999:7:::
gopher:*:15980:0:99999:7:::
ftp:*:15980:0:99999:7:::
nobody:*:15980:0:99999:7:::
dbus:!!:17041::::::
usbmuxd:!!:17041::::::
rpc:!!:17041:0:99999:7:::
rtkit:!!:17041::::::
avahi-autoipd:!!:17041::::::
vcsa:!!:17041::::::
abrt:!!:17041::::::
rpcuser:!!:17041::::::
nfsnobody:!!:17041::::::
haldaemon:!!:17041::::::
ntp:!!:17041::::::
apache:!!:17041::::::
saslauth:!!:17041::::::
postfix:!!:17041::::::
gdm:!!:17041::::::
pulse:!!:17041::::::
sshd:!!:17041::::::
tcpdump:!!:17041::::::
myusername:--trimmed--:17041:0:99999:7:::

root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sys:x:3:bin,adm
adm:x:4:adm,daemon
tty:x:5:
disk:x:6:
lp:x:7:daemon
mem:x:8:
kmem:x:9:
wheel:x:10:
mail:x:12:mail,postfix
uucp:x:14:
man:x:15:
games:x:20:
gopher:x:30:
video:x:39:
dip:x:40:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
dbus:x:81:
usbmuxd:x:113:
rpc:x:32:
utmp:x:22:
utempter:x:35:
rtkit:x:499:
avahi-autoipd:x:170:
desktop_admin_r:x:498:
desktop_user_r:x:497:
floppy:x:19:
vcsa:x:69:
abrt:x:173:
cdrom:x:11:
tape:x:33:
dialout:x:18:
wbpriv:x:88:
rpcuser:x:29:
nfsnobody:x:65534:
haldaemon:x:68:haldaemon
ntp:x:38:
apache:x:48:
saslauth:x:76:
postdrop:x:90:
postfix:x:89:
gdm:x:42:
pulse:x:496:
pulse-access:x:495:
fuse:x:494:
sshd:x:74:
slocate:x:21:
stapusr:x:156:
stapsys:x:157:
stapdev:x:158:
tcpdump:x:72:
myusername:x:500:

fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Re: Have I been hacked?

Post by fla_panther » 2016/09/14 04:08:37

As a test I reinstalled CentOS. I planned to stop at various points and see whether the IP was showing up in the xauth list. I installed CentOS, and my output was:

Code:

[myuser@server1 ~]$ xauth list
server1.mydomain.com/unix:1  MIT-MAGIC-COOKIE-1  <hash>
Then I did a yum update and ran the command again and got the same result. Then I installed TigerVNC using "yum install tigervnc-server". I've done nothing else to this device, and at this point I'm seeing the IP in the xauth list:

Code:

[myuser@server1 ~]$ xauth list
207.148.248.143:1  MIT-MAGIC-COOKIE-1  <hash>
server1.mydomain.com/unix:1  MIT-MAGIC-COOKIE-1  <hash>
It's got to be related to TigerVNC. The strange thing is that we use TigerVNC at work and I do not get this result. The firewall at work may be more sophisticated than my cable modem, but if it's the software on the server that's initiating a connection back to 207.148.248.143 then it'll be considered an established connection and will be allowed. So I see no reason why this should be happening on a server at my home but not on one at work.

I guess I'll go over to the TigerVNC forum and see what they can tell me.

fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Re: Have I been hacked?

Post by fla_panther » 2016/10/09 23:46:00

It's been a month and I'm no closer to finding anything about that IP or how it got on my system. TigerVNC's Google group didn't get me any useful intel. I'm already having my desktop and laptop checked for viruses, but I also have two Buffalo TeraStation NAS boxes that run proprietary code. I think they run a flavor of Linux, but hacking into them may void whatever warranty they have. I'm not sure I can consider them clean.

Moving forward I'm going to air gap the server, reinstall the OS, and configure more security measures such that even the LAN isn't trusted. Once I feel more confident in its config I'll bring it back onto the network and see what happens.

enjinn
Posts: 8
Joined: 2016/10/25 18:16:52

Re: Have I been hacked?

Post by enjinn » 2016/10/26 02:25:16

Is it possible you have configured your TigerVNC with a No-IP client or dynamic DNS setting and it is propagating that IP address on your behalf?

fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Re: Have I been hacked?

Post by fla_panther » 2016/10/26 21:57:35

I'm not sure what a No-IP client is or how I'd set one up. As for dynamic DNS, no, I definitely had not set that up.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Have I been hacked?

Post by TrevorH » 2016/10/26 22:17:51

Would you work for a very large company based in the USA?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Re: Have I been hacked?

Post by fla_panther » 2016/10/27 09:41:14

I don't think I would've been a target of corporate espionage if that's what you're thinking. My previous employer was one of the top 10 largest ISPs in the US, but I left there a year ago and I was not high up in the company. My current employer is much smaller and again I'm not in the company leadership.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Have I been hacked?

Post by TrevorH » 2016/10/27 09:51:32

No, I wasn't thinking that, but I used whois on the IP address you are looking at and it tells me that it belongs to a very large US based organisation. I wondered if you worked for them.
