Thursday, April 26, 2007

Hack attempts at my server

I really love the ease of setting up a web server with Ubuntu - I set it up months back, and just forgot about it. This morning I noticed some suspicious hard disk activity on my server, and I decided to check what was happening.

Someone might have been trying to hack into my box!!!

I got suspicious.

A common hacking technique in Linux involves dictionary based attacks on ssh (port 22), which is open on many servers for remote management. I have this port open too, because I love to connect to my server and administer it from my office etc. So, how do I know if someone is trying to hack my server by logging in via port 22?

Well, I read the SSH daemon (sshd) log entries. By default, sshd writes its log to /var/log/auth.log. So I open that file in nano (command: nano /var/log/auth.log) and I see numerous failed login attempts through ssh. The log also contains their IP addresses, so I check their websites by entering the IP addresses in my browser. Many of these sites are actually running on commercial web servers that have themselves been hacked by exploiters. One such site is this:

This unsuspecting person has had her website hacked, and there is an automated hacking tool installed there, which looks for more computers and hacks them. Thus, the hacker could soon control an army of hacked servers! This can be used very effectively for a DOS ("Denial of Service") attack on an enemy server to knock it down. I immediately wrote an email to this person to check the security of their server.

So, the SSH attack has been performed. Was it successful? The auth.log file will tell you if it accepted the password for a given user.

Also, you can use the last command to view the last few users who logged in (latest on the top) - this will also show the domain from which they logged in, the date and time, and the length of time they stayed logged in. If you see any users logging in from any domains that you don't know of, they probably hacked your password! You might want to change the username and password (both) immediately, and please make a stronger password this time. Also check for any suspicious modifications in the /etc/sudoers file (command: sudo nano /etc/sudoers), and check whether your users have been added to any groups they should not be in (command: sudo groups root username, where username is your own login name).
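A small shell script, added here as an example (it is not from the original post), that does the auth.log reading described above on a constructed sample log: it counts failed password attempts per source IP, lists accepted logins, and flags any accepted login from an IP that also produced failures. The hostname, user names and IP addresses in the sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: summarise sshd entries in an
# auth.log-style file. The log lines below are constructed (hostname "myhost",
# the user names and the documentation-range IPs are all assumptions); point
# the functions at /var/log/auth.log to run them on a real system.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Apr 26 03:14:07 myhost sshd[12345]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Apr 26 03:14:09 myhost sshd[12345]: Failed password for root from 203.0.113.5 port 40123 ssh2
Apr 26 03:14:12 myhost sshd[12346]: Failed password for invalid user oracle from 203.0.113.5 port 40125 ssh2
Apr 26 03:20:41 myhost sshd[12350]: Failed password for root from 192.0.2.77 port 2201 ssh2
Apr 26 08:01:12 myhost sshd[12410]: Accepted password for anil from 198.51.100.7 port 51022 ssh2
Apr 26 08:01:12 myhost sshd[12410]: pam_unix(sshd:session): session opened for user anil by (uid=0)
Apr 26 09:45:03 myhost sshd[12477]: Accepted password for root from 203.0.113.5 port 40990 ssh2
EOF

# Failed password attempts per source IP, busiest source first ("<count> <ip>").
failed_by_ip() {
  grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Successful logins as "<user> <ip>" (covers password and publickey auth).
accepted_logins() {
  grep 'sshd\[[0-9]*\]: Accepted ' "$1" \
    | sed -n 's/.*Accepted [a-z]* for \([^ ]*\) from \([0-9.]*\) port .*/\1 \2/p'
}

# Accepted logins whose source IP also produced failed attempts: the
# guess-until-it-works pattern, which deserves a look at `last` and the password.
suspicious_logins() {
  ips=$(mktemp)
  failed_by_ip "$1" | awk '{print $2}' | sort -u > "$ips"
  accepted_logins "$1" | while read -r user ip; do
    if grep -qx "$ip" "$ips"; then echo "$user $ip"; fi
  done
  rm -f "$ips"
}

echo "== Failed attempts by source IP =="
failed_by_ip "$SAMPLE_LOG"
echo "== Accepted logins =="
accepted_logins "$SAMPLE_LOG"
echo "== Accepted logins from IPs that also failed =="
suspicious_logins "$SAMPLE_LOG"
```

On the sample above the last section reports the root login from 203.0.113.5, the same address that produced three failures earlier in the day.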

A potential failure of this diagnostic process is that the hacker may clear the auth.log entries. I will explore this further and update this post later.

Still, I am greatly amazed by the rock-solid security of Ubuntu - I just have the default system install and have not configured any firewall or anything, and my box is wide open to the internet, and still I'm not hacked! Extremely impressive!


Krishnan said...

Hi Anil
Impressive article. I liked it a lot, and it is very impressive. When I executed [sudo groups root username] I got this [root : root
id: username: No such user]. What does this mean? Is my system hacked? Please do let me know.

Anil said...

Krishnan, try this:
sudo groups root