# I was.... hacked?...

## Hell-Razor

this is quite strange. I have never heard of this before but I received a letter yesterday from my ISP saying that "your internet activity has been viewed in some form of illegal activity". With this letter I received about 30 pages worth of "ls"  of random (or so it looks like) files on my machine. Now I am not saying I have not downloaded anything illegal but I honestly haven't in quite some time now (at least 6 months). I have noticed though some of the files are tar.gz and one of the files listed is in fact rkhunter which I installed about two weeks ago AND a .txt file that is in my /home/ dir containing all of my "wish-list" items for christmas. Now first off how the hell can they legally be viewing my files?

Second off, who should I call and bitch at for this (if anybody)?... I have to head off to work now though. I'll come back and maybe scan the letter I got on my scanner (that is if I can find the letter in the trash).

----------

## Hell-Razor

oh i forgot to add -- i think it's time to ranish my hd's =(

----------

## GODhack

Update everything if not updated, remove sshd from startup if you have it there. 

Set iptables. 

Check ps was for strange lines.

ISP can give you IP of hacker, you can whois his ip and maybe even find his phone number if he is stupid enough.

That is maybe all you can do.

----------

## NeddySeagoon

Hell-Razor,

Make an image of your drive for later forensics, then reinstall. Better yet, get another drive.

Do not attempt to salvage anything from the old install. It looks like you have been compromised somehow.

Check your access logs if you use ssh for external access.

Exactly what an intruder can do, depends on the account they have access as.

Are there any signs the intruder was root ?

e.g. does the list of files include things in /root  ?

----------

## Hell-Razor

Alright, I was unable to find the letter so I don't know if it was any root files (but can't some / most of the root dir be seen by ls?)

Everything IS up to date, hack. ssh is turned off, I never really use it.

The strange thing is though that this is from my ISP, I am on the phone now for a different provider -- I don't know if I really can call and complain because well I did/do illegal things with software, except is there a line they crossed here?

----------

## Hell-Razor

[00:03:33]   Checking system startup files for malware       [ Warning ]

[00:03:34] Warning: Found string 'hidef' in file '/etc/init.d/net.lo'. Possible rootkit: Possible part of Knark rootkit

that is a post from my rkhunter output -- anything to be worried about?

----------

## platojones

*Hell-Razor wrote:*

> [00:03:33]   Checking system startup files for malware       [ Warning ]
> 
> [00:03:34] Warning: Found string 'hidef' in file '/etc/init.d/net.lo'. Possible rootkit: Possible part of Knark rootkit
> 
> that is a post from my rkhunter output -- anything to be worried about?

 

Yep...and I'm not even you.

----------

## platojones

Sorry, I shouldn't have been so flip in my last comment...yes, your box is 100% owned.  If you aren't taking NeddySeagoon's advice right now, you need to start.  rkhunter is confirming what you already know by now.  Unless you manually put 'hidef' in your net.lo file, then it doesn't get more explicit...

1)  Somebody sent you an email containing a directory listing from YOUR own filesystem.

2)  Only root can modify anything in /etc/init.d...and the word 'hidef' doesn't belong in net.lo unless you put it there yourself...if you don't remember doing that, then somebody else has root access to your computer.

So, follow Neddy's advice...at a bare minimum, you should have disconnected from the internet and started reformatting every drive on your box...followed by a re-install...and that goes for anything connected to this system.  You have been seriously compromised.  And don't re-connect to the internet until you have a reliable firewall installed.

----------

## Hell-Razor

```
   local hidefirstroute=false first=true
   local routes="$(_get_array "routes_${IFVAR}")"
   if [ "${IFACE}" = "lo" -o "${IFACE}" = "lo0" ]; then
      if [ "${config_0}" != "null" ]; then
         routes="127.0.0.0/8 via 127.0.0.1
${routes}"
         hidefirstroute=true
      fi
   fi
   local OIFS="${IFS}" SIFS=${IFS-y}
   local IFS="$__IFS"
   for cmd in ${routes}; do
      unset IFS
      if ${first}; then
         first=false
         einfo "Adding routes"
      fi
      eindent
      ebegin ${cmd}
      # Work out if we're a host or a net if not told
      case ${cmd} in
         -net" "*|-host" "*);;
         *" "netmask" "*)                   cmd="-net ${cmd}";;
         *.*.*.*/32*)                       cmd="-host ${cmd}";;
         *.*.*.*/*|0.0.0.0|0.0.0.0" "*)     cmd="-net ${cmd}";;
         default|default" "*)               cmd="-net ${cmd}";;
         *)                                 cmd="-host ${cmd}";;
      esac
      if ${hidefirstroute}; then
         _add_route ${cmd} >/dev/null 2>&1
         hidefirstroute=false
```

and second it wasn't an email - it was a letter from my isp...

those are all the "hidef" items -- seems to be hide first route

----------

## platojones

Did you put those there?

----------

## Hell-Razor

nope

----------

## Hell-Razor

anyway, what's the program that turns all of the data on your hds to 0 then back to 1 and whatnot? I need it now...

----------

## platojones

*Quote:*

> and second it wasnt an email - it was a letter from my isp... 

 

Well...let's back up here...first of all, even your ISP cannot get onto your machine, unless it is wide open.  And I don't know of any TOS that allows an ISP to break into your computer, for any reason.  Did that e-mail really contain a directory listing from your machine...or could it be something that you downloaded onto one of your ISP's servers?  If it is the latter, then your first post was not clear about it at all...you made this post because you thought you were hacked...why do you think you were?

----------

## platojones

*Quote:*

> nope

 

Ok, that answered the question.

```
[xxxxxxx:/etc/init.d]# grep hidef *
[xxxxxxx:/etc/init.d]#
```

that's what should have happened unless you put 'hidef' in your net.lo

The command you want to zero your disks is

```
dd if=/dev/zero of=/dev/hard drive
```

for every hard drive....do that for the disk your root partition is on last.

----------

## Hell-Razor

Cause I got an ls of some of the files that were both dled and on my machine, a letter saying stuff about illegal software -- as I know right now my router shows nothing and same with all the other suggestions. How could they get a partial ls of my /home/ files without fully being into my machine? whoever did it knew what they were doing and I think I need to spend the rest of the night working on reinstalling   :Crying or Very sad: 

There is something like an ls but not quite the same I don't know how else to explain it... it has my name my ip my account number on it (basically everything except my full cc number and ss number)...There is also a download history of some but not all files - anywhere from what I think are kernel patches for a gentoo kernel to a random named tar.gz file (I have no idea what it is)...

Does that make sense?

----------

## Hell-Razor

I know now though I need to go the hardened route and on top of that start using tor for EVERYTHING...

----------

## platojones

*Hell-Razor wrote:*

> Cause I got an ls of some of the files that were both dled and on my machine, a letter saying stuff about illegal software -- as I know right now my router shows nothing and same with all the other suggestions. How could they get a partial ls of my /home/ files without fully being into my machine? whoever did it knew what they were doing and I think I need to spend the rest of the night working on reinstalling  
> 
> There is something like an ls but not quite the same I don't know how else to explain it... it has my name my ip my account number on it (basically everything except my full cc number and ss number)...There is also a download history of some but not all files - anywhere from what I think are kernel patches for a gentoo kernel to a random named tar.gz file (I have no idea what it is)...
> 
> Does that make sense?

 

Ok...well...here's my advice.  1) Just disconnect from the internet ASAP.  2)  Call your ISP first thing tomorrow and ask 'What's Up!'...if you can't trust your ISP, then you are screwed no matter what...and if there is an issue about some downloads...better to confront them with it rather than wait for an e-mail from their lawyers.

About the net.lo...well, big ALARM THERE!  Personally, if rkhunter reported something like that on my system, I would 1) disconnect from the network immediately 2) Do as Neddy says and make a backup of the root partition for later forensic analysis.  3) Zero out every drive on my system and re-install.

But that's just me...this whole situation is very odd...does anyone else in your house have physical access to your machine...or root access to it?  If not, the hidef thing is a super-sized alarm bell for being an illegal break in.  And...if this happened to me, as you describe it...out of the blue...I would assume a blackmail or extortion scam by a hacker....

----------

## platojones

Oh...and to be fair...I'll just go ahead and ask this...this is a relatively up-to-date Gentoo system, no?  It's not like some 5 year old Gentoo install that has never been updated?  This isn't some other distro, or hybrid that was hacked together, right?  The reason I'm asking is that the net.lo you posted looks nothing like a current Gentoo net.lo...so if you are running Gentoo, then it has definitely been seriously altered...or way out of date.

----------

## platojones

Also, hopefully you aren't reading this now and have already started the remedial actions described...I wasn't pointing the finger at you, by any means..If your box was taken over (and it looks like it was), then the hacker is the one who has been the cause of all of this...he may be downloading and forwarding warez all over the world, using your box as an open relay for spam, etc, etc, and your ISP noticed it and sent you that letter...in fact, that makes perfect sense.  So yes, wipe your system and call and explain what happened to your ISP....and document that call...also, try and remember anything sensitive you may have on your system...have you used it for credit card transactions for online purchases, etc...if so, your browser has probably cached all of that information...and any passwords, credit card numbers, etc, you may have used for anything on the internet may be compromised.

----------

## lookitsme

*Quote:*

> The reason I'm asking is that the net.lo you posted looks nothing like a current Gentoo net.lo...so if you are running Gentoo, then it has definitely been seriously altered...or way out of date.

 

It looks the same as on my box... its provided by openrc-0.4.1.

----------

## mv

*lookitsme wrote:*

> It looks the same as on my box... its provided by openrc-0.4.1.

 

Yes, indeed: The posted passage is in openrc-0.4.1.tar.bz2 in the file init.d/net.lo.in. So it is completely normal and nothing to worry about. Just a false positive of rkhunter. However, you might want to open a new ticket on the openrc development page to inform Roy that his code triggers this problem: I am rather sure that he does not know yet.

----------

## Hell-Razor

well I'm on a new system (hooray) and yes it seems lookitsme is correct...I did use layman again and made a backup file of my net.lo this time to see if anything funky went on -- it was me I guess but oh well too late now.

I would like to thank everybody that helped -- It wasn't what I wanted to hear but hell it was something that had to be done.

For security measures -- iptables was recommended (going to install it now and take out my wifi router), and what about a proxy? I've always liked tor and used my machine for a forward in the past -- how hard is it for my **NEW** isp (yes they came about 20 minutes ago to install  :Wink:  ) to read my traffic if I torify all my somewhat sensitive data?

----------

## quag7

The problem with tor is it isn't supposed to be used for p2p traffic, and even if you did use it that way, it would be painfully slow, like sub-dialup slow.  Tor is a good idea but there needs to be more relays and more responsible usage.  I always groan whenever I have to turn it on.

Using a seedbox or cheap shell account is not a bad alternative.

But what this has to do with where the ducks go in the winter, I do not know  :Wink: 

----------

## kernelOfTruth

*subscribes*

a little paranoia doesn't hurt anyone   :Idea: 

try to harden your system (e.g. hardened use-flags, hardened toolchain, hardened kernel)

and ensure that you have a decent iptables-based firewall and a router with built-in firewall in front of your box
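As an added illustration of the "decent iptables-based firewall" GODhack and kernelOfTruth recommend (this is example code written for this page, not anything posted in the thread or shipped by Gentoo), here is a default-deny inbound ruleset in iptables-restore format. Generating the ruleset is kept separate from loading it, so it can be reviewed without root; the trusted SSH source network is an assumed parameter and the default exposes no inbound service at all, matching the OP's sshd-off setup.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny inbound iptables ruleset
# in iptables-restore format. fw_ruleset only prints text; fw_apply loads it.

fw_ruleset() {
    # usage: fw_ruleset [TRUSTED_SSH_CIDR]
    ssh_from=${1:-}
    # Policies: drop everything inbound/forwarded unless a rule allows it.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
    # Only NEW connections from the trusted network (assumed argument) may
    # reach sshd; with no argument nothing inbound is reachable.
    if [ -n "$ssh_from" ]; then
        printf '%s\n' "-A INPUT -p tcp -s $ssh_from --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    fi
    # Log what the policy drops, rate limited so a scan cannot flood syslog.
    printf '%s\n' '-A INPUT -m limit --limit 10/min -j LOG --log-prefix "fw-drop: " --log-level 4'
    printf 'COMMIT\n'
}

fw_rule_count() {
    # Number of -A rules in the generated ruleset (sanity check before loading).
    fw_ruleset "$@" | grep -c '^-A '
}

fw_apply() {
    # Loads the whole table atomically; needs root and the iptables userland.
    fw_ruleset "$@" | iptables-restore
}

# Stand-alone: print the ruleset for review without touching the kernel.
# Set FW_SSH_FROM=192.0.2.0/24 (constructed example network) to add the SSH rule.
fw_ruleset "${FW_SSH_FROM:-}"
```

Run `fw_ruleset` first and read the output; only once it looks right is `fw_apply` worth running, and then remember to persist the rules the way your init system expects, or they are gone at the next boot.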

----------

## NeddySeagoon

Perhaps it's worth tempering the paranoia by making it clear that security is like the layers of an onion.

They have to break each layer in turn.

The idea is to make it clear to an attacker that there are easier targets out there and they should try one of those instead.

----------

## kernelOfTruth

*NeddySeagoon wrote:*

> Perhaps it's worth tempering the paranoia by making it clear that security is like the layers of an onion.
> 
> They have to break each layer in turn.
> 
> The idea is to make it clear to an attacker that there are easier targets out there and they should try one of those instead.

 

exactly - it's like building up your digital fortress

some time ago I posted a link to a rather useful guide - I think you might find it useful, too:

https://forums.gentoo.org/viewtopic-t-647327-highlight-.html

----------

## defenderBG

*Hell-Razor wrote:*

> How could they get a partial ls of my /home/ files without fully being into my machine?

 

smb/ftp?

my security related knowledge is getting rusty... there were those programs, that would checksum every file and check every few hours if the checksum is still valid. pretty effective for /etc, /bin... etc what was their name?

----------

## merky1

I was thinking more along the lines of a P2P application being intercepted by the ISP.

----------

## defenderBG

most torrent clients nowadays have a cryptographic extension. you can force them to allow only encrypted transfer. for irc (xdcc is really good) I don't know if there is a way to encrypt the transfer.

----------

## cach0rr0

If I might make another suggestion

AIDE is your friend

if you use SSH (which it seems you don't, but), something like fail2ban or denyhosts is a must, as well as disabling keyboard-interactive auth

hardened install with very finely-tuned grsec policies is needed as well

I think everyone else has covered most of what I had. 

hrmm...trying to think of what else, my box was marginally compromised a while back, and as I was admittedly lazy before - such an occurrence changed me from flippant to paranoid. Spent a good 3 weeks researching before bringing my box back online.
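defenderBG asked above for the name of the programs that checksum every file and re-check them periodically, and cach0rr0 answers AIDE. To show what that class of tool actually does, here is an added example written for this page (not code from the thread, from AIDE or from Gentoo): a minimal baseline-and-compare checker in shell. It records hash, mode, owner and size for every file under a directory, then reports files that were added, removed or changed since the baseline. The constructed scenario also keeps an unmodified net.lo carrying the legitimate `hidefirstroute` string, which this kind of check does not flag, unlike the substring match that produced the thread's rkhunter false positive. Assumes GNU coreutils (`sha256sum`, `stat -c`) plus POSIX find, sort and awk.

```shell
#!/bin/sh
# Added example (not from the thread, AIDE or Gentoo): a minimal file-integrity
# baseline. Each regular file is recorded as  path sha256 mode uid size
# (tab separated); a later snapshot is compared against the stored baseline.
# Assumes GNU coreutils (sha256sum, stat -c) and POSIX find/sort/awk.

integrity_snapshot() {
    # usage: integrity_snapshot DIR  > db-file
    dir=$1
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a %u %s' "$f" | tr ' ' '\t')   # mode, uid, size
        printf '%s\t%s\t%s\n' "$f" "$sum" "$meta"
    done
}

integrity_compare() {
    # usage: integrity_compare BASELINE_DB CURRENT_DB
    # Prints one "ADDED|REMOVED|CHANGED<TAB>path" line per difference;
    # returns 1 if anything differs, 0 if the tree still matches the baseline.
    out=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$1] = $2 FS $3 FS $4 FS $5; next }
                            { cur[$1]  = $2 FS $3 FS $4 FS $5 }
        END {
            for (p in base) if (!(p in cur)) print "REMOVED\t" p
            for (p in cur) {
                if (!(p in base))           print "ADDED\t" p
                else if (cur[p] != base[p]) print "CHANGED\t" p
            }
        }' "$1" "$2" | LC_ALL=C sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

integrity_demo() {
    # Constructed scenario: a tiny fake init.d tree is baselined, then one
    # script gets an unexpected edit and a new script appears. net.lo keeps
    # the legitimate 'hidefirstroute' string unchanged and must NOT be
    # reported: the comparison is hash-based, not a substring search.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/init.d"
    printf '   local hidefirstroute=false first=true\n' > "$tmp/init.d/net.lo"
    printf '#!/bin/sh\ncommand=/usr/sbin/sshd\n' > "$tmp/init.d/sshd"
    integrity_snapshot "$tmp/init.d" > "$tmp/baseline.db"

    printf '# constructed, unexpected edit\n' >> "$tmp/init.d/sshd"
    printf '#!/bin/sh\n' > "$tmp/init.d/unexpected"
    integrity_snapshot "$tmp/init.d" > "$tmp/current.db"

    integrity_compare "$tmp/baseline.db" "$tmp/current.db" || :   # print report, ignore rc
    rm -rf "$tmp"
}

# Stand-alone run: shows ADDED .../unexpected and CHANGED .../sshd, nothing for net.lo.
integrity_demo
```

The part a checker like this cannot give you is a trustworthy place to keep the baseline: if the database and the checker live on the same box that gets rooted, both can be rewritten, which is why AIDE users keep the database read-only or off-host and, as cach0rr0 did, run the comparison from a live medium whose kernel they still trust.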

----------

## NeddySeagoon

cach0rr0,

Marginally compromised ?

That's like being a little bit pregnant.

----------

## cach0rr0

*NeddySeagoon wrote:*

> cach0rr0,
> 
> Marginally compromised ?
> 
> That's like being a little bit pregnant.

 

ha...true enough

basically, someone had managed to upload a file (index.html) into DocumentRoot on one of my vhosts (I blame wordpress)

Which of course took precedence over index.php, so I couldn't figure out why on earth my site wouldn't show - then found that

In theory damage should have been mitigated to that one vhost

It wasn't entirely clear to me when the upload occurred, so rather than trust I'd fixed the problem....I just backed up, blew everything away, and actually put in the effort to do things right the second time around.

I say "marginally" because to this day I'm still fairly confident the extent of damage was that one vhost - but as visits to that site were so infrequent, and I rotate logs daily, I didn't have heaps of data to use to confirm - and of course, no AIDE, so I couldn't see what else might have been tinkered with. I would say I overreacted were sec not something I take exceptionally seriously

EDIT: I'm also still fairly convinced, given that it's wordpress, it was classic SQL injection with dumpfile used to chunk the rogue index.html into DocumentRoot. Everything else being fairly sanely configured, I probably could have just scrapped that vhost and its DB, and its DB user, and been fairly safe - but I ain't trustin' it. Being hacked makes you feel far too violated - cue the innuendo

----------

## NeddySeagoon

cach0rr0,

You backed up after the compromise?

You could have saved and restored a rootkit.

----------

## madumlao

http://roy.marples.name/projects/openrc/browser/trunk/init.d/net.lo.in?rev=1384

darn it! you guys had me worried.

----------

## cach0rr0

*NeddySeagoon wrote:*

> cach0rr0,
> 
> You backed up after the compromise?
> 
> You could have saved and restored a rootkit.

 

Selectively backed up. 

Didn't back up the entire fs, just a few choice bits of media (/video and /music, specifically) and what have you - the backup was done booted into a LiveUSB env, as at that point I (understandably) no longer trusted my kernel.

Booted to LiveUSB, copied choice bits off to external drive, wiped the system, rebuilt system (this time hardened sources/profile/etc), mounted /external, copied a few pieces over. NB chkrootkit/rkhunter all came up clean running from liveusb env

Not too worried about that part....by that point I was actually paying attention - the compromise and resultant necessary "overreaction" was purely a result of my own lazy behaviour. Had I done things right the first time, I'd have been able to see just how far they'd gotten, and known whether or not a wipe was necessary. 

It was really a "come to jesus" moment. 

As well a number of friends pointing, laughing, and making me realize the error of my apathetic ways

*Quote:*

> (14:52:03) strerror: check your aide logs, you do have aide installed and running RIGHT?
> 
> (14:52:12) meat: nope ;x
> ...
 

----------

