Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice

[Paul Hartman <paul.hartman+gentoo@gmail.com>]

On Mon, Aug 9, 2010 at 2:09 PM, Mick <michaelkintzios@gmail.com> wrote:
> On Monday 09 August 2010 17:25:56 Paul Hartman wrote:
>> My user account has sudo-without-password rights to any command.
>
> Ouch!
>

Having still not physically touched the machine yet, I don't know if
sudo had anything to do with it at all at this point. But I'll assume
for a moment that its use was perhaps involved...

> There have been discussions on this list why sudo is a bad idea and sudo on
> *any* command is an even worse idea. You might as well be running everything
> as root, right?

Essentially. I did not think it through from an internally-defensive
standpoint. I only thought of sudo as "I am deciding whether to run
this command as user or as root". Assuming *I* would be the only one
running a program on my computer. My thinking was clearly flawed
there... The idea of an attacker being in my system didn't really
enter my mind. Or an untrusted program shelling out and running "sudo
some-bad-stuff" without my knowing. Every sudo command is logged,
sure, but as Bill pointed out that only works for as long as it takes
someone to sudo himself into a root shell (or delete the logs). I
don't really audit the sudo logs regularly because of the stupid
assumption that I was the only one running any sudo commands.

> You have decided wisely to reinstall because you can't be sure of this OS
> anymore.

I'm most concerned about learning how this happened because I don't
want to reinstall everything only to be compromised again, and with
the hope that perhaps any info I find can help others avoid finding
themselves in this same situation. If I'm only going to re-create the
exact same set-up, I don't know if I can be sure of it then even after
reinstalling...

> Please keep us updated on what you find from the forensic analysis.

Sudo was one of the first things that popped into my head. sshd is
really the only service open to the outside. Some other ports are open
for specific apps, like bittorrent traffic, which is what I was
monitoring when I noticed the suspicious activity -- and I was
downloading a Linux ISO, I swear. My original plans for tonight were
to install Sabayon on an old laptop that is becoming unmanageable from
a Gentoo standpoint due to infrequent use and days-long update
sessions. I'll put that little project on hold for now...

My sshd setup is pubkey only, no root logins, and I use denyhosts to
block after 3 failed logins, and it syncs its blocklist from the
denyhosts master server many times a day. I use NX Server, but not
with the default key, and I don't think there have been any (publicly
disclosed) remotely-exploitable opensshd vulnerabilities that would
allow an attacker direct entry into a system. I haven't noticed
anything out of place on my system, no unusual files or missing items.
I take infrequent peeks at my ssh logs, w/who/last and network traffic
(as I did today when I discovered it), but I am not religious about
reading every log. Life has been quite busy lately and I haven't had
as much time to dedicate to that sort of stuff.  I has been more like
log on, check my email, pay my bills, log off.

So, from that outside-entry standpoint I was certainly lulled into a
false sense of security about my system. My root account has a very
long and complicated password, and my user account was surely
"impenetrable" since I was using pubkey-only SSH logins, right...  I
have encrypted partitions, but they are mounted when the system is up
and running, so they are really pointless against an "online"
attack...

Typing that long password into sudo every time I ran a command was a
hassle, and clearly I thought myself too intelligent to ever run a
malicious piece of code on my own computer. I mean, that's the kind of
thing I would never do. I'm careful. I usually look at things before I
run them, scan them with clamscan (not that I run outside
scripts/binaries very often at all). Right? And what if a
seemingly-safe program decided to download and run malware on its own?
What if there was a vulnerability that was exploited before it was
discovered & patched by the community (and my Gentoo update cycle)?
What if there was a rogue Firefox add-on stealing passwords or running
shell scripts? That would probably never happen, surely someone else
would have noticed it and put a stop to it before it got to me, or I
would have read a warning about it in the tech news someplace. Yeah,
I'm being a bit sarcastic here. ;)

I do hope I can find some evidence that leads me to the point of
entry. It would set my mind at ease.