Subject: Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Paul Hartman
To: gentoo-user@lists.gentoo.org
Date: Mon, 9 Aug 2010 18:07:15 -0500

On Mon, Aug 9, 2010 at 2:09 PM, Mick wrote:
> On Monday 09 August 2010 17:25:56 Paul Hartman wrote:
>> My user account has sudo-without-password rights to any command.
>
> Ouch!
>

Having still not physically touched the machine yet, I don't know if sudo had anything to do with it at all at this point. But I'll assume for a moment that its use was perhaps involved...

> There have been discussions on this list why sudo is a bad idea and sudo on
> *any* command is an even worse idea. You might as well be running everything
> as root, right?

Essentially. I did not think it through from an internally-defensive standpoint. I only thought of sudo as "I am deciding whether to run this command as user or as root". Assuming *I* would be the only one running a program on my computer. My thinking was clearly flawed there... The idea of an attacker being in my system didn't really enter my mind. Or an untrusted program shelling out and running "sudo some-bad-stuff" without my knowing.

Every sudo command is logged, sure, but as Bill pointed out that only works for as long as it takes someone to sudo himself into a root shell (or delete the logs). I don't really audit the sudo logs regularly because of the stupid assumption that I was the only one running any sudo commands.

> You have decided wisely to reinstall because you can't be sure of this OS
> anymore.
I'm most concerned about learning how this happened because I don't want to reinstall everything only to be compromised again, and with the hope that perhaps any info I find can help others avoid finding themselves in this same situation. If I'm only going to re-create the exact same set-up, I don't know if I can be sure of it then even after reinstalling...

> Please keep us updated on what you find from the forensic analysis.

Sudo was one of the first things that popped into my head. sshd is really the only service open to the outside. Some other ports are open for specific apps, like bittorrent traffic, which is what I was monitoring when I noticed the suspicious activity -- and I was downloading a Linux ISO, I swear.

My original plans for tonight were to install Sabayon on an old laptop that is becoming unmanageable from a Gentoo standpoint due to infrequent use and days-long update sessions. I'll put that little project on hold for now...

My sshd setup is pubkey only, no root logins, and I use denyhosts to block after 3 failed logins, and it syncs its blocklist from the denyhosts master server many times a day. I use NX Server, but not with the default key, and I don't think there have been any (publicly disclosed) remotely-exploitable opensshd vulnerabilities that would allow an attacker direct entry into a system.

I haven't noticed anything out of place on my system, no unusual files or missing items. I take infrequent peeks at my ssh logs, w/who/last and network traffic (as I did today when I discovered it), but I am not religious about reading every log. Life has been quite busy lately and I haven't had as much time to dedicate to that sort of stuff. It has been more like log on, check my email, pay my bills, log off.

So, from that outside-entry standpoint I was certainly lulled into a false sense of security about my system.
My root account has a very long and complicated password, and my user account was surely "impenetrable" since I was using pubkey-only SSH logins, right... I have encrypted partitions, but they are mounted when the system is up and running, so they are really pointless against an "online" attack...

Typing that long password into sudo every time I ran a command was a hassle, and clearly I thought myself too intelligent to ever run a malicious piece of code on my own computer. I mean, that's the kind of thing I would never do. I'm careful. I usually look at things before I run them, scan them with clamscan (not that I run outside scripts/binaries very often at all). Right?

And what if a seemingly-safe program decided to download and run malware on its own? What if there was a vulnerability that was exploited before it was discovered & patched by the community (and my Gentoo update cycle)? What if there was a rogue Firefox add-on stealing passwords or running shell scripts? That would probably never happen, surely someone else would have noticed it and put a stop to it before it got to me, or I would have read a warning about it in the tech news someplace. Yeah, I'm being a bit sarcastic here. ;)

I do hope I can find some evidence that leads me to the point of entry. It would set my mind at ease.
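As an added example (not part of Paul's message or anything on the list), a small POSIX shell audit for the two configuration points the thread turns on: a sudoers rule that grants NOPASSWD on ALL commands (root-equivalent), and an sshd_config that refuses root logins and password authentication. The sudoers and sshd_config text and the function names are constructed here for illustration.

```shell
#!/bin/sh
# Added audit helper. SUDOERS_SAMPLE and SSHD_SAMPLE are constructed inputs,
# not the configuration from the message; on a real host pass the file contents.

SUDOERS_SAMPLE=$(cat <<'EOF'
# weak: any command without a password is equivalent to a root shell
paul ALL=(ALL) NOPASSWD: ALL
# tighter: password required, and passwordless rights only for one command
%wheel ALL=(ALL) ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
)

SSHD_SAMPLE=$(cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
)

# Print every uncommented sudoers rule granting NOPASSWD on ALL commands.
# $1: sudoers contents. Prints nothing when no such rule exists.
sudoers_passwordless_all() {
    printf '%s\n' "$1" | grep -E '^[^#]*NOPASSWD:[[:space:]]*ALL([[:space:]]|$)' || true
}

# Return 0 when sshd_config explicitly sets PermitRootLogin no and
# PasswordAuthentication no (pubkey only); an absent key counts as unverified (1).
# $1: sshd_config contents. Keywords are matched case-insensitively, as sshd does.
sshd_pubkey_only() {
    printf '%s\n' "$1" | grep -qiE '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' || return 1
    printf '%s\n' "$1" | grep -qiE '^[[:space:]]*PasswordAuthentication[[:space:]]+no([[:space:]]|$)' || return 1
}

# Stand-alone run over the constructed samples.
weak=$(sudoers_passwordless_all "$SUDOERS_SAMPLE")
if [ -n "$weak" ]; then
    printf 'root-equivalent sudo rule(s):\n%s\n' "$weak"
fi
if sshd_pubkey_only "$SSHD_SAMPLE"; then
    echo "sshd: root login and password auth disabled"
else
    echo "sshd: root login or password auth not explicitly disabled"
fi
```

Note that sshd applies the first value it reads for a keyword and may override it inside Match blocks, so treat the check as a quick screen rather than a full parse.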