Thursday, January 13, 2005


I awoke early this morning, after a late return from the Bay Area, to catch a concall that I was supposed to listen in on. Trying to keep awake through the impossibly boring European techno-babble, I wandered into my den to fire up my boxens and get a jump on email for the day. As I entered the room, I was welcomed by the steady glow of my Apple AirPort (the wireless router that connects my house to the Internet) indicator lights. All three were steadily lit. Sitting down, I thought about this for a second: why would all the traffic lights on my router be lit if none of my computers were on?

Getting a bad feeling in the pit of my stomach, I booted my Shuttle to take a look. Maybe someone had pierced the WPA encryption on my wireless link -- I have left the AirPort configured to advertise its SSID, as this really simplifies network config and troubleshooting. Logging into my AirPort admin program, I found that no one was using the wireless -- I didn't have anyone registered for DHCP, nor any client MAC addresses. So someone might have figured out the WPA password, but I doubt they could also have faked the configs. Then I remembered: I had recently restarted my old Linux server in preparation for upgrading its hard drive. Uh-oh.

Logging into the server brought instant and curious results: a quick who command said that both Brian and I were logged in. This wasn't impossible (Brian has a login to the machine that I gave him a year or two ago), but what was telling was that Brian appeared to be logged in from somewhere in the .ro domain -- Romania. Knowing that Brian hasn't been out of Columbus, Ohio in years (except on his visits here), I was suspicious. Not taking any chances, I employed standard operating procedure for a compromised machine -- I pulled the power cord.

After I had located the KNOPPIX CD that Brian had given me, I went to work finding out how my Romanian friend had gotten in. After mounting the home and root partitions, I checked the logs. /var/log/messages didn't really have anything of use, but /var/log/secure definitely did -- I had a rash of unsuccessful ssh logins (mostly for daemon accounts), all starting about 5 AM this morning. Apparently, my Romanian friend was using a dictionary attack to find poorly password-protected accounts. And he had found one -- I think Brian's account password was "brian" when I set it up. Now that I had found out how he had gotten in, I went about surveying the damage. A quick find command (looking for files modified in the past day) turned up some new directories and files in the /tmp directory. Going into the directory, I found a standard toolkit of dictionary attack tools and IRC bot binaries. This is almost identical to the write-up in this Honeypot break-in. It looks like I was dealing with a script kiddie -- he hadn't erased his tracks nor started to compromise other machines on my network. In fact, I don't think he even got root access on the server. However, it really is impossible to know for certain, since pulling the plug on the server destroyed some of the evidence in the log files.
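The two checks above (spotting the password-guessing run in /var/log/secure and listing files touched in the last day) are easy to script so they can be rerun on the mounted partitions. The following is an added example and not code from the original post: it assumes the sshd log format of a Linux box of that era, the sample log lines and the 203.0.113.7 address are constructed for the example, and the /tmp tree is a throwaway directory built inside the script.

```python
"""Triage helpers for the two checks in the write-up: spotting an ssh
dictionary attack in /var/log/secure and listing recently modified files.
Example code added here; not from the original post."""
import os
import re
import tempfile
import time
from collections import Counter, defaultdict

# Constructed sample of the sshd lines a 2005-era Linux box wrote to
# /var/log/secure. The address is from the RFC 5737 documentation range and
# the host and user names are made up.
SAMPLE_SECURE_LOG = """\
Jan 13 05:01:12 shuttle sshd[2103]: Failed password for illegal user test from 203.0.113.7 port 4011 ssh2
Jan 13 05:01:14 shuttle sshd[2105]: Failed password for illegal user guest from 203.0.113.7 port 4012 ssh2
Jan 13 05:01:17 shuttle sshd[2107]: Failed password for illegal user admin from 203.0.113.7 port 4013 ssh2
Jan 13 05:01:20 shuttle sshd[2109]: Failed password for daemon from 203.0.113.7 port 4014 ssh2
Jan 13 05:01:23 shuttle sshd[2111]: Failed password for bin from 203.0.113.7 port 4015 ssh2
Jan 13 05:01:26 shuttle sshd[2113]: Failed password for brian from 203.0.113.7 port 4016 ssh2
Jan 13 05:01:29 shuttle sshd[2115]: Accepted password for brian from 203.0.113.7 port 4017 ssh2
Jan 13 07:42:03 shuttle sshd[2301]: Accepted publickey for tom from 192.168.1.10 port 50121 ssh2
"""

# Matches both "Failed password for illegal user X" and "Accepted publickey for X".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:illegal user |invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_sshd_line(line):
    """Return a dict for a login-attempt line, or None for anything else."""
    m = SSHD_RE.search(line)
    return m.groupdict() if m else None


def find_dictionary_attacks(log_text, threshold=5):
    """Group attempts by source address. A source with at least `threshold`
    failures is treated as a password-guessing run; any account it then
    logged into successfully is reported as likely compromised."""
    failures = Counter()
    failed_users = defaultdict(set)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
            failed_users[ev["src"]].add(ev["user"])
        else:
            successes[ev["src"]].append(ev["user"])
    report = {}
    for src, n in failures.items():
        if n >= threshold:
            report[src] = {
                "failed_attempts": n,
                "accounts_tried": sorted(failed_users[src]),
                "logged_in_as": sorted(set(successes[src])),
            }
    return report


def recently_modified(root, max_age_seconds=86400):
    """Equivalent of `find ROOT -mtime -1`: entries under root whose mtime is
    within the window, as sorted paths relative to root."""
    cutoff = time.time() - max_age_seconds
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                if os.lstat(full).st_mtime >= cutoff:
                    hits.append(os.path.relpath(full, root))
            except OSError:
                pass  # entry vanished or is unreadable; skip it
    return sorted(hits)


def demo_recent_files():
    """Build a throwaway /tmp-like tree: one stale file and one freshly
    dropped directory, then run the recent-files check over it."""
    root = tempfile.mkdtemp()
    stale = os.path.join(root, "old.txt")
    open(stale, "w").close()
    three_days_ago = time.time() - 3 * 86400
    os.utime(stale, (three_days_ago, three_days_ago))  # age it out of the window
    fresh_dir = os.path.join(root, ".hidden")
    os.mkdir(fresh_dir)
    open(os.path.join(fresh_dir, "scan"), "w").close()
    return recently_modified(root)


if __name__ == "__main__":
    for src, info in find_dictionary_attacks(SAMPLE_SECURE_LOG).items():
        print(src, info)
    print(demo_recent_files())
```

Run against the real file with `find_dictionary_attacks(open("/mnt/root/var/log/secure").read())` and `recently_modified("/mnt/root/tmp")` once the partitions are mounted from the rescue CD; the threshold is deliberately low because a home server normally sees no failed logins at all.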

Long story short, I am now in the process of completely reinstalling the machine. Unfortunately, it only has 64 MB of RAM, so I think my choices are kinda limited -- maybe some cut-down Linux distro will work.
