Has my Linux server been compromised? How do I tell? [duplicate]

Running (X)Ubuntu 10.04.2 LTS behind a router.

I just received an email from my root account on that machine, with the following subject:

*** SECURITY information for <hostname>:

The message body contained this warning:

<hostname> : jun 1 22:15:17 : <username> : 3 incorrect password attempts ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh /tmp/tmpPHBmTO

I can see no /tmp/tmpPHBmTO file, though there is a file named /tmp/tmpwoSrWW with a timestamp dating from 2011-06-01 22:14, so just before the mentioned date/time. It's a binary file, and the content doesn't look familiar to me. Also, that file only has -rw------- permissions.

As I read it, this means that someone (or something) has (had) access to my machine. Apparently not root access (yet), but still, enough to write files to my /tmp directory at the very least.

Does someone have any pointers as to where I could look for more information: who could have done this, and how they could have done this?

My router is configured to allow access to forward traffic for SSH, HTTP (nginx acting as reverse proxy for one of several other services), SMTP, POP (postfix) and IMAP (dovecot), and also port 51413 (Transmission).


Solution 1:

I realize it's been two years since the original question was asked, but in case somebody else comes here through Google like me: I saw that behavior caused by a Dropbox daemon running with a non-root account on a server which didn't run any X server. I managed to copy the files before they were deleted. For some reason the daemon wants to reset permissions on its data directory (never mind that it wouldn't even have needed root to do that) and kill some process. I can only speculate as to why, maybe it did some kind of auto update and tried to reload itself or something like that.

The file /tmp/tmpe1AGcd contains:

#!/bin/bash
sudo -K
zenity --entry --title="Dropbox" --text="Dropbox needs your permission to save settings to your computer.

Type your Linux password to allow Dropbox to make changes." --entry-text "" --hide-text | sudo -S /bin/sh /tmp/tmpAH5mxL
if [ "$?" != 0 ]; then
zenity --error --text="Sorry, wrong password"
exit 1
fi

Since the machine is running headless and the binary "zenity" isn't even installed, sudo receives empty password attempts and fails when trying to execute /tmp/tmpAH5mxL, containing:

#!/bin/bash
chown -R 1000 "/home/<username>/.dropbox"
chmod -R u+rwX "/home/<username>/.dropbox"
kill -s USR2 5364

The resulting message I got was the same you did:

<hostname> : Jul  4 16:32:24 : <username>: 3 incorrect password attempts ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh /tmp/tmpAH5mxL
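The two alert lines above share a tell-tale shape: TTY=unknown (no terminal, so a daemon or script called sudo) and a COMMAND that runs an interpreter on a throwaway file under /tmp. As an added example, not part of either answer, the following Python parses sudo's alert line into its fields and labels each one so that an unattended sudo from a temp-dir script stands out from an ordinary mistyped password at a terminal. The host and user names and the third, interactive line are constructed sample data; the field layout is taken from the messages on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the body of sudo's "incorrect password attempts" alert in the layout
# shown in both messages above:
#   host : date : user : N incorrect password attempts ; TTY=... ; PWD=... ; USER=... ; COMMAND=...
# (some sudo versions print "user :" with a space, others "user:"; both are accepted)
SUDO_ALERT = re.compile(
    r"^(?P<host>\S+) : (?P<when>.+?) : (?P<user>\S+?)\s?: "
    r"(?P<attempts>\d+) incorrect password attempts ; "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<command>.+)$"
)

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class SudoAlert:
    host: str
    when: str
    user: str
    attempts: int
    tty: str
    pwd: str
    target: str
    command: str


def parse_sudo_alert(line: str) -> Optional[SudoAlert]:
    """Split one alert line into fields; None if the line is not a sudo alert."""
    m = SUDO_ALERT.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    return SudoAlert(f["host"], f["when"], f["user"], int(f["attempts"]),
                     f["tty"], f["pwd"], f["target"], f["command"])


def classify(alert: SudoAlert) -> str:
    """Label the alert by what its fields say about how sudo was invoked."""
    if alert.tty != "unknown":
        return "interactive"  # someone at a terminal mistyped a password
    # TTY=unknown means no terminal: a daemon, cron job or script called sudo.
    tokens = alert.command.split()
    if any(t.startswith(TEMP_DIRS) for t in tokens):
        # The pattern from Solution 1: sudo -S fed an empty password while
        # running a throwaway script under /tmp. Identify the parent process
        # (Dropbox in that case) before concluding it was an intruder.
        return "unattended-temp-script"
    return "unattended"


# Constructed sample input, modelled on the two alert lines on this page plus
# one ordinary interactive mistake and one unrelated line.
SAMPLE_ALERTS = [
    "srv1 : jun 1 22:15:17 : alice : 3 incorrect password attempts ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh /tmp/tmpPHBmTO",
    "srv1 : Jul  4 16:32:24 : alice: 3 incorrect password attempts ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh /tmp/tmpAH5mxL",
    "srv1 : Jul  5 09:01:02 : bob : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update",
    "not an alert line",
]


def triage(lines):
    """Return (alert, label) for every line that parses as a sudo alert."""
    out = []
    for line in lines:
        alert = parse_sudo_alert(line)
        if alert is not None:
            out.append((alert, classify(alert)))
    return out


if __name__ == "__main__":
    for alert, label in triage(SAMPLE_ALERTS):
        print(f"{label:24} {alert.when:16} {alert.user:8} -> {alert.command}")
```

Feed it the bodies of the sudo mails or the matching lines from /var/log/auth.log; for an "unattended-temp-script" hit the next step is the one Solution 1 took, copying the /tmp script before it is deleted and finding which process created it, since the script itself tells you whether a legitimate daemon or something else is behind it.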

Solution 2:

If you have SSH opened to the Internet you WILL see hack attempts where script kiddies will try to crack that password.

Possible mitigation steps:

  • Do not allow root login via SSH (su after login if needed)
  • Have a VERY strong password (think passphrase - 10 or more characters)
  • Use key authentication for SSH and turn off password auth
  • Install fail2ban to block login attempts after n login attempts
  • Move ssh off of the default port (as recommended by @voithos)

Note: if your machine is already compromised, none of the above will help.
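The SSH items in that list map onto a handful of sshd_config directives. As an added example, not part of the answer, here is a small Python audit of an sshd_config that flags the settings behind them. The two config fragments are constructed; the checks reflect OpenSSH's documented behaviour, including two details that trip people up: sshd keeps the first value it sees for a keyword (a hardening line appended at the end of the file is ignored if the keyword already appeared), and with UsePAM enabled, ChallengeResponseAuthentication left on still lets PAM prompt for a password after PasswordAuthentication has been turned off.

```python
import re
from typing import Dict, List

# Two constructed sshd_config fragments: a password-based setup that attracts
# guessing, and one that follows the list above.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective top-level directives, keyed by lower-cased keyword.

    sshd uses the FIRST value it sees for a keyword and ignores later
    duplicates. Parsing stops at the first Match block, whose values only
    apply conditionally."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def audit_sshd_config(text: str) -> List[str]:
    """One finding string per weak setting; an empty list means all checks passed.
    Fallback values are OpenSSH's documented defaults for absent options."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    root = cfg.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin is not set; the default depends on the OpenSSH version, so set it to 'no' explicitly")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin is '{root}'; set it to 'no' and use su/sudo after logging in as an unprivileged user")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is on; use key authentication and set it to 'no'")
    if cfg.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication is on; with UsePAM this still lets PAM prompt for a password even when PasswordAuthentication is off")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is off; key logins will be refused")
    if cfg.get("port", "22") == "22":
        findings.append("sshd listens on port 22; moving it cuts log noise from scanners but is not a security control by itself")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"[{name}]")
        for finding in audit_sshd_config(text) or ["no findings"]:
            print("  -", finding)
```

Run it against the contents of /etc/ssh/sshd_config and restart sshd only after confirming key login works from a second session, so a typo does not lock you out. The fail2ban item from the list is a separate service and is not covered by this audit.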