Ubuntu LAMP cracked :(

pigdog's picture

Hi All,

I help administer a Turnkey Ubuntu LAMP applicance, installed as a virtual machine,  and it has been cracked.   The intruder gained access via keyboard interactive ssh.  The passwords were fairly complex.  I'm guessing he compromised ssh somehow  so that he did not need a password.  I've disabled the account name used in the attack  (and all others). 

These daemons were running:  oidentd and eggdrop (might have been eggdrop2).  These I killed in a hurry before trying to gather info.  There was also an ftp daemon that I killed.  There is no baseline of checksums after the initial install and subsequent scheduled updates (AFAIK),  but the md5sum of /usr/sbin/sshd  matches one published md5sum that I've seen, so I think it is clean.

Here is a truncated list of what was logged by the package manager at the time of the breach:

  install make <none> 3.81-7ubuntu1
  install binutils <none> 2.20.1-3ubuntu7.1
  install libgomp1 <none> 4.4.3-4ubuntu5.1
  install gcc-4.4 <none> 4.4.3-4ubuntu5.1
  install gcc <none> 4:4.4.3-1ubuntu1
  update-alternatives: run with --quiet --install /usr/bin/cc cc /usr/bin/gcc 20 --slave /usr/share/man/man1/cc.1.gz cc.1.gz /usr/share/man/man1/gcc.1.gz
  update-alternatives: run with --quiet --install /usr/bin/c89 c89 /usr/bin/c89-gcc 20 --slave /usr/share/man/man1/c89.1.gz c89.1.gz /usr/share/man/man1/c89-gcc.1.gz
  update-alternatives: run with --quiet --install /usr/bin/c99 c99 /usr/bin/c99-gcc 20 --slave /usr/share/man/man1/c99.1.gz c99.1.gz /usr/share/man/man1/c99-gcc.1.gz
  install oidentd <none> 2.0.8-3
  install ftp <none> 0.17-19build1
  update-alternatives: run with --install /usr/bin/ftp ftp /usr/bin/netkit-ftp 100 --slave /usr/share/man/man1/ftp.1.gz ftp.1.gz /usr/share/man/man1/netkit-ftp.1.gz

Does anything jump out at you in the above list that would not be included in Turnkey's LAMP appliance?  Should I remove everything with apt-get?  I've already rm'd netkit-ftp, odident, and ftp.  tcl was also installed, but i did not remove it.  I'm afraid removing tcl might break something on the appliance.

Is there a published baseline of md5sums for the components in TurnkeyLinux appliances?  Any advice on how to proceed would be appreciated. 


Jeremy Davis's picture

Perhaps it's just paranoia from my days of Win admin but I never completely trust a system that has been breached.

So I'd be looking to migrate your data to a new server. If you have a recent backup (eg TKLBAM prior to breach) I'd restore that to a brand new clean appliance. If you don't have that, then you could try doing a TKLBAM backup and just restore the data (files and database - I'd exclude any packages).

Something you could look into to increase security is using keyfile SSH logins and disable passwords (you'll need to do a little searching on config because I don't recall OTTOMH).

Post new comment