Linode Forum
Linode Community Forums
PostPosted: Mon Aug 14, 2006 4:05 pm 
Senior Member

Joined: Tue Mar 09, 2004 3:52 am
Posts: 106
Hi there.

I have a linode that I allow a friend to use to host his webpages. He has a limited user account, and is restricted to his home directory, but he also needed console access, which he has (had) through ssh.

Apparently, he changed his default password from a very difficult one to one that matches his username... yes, silly. My mistake for not putting a policy in to prevent him from doing this.

Somehow, by probing random accounts, is my guess, someone was able to login, and on the 5th attempt, happened to try the username password combo, and immediately began sending out phishing emails from this user's mail account (thousands of them) using php. Thank you .bash_history.

I have disabled the account and locked out the phisher, and noticed in their scripts that they left behind that they are wgetting files from a particular domain to help with this phishing (i.e. they log in, wget the tarball, unpack it and type php 'file.php' from the unpacked directories). My question is this:

Who should I report this to? The registrar for the domain name that is hosting the files?

Any help is appreciated.

Paul


PostPosted: Mon Aug 14, 2006 5:00 pm 
Senior Member

Joined: Mon Sep 08, 2003 4:49 pm
Posts: 62
Location: Bucharest
pmmenneg wrote:
Who should I report this to? The registrar for the domain name that is hosting the files?


There is very little that the registrar can do other than revoke the domain, and I'm sure they'll require a pretty high standard of proof before they do that. No, the correct place to report this is with the FBI, for the break-in, and the FTC, who will be very interested in the phishing. They will pursue the case with much greater resources than you have at your own personal disposal. Be prepared to turn over various logs, including stuff from /var/log and the .bash_history of that shell account.

Also, dude.... passwords? That is so 20th century.


 Post subject: Cool
PostPosted: Mon Aug 14, 2006 5:55 pm 
Senior Member

Joined: Tue Mar 09, 2004 3:52 am
Posts: 106
Thanks for the info, I will pursue this, but wonder what good it will do. I have copies of my logs, the bash history, etc., so that should help.

Yeah, passwords are a little outdated... got a solution for a joe six-pack type user (my buddy)? Getting him to use SSH was like getting blood from a stone. Certificate based authentication seems to be beyond his grasp; any other suggestions?


PostPosted: Mon Aug 14, 2006 8:18 pm 
Senior Member

Joined: Fri Aug 15, 2003 2:15 pm
Posts: 111
Website: http://fubegra.net/
The only thing I can suggest is, give him an SSH key, tell him how to use it, and tell him, "Use it or you don't get access."

I know this is harsh, but, if he isn't willing to learn, he isn't worthy to use your system.

But, when you use ssh-agent on *ix, or Pageant on Windows, an SSH key is (IMO) easier to use than password authentication - and a hell of a lot more secure (provided that the key itself is passphrase-protected, of course).

_________________
Bus error (passengers dumped)


PostPosted: Mon Aug 14, 2006 8:47 pm 
Senior Newbie

Joined: Tue Aug 01, 2006 12:16 am
Posts: 6
I have had exactly the same compromise on one of my linodes - the account and password used were both random alphanumeric strings, and the logs indicate that they were not brute forced.

pmmenneg - I take it the tarball in your case was disguised as a jpeg and created a directory called '. ' in the user's home directory?

I have restricted access to ssh to a few trusted IP addresses - but am a little concerned as to how the account was compromised. Out of curiosity, which linode host was your system on?
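The two defensive measures raised in the last two replies (key-only SSH logins, and restricting who may log in and from where) are both sshd_config settings. The following POSIX shell script is an added example written for this page, not code from the thread or from Linode: it audits an sshd_config text for those settings and shows a weak sample beside a hardened one. Both config texts are constructed; the account names and the 198.51.100.* host pattern in AllowUsers are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config text for the settings
# that close the two holes discussed above (password logins at all, and logins
# from anywhere by any local account). The config texts are constructed samples.

# Print the effective value of one directive from a config read on stdin.
# sshd honours the FIRST occurrence of a directive, so only that one is printed;
# directive names are case-insensitive, comment and blank lines are skipped.
sshd_directive() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }'
}

# Read a config on stdin; print one line per finding, or "ok" if it passes.
audit_sshd_config() {
    cfg=$(cat)
    problems=""
    v=$(printf '%s\n' "$cfg" | sshd_directive PasswordAuthentication)
    [ "$v" = "no" ] || problems="${problems}PasswordAuthentication must be no (found: ${v:-unset, sshd default yes})
"
    # keyboard-interactive (PAM) is a second road to the same password; close it too
    v=$(printf '%s\n' "$cfg" | sshd_directive ChallengeResponseAuthentication)
    [ "$v" = "no" ] || problems="${problems}ChallengeResponseAuthentication must be no (found: ${v:-unset, sshd default yes})
"
    v=$(printf '%s\n' "$cfg" | sshd_directive PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || problems="${problems}PubkeyAuthentication must be yes (found: $v)
"
    v=$(printf '%s\n' "$cfg" | sshd_directive AllowUsers)
    [ -n "$v" ] || problems="${problems}AllowUsers is unset: every local account with a shell may log in from anywhere
"
    if [ -z "$problems" ]; then echo ok; else printf '%s' "$problems"; fi
}

WEAK_CFG='# constructed sample: the stock settings that let a guessed password in
Port 22
Protocol 2
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes'

HARDENED_CFG='# constructed sample: key-only logins, and only for named accounts
Port 22
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# placeholder names and pattern: the friend may only connect from one address range
AllowUsers paul friend@198.51.100.*'

# Usage: run the audit over both samples (on a real box: audit_sshd_config < /etc/ssh/sshd_config).
printf '== weak ==\n';     printf '%s\n' "$WEAK_CFG"     | audit_sshd_config
printf '== hardened ==\n'; printf '%s\n' "$HARDENED_CFG" | audit_sshd_config
```

The AllowUsers line is what makes the "trusted addresses only" restriction per account rather than per server: the owner keeps normal access while the friend's key only works from his own range. A packet filter in front of port 22 is a reasonable second layer, but it does not replace turning password authentication off, since a guessed password from a permitted address still gets in.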


PostPosted: Tue Aug 15, 2006 6:25 pm 
Senior Member

Joined: Tue Mar 09, 2004 3:52 am
Posts: 106
Miraz wrote:
I have had exactly the same compromise on one of my linodes - the account and password used were both random alphanumeric strings, and the logs indicate that they were not brute forced.

pmmenneg - I take it the tarball in your case was disguised as a jpeg and created a directory called '. ' in the user's home directory?

I have restricted access to ssh to a few trusted IP addresses - but am a little concerned as to how the account was compromised. Out of curiosity, which linode host was your system on?


Yes, it is curious to be sure. My setup was not brute-forced, although the password being equal to the username is an easy target. But I have NO idea how the attacker even knew that the username existed on the server, as the user has never sent an email using it, etc.

Yes, a hidden directory was created with .' ' on my user home dir (according to the bash_history), but I can't seem to find the directory anywhere (it looks like it was deleted, unless I am just doing something wrong in trying to 'cd' into it).

The tarball was not even disguised as a .jpg, just a .tar.gz.

I am on host18. Something smells fishy about this. How on earth could they have figured out your user/pass combo without a brute-force?


PostPosted: Tue Aug 15, 2006 7:46 pm 
Senior Newbie

Joined: Wed Mar 02, 2005 12:02 am
Posts: 13
Miraz,

Do you have phpBB running anywhere on your Linode? That sounds suspiciously like the kind of compromise that I've seen result from older versions of phpBB with security issues.

_________________
IntuiWORX - Intuitive, Innovative Software Development
http://www.intuiworx.com


PostPosted: Wed Aug 16, 2006 7:47 pm 
Senior Newbie

Joined: Tue Aug 01, 2006 12:16 am
Posts: 6
You need to use the quotes to reference that directory; try:
Code:
find / -name '. '

or
Code:
cd '. '
from within the user's home directory.

I do have phpBB - but it is a current install and is running chrooted, so I thought it was probably unlikely to be the problem.
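The quoting point above generalises: any hidden directory whose name contains whitespace is invisible to a casual `ls` and silently ignored by an unquoted `cd`. The following POSIX shell script is an added example written for this page (not code from the thread or from Linode) that finds every such directory under a given tree and prints each name inside brackets so a trailing space is visible. The home directory it searches is a constructed throwaway tree, not a real account.

```shell
#!/bin/sh
# Added example, not from the thread: find hidden directories whose names contain
# whitespace (the attacker's '. ' is the classic case) and print them with
# brackets so a trailing space is visible. The home directory built below is a
# constructed throwaway tree, not a real account.

# List every directory under $1 whose basename starts with '.' and contains a
# space or a tab, one per line, wrapped in [ ] so the whitespace shows.
find_odd_hidden_dirs() {
    tab=$(printf '\t')
    find "$1" -type d -name '.*' \( -name '* *' -o -name "*${tab}*" \) \
        -exec printf '[%s]\n' {} \; 2>/dev/null
}

# Just the number of such directories (handy for a periodic check over /home).
count_odd_hidden_dirs() {
    find_odd_hidden_dirs "$1" | wc -l | tr -d ' '
}

# Build a constructed sample home directory: two suspicious names, two normal ones.
make_demo_home() {
    d=$(mktemp -d)
    mkdir -p "$d/. /unpacked" "$d/..  " "$d/.ssh" "$d/public_html"
    printf '%s\n' "$d"
}

# Usage. An unquoted "cd . " stays where it is, which is why the reply above
# quotes the name; the same quoting applies to ls, tar and rm.
home=$(make_demo_home)
find_odd_hidden_dirs "$home"
printf 'suspicious directories: %s\n' "$(count_odd_hidden_dirs "$home")"
cd "$home/. " && printf 'now inside: [%s]\n' "$(pwd)"
cd / && rm -rf "$home"
```

Run the finder against /home (or the whole filesystem, as the reply suggests) rather than a single account when cleaning up, since the same tarball may have been unpacked under more than one user.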


PostPosted: Sun Sep 17, 2006 1:00 pm 
Senior Member

Joined: Thu Apr 08, 2004 3:24 pm
Posts: 92
ICQ: 3765104
Website: http://www.unixfool.com
Yahoo Messenger: wigglit2001@yahoo.com
Location: VA
There are two things that we do at my workplace (I work for a very large MSSP):

Alert US CERT
Alert ISP

Now, we provide security for several government customers and any crack attempts require notification to US CERT. And also, since some of our government customers have clout, they can request takedown notices to ISPs (usually regarding phishing incidents).

I suggest trying and not worrying so much about whether they'll do anything. I'd much rather make the effort in sending some type of notification, as you never know how they'll respond.

The last time I noticed suspicious activity, it was a DOD computer that was hammering my border router with spam. I alerted them but never got a response, but did notice that the activity stopped.

inkblot wrote:

There is very little that the registrar can do other than revoke the domain, and I'm sure they'll require a pretty high standard of proof before they do that. No, the correct place to report this is with the FBI, for the break-in, and the FTC, who will be very interested in the phishing. They will persue the case much greater resources than you have at your own personal disposal. Be prepared to turn over various logs, including stuff from /var/log and the .bash_history of that shell account.

Also, dude.... passwords? That is so 20th century.


PostPosted: Wed Sep 20, 2006 4:27 pm 
Junior Member

Joined: Sun May 01, 2005 1:23 am
Posts: 31
Website: http://www.taupehat.com
Yahoo Messenger: pleasesendspamtothisaddess
http://www.castlecops.com/pirt

Pretty handy link to get the ball rolling when this happens.

