LinHES Forums
http://forums.linhes.org/

Knoppmyth box compromised.
http://forums.linhes.org/viewtopic.php?f=5&t=17616

Author:  goofee [ Sat Jan 12, 2008 4:38 pm ]
Post subject:  Knoppmyth box compromised.

Ok I was warned and I deserve all the “I told you so’s” that I get.

I normally had ports 22, 80, 8001 forwarded to my mythbox so I could schedule, tinker, and stream at work. I wanted to stream the Canada - US world junior hockey game only to discover that I couldn’t connect. Tried changing every setting I could but couldn’t connect from outside my firewall. I even dropped the firewall for a bit and couldn’t connect. I finally called my ISP and they said they got an email from irc.undernet.org saying they thought I was running an energymech bot so my ISP blocked all my ports. While he was on the phone I unplugged my mythbox from the network and he said the activity disappeared.

I’m hoping someone here can help me get rid of this as I really have no idea where to start. They said the activity was on 6660 – 7000.

Thanks in advance for any suggestions. I will take security risks more seriously now.

Warren.

Author:  Too Many Secrets [ Sat Jan 12, 2008 4:51 pm ]
Post subject: 

First off, quite sorry for your situation. This is quite sobering for me as well, as I enjoy using my box from afar too.

I can't give you much, but I'd want to do a clean install to make sure nothing stuck around... Maybe you can save your recordings?

Author:  mihanson [ Sat Jan 12, 2008 6:10 pm ]
Post subject: 

As far as "cleaning up", I think your best bet is to "upgrade" to the same version of KM that you are running. That way, you can be sure anything that was maliciously installed is gone, as the process of upgrading will reformat your root partition.

After doing that, why not tunnel over SSH with an encryption key? It's much safer than using simple password authentication.

http://www.knoppmythwiki.org/index.php?page=AccessMythWebSecurelyWithSSHandPuTTY

http://www.knoppmythwiki.org/index.php?page=RemoteAccessfromWindows
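As an added example (not from the thread or from the KnoppMyth wiki pages linked above), the following script shows the sshd_config directives that key-only access depends on: it flags the permissive settings in a constructed config excerpt and emits the key-only equivalent. The config text, the user name mythtv and the host name in the usage note are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the KnoppMyth wiki): check an
# sshd_config for the settings that leave a forwarded port 22 open to
# password guessing, and produce the key-only equivalent.

# Constructed sshd_config excerpt in the permissive state a stock
# install may ship with (assumption, not a real KnoppMyth config).
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# Read sshd_config on stdin; print one line per weak or missing directive.
check_sshd_config() {
    awk '
        $1 == "PasswordAuthentication" && $2 == "yes" { print "password logins allowed (open to guessing)" }
        $1 == "PermitRootLogin"        && $2 == "yes" { print "direct root login allowed" }
        $1 == "PubkeyAuthentication"                  { pubkey = 1 }
        END { if (!pubkey) print "PubkeyAuthentication not set explicitly" }'
}

# Read sshd_config on stdin; rewrite the weak directives in place and make
# sure key authentication is explicitly enabled. Other lines pass through.
# Only switch PasswordAuthentication off after the public key is installed
# in ~/.ssh/authorized_keys and a key login has been tested in a second
# session, or the box locks you out too.
harden_sshd_config() {
    awk '
        $1 == "PasswordAuthentication" { $2 = "no" }
        $1 == "PermitRootLogin"        { $2 = "no" }
        $1 == "PubkeyAuthentication"   { $2 = "yes"; seen = 1 }
        { print }
        END { if (!seen) print "PubkeyAuthentication yes" }'
}

# Wrappers over the constructed sample so each result is a named function.
weak_findings()     { printf '%s\n' "$WEAK_SSHD_CONFIG" | check_sshd_config; }
hardened_config()   { printf '%s\n' "$WEAK_SSHD_CONFIG" | harden_sshd_config; }
hardened_findings() { hardened_config | check_sshd_config; }

echo "Findings in the permissive config:"; weak_findings
echo; echo "Hardened config:"; hardened_config
echo; echo "Findings after hardening (none expected):"; hardened_findings
```

With key-only logins in place, a local forward such as `ssh -N -L 8080:localhost:80 mythtv@home.example.org` (host name assumed) makes Mythweb reachable at http://localhost:8080/ through the tunnel, so ports 80 and 8001 no longer need to be forwarded at the router; in PuTTY the same forward lives under Connection > SSH > Tunnels. The key pair itself comes from `ssh-keygen` on the client.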

Author:  mjl [ Sat Jan 12, 2008 8:39 pm ]
Post subject: 

Hi,

Before you do the upgrade, and while you can put your hands on the system (off the network), I suggest you review the /var/log area. Maybe start with auth.log to see who they logged in as. It may give an insight as to what was occurring without your knowledge.

I would not do a backup as "things" could be hidden and you could just restore issues. Check the passwd file to see if they added their own user account (might give a date stamp of the last modification).

It could be important to know exactly when you were hacked as if it was after a backup, then an upgrade may just restore some of the original issues. If the date of your backup is 1 Jan 08 and the "entry" was 31 Dec 07 .......

Also I would send tjc a pm and ask for some words of wisdom for some forensics.

Mike
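The first-look triage described in the post above, as an added example that is not part of the thread or of KnoppMyth: it runs over constructed auth.log and passwd samples embedded in the script rather than a real box (on a live system the inputs would be /var/log/auth.log and /etc/passwd), pulls out successful logins, failed attempts per source address, accounts added while the box was exposed, any extra UID 0 account, and files changed after a reference time such as the last backup. All host names, addresses, account names and timestamps in the samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from KnoppMyth): first-look triage
# over constructed sample data instead of a live system.

# Constructed auth.log lines in the syslog format sshd and useradd used in
# 2008. The addresses are documentation ranges, not real hosts.
SAMPLE_AUTH_LOG='Jan 10 03:12:44 mythbox sshd[4122]: Failed password for root from 203.0.113.45 port 50210 ssh2
Jan 10 03:12:47 mythbox sshd[4122]: Failed password for root from 203.0.113.45 port 50210 ssh2
Jan 10 03:13:02 mythbox sshd[4130]: Accepted password for mythtv from 203.0.113.45 port 50233 ssh2
Jan 10 03:15:10 mythbox useradd[4150]: new user: name=backup2, UID=0, GID=0, home=/tmp/.x, shell=/bin/bash
Jan 11 09:00:01 mythbox sshd[5001]: Accepted publickey for mythtv from 192.168.1.20 port 41002 ssh2'

# Constructed /etc/passwd excerpt with one extra UID 0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
mythtv:x:1000:1000:MythTV:/home/mythtv:/bin/bash
backup2:x:0:0::/tmp/.x:/bin/bash'

# "Who logged in as whom, from where": one "user ip" pair per successful login.
accepted_logins() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" |
        awk '/sshd\[[0-9]+\]: Accepted/ { print $9, $11 }'
}

# Failed password attempts per source address, most frequent first.
failed_by_ip() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" |
        awk '/sshd\[[0-9]+\]: Failed password/ { n[$11]++ }
             END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Accounts created on the box, with their UID (UID=0 means a second root).
accounts_added() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" |
        awk '/useradd\[[0-9]+\]: new user:/ {
                 sub(/.*name=/, ""); split($0, f, ", "); print f[1], f[2] }'
}

# Any UID 0 account other than root in a passwd file read on stdin.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}
check_sample_passwd() { printf '%s\n' "$SAMPLE_PASSWD" | extra_root_accounts; }

# Files changed after a reference file's timestamp. With the backup archive as
# the reference this lists what changed since the backup; with a file touched
# to the time of the first bad login it lists what may have been altered since
# the entry, which tells you whether a backup taken later is worth trusting.
files_newer_than() {   # $1 = reference file, $2 = directory to search
    find "$2" -type f -newer "$1"
}
demo_newer() {
    d=$(mktemp -d)
    touch -t 200801010000 "$d/backup.tar"   # constructed: backup taken 1 Jan 08
    touch -t 200712310000 "$d/old.conf"     # untouched since before the backup
    touch -t 200801050000 "$d/.rc.hidden"   # changed after the backup
    files_newer_than "$d/backup.tar" "$d" | sed "s|^$d/||"
    rm -rf "$d"
}

echo "Successful logins (user source):"; accepted_logins
echo "Failed attempts by source:";       failed_by_ip
echo "Accounts added:";                  accounts_added
echo "Extra UID 0 accounts:";            check_sample_passwd
echo "Files newer than the backup:";     demo_newer
```

On a real box, feed the functions with `cat /var/log/auth.log` and `cat /etc/passwd` instead of the embedded samples, and run them from a rescue boot or with the network cable pulled, as mjl says, since the log could be trimmed by whoever has root. Logs rotated to auth.log.1 and auth.log.*.gz cover the earlier dates.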

Author:  Greg Frost [ Sat Jan 12, 2008 10:41 pm ]
Post subject: 

Be aware that a backup/restore will leave all of the contents of the root and mythtv home directory. If they have compromised stuff in there you would be best off just installing from scratch.

Author:  tjc [ Sun Jan 13, 2008 12:15 pm ]
Post subject: 

You can strip the backup down to only include the information about your recordings and settings so you don't lose all of your media files. See the Taking advantage of the enhanced backup and restore scripts thread among others for discussions on how to do this. The password file is not normally restored, so that shouldn't be a risk, but anything in the directories Greg mentions is.

Author:  goofee [ Sun Jan 13, 2008 11:56 pm ]
Post subject: 

Thanks guys. I figured the upgrade route would be the most absolute repair. I wasn't sure what all was copied with the backup or what could be tainted. I'll probably just keep the recording database and some customized config files. Going to have to take the plunge soon as I'm running out of guide data with it offline.

mihanson - I had seen those posts but thought it more convenient to be able to access it from any pc with an internet connection without adding extra software. I will be setting it up this time.

Author:  techman83 [ Mon Jan 14, 2008 7:45 pm ]
Post subject: 

PuTTY is your friend, small to download and doesn't require installing. Once you know how to use it you can download it and be logged into Mythweb in a matter of minutes.

I figure the minor inconvenience is better than spending hours trying to undo the damage caused by this.

I'm sure there is a portable SSH app you could set up on a thumb drive though!

Author:  goofee [ Sat Jan 26, 2008 11:09 am ]
Post subject: 

Well we're back online again. I backed up only the recording database and lirc files, then started from scratch. I've set up the SSH tunneling and it wasn't as bad as expected. It adds an extra step to viewing Mythweb remotely but... it's far more convenient than redoing my box again. The thing I'm wondering is how much I can send through the tunnel. Can I stream video through it as well, or would it add too much overhead to be useful?
Thanks.

Author:  techman83 [ Tue Feb 12, 2008 8:22 pm ]
Post subject: 

I have streamed through SSH; from my experience, the overhead isn't too bad.

All times are UTC - 6 hours