My Yunohost hacked / Yunohost piratée

[FR]

Hello,

My favourite independent ISP, where I host my machine, has just informed me that my YunoHost instance has been hacked and is sending spam galore.

I only have official YunoHost apps installed.

2 quick questions:

  • what to do in such cases? (I've already changed the administrator password … but then what?)
  • are the YunoHost devs interested in investigating the causes of the hack? Could it be useful for strengthening the security of the distribution?

Thanks :slight_smile:

[EN]

Hi there,

My independent ISP, where I placed my YunoHost server, just informed me my machine has been hacked and is now sending quite a lot of spam.

I only have official YunoHost apps installed.

2 questions:

  • what should I do? (I’ve changed my admin password … but then?)
  • Are YunoHost devs interested in checking what has happened? Would it be somehow useful to strengthen the distrib's security?

Cheers

If you have a WordPress or a Joomla, it could come from there.

Is your YunoHost up to date?

And your apps?

You can watch your mail log in case it's postfix that sends these mails:

tail -f /var/log/mail.log

If you see mail not sent by you, you can stop postfix temporarily:

service postfix stop

If you don't see any strange email:

Hello,

Thanks for your reply!

I guess I have to log in via ssh to send the command? Is it safe to log in via ssh? (can it compromise my private key somehow?)

No, I think your private key is safe.

@K-nar

It happened to one of the servers I know because a very easy-to-hack account had been created, like username: test and password: test123. Check that no such simple account is present. The logs would tell which account is sending the mails, or whether the whole server has been hacked.


@ljf

tail -f /var/log/mail.log

Indeed, I've run the command 3 times and got 3 different pieces of info coming up (with ****.ru or *****.br references).
What exactly does this info mean: "connect from gw-kompanija-sibirq-razvitie.ll-nsk.zsttk.ru[80.89.128.150]"?
Somebody from that IP connected to my server?

@kanhu

very simple to hack account was created

Yep, good point, I might have insecure passwords in my basic user list. How can I check my users' passwords?

The logs would tell which account is sending the mails

What is the log you refer to? How can I access it?

Thanks for your help! :slight_smile:

OK, for the different logs --> YunoHost troubleshooting guide

You have to look at the recent From fields in the logs to catch the culprits. A better way is to check the message queue.

find /var/spool/postfix/deferred -type f | wc -l

If there are any then check them.

mailq

OK,

a few interesting things I’ve seen, but don’t really know how to understand them:

fail2ban.log
PLENTY OF entries

Example 1 :

2018-06-20 23:49:11,488 fail2ban.filter [23371]: WARNING Determined IP using DNS Lookup:
131.108.164-245.netwaytelecon.com.br = ['131.108.164.245']
2018-06-20 23:49:17,837 fail2ban.actions[23371]: WARNING [ssh] Unban 58.218.198.141
2018-06-20 23:50:09,900 fail2ban.actions[23371]: WARNING [ssh] Ban 58.218.198.141

Plenty of other like this one in the file …

Example 2 :

2018-06-21 16:00:48,383 fail2ban.actions[23371]: WARNING [ssh] Unban 182.100.67.237
2018-06-21 16:01:47,452 fail2ban.actions[23371]: WARNING [ssh] Ban 182.100.67.237
2018-06-21 16:11:48,096 fail2ban.actions[23371]: WARNING [ssh] Unban 182.100.67.237
2018-06-21 16:15:28,333 fail2ban.actions[23371]: WARNING [ssh] Ban 182.100.67.237
2018-06-21 16:20:07,635 fail2ban.actions[23371]: WARNING [ssh] Ban 42.7.26.49
2018-06-21 16:25:28,981 fail2ban.actions[23371]: WARNING [ssh] Unban 182.100.67.237
2018-06-21 16:26:18,041 fail2ban.actions[23371]: WARNING [ssh] Ban 182.100.67.237
2018-06-21 16:30:08,297 fail2ban.actions[23371]: WARNING [ssh] Unban 42.7.26.49
2018-06-21 16:36:18,691 fail2ban.actions[23371]: WARNING [ssh] Unban 182.100.67.237
2018-06-21 16:38:09,817 fail2ban.actions[23371]: WARNING [ssh] Ban 182.100.67.237
2018-06-21 16:45:10,882 fail2ban.filter [23371]: WARNING Determined IP using DNS Lookup: ip-132-148-27-109.ip.secureserver.net = ['132.148.27.109']
2018-06-21 16:48:10,461 fail2ban.actions[23371]: WARNING [ssh] Unban 182.100.67.237
2018-06-21 16:50:30,617 fail2ban.actions[23371]: WARNING [ssh] Ban 182.100.67.237
2018-06-21 16:51:16,850 fail2ban.filter [23371]: WARNING Determined IP using DNS Lookup: c-73-202-176-149.hsd1.ca.comcast.net = ['73.202.176.149']
2018-06-21 17:00:31,251 fail2ban.actions[23371]: WARNING [ssh] Unban 182.100.67.237  

Anything I should worry about here? (especially the 'unban' entries?)

/var/spool/postfix/deferred

find /var/spool/postfix/deferred -type f | wc -l

Results : 0

mail.log

tail -f /var/log/mail.log

Jun 21 17:24:38 ME postfix/anvil[28034]: statistics: max connection count 1 for (smtp:80.89.128.150) at Jun 21 17:16:10
Jun 21 17:24:38 ME postfix/anvil[28034]: statistics: max cache size 1 at Jun 21 17:16:10
Jun 21 17:26:34 ME postfix/smtpd[29022]: connect from unknown[185.221.172.140]
Jun 21 17:26:34 ME rmilter[590]: <2d144c57e5>; accepted connection from my.server.me; client: 185.221.172.140:53548 ([185.221.172.140])
Jun 21 17:26:34 ME postfix/smtpd[29022]: disconnect from unknown[185.221.172.140]
Jun 21 17:27:39 ME postfix/master[1564]: terminating on signal 15
Jun 21 18:05:32 ME postfix/master[32603]: daemon started -- version 2.11.3, configuration /etc/postfix
Jun 21 18:05:40 ME postfix/smtpd[32606]: connect from unknown[103.215.211.106]
Jun 21 18:05:40 ME rmilter[590]: ; accepted connection from my.server.me; client: 103.215.211.106:55047 ([103.215.211.106])
Jun 21 18:05:41 ME postfix/smtpd[32606]: disconnect from unknown[103.215.211.106]

[a few minutes later]

Jun 21 18:13:54 ME postfix/anvil[32745]: statistics: max connection count 1 for (smtp:190.128.227.82) at Jun 21 18:10:33
Jun 21 18:13:54 ME postfix/anvil[32745]: statistics: max cache size 1 at Jun 21 18:10:33
Jun 21 18:15:39 ME postfix/smtpd[386]: warning: hostname 122-147-191-200.static.sparqnet.net does not resolve to address 122.147.191.200: Name or service not known
Jun 21 18:15:39 ME postfix/smtpd[386]: connect from unknown[122.147.191.200]
Jun 21 18:15:39 ME rmilter[590]: <94da952094>; accepted connection from my.server.me client: 122.147.191.200:54640 ([122.147.191.200])
Jun 21 18:15:40 ME postfix/smtpd[386]: disconnect from unknown[122.147.191.200]
Jun 21 18:18:16 ME postfix/smtpd[433]: connect from unknown[185.234.217.38]
Jun 21 18:18:16 ME rmilter[590]: <370bfefe51>; accepted connection from my.server.me; client: 185.234.217.38:63354 ([185.234.217.38])
Jun 21 18:18:16 ME postfix/smtpd[433]: lost connection after AUTH from unknown[185.234.217.38]
Jun 21 18:18:16 ME postfix/smtpd[433]: disconnect from unknown[185.234.217.38]

It does seem to be resolved … right?
I've run "service postfix stop" again.

Any idea on how to identify the user that has been hacked (user/root/ssh)?

Thanks,
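To make the log excerpts above easier to read, here is a small Python summarizer, added as an example and not code from the thread or from YunoHost. It counts fail2ban Ban/Unban events per jail and IP, counts SMTP "connect from" lines and "lost connection after AUTH" failures per client IP, and extracts the sasl_username from Postfix submission lines, which is the field that tells you which mailbox account authenticated to send a message. The fail2ban and mail.log lines are copied from the post above; the final "client=... sasl_username=alice" line is constructed (Postfix does log sasl_username on authenticated submissions, but the account name and queue id here are made up). To use it on a real server, feed it the contents of /var/log/fail2ban.log and /var/log/mail.log instead of the embedded samples.

```python
import re
from collections import defaultdict

# Lines copied from the fail2ban.log excerpt posted in this thread.
FAIL2BAN_LINES = """\
2018-06-21 16:00:48,383 fail2ban.actions[23371]: WARNING [ssh] Unban 182.100.67.237
2018-06-21 16:01:47,452 fail2ban.actions[23371]: WARNING [ssh] Ban 182.100.67.237
2018-06-21 16:20:07,635 fail2ban.actions[23371]: WARNING [ssh] Ban 42.7.26.49
2018-06-21 16:26:18,041 fail2ban.actions[23371]: WARNING [ssh] Ban 182.100.67.237
2018-06-21 16:30:08,297 fail2ban.actions[23371]: WARNING [ssh] Unban 42.7.26.49
2018-06-21 16:45:10,882 fail2ban.filter [23371]: WARNING Determined IP using DNS Lookup: ip-132-148-27-109.ip.secureserver.net = ['132.148.27.109']
""".splitlines()

# Lines copied from the mail.log excerpt in this thread, plus one CONSTRUCTED
# submission line of the kind Postfix writes when a mailbox account logs in
# over SMTP AUTH (queue id and the account name "alice" are made up).
MAIL_LINES = """\
Jun 21 17:26:34 ME postfix/smtpd[29022]: connect from unknown[185.221.172.140]
Jun 21 17:26:34 ME postfix/smtpd[29022]: disconnect from unknown[185.221.172.140]
Jun 21 18:05:40 ME postfix/smtpd[32606]: connect from unknown[103.215.211.106]
Jun 21 18:15:39 ME postfix/smtpd[386]: connect from unknown[122.147.191.200]
Jun 21 18:18:16 ME postfix/smtpd[433]: connect from unknown[185.234.217.38]
Jun 21 18:18:16 ME postfix/smtpd[433]: lost connection after AUTH from unknown[185.234.217.38]
Jun 21 18:18:16 ME postfix/smtpd[433]: disconnect from unknown[185.234.217.38]
Jun 21 18:20:01 ME postfix/smtpd[440]: A1B2C3D4E5: client=unknown[185.234.217.38], sasl_method=LOGIN, sasl_username=alice
""".splitlines()

# fail2ban.actions lines: "[jail] Ban <ip>" / "[jail] Unban <ip>"
F2B_RE = re.compile(
    r"fail2ban\.actions\s*\[\d+\]: \w+ \[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)")
# An inbound SMTP session opened by a remote host (this is what the
# "connect from" question above refers to: a TCP connection to port 25).
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
# A client that tried SMTP AUTH and dropped the connection (typical of password guessing).
AUTH_FAIL_RE = re.compile(r"lost connection after AUTH from \S+\[(?P<ip>[^\]]+)\]")
# An authenticated submission: sasl_username is the mailbox account that was used.
SASL_RE = re.compile(r"client=\S+\[(?P<ip>[^\]]+)\].*sasl_username=(?P<user>\S+)")


def summarize_fail2ban(lines):
    """Return {(jail, ip): {"Ban": n, "Unban": n}} for every fail2ban action line."""
    counts = defaultdict(lambda: {"Ban": 0, "Unban": 0})
    for line in lines:
        m = F2B_RE.search(line)
        if m:
            counts[(m["jail"], m["ip"])][m["action"]] += 1
    return dict(counts)


def summarize_smtp(lines):
    """Summarize a mail.log excerpt: connections per IP, AUTH failures per IP,
    and which mailbox accounts authenticated from which IPs."""
    connects = defaultdict(int)
    auth_failures = defaultdict(int)
    senders = defaultdict(set)
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            connects[m["ip"]] += 1
            continue
        m = AUTH_FAIL_RE.search(line)
        if m:
            auth_failures[m["ip"]] += 1
            continue
        m = SASL_RE.search(line)
        if m:
            senders[m["user"]].add(m["ip"])
    return {
        "connects": dict(connects),
        "auth_failures": dict(auth_failures),
        # An account that sends from many unfamiliar IPs is the one to reset first.
        "senders": {user: sorted(ips) for user, ips in senders.items()},
    }


if __name__ == "__main__":
    for (jail, ip), c in sorted(summarize_fail2ban(FAIL2BAN_LINES).items()):
        print(f"{jail:6} {ip:16} bans={c['Ban']} unbans={c['Unban']}")
    summary = summarize_smtp(MAIL_LINES)
    for ip, n in sorted(summary["connects"].items()):
        print(f"connect  {ip:16} sessions={n} auth_failures={summary['auth_failures'].get(ip, 0)}")
    for user, ips in summary["senders"].items():
        print(f"account {user!r} submitted mail from: {', '.join(ips)}")
```

Reading the output against the thread's question: a "connect from" line only means a remote host opened an SMTP session (mail servers see these constantly, most from scanners), and a Ban followed later by an Unban is fail2ban's normal expiry of a temporary ban, not a sign of success. The line that actually identifies a compromised account is the submission line carrying sasl_username, so that is the field to grep for once postfix is running again.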

Keep a close eye on the logs. They can be tampered with, but there may still be traces.
Install pflogsumm to get daily postfix reports.

@K-nar which kinds of apps do you have?
Did you have accounts with weak passwords?

I do think I had weak account(s). I've changed every user's password. Should be better now.

If I run service postfix start, what would you recommend checking to make sure my server is not sending spam anymore?
What exactly should I monitor?

Also, is there any command to check the last users successful authentications?

Installed app:

  • Jirafeau
  • Kanboard
  • Nextcloud
  • OpenSondage
  • RoundCube
  • Transmission
  • TTRSS
  • Wordpress

You should regularly watch the content of /var/log/mail.log

To follow authentication, you can check: /var/log/auth.log /var/log/btmp /var/log/fail2ban.log

Take care to regularly update WordPress; some attacks on WordPress can send mail without postfix, as described in this post:
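The question earlier in the thread about checking the last successful authentications can be answered from /var/log/auth.log (the `last` and `lastb` commands read the binary wtmp and btmp files that ljf mentions). Here is an added Python example, not code from the thread or from YunoHost, that parses sshd "Accepted"/"Failed" lines and flags the pattern kanhu described: a successful password login from an IP that had just been failing passwords, which is what a guessed weak account looks like in the log. The auth.log lines are constructed samples; the IPs reuse addresses seen in the fail2ban excerpt above, and the user names and ports are made up.

```python
import re
from collections import defaultdict

# CONSTRUCTED auth.log sample: a few guesses from one IP, then a success for
# the weak "test" account from the same IP, plus a normal key-based admin login.
AUTH_LINES = """\
Jun 21 18:40:12 ME sshd[1201]: Failed password for invalid user oracle from 58.218.198.141 port 40212 ssh2
Jun 21 18:40:15 ME sshd[1201]: Failed password for test from 58.218.198.141 port 40213 ssh2
Jun 21 18:41:02 ME sshd[1207]: Accepted password for test from 58.218.198.141 port 40220 ssh2
Jun 21 19:02:44 ME sshd[1230]: Accepted publickey for admin from 192.0.2.10 port 51000 ssh2
Jun 21 19:05:00 ME sshd[1235]: Failed password for admin from 182.100.67.237 port 33001 ssh2
""".splitlines()

# sshd logs "Accepted <method> for <user> from <ip> port <n>" on success and
# "Failed <method> for [invalid user] <user> from <ip> port <n>" on failure.
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_ssh_auth(lines):
    """Return the sshd auth events in log order as a list of dicts."""
    events = []
    for line in lines:
        m = SSH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def successful_logins(lines):
    """Who logged in, from where, and how: the 'last successful auths' question."""
    return [(e["user"], e["ip"], e["method"])
            for e in parse_ssh_auth(lines) if e["result"] == "Accepted"]


def logins_after_failures(lines, min_failures=1):
    """Flag (user, ip, failures_before) for every successful login from an IP
    that had already failed at least min_failures times in this log."""
    failures = defaultdict(int)
    flagged = []
    for e in parse_ssh_auth(lines):
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= min_failures:
            flagged.append((e["user"], e["ip"], failures[e["ip"]]))
    return flagged


if __name__ == "__main__":
    for user, ip, method in successful_logins(AUTH_LINES):
        print(f"login  {user:8} from {ip:16} via {method}")
    for user, ip, n in logins_after_failures(AUTH_LINES):
        print(f"SUSPECT {user!r} logged in from {ip} after {n} failed attempt(s) from that IP")
```

On a live system, replace AUTH_LINES with the contents of /var/log/auth.log (and its rotated copies, since the break-in may predate the spam). A flagged account is the one to disable or reset first; a key-based login from an address you recognise, like the admin entry in the sample, is the expected baseline.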