Hacker?

MrYoshii · 29. Mai 2015

Guten Abend
Habe heute bemerkt das der smbd Prozess ca 8% CPU load macht und der Switch blinkt auch also nas und Router nun stellt sich mir die frage was wo hin kopiert wird habe alle PCs gecheckt nichts wird kopiert
Windowsfreigaben sind Passwort geschürzt..

Bitte um Hilfe

MfG

good Evening
Today I noticed that the smbd process approximately 8 % CPU load and therefore makes the switch flashes NAS and router now makes me wonder what go where copies have all PCs checked nothing is copied
Windows releases are pursed password ..

Please help

(google translator)

Enra · 30. Mai 2015

I would install tcpdump on the NAS and have a look at the network traffic.

MrYoshii · 30. Mai 2015

58.218.205.69.51249 das sieht verdächtig aus oder?

58.218.205.69.51249 that looks suspiciously like it?

Enra · 30. Mai 2015

Not if you share files with your chinese girlfried.
You exposed your smb ports to the Internet???
No good idea.

MrYoshii · 30. Mai 2015

i have no open ports
and i have no chines gf

Code

Gamer-PC.local.58971: Flags [P.], seq 8676144:8676288, ack 44033, win 460, length 144
00:59:14.541315
 IP HomeServer.local.ssh > 221.229.166.205.32791: Flags [P.], seq 
40:968, ack 16, win 227, options [nop,nop,TS val 24171650 ecr 79667221],
 length 928
00:59:14.579150 IP HomeServer.local.ssh > 
221.229.166.205.32791: Flags [.], ack 664, win 237, options [nop,nop,TS 
val 24171660 ecr 79667221], length 0
00:59:15.094589 IP 
HomeServer.local.ssh > 221.229.166.205.32791: Flags [.], ack 936, win
 247, options [nop,nop,TS val 24171788 ecr 79667350], length 0
00:59:15.102460
 IP HomeServer.local.ssh > 221.229.166.205.32791: Flags [P.], seq 
968:1816, ack 936, win 247, options [nop,nop,TS val 24171790 ecr 
79667350], length 848
00:59:15.639148 IP HomeServer.local.ssh > 
221.229.166.205.32791: Flags [.], ack 952, win 247, options [nop,nop,TS 
val 24171925 ecr 79667479], length 0
00:59:16.040869 IP HomeServer.local.ssh > 221.229.166.205.3279

Alles anzeigen

Code

239.255.255.250.1900: UDP, length 261
00:37:19.319809
 IP HomeServer.local.ssh > Gamer-PC.local.58971: Flags [P.], seq 
6524752:6524896, ack 39633, win 357, length 144
00:37:19.320066 IP ralink.ralinktech.com.32769 > 239.255.255.250.1900: UDP, length 333
00:37:19.320267 IP ralink.ralinktech.com.32769 > 239.255.255.250.1900: UDP, length 329
00:37:19.320280
 IP HomeServer.local.ssh > Gamer-PC.local.58971: Flags [P.], seq 
6525088:6525232, ack 39633, win 357, length 144
00:37:19.320474 IP ralink.ralinktech.com.32769 > 239.255.255.250.1900: UDP, length 309
00:37:19.320681
 IP HomeServer.local.ssh > Gamer-PC.local.58971: Flags [P.], seq 
6525504:6525648, ack 39633, win 357, length 144
00:37:19.320693 IP ralink.ralinktech.com.32769 > 239.255.255.250.1900: UDP, length 341
00:37:19.321142 IP ralink.ralinktech.com.32769 > 239.255.255.250.1900: UDP, length 323
00:37:19.321305 IP ralink.ralinktech.com.32769 > 239.255.255.250.1900:

Alles anzeigen

what about it?

Enra · 30. Mai 2015

Zitat von MrYoshii

IP HomeServer.local.ssh > 221.229.166.205.32791

221.229.166.205 is a chinese IP address. Suspect.
239.255.255.250 is multicast in your LAN. Probably unsuspicious.

PS:
You can find out, where a specific IP address is located by just searching the web for it.

MrYoshii · 30. Mai 2015

ok

have but no open ports How is that possible that the access ?

Enra · 30. Mai 2015

OK,

if your machine is hacked, then the connection is started from inside your lan (NAS).
Then your router normally allows the communication.
I would stop the internet connection of the NAS (firewall policy in the router, or taking away the def. GW), backup all data and examine the NAS.
I think I would reinstall the machine.
Give the output of
ps -A
Perhaps we will see something there.
Perhaps someone else has also a good idea

MrYoshii · 30. Mai 2015

NAS has been installed 2 days ago
have banned the Chinese in router

Code

root@HomeServer:~# ps -A
  PID TTY          TIME CMD
    1 ?        00:00:01 init
    2 ?        00:00:00 kthreadd
    3 ?        00:00:26 ksoftirqd/0
    5 ?        00:00:00 kworker/0:0H
    7 ?        00:01:25 rcu_sched
    8 ?        00:00:00 rcu_bh
    9 ?        00:00:00 migration/0
   10 ?        00:00:00 watchdog/0
   11 ?        00:00:00 watchdog/1
   12 ?        00:00:03 migration/1
   13 ?        00:00:56 ksoftirqd/1
   15 ?        00:00:00 kworker/1:0H
   16 ?        00:00:00 khelper
   17 ?        00:00:00 kdevtmpfs
   18 ?        00:00:00 netns
   19 ?        00:00:00 khungtaskd
   20 ?        00:00:00 writeback
   21 ?        00:00:00 ksmd
   22 ?        00:00:00 khugepaged
   23 ?        00:00:00 crypto
   24 ?        00:00:00 kintegrityd
   25 ?        00:00:00 bioset
   26 ?        00:00:00 kblockd
   29 ?        00:00:02 kswapd0
   30 ?        00:00:00 fsnotify_mark
   36 ?        00:00:00 kthrotld
   37 ?        00:00:00 ipv6_addrconf
   39 ?        00:00:00 deferwq
  108 ?        00:00:00 khubd
  170 ?        00:00:00 ata_sff
  220 ?        00:00:00 acpi_thermal_pm
  288 ?        00:00:00 scsi_eh_0
  289 ?        00:00:00 scsi_tmf_0
  290 ?        00:00:00 scsi_eh_1
  291 ?        00:00:00 scsi_tmf_1
  292 ?        00:00:00 scsi_eh_2
  293 ?        00:00:00 scsi_tmf_2
  294 ?        00:00:00 scsi_eh_3
  295 ?        00:00:00 scsi_tmf_3
  296 ?        00:00:00 scsi_eh_4
  297 ?        00:00:00 scsi_tmf_4
  298 ?        00:05:27 scsi_eh_5
  299 ?        00:00:00 scsi_tmf_5
  326 ?        00:05:27 kworker/0:1H
  338 ?        00:00:00 kworker/1:1H
  361 ?        00:00:00 md
  369 ?        00:00:00 bioset
  391 ?        00:00:02 jbd2/sdc1-8
  392 ?        00:00:00 ext4-rsv-conver
  531 ?        00:00:00 udevd
  808 ?        00:00:00 cfg80211
  819 ?        00:00:00 kpsmoused
  844 ?        00:01:47 irq/46-iwlwifi
  846 ?        00:00:42 irq/48-mei_me
  847 ?        00:00:00 kvm-irqfd-clean
  868 ?        00:00:00 kworker/u5:0
  869 ?        00:00:00 hci0
  870 ?        00:00:00 hci0
  879 ?        00:00:00 hd-audio0
  884 ?        00:00:00 kworker/u5:2
 1124 ?        00:00:03 omv-engined
 1777 ?        00:00:00 xfsalloc
 1778 ?        00:00:00 xfs_mru_cache
 1779 ?        00:00:00 xfslogd
 1780 ?        00:00:00 xfs-data/md127
 1781 ?        00:00:00 xfs-conv/md127
 1782 ?        00:00:00 xfs-cil/md127
 1783 ?        00:00:00 xfsaild/md127
 2072 ?        00:00:00 bond0
 2282 ?        00:00:01 hostapd
 2296 ?        00:00:00 dnsmasq
 2458 ?        00:00:38 freshclam
 2467 ?        00:00:00 rpcbind
 2485 ?        00:00:00 rpc.statd
 2490 ?        00:00:00 rpciod
 2492 ?        00:00:00 nfsiod
 2499 ?        00:00:00 rpc.idmapd
 2748 ?        00:00:26 rrdcached
 2825 ?        00:00:00 mdadm
 2843 ?        00:00:00 acpid
 2875 ?        00:00:00 dbus-daemon
 2896 ?        00:00:00 nginx
 2897 ?        00:00:07 nginx
 2898 ?        00:00:06 nginx
 2899 ?        00:00:03 nginx
 2900 ?        00:00:07 nginx
 2901 ?        00:00:00 cron
 2959 ?        00:00:03 avahi-daemon
 2960 ?        00:00:00 avahi-daemon
 2978 ?        00:00:43 collectd
 2990 ?        00:00:01 sshd
 3018 ?        00:00:05 cupsd
 3067 ?        00:03:07 monit
 3107 ?        00:00:18 watchdog
 3112 tty1     00:00:00 login
 3113 tty2     00:00:00 getty
 3114 tty3     00:00:00 getty
 3115 tty4     00:00:00 getty
 3116 tty5     00:00:00 getty
 3117 tty6     00:00:00 getty
 3202 ?        00:00:01 php5-fpm
 3203 ?        00:00:00 php5-fpm
 3204 ?        00:00:00 php5-fpm
 3421 tty1     00:00:00 bash
 3954 ?        00:00:03 screen
 3955 pts/0    00:00:00 bash
 4110 pts/0    00:00:00 sudo
 4111 pts/0    00:02:06 badblocks
 4121 ?        00:00:01 screen
 4122 pts/2    00:00:00 bash
10666 ?        00:00:01 kworker/1:2
12692 ?        00:00:02 kworker/1:0
14087 ?        00:00:00 kworker/0:1
15794 ?        00:00:00 kworker/0:0
15907 ?        00:00:00 kworker/u4:1
16050 ?        00:00:00 kworker/u4:0
16150 ?        00:00:00 sshd
16153 pts/1    00:00:00 bash
16167 ?        00:00:00 smbd
16170 ?        00:00:00 kworker/1:1
16187 pts/1    00:00:00 ps
21554 ?        00:00:00 nmbd
21557 ?        00:00:01 smbd
21565 ?        00:00:00 smbd
26137 ?        00:00:00 udevd
26138 ?        00:00:00 udevd

Alles anzeigen

Enra · 30. Mai 2015

Zitat von MrYoshii

NAS has been installed 2 days ago

hmmm, that reduces the possibility to be hacked.
In ps -A I don't see any suspicious processes

You can try to disable one service after the other (for example: I don't know how and where CLAMAV loads its virus-database updates) and have a look whether the communication stops.

Or tcpdump the traffic into a file and have a look on it with wireshark.
Perhaps you find a hint there.

But keep in mind that I am not a virus-expert.
Therfore other opinions are strongly welcome.

MrYoshii · 30. Mai 2015

i have blockt the ip area

Code

58.218.205.01 - 58.218.205.255
221.229.166.01 - 221.229.166.255

and now i have no trafic

if anything changes I register resist

Enra · 30. Mai 2015

You will not investigate further?

This will only cover the symptoms, not the root cause.

MrYoshii · 30. Mai 2015

you're right but i have no idea what i can do

Enra · 30. Mai 2015

Zitat von Enra

You can try to disable one service after the other (for example: I don't know how and where CLAMAV loads its virus-database updates) and have a look whether the communication stops.

Or tcpdump the traffic into a file and have a look on it with wireshark.
Perhaps you find a hint there.

If in doubt, I would reinstall my system.

MrYoshii · 30. Mai 2015

ok my question is why he can access t my files i have set a pw with 18 character
and the root pw has also 18 character

Enra · 30. Mai 2015

No one of us knows your setup.
Opened port to the internet?
HTTP or HTTPS ?
Trojans in the internal network?

Dennis · 30. Mai 2015

The router could be the problem. Take a look at him too.

davidh2k · 30. Mai 2015

Plex installed?

Greetings
David

MrYoshii · 31. Mai 2015

Zitat

The router could be the problem. Take a look at him too.

how ?

Zitat

Plex installed?

no i have no plex installt i have no open ports and all pw a very difficult

MrYoshii · 31. Mai 2015

Here is the auth.log

Code

May 28 22:11:42 HomeServer sshd[3153]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.195.189.84  user=root
May 28 22:11:51 HomeServer sshd[3155]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.195.189.84  user=root
May 28 22:11:52 HomeServer sshd[3155]: Failed password for root from 122.195.189.84 port 37825 ssh2
May 28 22:11:55 HomeServer sshd[3155]: Failed password for root from 122.195.189.84 port 37825 ssh2
May 28 22:11:58 HomeServer sshd[3155]: Failed password for root from 122.195.189.84 port 37825 ssh2
May 28 22:11:59 HomeServer sshd[3155]: Received disconnect from 122.195.189.84: 11:  [preauth]
May 28 22:11:59 HomeServer sshd[3155]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.195.189.84  user=root
May 28 22:12:07 HomeServer sshd[3157]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.195.189.84  user=root
May 28 22:12:09 HomeServer sshd[3157]: Failed password for root from 122.195.189.84 port 33244 ssh2
May 28 22:12:12 HomeServer sshd[3157]: Failed password for root from 122.195.189.84 port 33244 ssh2
May 28 22:12:14 HomeServer sshd[3157]: Failed password for root from 122.195.189.84 port 33244 ssh2
May 28 22:12:14 HomeServer sshd[3157]: Received disconnect from 122.195.189.84: 11:  [preauth]
May 28 22:12:14 HomeServer sshd[3157]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.195.189.84  user=root
May 28 22:12:22 HomeServer sshd[3159]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.195.189.84  user=root
May 28 22:12:25 HomeServer sshd[3159]: Failed password for root from 122.195.189.84 port 56165 ssh2
May 28 22:12:27 HomeServer sshd[3159]: Failed password for root from 122.195.189.84 port 56165 ssh2
May 28 22:12:30 HomeServer sshd[3159]: Failed password for root from 122.195.189.84 port 56165 ssh2
May 28 22:12:31 HomeServer sshd[3159]: Received disconnect from 122.195.189.84: 11:  [preauth]
May 28 22:12:31 HomeServer sshd[3159]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.195.189.84  user=root
May 28 22:12:39 HomeServer sshd[3162]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.195.189.84  user=root
May 28 22:12:41 HomeServer sshd[3162]: Failed password for root from 122.195.189.84 port 52260 ssh2
May 28 22:12:43 HomeServer sshd[3162]: Failed password for root from 122.195.189.84 port 52260 ssh2
May 28 22:12:46 HomeServer sshd[3162]: Failed password for root from 122.195.189.84 port 52260 ssh2
May 28 22:12:46 HomeServer sshd[3162]: Received disconnect from 122.195.189.84: 11:  [preauth]
May 28 22:12:46 HomeServer sshd[3162]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.195.189.84  user=root
May 28 22:12:55 HomeServer sshd[3164]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.195.189.84  user=root
May 28 22:12:57 HomeServer sshd[3164]: Failed password for root from 122.195.189.84 port 48011 ssh2
May 28 22:12:59 HomeServer sshd[3164]: Failed password for root from 122.195.189.84 port 48011 ssh2
May 28 22:13:02 HomeServer sshd[3164]: Failed password for root from 122.195.189.84 port 48011 ssh2
May 28 22:13:02 HomeServer sshd[3164]: Received disconnect from 122.195.189.84: 11:  [preauth]
May 28 22:13:02 HomeServer sshd[3164]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.195.189.84  user=root
May 28 22:13:10 HomeServer sshd[3166]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.195.189.84  user=root
May 28 22:13:12 HomeServer sshd[3166]: Failed password for root from 122.195.189.84 port 45431 ssh2
May 28 22:13:16 HomeServer sshd[3166]: Failed password for root from 122.195.189.84 port 45431 ssh2
May 28 22:13:19 HomeServer sshd[3166]: Failed password for root from 122.195.189.84 port 45431 ssh2
May 28 22:13:19 HomeServer sshd[3166]: Received disconnect from 122.195.189.84: 11:  [preauth]
May 28 22:13:19 HomeServer sshd[3166]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.195.189.84  user=root
May 28 22:13:28 HomeServer sshd[3168]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.195.189.84  user=root
May 28 22:13:31 HomeServer sshd[3168]: Failed password for root from 122.195.189.84 port 47328 ssh2
May 28 22:13:33 HomeServer sshd[3168]: Failed password for root from 122.195.189.84 port 47328 ssh2
May 28 22:13:35 HomeServer sshd[3168]: Failed password for root from 122.195.189.84 port 47328 ssh2
May 28 22:13:36 HomeServer sshd[3168]: Received disconnect from 122.195.189.84: 11:  [preauth]
May 28 22:13:36 HomeServer sshd[3168]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.195.189.84  user=root
May 28 22:14:22 HomeServer sshd[3174]: Accepted password for root from 192.168.0.78 port 56830 ssh2
May 28 22:14:22 HomeServer sshd[3174]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 28 22:15:01 HomeServer CRON[3222]: pam_unix(cron:session): session opened for user root by (uid=0)
May 28 22:15:03 HomeServer CRON[3222]: pam_unix(cron:session): session closed for user root
May 28 22:15:53 HomeServer sshd[3298]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.160.51  user=root
May 28 22:15:55 HomeServer sshd[3298]: Failed password for root from 222.186.160.51 port 34121 ssh2
May 28 22:15:57 HomeServer sshd[3298]: Failed password for root from 222.186.160.51 port 34121 ssh2
May 28 22:16:00 HomeServer sshd[3298]: Failed password for root from 222.186.160.51 port 34121 ssh2
May 28 22:16:00 HomeServer sshd[3298]: Received disconnect from 222.186.160.51: 11:  [preauth]
May 28 22:16:00 HomeServer sshd[3298]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.160.51  user=root
May 28 22:23:25 HomeServer sshd[3482]: Failed password for root from 221.229.166.28 port 45018 ssh2
May 28 22:23:27 HomeServer sshd[3482]: Failed password for root from 221.229.166.28 port 45018 ssh2
May 28 22:23:29 HomeServer sshd[3482]: Failed password for root from 221.229.166.28 port 45018 ssh2
May 28 22:23:30 HomeServer sshd[3482]: Received disconnect from 221.229.166.28: 11:  [preauth]
May 28 22:23:30 HomeServer sshd[3482]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.229.166.28  user=root
May 28 22:23:37 HomeServer sshd[3505]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.229.166.28  user=root
May 28 22:23:39 HomeServer sshd[3505]: Failed password for root from 221.229.166.28 port 34563 ssh2
May 28 22:23:41 HomeServer sshd[3505]: Failed password for root from 221.229.166.28 port 34563 ssh2
May 28 22:23:44 HomeServer sshd[3505]: Failed password for root from 221.229.166.28 port 34563 ssh2
May 28 22:23:44 HomeServer sshd[3505]: Received disconnect from 221.229.166.28: 11:  [preauth]
May 28 22:23:44 HomeServer sshd[3505]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.229.166.28  user=root
May 28 22:23:52 HomeServer sshd[3598]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.229.166.28  user=root
May 28 22:23:54 HomeServer sshd[3598]: Failed password for root from 221.229.166.28 port 54854 ssh2
May 28 22:23:57 HomeServer sshd[3598]: Failed password for root from 221.229.166.28 port 54854 ssh2
May 28 22:23:59 HomeServer sshd[3598]: Failed password for root from 221.229.166.28 port 54854 ssh2
May 28 22:23:59 HomeServer sshd[3598]: Received disconnect from 221.229.166.28: 11:  [preauth]
May 28 22:23:59 HomeServer sshd[3598]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.229.166.28  user=root
May 28 22:24:07 HomeServer sshd[3647]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.229.166.28  user=root
May 28 22:24:09 HomeServer sshd[3647]: Failed password for root from 221.229.166.28 port 47785 ssh2
May 28 22:24:11 HomeServer sshd[3647]: Failed password for root from 221.229.166.28 port 47785 ssh2

Alles anzeigen

Jetzt mitmachen!