Wednesday, 5 October 2016

Disk Full - Linux - Hacked or Full of Log Files?

By Strictly-Software

This morning I woke up to find the symptoms of a hack attempt on my Linux VPS server.

I had seen the same symptoms when I was ShockWave hacked a few years ago: some monkey overwrote a config file so that when I rebooted, hoping to fix the server, it would reload the config from a script hidden on a US car site.

They probably had no idea the script was on their site either, but it was basically a script to enable various hacking methods, and the wget command in the config file ensured that my standard config was overwritten again every time the server was restarted.

Another symptom was that my whole 80GB of disk space had suddenly filled up.

It had been 30GB the night before, and now, with 30-odd HD movies hidden in a secret folder buried on my hard drive, I could not FTP anything up to the site, receive or send emails, or manually append content to my .htaccess file to give only my IP full control.

My attempts to clear space by removing cached files were useless, and it was only by burrowing through the hard drive folder by folder all night, using the following command to show me the biggest files and folders (visible and hidden) in the current directory, that I found the offending folder and deleted it.


du -hs -- * .[!.]* 2>/dev/null | sort -h


However good this command is for finding files and folders and showing their size in KB, MB or GB, it is a laborious task to start at your root directory and run it over and over again until you find the offending folder(s).

So today, when I thought I had been hacked, I used a different process to find the issue.

The following BASH script can be run from anywhere on your system in a console window. You can either enter a path if you think you know where the problem lies, or just enter / when prompted to scan the whole machine.

It will list the 20 biggest directories in order of size, followed by the 20 largest files in order of size.

#!/bin/bash
echo -n "Type Filesystem: "
read -r FS
NUMRESULTS=20
clear; date; df -h "$FS"
# du -k reports kilobytes; the awk strips the size so paths containing spaces survive intact
echo "Largest Directories:"
du -xk "$FS" 2>/dev/null | sort -rnk1 | head -n "$NUMRESULTS" | awk '{sz=$1; sub(/^[0-9]+[ \t]+/, ""); printf "%d MB %s\n", sz/1024, $0}'
# find -printf %s gives the size in bytes, which sorts cleanly on the first column
echo "Largest Files:"
nice -n 19 find "$FS" -mount -type f -printf '%s %p\n' 2>/dev/null | sort -rnk1 | head -n "$NUMRESULTS" | awk '{sz=$1; sub(/^[0-9]+[ \t]+/, ""); printf "%d MB\t%s\n", sz/1024/1024, $0}'

After running it I found that the problem was not actually a security breach but a plugin folder within a website containing log files. Without me noticing, the number of archived log files had crept up until they had eaten 50GB of space.


As the folder contained both current and archived log files I didn't want to just truncate it or delete everything; instead I removed only the archived log files by using a wildcard match on the word ARCHIVED within the filename.


rm *ARCHIVED*


If you want to run a recursive find and delete within a folder then you may want to use something a bit different, such as:


find . -type f -name '*ARCHIVED*' -delete


This removed a whole 50GB of files within 10 minutes and, like lightning, my sites, email and server started running again as they should have been.

So the moral of the story is that a full disk should be treated first as a possible symptom of a hacked server, especially if you were not expecting it; the same methods used to diagnose and fix the problem apply whether you have been hacked or have allowed your server to fill itself up with log files or other content.

Therefore keep an eye on your system so you are not caught out if this happens to you, and if you suddenly jump from 35GB to 80GB and stop receiving emails or being able to FTP content up (or files are copied up as 0 bytes), then you should immediately put some security measures in place.

My WordPress survival guide on security has some good options to use if you have been hacked, but as standard you can do some things to protect yourself, such as:


  • Replacing the default BASH shell with the more basic, older and more secure DASH. You can still run BASH once logged into your console, but it should not be the default shell, allowing hackers to run complex commands on your server.
  • Always use SFTP instead of FTP as it's more secure, and change the default SSH port from 22 to another number in the config file so that standard port scanners don't spot that your server is open and vulnerable to attack.
  • If you are running VirtualMin on your server you should also change the default port for accessing it from 10000 to another number. Otherwise attackers will just swap from SSH attacks by console to web attacks, where the front end is less protected. Also NEVER store the password in your browser, in case you forget to lock your PC one day or your browser's local SQLite database is hacked and the passwords compromised.
  • Ensure your root password and every other user password is strong. Making passwords by joining up phrases or memorable sentences where you swap upper and lower case letters over is a good idea, and always add a number to the start or end, or both, as well as some special characters, e.g. 1967bESTsAIDfRED*_* would take a dictionary cracker a very long time to break.
  • Regularly change your root and other user passwords in case a keylogger has been installed on your PC and captured them.
  • Running DenyHosts and Fail2Ban on your server ensures anyone who gets the SSH password wrong three times in a row is blocked and unable to access your console or SFTP files up to your server. If you lock yourself out you can always use the VirtualMin web front end (if installed) to log in and remove yourself from the DenyHosts list.
  • If you are running WordPress there are a number of other security tools, such as the WordPress Firewall plugin, which will hide your wp-admin login page behind another URL and redirect people trying to access it to another page. I like the https://www.fbi.gov/wanted/cyber URL myself. It can also ban people who fail to log in after a number of attempts for a set amount of time, as well as a number of other security features.


Most importantly of all, regularly check the amount of free space on your server and turn off any logging that is not required.
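Putting the three pieces of this post together (the "largest directories and files" scan, the ARCHIVED log clean-up, and the advice to check free space regularly), here is an added example of a cron-friendly disk watch. It is not from the original post: it reports how full a filesystem is, and once a threshold is crossed it lists the biggest offenders so the alert already says where the space went, with the archived-log purge kept behind a separate dry-run listing. The script name disk_watch.sh, the 90% threshold and the default path / are assumptions; it relies on GNU coreutils and findutils (du -x, find -printf).

```shell
#!/bin/sh
# Added example, not part of the original post: a cron-friendly disk watch that
# reports how full a filesystem is and, once it crosses a threshold, lists the
# largest directories and files under a path so the alert already says where the
# space went. It also lists (and, as a separate step, purges) the archived log
# files from the post's clean-up. Assumes GNU coreutils and findutils (du -x,
# find -printf); the script name, threshold and paths below are assumptions.

# Percentage of the filesystem holding PATH that is in use, as a bare integer (e.g. 73).
disk_used_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Succeeds (exit 0) when USED is at or above LIMIT, fails (exit 1) otherwise.
over_threshold() {
    [ "$1" -ge "$2" ]
}

# N largest directories under DIR (default 20), one per line: "<MB> <path>".
# du -k prints kilobytes; the awk strips only the size so paths with spaces survive.
largest_dirs() {
    du -xk "$1" 2>/dev/null | sort -rn | head -n "${2:-20}" \
        | awk '{ sz = $1; sub(/^[0-9]+[ \t]+/, ""); printf "%d MB %s\n", sz / 1024, $0 }'
}

# N largest regular files under DIR, same format; find's %s is the size in bytes.
largest_files() {
    find "$1" -mount -type f -printf '%s %p\n' 2>/dev/null | sort -rn | head -n "${2:-20}" \
        | awk '{ sz = $1; sub(/^[0-9]+[ \t]+/, ""); printf "%d MB %s\n", sz / 1024 / 1024, $0 }'
}

# Dry run for the clean-up: print archived log files under DIR without touching them.
archived_logs() {
    find "$1" -type f -name '*ARCHIVED*' -print 2>/dev/null
}

# The destructive step, kept separate so it only runs after the dry run has been reviewed.
purge_archived() {
    find "$1" -type f -name '*ARCHIVED*' -delete 2>/dev/null
}

# Check FS against LIMIT percent; on a breach print the top N offenders and return 1
# so cron (or a monitoring wrapper) sees a failure instead of a quiet full disk.
disk_report() {
    fs=$1; limit=$2; n=${3:-20}
    used=$(disk_used_pct "$fs")
    if over_threshold "$used" "$limit"; then
        echo "ALERT: $fs is ${used}% full (limit ${limit}%)"
        echo "Largest directories:"; largest_dirs "$fs" "$n"
        echo "Largest files:";       largest_files "$fs" "$n"
        return 1
    fi
    echo "OK: $fs is ${used}% full"
}

# When saved as disk_watch.sh and run directly (e.g. from cron): disk_watch.sh / 90
if [ "${0##*/}" = "disk_watch.sh" ]; then
    disk_report "${1:-/}" "${2:-90}"
fi
```

Run it from cron with the mount point and a threshold; a non-zero exit plus the printed offender lists is enough for most cron mailers or monitoring wrappers to raise an alert, and the purge function is never called automatically.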

Getting up at 5.30AM to send an email only to believe your site has been hacked due to a full disk is not a fun way to spend your day!


 © 2016 Strictly-Software

Wednesday, 4 January 2012

Remote Desktop Access Denied Error

Troubleshooting Issues with Remote Desktop / Terminal Services


This morning I tried remotely accessing my work PC, which is always left on, from my home laptop.
However, after my first attempt I was met with the following error on the login screen of the remote PC.

"the referenced account is currently locked out and cannot be logged on to"


Locked out of PC


I tried pinging the PC and got a response fine, but when I ran the reboot command:


shutdown -m \\mypcname -r -f

I just got an "Access Denied" error.

I could login fine the night before and I hadn't installed anything new. I ran a virus scan which didn't pick anything up.

After connecting to the Virtual Private Network (VPN) I tried running the following from the RUN prompt.


\\mypcname\c$

But it returned a popup with the following message.

"The system detected a possible attempt to compromise security. Please contact the server that authenticated you"

Obviously this was some kind of mistake, and from searching the web it seems the problem comes about because the machine I was using to access the remote PC was on a domain and using different credentials from the ones I was trying to use to access the resource.

From Microsoft's own Knowledge Base article 938457: http://support.microsoft.com/kb/938457


Symptom: When you try to include security settings for a user from a different domain in a local domain folder, you receive the following error message:
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.


Note: This problem may also occur when you try to browse the Active Directory directory service listings for the nonlocal domain.


Cause: This problem occurs because the network firewall filters Kerberos traffic.


Resolution: To resolve this problem, configure the network firewall so that TCP port 88 and UDP port 88 are not blocked for either domain.


My firewall was not blocking these ports, but I had no idea what had happened at the other end on the servers at work.

To get access back I used Terminal Services to connect from my laptop to a different computer on the network, one I knew I had access to. I could gain access to this PC.

Once I had remotely accessed another computer on the network I ran the following reboot command, which had given me an "Access Denied" error when run from my own laptop:

shutdown -m \\mypcname -r -f

I then tried pinging the PC from my laptop and couldn't reach it, so I knew it was rebooting.

After a while the PC came back online and I could regain access to it.

I checked the event logs on both machines and found the following items of interest.

On the remote PC (which I couldn't access):

The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 10.0.9.121.

That IP relates to the server that manages domains on our network.


Looking at the event log on my own PC, I could see the following errors at around the time I tried remotely accessing the work PC.

08:32:01
The server could not bind to the transport \Device\NetBT_Tcpip_{AE7A7B4B-3EED-4D2A-B123-1A4F4AB04698} because another computer on the network has the same name. The server could not start.

08:32:03
CoID={C5816EC8-C2E8-4710-A412-F7ECDBC25C42}: The user me successfully established a connection to OurCompanies VPN using the device VPN3-1.

08:32:08
The time provider NtpClient is currently receiving valid time data from domainserver.domain.company.co.uk (ntp.d|0.0.0.0:123->10.0.7.1:123).

08:32:12
The server could not bind to the transport \Device\NetBT_Tcpip_{AE7A7B4B-3EED-4D2A-B123-1A4F4AB04698} because another computer on the network has the same name. The server could not start.

08:33
The password stored in Credential Manager is invalid. This might be caused by the user changing the password from this computer or a different computer. To resolve this error, open Credential Manager in Control Panel, and reenter the password for the credential DOMAIN.COMPANY.CO.UK\me.

08:33:11
The server could not bind to the transport \Device\NetBT_Tcpip_{AE7A7B4B-3EED-4D2A-B123-1A4F4AB04698} because another computer on the network has the same name. The server could not start.


I have since managed to reboot my work PC and home laptop and connect successfully. I hadn't changed my password, so I guess it was an issue on the company network, most likely with the domain controller and Kerberos, the network authentication protocol designed to provide strong authentication for client/server applications using secret-key cryptography.

Here are some helpful articles on the same subject if this method doesn't fix the problem for you.

http://www.bluemoonpcrepair.com/wp/?p=20

http://support.microsoft.com/kb/938457