Think I got hacked

[sourceninja]

For my home a few layers of defense.

1) A DNS service that blocks known malware URLs (openDNS, quad9, etc)
2) Use a good adblock that supports malware lists
3) Use no-script tools for risky clicks (I white list scripts on websites I trust)
4) Privacy Badger
5) A Pi-Hole - adds even more control over malware blocking at the DNS level.
6) Use strong passwords (duh) and MFA everywhere. I use hardware keys everywhere possible. I even use MFA on home logins.
6a) Centralized account management. I used to use AD, currently using JumpCloud.
7) A anti-malware scanner to protect against known threats
8) Everything is kept up to date
9) A ephemeral virtual machine for super risky clicks
10) On windows I prevent the running of applications in the user profile
10a) I also run as limited user with a separate admin account for installing software
10b) I've also enabled controlled folder access
10c) On macs I also do not run as admin, nor do I run as a user with sudo access on my linux systems. I will SU to a user who has sudo privileges. (There are sourceninja users and sourceninja-a users only a users can perform admin tasks)
11) All logs are sent to a logging system that looks for interesting things and sends me alerts (on my servers anyways)
12) All systems have data backups and sanity checks for known malicious file extensions (quick detection of ransomware). Triggers are in place to remove that system's access to the network if those extensions are discovered, limiting exposure.
13) No inbound ports are open to my home network, UPnP is disabled. Router management is disabled from the WAN.
14) Change control management - all systems have their software inventoried on a regular basis, drift is detected and investigated
14a) In most cases, all system configuration is done with tools such as ansible, tests are ran with test kitchen to ensure systems are standardized and compliant.
15) All critical data is kept in encrypted containers that are only mounted/accessed when required. This limits exposure.
16) A stateful firewall with IDS features at the head of the network (this is currently not in my setup because the UTM died, but I will have one again). I was using a meraki firewall and later a pfsense w/ snort.
16a) Limit origin outbound network traffic. I can send unsolicited traffic out port 80 and 443 from all workstations. Anything else requires a manual exception. The pi-hole also is allowed port 53.
17) Canary keys. I have many fake things hidden around the network. Fake AWS access keys, fake files on my computer, fake bitcoin wallets, etc. If any of those are touched, I get an alert.

I got a little off topic and I'm sure there are more things, but that's my basic list.

 

[paperfist]

For my home a few layers of defense.

1) A DNS service that blocks known malware URLs (openDNS, quad9, etc)
2) Use a good adblock that supports malware lists
3) Use no-script tools for risky clicks (I white list scripts on websites I trust)
4) Privacy Badger
5) A Pi-Hole - adds even more control over malware blocking at the DNS level.
6) Use strong passwords (duh) and MFA everywhere. I use hardware keys everywhere possible. I even use MFA on home logins.
6a) Centralized account management. I used to use AD, currently using JumpCloud.
7) A anti-malware scanner to protect against known threats
8) Everything is kept up to date
9) A ephemeral virtual machine for super risky clicks
10) On windows I prevent the running of applications in the user profile
10a) I also run as limited user with a separate admin account for installing software
10b) I've also enabled controlled folder access
10c) On macs I also do not run as admin, nor do I run as a user with sudo access on my linux systems. I will SU to a user who has sudo privileges. (There are sourceninja users and sourceninja-a users only a users can perform admin tasks)
11) All logs are sent to a logging system that looks for interesting things and sends me alerts (on my servers anyways)
12) All systems have data backups and sanity checks for known malicious file extensions (quick detection of ransomware). Triggers are in place to remove that system's access to the network if those extensions are discovered, limiting exposure.
13) No inbound ports are open to my home network, UPnP is disabled. Router management is disabled from the WAN.
14) Change control management - all systems have their software inventoried on a regular basis, drift is detected and investigated
14a) In most cases, all system configuration is done with tools such as ansible, tests are ran with test kitchen to ensure systems are standardized and compliant.
15) All critical data is kept in encrypted containers that are only mounted/accessed when required. This limits exposure.
16) A stateful firewall with IDS features at the head of the network (this is currently not in my setup because the UTM died, but I will have one again). I was using a meraki firewall and later a pfsense w/ snort.
16a) Limit origin outbound network traffic. I can send unsolicited traffic out port 80 and 443 from all workstations. Anything else requires a manual exception. The pi-hole also is allowed port 53.
17) Canary keys. I have many fake things hidden around the network. Fake AWS access keys, fake files on my computer, fake bitcoin wallets, etc. If any of those are touched, I get an alert.

I got a little off topic and I'm sure there are more things, but that's my basic list.

That is an impressive list of defense mechanisms!

It would be awesome if you could run most of those at the router level or after it so they don't have to be deployed on each system.

 

[Red Squirrel]

Actually one thing I've always wanted to look into is setting up a syslog server, never really looked too deeply but is there premade free linux based software that can be used to analyze all logs and raise any alerts on unusual activity?

Another thing I've thought of is some kind of program that MD5's (or other hash function) all files on the file system, and tracks when they change. Over time I would create ignore rules, but basically it would look for any changes in config files and raise an alert. If I'm just browsing say, this site, and get hit with a bad advertisement and it starts to modify stuff on all my servers, then I would get an alert. The biggest threat really is RDP type stuff as from there they basically have full access to the whole network.

It almost seems worth it to air gap most of the network though, kinda have to ask myself, how much of my network REALLY needs internet. My main workstation does, but my servers don't. But I do want to be able to access my servers from the workstation... so that's where it gets tricky. Right now I kinda have a compromise, where lot of stuff is vlanned off into different categories based on risk.

 

[sourceninja]

Actually one thing I've always wanted to look into is setting up a syslog server, never really looked too deeply but is there premade free linux based software that can be used to analyze all logs and raise any alerts on unusual activity?

Another thing I've thought of is some kind of program that MD5's (or other hash function) all files on the file system, and tracks when they change. Over time I would create ignore rules, but basically it would look for any changes in config files and raise an alert. If I'm just browsing say, this site, and get hit with a bad advertisement and it starts to modify stuff on all my servers, then I would get an alert. The biggest threat really is RDP type stuff as from there they basically have full access to the whole network.

It almost seems worth it to air gap most of the network though, kinda have to ask myself, how much of my network REALLY needs internet. My main workstation does, but my servers don't. But I do want to be able to access my servers from the workstation... so that's where it gets tricky. Right now I kinda have a compromise, where lot of stuff is vlanned off into different categories based on risk.

You could look into building a ELK stack and creating alerts and monitoring on it. That is a pretty easy free way of processing logs.
You also may be able to use fswatch to get some file change notifications. I still think canaries might be a easier way to detect intrusions here.
In terms of airgap, while it is a very strong defense strategy, security is about a compromised between usability and desired state. I would recommend you keep your servers on a vlan, ensure routing to that vlan passes through a firewall, and limit access through that firewall. No reason to give those servers routes to the internet if they don't need them. A further step would be a bastion host (or jumpbox if you like that term). You only allow ssh to that bastion host from inside your network and you do not allow any other server to be reachable via ssh except from the bastion host. Just pinhole the services required to the rest of the network on the firewall.

If you do build a syslog server, I'd put it and any other security tools on their own vlan, pin hole the ports needed and maybe even ensure the dataflows are one way. So servers can write to the syslog server, but data can't originate the other way. This builds a few layers on your defense in depth strategy and makes it harder for attackers to profile and navigate your network. Now to get to a server they need to compromise your workstation, compromise the bastion host, etc. Once in it's harder for them to open secondary points of entry and it creates a few places that can raise read flags. They log into that bastion host, see passwords.txt in your home directory. They open that file, but it's a canary and boom you just got a notification.

 

[Plar]

I'm sure that this is a fraud. Don't pay attention to this letter. You need to monitor security, but you shouldn't send money.

 

[paperfist]

@Red Squirrel how did you make out with this?

I just got a similar email which somehow looks like it's coming from my own email account and the 'hacker' notes that he sent it from within my account so don't bother changing my password because his malware will track it.

 

[Red Squirrel]

I just changed all my passwords everywhere for now. I got more of them, they also hacked my email server, which is odd because they could have done WAY more damage if they wanted to. There must be an exploit in Dovecot that they used to get in. The password they had was wrong though, so I really don't know where they got that password from.

This kinda sent me down the rabbit hole and I also started to improve my password manager as it was juts code I threw together real quick with a hard coded encryption key, which was not the best way to go about it. Once that is all done I will go through and change all my passwords again just to be safe, just in case the server that the password manger is on is actually what is hacked.

I still need to look at completely formatting my entire network and rebuilding everything though just to play things safe, and also rethink my network topology. While I'm at it I'll probably look at a new Linux distro that I want to use for servers and use it as an opportunity to upgrade everything to a newer distro.

I think the biggest thing to do is to split the web browsing from the network though, as my network is fairly well locked down from the outside ex: anything that has an open port to the outside is on a separate vlan. So they probably got in through a browser exploit through a hacked ad server or something. Maybe something I clicked on Facebook too. Lots of bad stuff on there if not careful.

I didn't end up sending money or anything though. The video stuff is bogus because I don't look at porn. I still don't like the idea that they may have looked at my screen though. I should still reformat in case there's a keylogger on my machine now... Just been so busy with work. Don't get lot of time off lately and was busy with other stuff when I did have time off.

 

[sourceninja]

Did you verify they actually got in or that they just got that password from a old breach of some service you used to use? Sorry if you already answered this, I looked back but didn't see any verification that they actually got in.

I have been getting a slew of emails accusing me of watching porn and threatening blackmail and of old passwords from old hacks on services I used years ago.

I did reply back to the blackmail guy though asking for the video of me watching porn. I offered to pay him for delivering it, then pay him again for a video of me watching a video of me watching porn. Just because I really wanted a meta video like that to show my friends. He never replied.

 

[Red Squirrel]

I'm honestly not even sure how to really check, I don't see anything in logs that catches my eye and I have fail2ban setup so they would have known what they're doing to try to hide their traces. I have not seen any suspicious files or activity or anything but I imagine someone that knows how to hack properly and is not just a script kiddie knows how to hide their traces. I've been working so much that I have not really had a chance to fully sit down and figure this out yet. I'm kinda hoping that it's a bluff but can't be too safe. I have two factor auth setup on my domain registrar and other important services so at the very least that I know they can't touch. As long as I own my domains I also control my email technically. The real danger is if someone found a way to start transferring my domains away then I'd really be screwed.

One of these days I do want to write an application that MD5's every file on the system and then alerts me if they changed. Would make it so I could detect if someone hacked and change stuff. Ideally the app would store the info in memory as if it's stored in a file then they can just change that file to match new changes. But I guess someone that knows what they're doing can also change the memory... Not sure what the best approach would be but basically I think I need a better thread detection setup. I always just went with the idea that as long as I keep everything up to date it won't happen to me, but that was not exactly a good approach.

 

[Amol S.]

Thats sad to hear that poor squirrel might have gotten hacked. I once got an e-mail 3 years ago that I signed up for a # an milf website, as the subject of the email. I never did sign up for something like that. So I placed it as spam. Didn't get anything like that afterwards.

In your case you said an old password of yours was the subject of the email. In that case, someone who you may know and migbt have told the old password too might be either playing a disgusting prank on you, or is trying to extort money from you. You should try to recall if you ever gave your old password to anybody, since if you still talk to them, it could happen again.

 

[Red Squirrel]

I would never give a password away. Chances are they got it from one of the many sites that got leaked over the years. Thankfully that password is not used anymore but this seems to just be the tip of the ice burg, because I keep getting more of these email and it's all different services that they say they hacked, one of which is my email which is the one that is the most alarming as it's a server I host myself... I would like to think that my security is good but apparently it's not if they managed to hack it.

 

[sourceninja]

You could probably get drift detection off the ground faster with ansible or chef. I deploy all my systems via ansible and use drift detection to ensure nothing has been changes. I combine that with a strong apparmor/selinux (os dependent) controls to limit things such as running bins in places where only files should be stored.

Another interesting tool closer to your idea is https://github.com/emcrisostomo/fswatch you could pipe the output into some filtering and a notification scheme.

I personally like to use packer w/ ansible to build images and harden them (CIS/NIST/my own crazy ideas). I then deploy with terraform (all my servers liven in the 'cloud'). My workstation is currently a macbook pro, I manage that with ansible and homebrew. It's purpose is to mostly leverage cloud9. I have a script that deploys and new cloud9 workstation w/ all my requirements every single time I need to do development work. Making the development workstation ephemeral is just amazing.

 

[Red Squirrel]

Most of all that sounds like Chinese to me. So is a normal Linux distro with normal config not secure enough on it's own? I don't know what any of that stuff is without having to spend tons of time on Google. Is there not a simpler way of doing things?

Anyway so with RH being gone and most likely CentOS with it, I'm starting to think I should pick a new distro to go with for my servers, and I'm due for an upgrade anyway, it will get me up to date in terms of package versions available in the repos etc. Might just redo my whole network. What a pain though having to resetup everything.

I imagine with how insecure browsers are now days, I probably got some crap get loaded in my machine by simply visiting a bad site by error and I probably have a rootkit or something. Suppose I should format my workstation as a start. Is there a way to run a browser in a VM but make it more seamless? Like instead of having to start the VM each time it could be setup in a way that when I double click the firefox icon on my desktop it's running as a window, but in a VM? I suppose that will help in terms of security.

 

[sourceninja]

In my opinion there really isn't any reason to leave redhat. Even with the IBM purchase it will be years before we see any meaningful change. Plus the CentOS team can just keep going on their own. I wouldn't run any OS install out of the box without applying some form of hardening to it. There are lots of hardening strategies, pick what works best for you.

In terms of configuration management, I'd say it's well worth learning how to use ansible and packer. Packer will also help if you move into containers at some point. Ansible is a great tool to control and configure systems. Let's look at a very simple ansible playbook.

    ---
    - hosts: all
      become: true
      tasks:
         - name: Update apt-cache
           apt: update_cache=yes

         - name: Install Vim
           apt: name=vim state=latest

As you can probably see, ansible will then look at all of your hosts and ensure the apt cache is updated and vim is installed and is the latest version. If you uninstall vim and re-run the playbook, it gets put back, if a new version is out, it gets updated, if someone downgrades or replaces vim with a 'custom' version, it gets replaced. It gets more powerful from there though, we can use loops.

---
- hosts: all
  sudo: true
  vars:
     packages: [ 'vim', 'git', 'wget' ]
  tasks:
     - name: Install Package
       apt: name={{ item }} state=latest
       with_items: packages

As you can see, we are using a loop to install packages on all hosts. You can also do conditionals:

tasks:
  - name: "shut down CentOS 6 and Debian 7 systems"
    command: /sbin/shutdown -t now
    when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "6") or
          (ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] == "7")

and even leverage templates:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot {{ doc_root }}

    <Directory {{ doc_root }}>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

---
- hosts: all
  become: true
  vars:
    doc_root: /var/www/example
  tasks:
    - name: Update apt
      apt: update_cache=yes

    - name: Install Apache
      apt: name=apache2 state=latest

    - name: Create custom document root
      file: path={{ doc_root }} state=directory owner=www-data group=www-data

    - name: Set up HTML file
      copy: src=index.html dest={{ doc_root }}/index.html owner=www-data group=www-data mode=0644

    - name: Set up Apache virtual host file
      template: src=vhost.tpl dest=/etc/apache2/sites-available/000-default.conf
      notify: restart apache
  handlers:
    - name: restart apache
      service: name=apache2 state=restarted

I stole these examples so I could get this post up faster, but as you can see, it's really easy to use ansible to manage systems.

Packer is similarly easy, here's a example of RHEL 7 w/ packer https://github.com/jmassara/packer-rhel7-vms/blob/master/rhel-7.0-vmware.json. As you can see it's just a json file describing what the instance should look like, and then it runs some scripts. Turn those scripts it runs into ansible and you have a very powerful tool for building idempotent images. Take it up a notch from there and add it inspec to do tests on your images before deploying to ensure they meet your requirements.

if os[:family] == 'redhat'
  describe file('/etc/ssh/sshd_config') do
    it { should exist }
    its('content') { should include("PasswordAuthentication no") }
  end
end

Testing that password authentication is never enabled, if it is the test will fail.

So what did we get with all that. We got a repeatable, idempotent way of building systems. We can run those tools at anytime on our systems to ensure state has not drifted. We have a way of building images from those tools, and finally we have a suite of tests to ensure all of our changes actual happen. A modern, repeatable, error resistant way of managing systems. With a bit more work we can make the systems ephemeral and you can just throw them away rather than patch.

You could also use chef by itself for almost all of this ,but I really think ansible is a superior tool. I've got a list of reason, but it's not really on topic.

 

[killster1]

interesting read, i wonder if hax0rs know not to try reading the passwords.txt file that it is a trap.. i know i dont use any password managers just write them down on a paper using code or 1 off's.

We are all usually to lazy until something happens then we go and do the things we should have done before. going to redo my pfsense box soon and try one of those password.txt dummy files sounds like great fun to get alerts like that. going to try most of source ninja's ideas minus the scripts as i dont run unix on my workstation.

 

[Bardock]

Keepass works well for me.

>shrugs<

Keep the database on usb, ayyy forget about it.

 

[Red Squirrel]

All that seems so complicated. I guess if I can write a program or script to automate all of it it would not be so bad.

Still getting tons of these threats. Not really sure what to do anymore as I don't even know what system is hacked or if one even is hacked. I know the allegations about me watching porn are BS, but it's the fact that they may have access to my system that worries me more.

Is there some kind of scanner utility I can run that analyzes a Linux server to tell me if there's any security breaches or potential issues?

 

[bigboxes]

They are phishing with a known password. THE END

 

[Amol S.]

The best password is one that uses all of the following:

• Capital and lowercase letters.
• Numbers.
• Punctuation marks and/or space.
• Alt code characters.

 

[Red Squirrel]

I usually just use passwords that look like this:

GbGvFL3d<r?RG_(?hjAiUXiG0fBhI3

My password manager generates a random 256 character string, I just grab a random portion of it. That way it's not only random characters but random length. More important stuff gets a longer one.

Unfortunately a lot of sites/services are very picky so it does not always work.

Passwords don't do anything if a hacker finds an exploit to get into your network though or get through your browser if you accidentally go to a bad site.

 

[mxnerd]

I wouldn't believe anything these spam emails said. They just use a template and insert your name/email address to make you believe you were hacked.

However, if you host your email & web servers at home, you definitely should fork some money for a better firewall and pay annual subscriptions.

What kind of bad sites you went to? Even if you went to some bad sites, if you didn't type any password on their sites, how could the sites/hackers grab your password? Isn't every tab is in its own process, even if you have banking/gmail account open at another tab?

 

[Red Squirrel]

Didn't go to any bad sites that I know of, but never know what you can land on when googling for any topic or browsing Reddit etc. Some sites also can appear normal but their ad server is hacked.

I do wonder if it would be worth running the browser in a VM though, just a pain to have to do that. But at least if something attacks through the browser the VM could be on a separate vlan and not have access to the rest of the network. I heard Firefox is going to get sandboxing soon though, so that is a good sign. I'll probably just sit tight and wait for that to happen and feel much more safe.

Browser based attacks are the only way I can think of that someone could get on my network as I do run a pretty tight ship as far as the firewall goes. Anything that faces the internet (torrent client, game servers etc) are on a separate isolated vlan. Wifi is on a separate vlan too, so if I picked up something with my phone via data (which is like being connected straight to the internet without a condom as there's no local router involved) it would not make it on my main network.

Like more I think about it, chances are I didn't get hacked, but getting so many of these threatening emails is quite unnerving.

One thing I do need to start doing is setting up a bunch of email aliases and then each service would use a separate email. That way when I get this stuff I can better trace it to a specific service so I know who leaked my info. Could also kill the alias so they get a bounce back.

 

[mxnerd]

I really doubt browser based attacks can reach your network. More likely it's the files you downloaded through torrent or via browser itself.

Direct browser hacking is not that easy.

 

[Verndewdimus]

ive had ransomeware, hidden user accounts on my mac ddos, dos, and redirect hijacks on my router. This type of thing is insidious. If you find yourself victim then you either need to pay for an ids ips, report it to the feds at IC3.com, or do what i did and learn how to do cybersecurity by endlessly searching terminal or command prompt tricks and apps that give you greater control. Once youre on a hackers radar, it isnt likely they will drop that unless theres an intervention that stops them.
here is an article i wrote containing a very small number of things i did in my mac to fight back, some of which are doable on windows, like nmap, tcpdump and whatever else.

If you wish to post your entire article here, that is fine. We don't, however, allow self-promotion links.

administrator allisolm

 

[Verndewdimus]

For my home a few layers of defense.

1) A DNS service that blocks known malware URLs (openDNS, quad9, etc)
2) Use a good adblock that supports malware lists
3) Use no-script tools for risky clicks (I white list scripts on websites I trust)
4) Privacy Badger
5) A Pi-Hole - adds even more control over malware blocking at the DNS level.
6) Use strong passwords (duh) and MFA everywhere. I use hardware keys everywhere possible. I even use MFA on home logins.
6a) Centralized account management. I used to use AD, currently using JumpCloud.
7) A anti-malware scanner to protect against known threats
8) Everything is kept up to date
9) A ephemeral virtual machine for super risky clicks
10) On windows I prevent the running of applications in the user profile
10a) I also run as limited user with a separate admin account for installing software
10b) I've also enabled controlled folder access
10c) On macs I also do not run as admin, nor do I run as a user with sudo access on my linux systems. I will SU to a user who has sudo privileges. (There are sourceninja users and sourceninja-a users only a users can perform admin tasks)
11) All logs are sent to a logging system that looks for interesting things and sends me alerts (on my servers anyways)
12) All systems have data backups and sanity checks for known malicious file extensions (quick detection of ransomware). Triggers are in place to remove that system's access to the network if those extensions are discovered, limiting exposure.
13) No inbound ports are open to my home network, UPnP is disabled. Router management is disabled from the WAN.
14) Change control management - all systems have their software inventoried on a regular basis, drift is detected and investigated
14a) In most cases, all system configuration is done with tools such as ansible, tests are ran with test kitchen to ensure systems are standardized and compliant.
15) All critical data is kept in encrypted containers that are only mounted/accessed when required. This limits exposure.
16) A stateful firewall with IDS features at the head of the network (this is currently not in my setup because the UTM died, but I will have one again). I was using a meraki firewall and later a pfsense w/ snort.
16a) Limit origin outbound network traffic. I can send unsolicited traffic out port 80 and 443 from all workstations. Anything else requires a manual exception. The pi-hole also is allowed port 53.
17) Canary keys. I have many fake things hidden around the network. Fake AWS access keys, fake files on my computer, fake bitcoin wallets, etc. If any of those are touched, I get an alert.

I got a little off topic and I'm sure there are more things, but that's my basic list.

this post is excellent