All times are UTC - 6 hours
PostPosted: Sat Jan 12, 2008 4:38 pm 
Joined: Sat Feb 03, 2007 12:52 am
Posts: 187
Location: Manitoba, Canada
OK, I was warned and I deserve all the “I told you so’s” that I get.

I normally had ports 22, 80 and 8001 forwarded to my mythbox so I could schedule, tinker, and stream at work. I wanted to stream the Canada - US world junior hockey game only to discover that I couldn’t connect. Tried changing every setting I could but couldn’t connect from outside my firewall. I even dropped the firewall for a bit and couldn’t connect. I finally called my ISP and they said they got an email from irc.undernet.org saying they thought I was running an energymech bot, so my ISP blocked all my ports. While he was on the phone I unplugged my mythbox from the network and he said the activity disappeared.

I’m hoping someone here can help me get rid of this as I really have no idea where to start. They said the activity was on 6660 – 7000.

Thanks in advance for any suggestions. I will take security risks more seriously now.

Warren.


PostPosted: Sat Jan 12, 2008 4:51 pm 
Joined: Fri Oct 20, 2006 12:04 pm
Posts: 905
Location: LA, CA
First off, quite sorry for your situation. This is quite sobering for me as well, as I enjoy using my box from afar too.

I can't give you much, but I'd want to do a clean install to make sure nothing stuck around... Maybe you can save your recordings?


PostPosted: Sat Jan 12, 2008 6:10 pm 
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
As far as "cleaning up", I think your best bet is to "upgrade" to the same version of KM that you are running. That way, you can be sure anything that was maliciously installed is gone, as the process of upgrading will reformat your root partition.

After doing that, why not tunnel over SSH with an encryption key? It's much safer than using simple password authentication.

http://www.knoppmythwiki.org/index.php?page=AccessMythWebSecurelyWithSSHandPuTTY

http://www.knoppmythwiki.org/index.php?page=RemoteAccessfromWindows

_________________
Mike
My Hardware Profile
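As an added example (not code from the thread or from the KnoppMyth wiki pages linked above), the script below does two things Mike's advice implies: it audits an sshd_config for the directives that matter once port 22 is the only port left forwarded (password logins and root logins), and it builds the local forward that reaches MythWeb and the stream port through that single keyed SSH session, so ports 80 and 8001 no longer need to be exposed. The two config fragments are constructed for the example; the hostname, user name and key path are assumptions, and MythWeb on port 80 and streaming on port 8001 are taken from the ports the original poster said he forwarded.

```shell
#!/bin/sh
# Audit an sshd_config for the settings that matter once port 22 is the only
# port reachable from the internet, then build the local forward that reaches
# MythWeb and the stream port through that one SSH session.
# Assumptions (not from the thread): OpenSSH keyword syntax; MythWeb on port
# 80 and streaming on 8001, the ports the poster had been forwarding directly.

# Constructed sshd_config fragments: the weak one relies on passwords and
# lets root log in; the hardened one requires keys and a named user.
WEAK_CONFIG='Port 22
PasswordAuthentication yes
PermitRootLogin yes
X11Forwarding no'

HARDENED_CONFIG='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers mythtv
AllowTcpForwarding yes'

# Read an sshd_config on stdin and print one line per weak directive.
# A missing directive is treated as the OpenSSH default of that era
# (password auth on, challenge-response on, root login permitted),
# so an empty result means the file is in good shape.
audit_sshd_config() {
    awk '
    BEGIN { pw = "yes"; root = "yes"; chal = "yes" }
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "passwordauthentication"          { pw   = tolower($2) }
    tolower($1) == "challengeresponseauthentication" { chal = tolower($2) }
    tolower($1) == "permitrootlogin"                 { root = tolower($2) }
    END {
        if (pw   != "no") print "PasswordAuthentication is " pw " (want: no)"
        if (chal != "no") print "ChallengeResponseAuthentication is " chal " (want: no, or PAM can still prompt for a password)"
        if (root != "no") print "PermitRootLogin is " root " (want: no)"
    }'
}

# The forward: local 8080 -> MythWeb (port 80 on the box), local 8001 ->
# the stream port. -N opens no remote shell. The key is one you generated
# with ssh-keygen and installed in ~/.ssh/authorized_keys on the box
# (ssh-copy-id does that). Prints the command so it can be checked first.
# $1 = user@host   $2 = private key path
mythweb_tunnel_command() {
    printf 'ssh -i %s -N -L 8080:localhost:80 -L 8001:localhost:8001 %s\n' "$2" "$1"
}

printf '%s\n' "$WEAK_CONFIG"     | audit_sshd_config   # three findings
printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config   # prints nothing
# Hostname and key path are assumptions for the example.
mythweb_tunnel_command mythtv@mythbox.example.com "$HOME/.ssh/mythbox"
```

With the tunnel up, MythWeb is at http://localhost:8080/ on the laptop (the usual path is /mythweb/) and the stream port is reached as localhost:8001. In PuTTY the same forwards go under Connection > SSH > Tunnels (source port 8080, destination localhost:80, and likewise for 8001), with the private key set under Connection > SSH > Auth.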


PostPosted: Sat Jan 12, 2008 8:39 pm 
Joined: Sun Jun 12, 2005 10:55 pm
Posts: 3161
Location: Warwick, RI
Hi,

Before you do the upgrade, and while you can put your hands on the system (off the network), I suggest you review the /var/log area. Maybe start with auth.log to see who they logged in as. It may give an insight as to what was occurring without your knowledge.

I would not do a backup as "things" could be hidden and you could just restore issues. Check the passwd file to see if they added their own user account (it might give a date stamp of the last modification).

It could be important to know exactly when you were hacked, as if it was after a backup, then an upgrade may just restore some of the original issues. If the date of your backup is 1 Jan 08 and the "entry" was 31 Dec 07 .......

Also I would send tjc a pm and ask for some words of wisdom for some forensics.

Mike
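The checks Mike describes, as an added example that is not part of the original thread: the functions below pull the successful sshd logins and useradd events out of auth.log, list any non-root account with UID 0 in /etc/passwd, and flag established connections to the 6660-7000 port range the ISP reported. The netstat listing, log lines and passwd entries are constructed so the script runs offline; the addresses, PIDs and the "svc" account are made up. On the real box, pipe in /var/log/auth.log, the output of netstat -ntp and /etc/passwd instead.

```shell
#!/bin/sh
# Offline triage helpers for a Linux box suspected of running an IRC bot.
# All sample data below is constructed for this example; on the real
# machine pipe in /var/log/auth.log, `netstat -ntp` and /etc/passwd instead.

# --- constructed netstat -ntp output (addresses and PIDs are made up) ---
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.20:22         192.168.1.5:51234       ESTABLISHED 1201/sshd
tcp        0      0 192.168.1.20:43120      203.0.113.7:6667        ESTABLISHED 2210/bash
tcp        0      0 192.168.1.20:43121      198.51.100.9:6697       ESTABLISHED 2210/bash
tcp        0      0 192.168.1.20:80         192.168.1.5:51300       ESTABLISHED 1330/apache2'

# --- constructed auth.log excerpt (syslog lines as written by sshd/useradd) ---
SAMPLE_AUTHLOG='Jan  8 02:14:33 mythbox sshd[2190]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan  8 02:14:40 mythbox sshd[2190]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan  8 02:15:02 mythbox sshd[2195]: Accepted password for root from 203.0.113.7 port 40130 ssh2
Jan  8 02:16:11 mythbox useradd[2203]: new user: name=svc, UID=0, GID=0, home=/home/svc, shell=/bin/sh
Jan 12 16:20:01 mythbox sshd[3100]: Accepted publickey for mythtv from 192.168.1.5 port 51234 ssh2'

# --- constructed /etc/passwd ---
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
mythtv:x:1000:1000:MythTV:/home/mythtv:/bin/bash
svc:x:0:0::/home/svc:/bin/sh'

# Established TCP connections whose remote port is in the IRC range the ISP
# named (6660-7000). Prints "remote_addr:port pid/program".
irc_connections() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" {
        n = split($5, a, ":"); port = a[n] + 0
        if (port >= 6660 && port <= 7000) print $5, $7
    }'
}

# Successful sshd logins: prints "user source_ip method" so you can see who
# got in, from where, and whether it was a password or a key.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted") method = $(i + 1)
            if ($i == "for")      user   = $(i + 1)
            if ($i == "from")     ip     = $(i + 1)
        }
        print user, ip, method
    }'
}

# Accounts created through useradd, as useradd logs them to auth.log.
new_users() {
    awk '/useradd\[[0-9]+\]: new user: name=/ {
        sub(/.*name=/, ""); sub(/,.*/, ""); print
    }'
}

# Any account other than root with UID 0 is a backdoor until proven otherwise.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Run everything over the constructed samples. On a real box, for example:
#   netstat -ntp | irc_connections
#   accepted_logins < /var/log/auth.log
#   stat -c %y /etc/passwd        # GNU stat: when was passwd last modified?
printf '%s\n' "$SAMPLE_NETSTAT" | irc_connections
printf '%s\n' "$SAMPLE_AUTHLOG" | accepted_logins
printf '%s\n' "$SAMPLE_AUTHLOG" | new_users
printf '%s\n' "$SAMPLE_PASSWD"  | extra_root_accounts
```

Read the results together: the first accepted login in the sample is a password login as root from the same address that the failed attempts came from, one minute before a UID 0 account appears, which is the kind of timeline Mike suggests comparing against the date of your last backup. A bot can rename its process, so treat the remote port and address as the reliable signal, not the program name in the last column.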


PostPosted: Sat Jan 12, 2008 10:41 pm 
Joined: Mon May 10, 2004 8:08 pm
Posts: 1891
Location: Adelaide, Australia
Be aware that a backup/restore will leave all of the contents of the root and mythtv home directory. If they have compromised stuff in there you would be best off just installing from scratch.


PostPosted: Sun Jan 13, 2008 12:15 pm 
Joined: Thu Mar 25, 2004 11:00 am
Posts: 9551
Location: Arlington, MA
You can strip the backup down to only include the information about your recordings and settings so you don't lose all of your media files. See the Taking advantage of the enhanced backup and restore scripts thread among others for discussions on how to do this. The password file is not normally restored, so that shouldn't be a risk, but anything in the directories Greg mentions is.


PostPosted: Sun Jan 13, 2008 11:56 pm 
Joined: Sat Feb 03, 2007 12:52 am
Posts: 187
Location: Manitoba, Canada
Thanks guys. I figured the upgrade route would be the most absolute repair. I wasn't sure what all was copied with the backup or what could be tainted. I'll probably just keep the recording database and some customized config files. Going to have to take the plunge soon as I'm running out of guide data with it offline.

mihanson - I had seen those posts but thought it more convenient to be able to access it from any pc with an internet connection without adding extra software. I will be setting it up this time.


PostPosted: Mon Jan 14, 2008 7:45 pm 
Joined: Tue Aug 22, 2006 9:11 am
Posts: 127
Location: Perth
PuTTY is your friend: small to download and it doesn't require installing. Once you know how to use it you can download it and be logged into MythWeb in a matter of minutes.

I figure the minor inconvenience is better than spending hours trying to undo the damage caused by this.

I'm sure there is a portable SSH app you could set up on a thumb drive though!

_________________
DRM 'manages access' in the same way that jail 'manages freedom.'
_________________
Intel P4 2.6
Intel Desktop Board
2GB DDR400
nVidia 6600GT
Dvico HDTV+
Dvico Dual 4
200GB WD for Swap /boot & /
2x 500GB WD with LVM & XFS for /myth/tv


PostPosted: Sat Jan 26, 2008 11:09 am 
Joined: Sat Feb 03, 2007 12:52 am
Posts: 187
Location: Manitoba, Canada
Well, we're back online again. I backed up only the recording database and lirc files, then started from scratch. I've set up the SSH tunneling and it wasn't as bad as expected. It adds an extra step to viewing MythWeb remotely but... it's far more convenient than redoing my box again. The thing I'm wondering is how much I can send through the tunnel. Can I stream video through it as well, or would it add too much overhead to be useful?
Thanks.


PostPosted: Tue Feb 12, 2008 8:22 pm 
Joined: Tue Aug 22, 2006 9:11 am
Posts: 127
Location: Perth
I have streamed through SSH; from my experience, the overhead isn't too bad.

_________________
DRM 'manages access' in the same way that jail 'manages freedom.'
_________________
Intel P4 2.6
Intel Desktop Board
2GB DDR400
nVidia 6600GT
Dvico HDTV+
Dvico Dual 4
200GB WD for Swap /boot & /
2x 500GB WD with LVM & XFS for /myth/tv

