Hi,
I am using the Endian v2.3 Firewall, very happy with it, and the changes from the previous version are very nice.
A few days ago I found in my inbox a few emails from the Endian Firewall saying that root logged in on the system, but the only person who knew the password was me, and I didn't log in to it. I got, I think, 3 of these emails in an interval of 5 minutes, and the IP address was that of one of my Win7 PCs in the network.
After I saw this I logged in to the webmin to see if everything was OK, and the server was working normally. A few hours later I noticed a lot of traffic from that PC over my internal network; after a few investigations I realised that it had a virus, some trojan backdoor thing.
I cleaned that PC and a few others which got infected later, but when I tried to log in to Endian to access the webmin the password didn't work, same for SSH as root.
1. I am the only person who knows the password
2. It was a 6-digit-long password of letters and numbers
3. I never got an email saying "Login failed of user root" like I got now when I tried to log in myself
So my question is: how could someone get into Endian as root so easily, without having access to the server at the console, and change my passwords?
Brute force attack? -> I never had any "Login failed of user root" emails sent to me, unless they have been suppressed somehow?
I am running Endian in a VM, so I will make a copy before I reset the root and admin passwords, just in case someone from the Endian crew wants to have a look! Or any ideas!