[K12OSN] Help: System intrusion through ssh and a weak password
James P. Kinney III
jkinney at localnetsolutions.com
Fri May 4 22:09:50 UTC 2007
Jim,
Welcome to Hell. Be sure to stock up on antacid. Strong drinks are also
advised.
First off: the ONLY sure solution is to wipe the drives and reinstall
from scratch. Don't even think of doing anything else.
Just before you wipe the drives, backup all your critical config files
and go over them manually to verify they are good (always keep a backup
copy of critical config offline somewhere).
Once you reinstall, turn off root login with ssh without keys. This will
block 99% of all of the brute force attacks as the keys can't be
guessed.
This happens to everyone eventually so don't be too hard on yourself.
You can run some rootkit detectors (rkhunter is actively updated) but it
won't solve the problem. However, it can alert you to the intrusion.
Other things to do are to install the ssh brute force detection
tools (there are many - sshdeny, sshblock - names are fuzzy, tired -
sorry). These tools will use iptables to block access from remote sites
that are trying to break in using brute force methods.
Keep us posted. I'll help out as best I can.
Ugh. No fun for Jim tonight...
On Fri, 2007-05-04 at 14:15 -0700, Jim Christiansen wrote:
> Hello All- I've got a problem here with 3 complaints from our
> school's internet provider. All of them have been brute force attacks
> to other systems in the world...
>
> Here is a clip from one log sent to me:
> | Tag Name | Status | Severity | Event Count | Source Count | Target Count | Object Count | Earliest Event | Latest Event |
> | SSH_Brute_Force | Attack failure (blocked by Proventia appliance) | High | 128198 | 1 | 18723 | 1 | 2007-05-03 06:00:00 PDT | 2007-05-04 09:00:00 PDT |
> | HTTP_IIS_Unicode_Wide_Encoding | Detected attack (vuln not scanned recently) | High | 50 | 1 | 20 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-03 14:00:00 PDT |
> | SSH_ChallengeResponse_Bo | Attack failure (blocked by Proventia appliance) | High | 5 | 1 | 5 | 1 | 2007-05-03 22:00:00 PDT | 2007-05-04 08:00:00 PDT |
> | HTTP_cookieOverflow | Detected attack (vuln not scanned recently) | High | 2 | 1 | 1 | 1 | 2007-05-02 14:00:00 PDT | 2007-05-02 14:00:00 PDT |
> | SSH_Vulnerable_OpenSSH | Detected event | Medium | 7067 | 1 | 235 | 1 | 2007-05-03 06:00:00 PDT | 2007-05-04 08:00:00 PDT |
> | HTTP_IIS_Double_Eval_Evasion | Detected event | Medium | 112 | 1 | 20 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-04 09:00:00 PDT |
> | HTTP_IIS_Percent_Evasion | Detected event | Medium | 46 | 1 | 18 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-04 09:00:00 PDT |
> | HTTP_Proxy_Cache_Poisoning | Attack failure (blocked by Proventia appliance) | Medium | 39 | 1 | 15 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-04 08:00:00 PDT |
>
> Here is a clip from the first log sent to me:
>
> | SSH_Brute_Force | 15690 | 2007-05-03 05:17:37 | 2007-05-03 10:43:27 |
> | TCP_Service_Sweep | 471 | 2007-05-03 05:18:10 | 2007-05-03 11:50:14 |
> | HTTP_Proxy_Cache_Poisoning | 5 | 2007-05-02 12:42:36 | 2007-05-03 11:39:10 |
> +-----------------------------------+--------------+----------------------+----------------------+
> Top 20 Events for SSH_Brute_Force Total Count 15690
> +-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
> | Source Address | Dest Address | SPort | DPort | Count | Min Time(PST) | Max Time(PST) |
> +-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
> | 142.26.181.80 | 66.221.9.56 | 0 | 22 | 447 | 2007-05-03 05:28:08 | 2007-05-03 06:16:10 |
> | 142.26.181.80 | 66.221.95.3 | 0 | 22 | 421 | 2007-05-03 05:37:05 | 2007-05-03 06:27:41 |
> | 142.26.181.80 | 66.221.94.120 | 0 | 22 | 403 | 2007-05-03 05:41:28 | 2007-05-03 06:29:37 |
> | 142.26.181.80 | 66.221.95.148 | 0 | 22 | 364 | 2007-05-03 05:29:36 | 2007-05-03 06:28:44 |
> | 142.26.181.80 | 66.221.91.216 | 0 | 22 | 325 | 2007-05-03 05:36:06 | 2007-05-03 06:06:58 |
> | 142.26.181.80 | 66.221.91.169 | 0 | 22 | 302 | 2007-05-03 05:41:13 | 2007-05-03 06:29:07 |
> | 142.26.181.80 | 66.221.91.190 | 0 | 22 | 284 | 2007-05-03 05:28:54 | 2007-05-03 06:04:53 |
> | 142.26.181.80 | 66.221.90.87 | 0 | 22 | 258 | 2007-05-03 05:44:23 | 2007-05-03 06:15:11 |
> | 142.26.181.80 | 66.221.90.180 | 0 | 22 | 202 | 2007-05-03 05:33:38 | 2007-05-03 05:51:53 |
> | 142.26.181.80 | 66.221.92.31 | 0 | 22 | 181 | 2007-05-03 05:30:57 | 2007-05-03 06:09:46 |
> | 142.26.181.80 | 66.221.95.24 | 0 | 22 | 180 | 2007-05-03 05:42:34 | 2007-05-03 06:05:13 |
> | 142.26.181.80 | 66.221.91.186 | 0 | 22 | 179 | 2007-05-03 06:04:53 | 2007-05-03 06:28:27 |
> | 142.26.181.80 | 66.221.94.240 | 0 | 22 | 175 | 2007-05-03 05:42:45 | 2007-05-03 06:11:20 |
> | 142.26.181.80 | 66.221.84.109 | 0 | 22 | 163 | 2007-05-03 05:28:01 | 2007-05-03 06:11:30 |
> | 142.26.181.80 | 66.221.87.194 | 0 | 22 | 139 | 2007-05-03 05:46:59 | 2007-05-03 06:09:38 |
> | 142.26.181.80 | 66.221.91.218 | 0 | 22 | 137 | 2007-05-03 05:33:31 | 2007-05-03 06:01:05 |
> | 142.26.181.80 | 66.221.92.112 | 0 | 22 | 136 | 2007-05-03 05:27:47 | 2007-05-03 06:06:57 |
> | 142.26.181.80 | 66.221.89.69 | 0 | 22 | 134 | 2007-05-03 05:30:01 | 2007-05-03 06:07:31 |
> | 142.26.181.80 | 66.221.95.97 | 0 | 22 | 127 | 2007-05-03 05:45:18 | 2007-05-03 05:59:54 |
> | 142.26.181.80 | 66.221.94.204 | 0 | 22 | 125 | 2007-05-03 05:40:19 | 2007-05-03 05:53:41 |
> +-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
>
> Top 20 Events for TCP_Service_Sweep Total Count 471
>
>
> I found files in /dev/shm/zH and /dev/shm/.info. They don't belong
> and didn't have root access?? Standard user access belonging to
> username 'josh'... I didn't think /dev was writable...???
>
> I've cleaned it out and have had a ton of ports blocked...
>
>
> Any help would be welcomed.
>
> Thanks, Jim
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
--
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions,LLC
770-493-8244
http://www.localnetsolutions.com
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
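A worked example, added here and not part of the thread (it is neither Jim's nor James's code): a POSIX shell script that checks the two pieces of advice in the reply above. The first function audits an sshd_config for the root-over-password combination the reply says to turn off; the second does what the brute force blockers mentioned (sshdeny, sshblock and the like) do, counting "Failed password" events per source address in the sshd log and printing the iptables rules that would drop further connections from the offenders. The sshd_config lines, the auth-log lines, the host name, the PIDs and the addresses (RFC 5737 documentation ranges) are all constructed for the example; the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not code from the K12OSN thread. Two checks following the
# advice in the reply above: (1) does sshd still let root in with a password,
# and (2) which source addresses are hammering sshd, with the iptables rules a
# blocker like the ones mentioned would install. All inputs are constructed.

# --- 1. sshd_config audit ----------------------------------------------------
# First value given for keyword $2 in the config text $1. sshd uses the first
# occurrence of a directive and keywords are case-insensitive (the caller
# lowercases). Match blocks are not handled by this simple check.
sshd_directive() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" \
      | head -n 1
}

# Reads sshd_config text on stdin, prints "weak" (root can log in with a
# password or keyboard-interactive prompt) or "hardened" (root only with keys,
# or not at all). Exit status 1 for weak so it can gate a deploy script.
# Defaults mirror OpenSSH of that era: all three directives default to yes.
sshd_root_password_verdict() {
    conf=$(tr '[:upper:]' '[:lower:]')
    root=$(sshd_directive "$conf" permitrootlogin);               root=${root:-yes}
    pw=$(sshd_directive "$conf" passwordauthentication);          pw=${pw:-yes}
    cr=$(sshd_directive "$conf" challengeresponseauthentication); cr=${cr:-yes}
    if [ "$root" = yes ] && { [ "$pw" = yes ] || [ "$cr" = yes ]; }; then
        echo weak
        return 1
    fi
    echo hardened
    return 0
}

# --- 2. brute-force source detection from the auth log ----------------------
# Reads syslog-style sshd lines on stdin, prints each source IP that produced
# at least $1 "Failed password" events. Successful logins are ignored.
ssh_brute_force_sources() {
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$1" '$1 >= t { print $2 }'
}

# Turns IPs on stdin into iptables commands (printed, not executed, so the
# output can be reviewed; pipe into sh as root to apply).
ssh_block_rules() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Constructed sample data: host name, PIDs and addresses (RFC 5737
# documentation ranges) are made up for this example.
SAMPLE_AUTH_LOG='May  4 21:13:02 ltsp sshd[4121]: Failed password for root from 203.0.113.7 port 50211 ssh2
May  4 21:13:04 ltsp sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
May  4 21:13:05 ltsp sshd[4125]: Accepted publickey for josh from 192.0.2.10 port 40001 ssh2
May  4 21:13:07 ltsp sshd[4127]: Failed password for root from 203.0.113.7 port 50213 ssh2
May  4 21:13:09 ltsp sshd[4129]: Failed password for josh from 198.51.100.5 port 33001 ssh2'

# A stock config (commented-out line must be ignored) and a rebuilt one.
WEAK_CONF='#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_CONF='PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no'

echo "stock config:   $(printf '%s\n' "$WEAK_CONF"     | sshd_root_password_verdict)"
echo "rebuilt config: $(printf '%s\n' "$HARDENED_CONF" | sshd_root_password_verdict)"
echo "rules for sources with 3 or more failures:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_brute_force_sources 3 | ssh_block_rules
```

On a real box the same functions run as `sshd_root_password_verdict < /etc/ssh/sshd_config` and `ssh_brute_force_sources 20 < /var/log/secure` (Fedora/RHEL; Debian logs sshd to /var/log/auth.log), with a threshold chosen to sit well above what a fumbling legitimate user produces. Note that `PasswordAuthentication no` alone is not enough when `ChallengeResponseAuthentication` is left at its default, since PAM can still prompt for the password through keyboard-interactive; the verdict function treats that case as weak for exactly that reason. Regarding the files Jim found: /dev/shm is a world-writable tmpfs (with the sticky bit set), so an attacker holding only the 'josh' account can drop files there without any root access, which is consistent with an ordinary user password having been guessed.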