rootkit?

jdow jdow at earthlink.net
Tue Dec 13 01:25:12 UTC 2005


From: "Chasecreek Systemhouse" <chasecreek.systemhouse at gmail.com>

> On 12/11/05, Craig White <craigwhite at azapple.com> wrote:
> 
>> > What's the general removal procedure for this, and better yet, how did
>> > they get in?
>> ----
>> it would seem that ssh, root allowed to login via password would be the
>> magic combination of bad judgement...it's been so thoroughly discussed
>> on this list as of late.
> 
> About three months ago I reported a box I admin'ed was accessed thru
> DDoS on the ssh access port -- the sshd was hit 90,000 times an hour
> and the attacker gained access.  They didn't get to do much as the box
> had no compiler, no Perl, and was locked up by SELinux.  I made the
> report to both openssh and to the RedHat ssh developers.  I was
> running FC4 with the then current patches up-to-date.
> 
> Anyhow...  After they (the attacker, who arrived via S.America) spent
> a few minutes trying to install an eBay spammer and a sendmail backdoor
> -- both attempts failed -- they deleted some files and gave up.  This
> attack, access, and discovery all happened in less than a 5 hour
> period.  The attacker either was a novice or didn't care to cover
> their tracks.
> 
> Now, before you say that ssh allowed root access - I can assure you
> that root was not allowed to access the system -- not via ssh; only
> via the local console.  Since that attack I have reformatted the
> drives and tossed out all the data and installed clean backups.  I
> have also limited - via cron -- when ssh is available for remote use;
> hopefully that will reduce the window of opportunity.
> 
> I would say there is an ssh brute force hack floating around that has
> not been documented yet; as such it is in all server admins' best
> interests to remain vigilant.

If there is only light ssh traffic to your system, this also will reduce
the hacker's ability to get in.

# $IPTABLES is assumed to hold the path to the iptables binary (e.g. /sbin/iptables).
# Rule 1: record a timestamp in the "sshattack" list for every new connection (SYN) to port 22.
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# Rules 2 and 3: once the same source has 3 or more SYNs recorded in the last 120 seconds,
# log the attempt and then reject it with a TCP reset. This counts connection attempts,
# not failed logins, so a legitimate user who reconnects quickly can trip it as well.
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset

I figure a nice random four letter password would be good for about
90 days on the average if somebody tried all possible character
combinations from a 50 character set of characters. <drily>I use a
few more characters than that.

3 failed tries in the last 120 seconds means you cannot get in anymore
until it's down to 2 failed tries in the last 120 seconds. So he gets
one try every 40 seconds. That makes hacking into the system a slow SLOW
operation, one I'd notice pretty quickly.
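A small model of what the rule pair above does over time, added here as an example and not code from the original post. It assumes the recent module's default of 20 stored timestamps per source and treats a stamp as "recent" when it is at most 120 seconds old; the input SYN times are constructed.

```python
"""Model of the 'sshattack' rules: --set records every SYN, then
--rcheck --seconds 120 --hitcount 3 matches once 3 SYNs are recent."""
from collections import defaultdict, deque

SECONDS = 120    # --seconds 120
HITCOUNT = 3     # --hitcount 3
LIST_MAX = 20    # assumed ip_pkt_list_tot default: stamps kept per source


class RecentTable:
    """Per-source timestamp lists, as the 'recent' match keeps them."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_MAX))

    def set(self, src, now):
        # rule 1 (--set): append this packet's timestamp for the source
        self.stamps[src].append(now)

    def rcheck(self, src, now):
        # rules 2/3 (--rcheck): match when >= HITCOUNT stamps are in window
        recent = [s for s in self.stamps.get(src, ()) if now - s <= SECONDS]
        return len(recent) >= HITCOUNT


def filter_syns(syns):
    """syns: iterable of (time_seconds, src).
    Returns [(time, src, 'ACCEPT' | 'REJECT'), ...] in time order."""
    table = RecentTable()
    out = []
    for now, src in sorted(syns):
        table.set(src, now)         # every SYN is recorded, rejected or not
        if table.rcheck(src, now):  # LOG rule matches, then REJECT rule
            out.append((now, src, "REJECT"))
        else:
            out.append((now, src, "ACCEPT"))
    return out


def verdicts(times, src="constructed-src"):
    """Verdict per SYN for one source trying at the given times."""
    return [v for _, _, v in filter_syns((t, src) for t in times)]


if __name__ == "__main__":
    print(verdicts([0, 1, 2, 3]))                 # burst: 3rd SYN on is rejected
    print(verdicts([0, 60, 121, 182]))            # spaced out: all accepted
    print(verdicts([0, 1, 2] + list(range(10, 300, 10))))  # hammering stays blocked
```

Because the --set rule runs before --rcheck, rejected SYNs also refresh the list, so a source that keeps hammering never drops below the hit count.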

{^_^}




More information about the fedora-list mailing list