rootkit?
jdow
jdow at earthlink.net
Tue Dec 13 01:25:12 UTC 2005
From: "Chasecreek Systemhouse" <chasecreek.systemhouse at gmail.com>
> On 12/11/05, Craig White <craigwhite at azapple.com> wrote:
>
>> > Whats the general removal procedure for this, and better yet, how did
>> > they get in?
>> ----
>> it would seem that ssh, root allowed to login via password would be the
>> magic combination of bad judgement...it's been so thoroughly discussed
>> on this list as of late.
>
> About three months ago I reported a box I admin'ed was accessed thru
> DDoS on the ssh access port -- the sshd was hit 90,000 times a hour
> and the attacker gained access. They didn't get to do much as the box
> had no compiler, no Perl, and was locked up by SELinux. I made the
> report to both openssh and to the RedHat ssh developers. I was
> running FC4 with the then current patches up-to-date.
>
> Anyhow... After they (the attacker, who arrived via S.America) spent
> a few minutes trying to install a eBay spammer and a sendmail backdoor
> -- both attempts failed -- they deleted some files and gave up. This
> attack, access, and discovery all happened in less than a 5 hour
> period. The attacker either was a novice or didn't care to cover
> their tracks.
>
> Now, before you say that ssh allowed root access - I can assure you
> that root was not allowed to access the system -- not via ssh; only
> via the local console. Since that attack I have reformatted the
> drives and tossed out all the data and installed clean backups. I
> have also limited - via cron -- when ssh is available for remote use;
> hopefully that will reduce the window of opportunity.
>
> I would say there is a ssh brute force hack floating around that has
> not been documented yet; as such it is all Server admins best
> interests to remain vigilant.
If there is only light ssh traffic to your system this also will reduce
the hacker's ability to get in.
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
I figure a nice random four letter password would be good for about
90 days on the average if somebody tried all possible character
combinations from a 50 character set of characters. <drily>I use a
few more characters than that.
3 failed tries in the last 120 seconds means you cannot get in anymore
until it's down to 2 failed tries in the last 120 seconds. So he gets
one try every 40 seconds. That makes hacking into the system a slow SLOW
operation, one I'd notice pretty quickly.
{^_^}
More information about the fedora-list
mailing list