someone ran brute on my box?

Mark McCulligh mmcculli at visualtech.ca
Fri Oct 7 19:06:08 UTC 2005


Bob McClure Jr wrote:

>On Fri, Oct 07, 2005 at 01:06:52PM -0400, Mark McCulligh wrote:
>
>>Hi Group,
>>
>>I had someone get into my box and run a command called "brute" on my box 
>>for 3 hours.  What is brute and what next steps should I do to see if 
>>they got anything.
>
>I'm not sure, but given what I've seen on the 'Net, it's probably a
>brute-force password guesser that works by SSH on other machines.  He
>already got into your machine, so unless he was trying to crack root's
>password (assuming he got in as a mere mortal), he was using your box
>as a jumping-off point to another box.
>
>This may well be what it was, or something similar:
>
>http://www.frsirt.com/exploits/08202004.brutessh2.c.php
>
>If that's all it was, then you can change the compromised password and
>make sure that "brute" is not brought up by some rc script at boot
>time or a cron job.  See further down.
>
>I see these exploits all the time.  I sent five nastygrams to various
>network admins today about crack attempts from their networks.  I
>monitor several servers, most of which I have no say about password
>selection.  One of the machines has had at least two successful cracks
>because of crummy passwords.  Here are two tools that detect such
>crack attempts and cut them off after N tries:
>
>http://www.aczoom.com/cms/blockhosts/
>http://www.pettingers.org/code/SSHBlack.html
>
>I have some variant of those installed on all machines with SSH
>exposure to the 'Net.  I've not had a successful crack since.
>
>On the other hand, if the cracker got root access, he found a
>vulnerability in some of your software, probably a buffer overflow.
>That's why it's so important not to run old Linux distros without
>adequate updates.
>
>Here are some useful resources if it was a root compromise:
>
>http://www.cert.org/tech_tips/root_compromise.html
>http://www.linuxjournal.com/article/5037
>http://www.usenix.org/publications/login/1999-9/features/rootkits.html
>
>If that's the case, you should save off everything important like home
>directories and files in /etc, and do a complete re-install.  Unless
>you know exactly what the rootkit did, it's the only safe way.
>
>>Thanks,
>>Mark.
>
>Cheers,

Thanks Bob,

From what I can find, he (or she) created a folder with the name " " to make 
it harder to find.  Then tried a lot to crack my root password.  I 
should have seen in my daily logs that the attempts were coming from my own 
IP.  I get so many that I never picked up on it.  Then last night they started to scan 
other people's computers using my box.   That is when I caught them: my 
router logs for outgoing SSH went through the roof.

I changed the user's password and killed all processes run by that user.

I will take your advice and check for cron jobs and look at those 
helpful links to make improvements to my box.

Thanks again,
Mark.
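Added example, not code from this thread or from either poster: shell helpers for the three triage steps the exchange above touches on, namely locating a directory whose name is only whitespace (the " " folder), checking cron entries and rc/init scripts for a named binary such as "brute", and flagging an internal host whose outbound SSH connection count spikes in firewall logs. It assumes a Linux-like host with find, awk, grep and mktemp; the log line format and the sample lines are constructed for the demo, not taken from any real router.

```shell
#!/bin/sh
# Post-compromise triage helpers (added example, not from the original thread).
# Assumptions: Linux-like host with find, awk, grep; log lines in the
# constructed format produced by sample_log() below.

# 1. Find directories whose name is nothing but whitespace (the " " folder
#    trick from the thread). Prints one path per line under $1.
find_blank_named_dirs() {
    find "$1" -type d 2>/dev/null | awk -F/ '$NF ~ /^[ \t]+$/'
}

# 2. Persistence check: look for a binary name ($1, e.g. "brute") in the
#    system cron directories, user crontabs and rc/init scripts. $2 is an
#    optional root prefix so the same function works on a mounted image or a
#    scratch tree; it defaults to the live filesystem. Missing paths are
#    ignored and "no hits" is a normal result, so grep's status is discarded.
grep_persistence() {
    name=$1
    root=${2:-}
    grep -rl -- "$name" \
        "$root/etc/crontab" "$root/etc/cron.d" "$root/etc/cron.daily" \
        "$root/etc/cron.hourly" "$root/var/spool/cron" "$root/etc/rc.local" \
        "$root/etc/rc.d" "$root/etc/init.d" 2>/dev/null || true
}

# 3. Outbound SSH burst detection. Reads firewall/router log lines on stdin,
#    counts outbound (OUT) connections to port 22 per internal source address
#    and prints "source count" for every source above the threshold in $1.
#    This is the "outgoing SSH went through the roof" signal from the thread.
count_outbound_ssh() {
    awk -v t="$1" '
        / OUT / {
            src = ""; ssh = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/) src = substr($i, 5)
                if ($i == "dpt=22") ssh = 1
            }
            if (ssh && src != "") n[src]++
        }
        END { for (h in n) if (n[h] > t) print h, n[h] }'
}

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
# 192.0.2.10 opens four SSH connections to four different hosts in a minute;
# 192.0.2.20 makes one HTTPS connection and one SSH connection.
sample_log() {
    cat <<'EOF'
Oct 07 02:00:01 OUT src=192.0.2.20 dst=203.0.113.5 dpt=443 proto=tcp
Oct 07 02:00:03 OUT src=192.0.2.10 dst=203.0.113.7 dpt=22 proto=tcp
Oct 07 02:00:09 OUT src=192.0.2.10 dst=203.0.113.8 dpt=22 proto=tcp
Oct 07 02:00:15 OUT src=192.0.2.20 dst=203.0.113.9 dpt=22 proto=tcp
Oct 07 02:00:21 OUT src=192.0.2.10 dst=203.0.113.9 dpt=22 proto=tcp
Oct 07 02:00:40 IN src=198.51.100.3 dst=192.0.2.10 dpt=22 proto=tcp
Oct 07 02:00:55 OUT src=192.0.2.10 dst=203.0.113.10 dpt=22 proto=tcp
EOF
}

# Demo on the constructed log: with a threshold of 2, only 192.0.2.10 is reported.
sample_log | count_outbound_ssh 2
# Live use on a real host (not run here):
#   find_blank_named_dirs /home
#   grep_persistence brute
```

The threshold for the outbound count is deliberately a parameter: on a box that legitimately administers a handful of other machines a sensible value is a little above its normal hourly count, and anything well past that from a single internal source is worth a look at the process list and crontabs of whoever owns the sessions.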




More information about the Redhat-install-list mailing list