someone ran brute on my box?

Rick Stevens rstevens at vitalstream.com
Fri Oct 7 21:09:46 UTC 2005


On Fri, 2005-10-07 at 15:06 -0400, Mark McCulligh wrote:
> Bob McClure Jr wrote:
> 
> >On Fri, Oct 07, 2005 at 01:06:52PM -0400, Mark McCulligh wrote:
> >  
> >
> >>Hi Group,
> >>
> >>I had someone get into my box and run a command called "brute" on my box 
> >>for 3 hours.  What is brute and what next steps should I do to see if 
> >>they got anything.
> >>    
> >>
> >
> >I'm not sure, but given what I've seen on the 'Net, it's probably a
> >brute-force password guesser that works by SSH on other machines.  He
> >already got into your machine, so unless he was trying to crack root's
> >password (assuming he got in as a mere mortal), he was using your box
> >as a jumping-off point to another box.
> >
> >This may well be what it was, or something similar:
> >
> >http://www.frsirt.com/exploits/08202004.brutessh2.c.php
> >
> >If that's all it was, then you can change the compromised password and
> >make sure that "brute" is not brought up by some rc script at boot
> >time or a cron job.  See further down.
> >
> >I see these exploits all the time.  I sent five nastygrams to various
> >network admins today about crack attempts from their networks.  I
> >monitor several servers, most of which I have no say about password
> >selection.  One of the machines has had at least two successful cracks
> >because of crummy passwords.  Here are two tools that detect such
> >crack attempts and cut them off after N tries:
> >
> >http://www.aczoom.com/cms/blockhosts/
> >http://www.pettingers.org/code/SSHBlack.html
> >
> >I have some variant of those installed on all machines with SSH
> >exposure to the 'Net.  I've not had a successful crack since.
> >
> >On the other hand, if the cracker got root access, he found a
> >vulnerability in some of your software, probably a buffer overflow.
> >That's why it's so important not to run old Linux distros without
> >adequate updates.
> >
> >Here are some useful resources if it was a root compromise:
> >
> >http://www.cert.org/tech_tips/root_compromise.html
> >http://www.linuxjournal.com/article/5037
> >http://www.usenix.org/publications/login/1999-9/features/rootkits.html
> >
> >If that's the case, you should save off everything important like home
> >directories and files in /etc, and do a complete re-install.  Unless
> >you know exactly what the rootkit did, it's the only safe way.
> >
> >  
> >
> >>Thanks,
> >>Mark.
> >>    
> >>
> >
> >Cheers,
> >  
> >
> 
> Thanks Bob,
> 
> From what I can find he (or she) created a folder with the name " " to make 
> it harder to find.  Then tried a lot to crack my root password.  I 
> should have seen in my daily logs that the attempts were coming from my own 
> IP.  I get so many I never picked up on it.  Then last night they started to scan 
> other people's computers using my box.   That is when I caught them, my 
> router logs for outgoing SSH went through the roof.
> 
> I changed the user's password and killed all processes being run by that user.
> 
> I will take your advice and check for cron jobs and look at those 
> helpful links to make improvements to my box.

You should also run "lastlog" and see which IP the SOB came in on if you
can and block that IP via iptables.

If it was a dialup or broadband (cable or DSL) line, I'd firewall the
entire IP block.  Check by doing a "whois ip-address".  That'll reveal
who owns the block (and their CIDR); use that as your address mask.

You can also complain to the provider.  Give them the IP address and the
date of last login, and they can trace it to who had that IP at the time
and bust the bastard.  If you can, have the putz drawn, quartered,
keelhauled and strung up by his gonads.  Make it VERY public.  Yes, I'm
vindictive.  There is a deterrent value to this.

Make sure that /var/log/lastlog is owned by and writable ONLY by root.

Get "chkrootkit" (www.chkrootkit.org) and run it.  You should also set
up tripwire and set it to run often.  Don't set up tripwire unless
you're CERTAIN your box is clean or it may ignore hacked executables.
If there's any doubt at all, back up the user data and reinstall...but
make sure you reformat the drive.  You want NO cruft left over.

Welcome to the Internet.  Sheesh!
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
----------------------------------------------------------------------
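As an added example (not code from the thread, Rick or Bob), a small POSIX shell script that turns the checks above into reusable functions: finding whitespace-named directories like Mark's " " folder, verifying that a lastlog-style file is owned by root and writable only by root, and tallying the source addresses of accepted SSH logins from an sshd log. The sample log lines are constructed, and the syslog line format and paths are assumptions.

```shell
#!/bin/sh
# Added post-compromise triage helpers (not code from the thread). Every function
# takes explicit paths so it can run on the live box or on logs copied off it.

# Directories whose names are only whitespace and/or dots, like the " " folder
# Mark found. Names such as ".ssh" or "my docs" are not reported.
find_blank_named_dirs() {
    find "$1" -type d \( -name '* *' -o -name '.*' \) 2>/dev/null |
    while IFS= read -r d; do
        [ "$d" = "$1" ] && continue            # skip the search root itself
        base=${d##*/}
        stripped=$(printf '%s' "$base" | tr -d ' \t.')
        if [ -z "$stripped" ]; then printf '%s\n' "$d"; fi
    done
}

# Rick's check on /var/log/lastlog: owned by $2 (default root) and writable
# by the owner only. Returns 0 when the file passes, 1 otherwise.
check_log_perms() {
    want=${2:-root}
    set -- "$1" $(ls -ld "$1")              # $2 = mode string, $4 = owner
    [ "$4" = "$want" ] || return 1
    case "$2" in
        ?????w*|????????w*) return 1 ;;     # group- or world-writable
    esac
    return 0
}

# Which addresses successful SSH logins came from: prints "count ip user",
# busiest first. Expects syslog-style sshd "Accepted ..." lines (assumed format).
login_sources() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            n[ip " " user]++
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Constructed sample: one normal login, then logins from an unfamiliar address.
SAMPLE_AUTH_LOG='Oct  6 02:11:09 box sshd[2291]: Accepted password for mark from 10.0.0.5 port 51234 ssh2
Oct  6 03:40:51 box sshd[2402]: Failed password for root from 192.0.2.77 port 40011 ssh2
Oct  6 03:41:02 box sshd[2402]: Accepted password for mark from 192.0.2.77 port 40012 ssh2
Oct  7 01:15:30 box sshd[3120]: Accepted publickey for mark from 192.0.2.77 port 40100 ssh2'
```

Write `$SAMPLE_AUTH_LOG` to a file and pass it to `login_sources`, or point the function at the real sshd log; the top line is the address to look up with whois and to block.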




More information about the Redhat-install-list mailing list