ssh-scan

Dag Wieers dag at wieers.com
Tue May 9 12:49:00 UTC 2006


On Tue, 9 May 2006, Greg Wiggill wrote:

> Thanks for the replies.  Chkrootkit works really well and is easy to use
> but didn't find anything.
> 
> I did find however scan.tgz, relaycheck.pl, a sendmail directory in /tmp
> with references to ebay, 60,000 entries in mailq and more.
> 
> There were 60-odd processes called 'brute' which had a parameter of
> '100'!
> 
> Cleaned it all up (which seems to have stemmed the $200/hr internet/data
> bill) and will probably rebuild later in the week.

Greg,

The first thing you have to do when you suspect a break-in like this is to 
disconnect the system from the network or from power. Even when it is in 
production, your first attention should go to not allowing the system to be 
exploited any longer.

You don't have control over the system; if you think you have, you are 
wrong. You can't trust anything on the system anymore (not even the 
commands you run).

So disconnect the system from the network (and possibly bring it down 
without running a command). Then either start building up a new system 
and/or investigate who broke in and what has been exposed (using a rescue 
image or one of the forensic toolkits). Involve the local federal/national 
crime unit to report whatever evidence you have.

The longer you leave the system running (and connected to the network), the 
bigger the chance is that an action is taken to abuse whatever is on the 
system if it is discovered that they have been exposed, either 
by destroying data or by copying sensitive data (if that wasn't already 
the case).

If the system has privacy data of customers/partners/employees (contact 
info, social security numbers) you will have to inform all parties that 
the information might have been misused. (Depending on the detail of the 
evidence you may conclude that there was no information leak, but that 
could be a deception.)

If you don't take any action against these crimes (pursue the case), these 
crimes are free from punishment and criminals have nothing to fear (and 
probably become rich from it too).

Kind regards,
--   dag wieers,  dag at wieers.com,  http://dag.wieers.com/   --
[all I want is a warm bed and a kind word and unlimited power]
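
One practical consequence of "you can't trust the commands you run" is that any checking of the suspect disk has to be done with tools that did not come from it. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it assumes the suspect root filesystem is mounted read-only under a directory and that a sha256sum baseline of important binaries (taken from a trusted install of the same package versions) is available, and it reports binaries that are modified or missing, using the rescue environment's own sha256sum.

```shell
#!/bin/sh
# Added example (not from the original thread). Verifies binaries on a
# suspect, read-only mounted root filesystem against a hash baseline, run
# from a rescue image so that only trusted tools (sha256sum, cut, read) are
# executed. Baseline format is plain sha256sum output taken on a clean
# system of the same package versions: "<sha256>  /bin/ls".

# check_binaries BASELINE ROOT
# Prints "MODIFIED <path>" for each binary whose hash differs from the
# baseline and "MISSING  <path>" for each one that is absent under ROOT.
# Returns 1 if any finding was produced, 0 if every binary matched.
check_binaries() {
    baseline=$1
    root=$2
    status=0
    # "hash  path" lines: read splits on whitespace, so the double space
    # produced by sha256sum is harmless.
    while read -r expected path; do
        [ -z "$path" ] && continue
        if [ ! -f "$root$path" ]; then
            printf 'MISSING  %s\n' "$path"
            status=1
            continue
        fi
        actual=$(sha256sum "$root$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$path"
            status=1
        fi
    done < "$baseline"
    return $status
}

# Constructed demo (hypothetical paths, not a real mounted disk): a tiny
# "suspect root" with one untouched file, one altered file and one removed.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/root/bin"
printf 'clean binary\n' > "$demo_dir/root/bin/ls"
printf 'trojaned binary\n' > "$demo_dir/root/bin/ps"
clean_hash=$(printf 'clean binary\n' | sha256sum | cut -d' ' -f1)
printf '%s  /bin/ls\n%s  /bin/ps\n%s  /bin/netstat\n' \
    "$clean_hash" "$clean_hash" "$clean_hash" > "$demo_dir/baseline"
if check_binaries "$demo_dir/baseline" "$demo_dir/root"; then
    echo "all binaries match the baseline"
else
    echo "findings above: rebuild from known-good media"
fi
rm -rf "$demo_dir"
```

A baseline must come from a trusted system (package manager verification on a clean install of the same versions), never from the suspect disk itself.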

