Successful SSH Attack - Need help cleaning up

Brian Hawkins brianhks at activeclickweb.com
Tue Oct 31 11:03:30 MST 2006


Good thread by the way.  It made me aware of the ongoing attacks against 
my own ssh server.

It was mentioned several times about /var/log/secure.  It seemed 
significant that ssh was not logging to secure but to messages.  On my 
machine (Suse 9) I do not have a /var/log/secure file.  Please enlighten 
me as to this files significants and how it pertains to being hacked?

Thanks
Brian

Daniel wrote:
> On 10/27/06, Ryan Simpkins <plug at ryansimpkins.com> wrote:
>> Secondly, and to back up a bit, how do you know that it was via SSH 
>> they gained
>> access? Is SSH the only service running on your system?
>>
>> Did they infiltrate your system using another method, and then gain 
>> escalated access
>> via SSH? If so - reinstalling and changing SSH ports won't slow them 
>> down much.
>>
> I plead the 5th on who's fault it is, but there was a test user that
> was created with a weak password for testing purposes.  This was done
> on a Thursday or Friday.  The following Tuesday morning we found that
> someone was scanning ports and trying to ssh different servers.
> I installed a rootkithunter and found nothing then froze so I killed
> it.  I did a top and saw pscan2.  I then did lsof on pscan2.  I found
> that it was in /dev/shm/.\ /hosts/
> --w-------  1 1234565 123123     307 May 11 01:32 a
> --w-------  1 1234565 123123     200 Oct 10 08:45 nobash.txt
> --w-------  1 1234565 123123  121007 May 11 01:35 pass.txt
> --w-------  1 1234565 123123    5944 May 15  2005 pscan2
> --w-------  1 1234565 123123    5797 May 15  2005 pscan2.c
> --w-------  1 1234565 123123     307 May 11 01:33 scan
> --w-------  1 1234565 123123       0 Oct 10 11:11 scan.log
> --w-------  1 1234565 123123 1384518 Jun  5  2005 sshd
> --w-------  1 1234565 123123    3632 May 11 01:33 start
> --w-------  1 1234565 123123      47 Oct 10 05:18 vuln.txt
>
> I did chmod a-x on all the files in that folder.  pscan2 stopped.  I
> copied these files to the security officer for analysis.  I thought
> everything was fine so I opened up port 22.  I shut off outside access
> through port 22 when I found out it wasn't logging to /var/log/secure.
> It was logging to /var/log/messages instead.  I have now reinstalled
> ssh and it is logging to /var/log/secure.
> This is probably way too much information, but this is what happened.
> I need to give the patrons notice that the webserver will be down so I
> will reinstall the OS on Friday.  I will try to use a different port
> and implement the iptables approach to deterring attacks.
>
> Thanks for all your help.
> -Daniel
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>



More information about the PLUG mailing list