Successful SSH Attack - Need help cleaning up

Daniel teletautala at gmail.com
Tue Oct 31 14:26:25 MST 2006


Brian,

/var/log/secure will contain logs for the ssh server.  It's nice to
have a log dedicated to a service.
On 10/31/06, Brian Hawkins <brianhks at activeclickweb.com> wrote:
> Good thread by the way.  It made me aware of the ongoing attacks against
> my own ssh server.
>
> It was mentioned several times about /var/log/secure.  It seemed
> significant that ssh was not logging to secure but to messages.  On my
> machine (Suse 9) I do not have a /var/log/secure file.  Please enlighten
> me as to this file's significance and how it pertains to being hacked?
>
> Thanks
> Brian
>
> Daniel wrote:
> > On 10/27/06, Ryan Simpkins <plug at ryansimpkins.com> wrote:
> >> Secondly, and to back up a bit, how do you know that it was via SSH
> >> they gained
> >> access? Is SSH the only service running on your system?
> >>
> >> Did they infiltrate your system using another method, and then gain
> >> escalated access
> >> via SSH? If so - reinstalling and changing SSH ports won't slow them
> >> down much.
> >>
> > I plead the 5th on whose fault it is, but there was a test user that
> > was created with a weak password for testing purposes.  This was done
> > on a Thursday or Friday.  The following Tuesday morning we found that
> > someone was scanning ports and trying to ssh different servers.
> > I installed a rootkit hunter and it found nothing, then froze, so I
> > killed it.  I did a top and saw pscan2.  I then did lsof on pscan2.  I
> > found that it was in /dev/shm/.\ /hosts/
> > --w-------  1 1234565 123123     307 May 11 01:32 a
> > --w-------  1 1234565 123123     200 Oct 10 08:45 nobash.txt
> > --w-------  1 1234565 123123  121007 May 11 01:35 pass.txt
> > --w-------  1 1234565 123123    5944 May 15  2005 pscan2
> > --w-------  1 1234565 123123    5797 May 15  2005 pscan2.c
> > --w-------  1 1234565 123123     307 May 11 01:33 scan
> > --w-------  1 1234565 123123       0 Oct 10 11:11 scan.log
> > --w-------  1 1234565 123123 1384518 Jun  5  2005 sshd
> > --w-------  1 1234565 123123    3632 May 11 01:33 start
> > --w-------  1 1234565 123123      47 Oct 10 05:18 vuln.txt
> >
> > I did chmod a-x on all the files in that folder.  pscan2 stopped.  I
> > copied these files to the security officer for analysis.  I thought
> > everything was fine so I opened up port 22.  I shut off outside access
> > through port 22 when I found out it wasn't logging to /var/log/secure.
> > It was logging to /var/log/messages instead.  I have now reinstalled
> > ssh and it is logging to /var/log/secure.
> > This is probably way too much information, but this is what happened.
> > I need to give the patrons notice that the webserver will be down so I
> > will reinstall the OS on Friday.  I will try to use a different port
> > and implement the iptables approach to deterring attacks.
> >
> > Thanks for all your help.
> > -Daniel
> >
> > /*
> > PLUG: http://plug.org, #utah on irc.freenode.net
> > Unsubscribe: http://plug.org/mailman/options/plug
> > Don't fear the penguin.
> > */
> >
>
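As an added example (not from the thread), here is a small Python detector for the situation Daniel describes, a weak test account guessed over SSH: it parses the sshd auth lines that syslog writes (the text is the same whether syslog.conf routes them to /var/log/secure or /var/log/messages) and flags an accepted login from a source that already had several failures in the same log. The host names and addresses in the sample are constructed.

```python
import re
from collections import defaultdict

# sshd's auth lines reach syslog with this shape whether syslog.conf routes them
# to /var/log/secure or /var/log/messages. Older OpenSSH says "illegal user" and
# logs IPv4 peers as ::ffff:a.b.c.d; newer says "invalid user". Both are handled.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_sshd_events(lines):
    """Return (timestamp, result, user, ip) for every sshd auth line found."""
    events = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            ip = m.group("ip")
            if ip.startswith("::ffff:"):
                ip = ip[len("::ffff:"):]
            events.append((m.group("ts"), m.group("result"), m.group("user"), ip))
    return events

def find_brute_force_logins(events, threshold=5):
    """Flag an Accepted login from an IP that already had >= threshold failures
    in this window: the signature of a password that was guessed, not known."""
    failures = defaultdict(int)
    hits = []
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            hits.append({"time": ts, "user": user, "ip": ip,
                         "failures_before": failures[ip]})
    return hits
# Constructed sample lines (hosts and addresses are made up, not from the thread).
SAMPLE_LOG = """\
Oct 10 05:12:01 web1 sshd[4321]: Failed password for illegal user admin from ::ffff:198.51.100.7 port 40211 ssh2
Oct 10 05:12:03 web1 sshd[4323]: Failed password for illegal user oracle from ::ffff:198.51.100.7 port 40213 ssh2
Oct 10 05:12:05 web1 sshd[4325]: Failed password for test from ::ffff:198.51.100.7 port 40215 ssh2
Oct 10 05:12:07 web1 sshd[4327]: Failed password for test from ::ffff:198.51.100.7 port 40217 ssh2
Oct 10 05:12:09 web1 sshd[4329]: Failed password for test from ::ffff:198.51.100.7 port 40219 ssh2
Oct 10 05:12:11 web1 sshd[4331]: Accepted password for test from ::ffff:198.51.100.7 port 40221 ssh2
Oct 10 06:00:00 web1 sshd[4400]: Accepted publickey for daniel from 192.0.2.10 port 50000 ssh2
""".splitlines()

if __name__ == "__main__":
    for hit in find_brute_force_logins(parse_sshd_events(SAMPLE_LOG)):
        print(hit)
```

Point it at the real file with `parse_sshd_events(open("/var/log/secure"))`; a daemon that was silently logging to /var/log/messages instead, as in Daniel's case, is caught the same way by reading that file.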