[ILUG] Compromised by ssh...
Conor Daly
conor.daly_ilug at cod.homelinux.org
Wed Nov 1 15:31:50 GMT 2006
On Tue, Oct 31, 2006 at 11:23:51AM +0000 or so it is rumoured hereabouts,
Gavin McCullagh thought:
> On Mon, 30 Oct 2006, Conor Daly wrote:
>
> > I'm rebuilding the server but I'm just wondering if I'll need to clean out
> > all the user accounts too. I have a backup that's fairly recent so
> > there'll be no great loss but I'll have to go to a bit of effort to retain
> > their recent email.
>
> How did you realise you were rooted, chkrootkit? Do you know for sure it
> happened since the last backup?
Simple really, blinkenlights on the cable modem. Came downstairs Saturday
morning early (not normal) and noticed the cable modem lights running
furiously along with the server and firewall ports on the switch. Figured
that this was a bit late for the apt-get download to be running so I
decided to investigate. A ps found about 10 instances of ssh-scan
belonging to the compromised user. I took the machine down, powered off
the cable modem and started to investigate. There was a record of
commands in the user's .bash_history which followed the issuing of 'unset
history' which must have failed (or may have covered the tracks of a full
rootkit install. There was a 'ssh password accepted for <user>' entry in
/var/log/messages after a long list of 'ssh invalid user' messages.
Last backup was a month or so ago so I'm pretty sure that's clean. I had
enabled password authentication in sshd_config two days earlier to test
the NX remote display server stuff so I'm pretty sure of the infection
route.
Anyway, the system is now back up after doing a new install, followed by a
reconfigure of services as per the backed up /etc and the user accounts
are currently being repopulated... I saved the email changes since the
last backup before wiping the machine and put them back so all is pretty
at this point.
As far as the threat risk is concerned, it's primarily me. The rest of
the family do not (as yet) geek, they just use the machines for 'net,
email etc. I'll be investigating further security in the next few days...
Cheers,
Conor
--
More information about the ILUG
mailing list