someone ran brute on my box?

Mark McCulligh mmcculli at visualtech.ca
Fri Oct 7 22:09:47 UTC 2005



Rick Stevens wrote:

>On Fri, 2005-10-07 at 15:06 -0400, Mark McCulligh wrote:
>
>>Bob McClure Jr wrote:
>>
>>
>>>On Fri, Oct 07, 2005 at 01:06:52PM -0400, Mark McCulligh wrote:
>>>
>>>>Hi Group,
>>>>
>>>>I had someone get into my box and run a command called "brute" on my box 
>>>>for 3 hours.  What is brute and what next steps should I do to see if 
>>>>they got anything.
>>>>
>>>I'm not sure, but given what I've seen on the 'Net, it's probably a
>>>brute-force password guesser that works by SSH on other machines.  He
>>>already got into your machine, so unless he was trying to crack root's
>>>password (assuming he got in as a mere mortal), he was using your box
>>>as a jumping-off point to another box.
>>>
>>>This may well be what it was, or something similar:
>>>
>>>http://www.frsirt.com/exploits/08202004.brutessh2.c.php
>>>
>>>If that's all it was, then you can change the compromised password and
>>>make sure that "brute" is not brought up by some rc script at boot
>>>time or a cron job.  See further down.
>>>
>>>I see these exploits all the time.  I sent five nastygrams to various
>>>network admins today about crack attempts from their networks.  I
>>>monitor several servers, most of which I have no say about password
>>>selection.  One of the machines has had at least two successful cracks
>>>because of crummy passwords.  Here are two tools that detect such
>>>crack attempts and cut them off after N tries:
>>>
>>>http://www.aczoom.com/cms/blockhosts/
>>>http://www.pettingers.org/code/SSHBlack.html
>>>
>>>I have some variant of those installed on all machines with SSH
>>>exposure to the 'Net.  I've not had a successful crack since.
>>>
>>>On the other hand, if the cracker got root access, he found a
>>>vulnerability in some of your software, probably a buffer overflow.
>>>That's why it's so important not to run old Linux distros without
>>>adequate updates.
>>>
>>>Here are some useful resources if it was a root compromise:
>>>
>>>http://www.cert.org/tech_tips/root_compromise.html
>>>http://www.linuxjournal.com/article/5037
>>>http://www.usenix.org/publications/login/1999-9/features/rootkits.html
>>>
>>>If that's the case, you should save off everything important like home
>>>directories and files in /etc, and do a complete re-install.  Unless
>>>you know exactly what the rootkit did, it's the only safe way.
>>>
>>>
>>>>Thanks,
>>>>Mark.
>>>>
>>>Cheers,
>>>
>>Thanks Bob,
>>
>>From what I can find, he (or she) created a folder named " " to make 
>>it harder to find.  Then tried a lot to crack my root password.  I 
>>should have seen in my daily logs that the attempts were coming from my own 
>>IP.  I get so many, I never picked up on it.  Then last night they started 
>>scanning other people's computers using my box.   That is when I caught them; my 
>>router logs for outgoing SSH went through the roof.
>>
>>I changed the user's password and killed all processes running as that user.
>>
>>I will take your advice and check for cron jobs and look at those 
>>helpful links to make improvements to my box.
>>
>
>You should also run "lastlog" and see which IP the SOB came in on if you
>can and block that IP via iptables.
>
>If it was a dialup or broadband (cable or DSL) line, I'd firewall the
>entire IP block.  Check by doing a "whois ip-address".  That'll reveal
>who owns the block (and their CIDR) and use that as your address mask.
>
>

Thanks for the information.  They came from Amsterdam.  I will send an 
email to the provider. Not sure if they will do anything, but you never 
know.

Mark.

>You can also complain to the provider.  Give them the IP address and the
>date of last login, and they can trace it to who had that IP at the time
>and bust the bastard.  If you can, have the putz drawn, quartered,
>keelhauled and strung up by his gonads.  Make it VERY public.  Yes, I'm
>vindictive.  There is a deterrent value to this.
>
>Make sure that /var/log/lastlog is owned by and writable ONLY by root.
>
>Get "chkrootkit" (www.chkrootkit.org) and run it.  You should also set
>up tripwire and set it to run often.  Don't set up tripwire unless
>you're CERTAIN your box is clean or it may ignore hacked executables.
>If there's any doubt at all, back up the user data and reinstall...but
>make sure you reformat the drive.  You want NO cruft left over.
>
>Welcome to the Internet.  Sheesh!
>----------------------------------------------------------------------
>- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
>- VitalStream, Inc.                       http://www.vitalstream.com -
>-                                                                    -
>----------------------------------------------------------------------
>
>_______________________________________________
>Redhat-install-list mailing list

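A defender-side triage script for the checks the thread walks through (a directory whose name is only whitespace, "brute" referenced from cron or rc files, and the ownership and mode of lastlog). This is an added example, not code from any of the posters; it builds a constructed sample tree so it runs offline, and the expected owner is passed as a parameter instead of being hardcoded to root.

```shell
#!/bin/sh
# Added example, not code from the thread. Three defender-side triage
# checks for the symptoms described above, run on a constructed sample
# tree so the script works offline: a directory whose name is only
# whitespace, cron/rc files mentioning a suspect binary name, and
# ownership/mode of a lastlog-style file (expected owner passed in as $2).

# Print directories under $1 whose last path component is only whitespace.
find_blank_dirs() {
    find "$1" -type d | awk -F/ '$NF ~ /^[[:space:]]+$/'
}

# Print files under the given cron/rc locations that mention the name in $1.
find_scheduled_refs() {
    name=$1; shift
    grep -rl -- "$name" "$@" 2>/dev/null
}

# Succeed only if $1 is owned by $2 and has no group or other write bit.
owner_only_writable() {
    info=$(ls -ld "$1") || return 1
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    mode=$(printf '%s\n' "$info" | cut -c1-10)
    [ "$owner" = "$2" ] || return 1
    [ "$(printf '%s\n' "$mode" | cut -c6)" != w ] || return 1
    [ "$(printf '%s\n' "$mode" | cut -c9)" != w ] || return 1
}

# Constructed sample tree: a " " directory under a home dir, a cron.d entry
# that would start "brute" at boot, a harmless rc.local, and a lastlog stand-in.
WORK=$(mktemp -d)
mkdir -p "$WORK/home/mark/ " "$WORK/etc/cron.d" "$WORK/etc/rc.d"
printf '%s\n' '@reboot /home/mark/ /brute' > "$WORK/etc/cron.d/nothing"
printf '%s\n' 'exit 0' > "$WORK/etc/rc.d/rc.local"
touch "$WORK/lastlog" && chmod 644 "$WORK/lastlog"

echo "Whitespace-named directories:"
find_blank_dirs "$WORK/home"
echo "Cron/rc files mentioning 'brute':"
find_scheduled_refs brute "$WORK/etc/cron.d" "$WORK/etc/rc.d"
if owner_only_writable "$WORK/lastlog" "$(id -un)"; then
    echo "lastlog: owner/mode OK"
else
    echo "lastlog: owner/mode WRONG"
fi
```

On a real box, point find_blank_dirs at /home and /tmp, find_scheduled_refs at /etc/cron* and /etc/rc.d, and owner_only_writable at /var/log/lastlog with root as the owner.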



More information about the Redhat-install-list mailing list