someone ran brute on my box?
Mark McCulligh
mmcculli at visualtech.ca
Fri Oct 7 22:09:47 UTC 2005
Rick Stevens wrote:
>On Fri, 2005-10-07 at 15:06 -0400, Mark McCulligh wrote:
>
>>Bob McClure Jr wrote:
>>
>>>On Fri, Oct 07, 2005 at 01:06:52PM -0400, Mark McCulligh wrote:
>>>
>>>>Hi Group,
>>>>
>>>>I had someone get into my box and run a command called "brute" on my box
>>>>for 3 hours. What is brute, and what next steps should I take to see if
>>>>they got anything?
>>>>
>>>I'm not sure, but given what I've seen on the 'Net, it's probably a
>>>brute-force password guesser that works by SSH on other machines. He
>>>already got into your machine, so unless he was trying to crack root's
>>>password (assuming he got in as a mere mortal), he was using your box
>>>as a jumping-off point to another box.
>>>
>>>This may well be what it was, or something similar:
>>>
>>>http://www.frsirt.com/exploits/08202004.brutessh2.c.php
>>>
>>>If that's all it was, then you can change the compromised password and
>>>make sure that "brute" is not brought up by some rc script at boot
>>>time or a cron job. See further down.
>>>
>>>I see these exploits all the time. I sent five nastygrams to various
>>>network admins today about crack attempts from their networks. I
>>>monitor several servers, most of which I have no say about password
>>>selection. One of the machines has had at least two successful cracks
>>>because of crummy passwords. Here are two tools that detect such
>>>crack attempts and cut them off after N tries:
>>>
>>>http://www.aczoom.com/cms/blockhosts/
>>>http://www.pettingers.org/code/SSHBlack.html
>>>
>>>I have some variant of those installed on all machines with SSH
>>>exposure to the 'Net. I've not had a successful crack since.
>>>
>>>On the other hand, if the cracker got root access, he found a
>>>vulnerability in some of your software, probably a buffer overflow.
>>>That's why it's so important not to run old Linux distros without
>>>adequate updates.
>>>
>>>Here are some useful resources if it was a root compromise:
>>>
>>>http://www.cert.org/tech_tips/root_compromise.html
>>>http://www.linuxjournal.com/article/5037
>>>http://www.usenix.org/publications/login/1999-9/features/rootkits.html
>>>
>>>If that's the case, you should save off everything important like home
>>>directories and files in /etc, and do a complete re-install. Unless
>>>you know exactly what the rootkit did, it's the only safe way.
>>>
>>>>Thanks,
>>>>Mark.
>>>>
>>>Cheers,
>>>
>>Thanks Bob,
>>
>> From what I can find, he (or she) created a folder with the name " " to make
>>it harder to find. Then they tried a lot to crack my root password. I
>>should have seen in my daily logs that the attempts were coming from my own
>>IP. I get so many that I never picked up on it. Then last night they started
>>scanning other people's computers using my box. That is when I caught them: my
>>router logs for outgoing SSH went through the roof.
>>
>>I changed the user's password and killed all processes run by that user.
>>
>>I will take your advice and check for cron jobs and look at those
>>helpful links to make improvements to my box.
>>
>
>You should also run "lastlog" and see which IP the SOB came in on if you
>can and block that IP via iptables.
>
>If it was a dialup or broadband (cable or DSL) line, I'd firewall the
>entire IP block. Check by doing a "whois ip-address". That'll reveal
>who owns the block (and their CIDR) and use that as your address mask.
>
Thanks for the information. They came from Amsterdam. I will send an
email to the provider. Not sure if they will do anything, but you never
know.
Mark.
>You can also complain to the provider. Give them the IP address and the
>date of last login, and they can trace it to who had that IP at the time
>and bust the bastard. If you can, have the putz drawn, quartered,
>keelhauled and strung up by his gonads. Make it VERY public. Yes, I'm
>vindictive. There is a deterrent value to this.
>
>Make sure that /var/log/lastlog is owned by and writable ONLY by root.
>
>Get "chkrootkit" (www.chkrootkit.org) and run it. You should also set
>up tripwire and set it to run often. Don't set up tripwire unless
>you're CERTAIN your box is clean or it may ignore hacked executables.
>If there's any doubt at all, back up the user data and reinstall...but
>make sure you reformat the drive. You want NO cruft left over.
>
>Welcome to the Internet. Sheesh!
>----------------------------------------------------------------------
>- Rick Stevens, Senior Systems Engineer      rstevens at vitalstream.com -
>- VitalStream, Inc.                          http://www.vitalstream.com -
>----------------------------------------------------------------------
>
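Two of the checks recommended in this thread, written out as an added example (this is not code from the thread, from blockhosts or from SSHBlack): counting sshd "Failed password" attempts per source IP and cutting off anyone over N tries, as Bob's tools do, and looking for the persistence Rick and Bob warn about (a directory named with only whitespace, and cron or rc entries that reference a "brute" binary). The log lines, the directory tree, the user name "mark", the IP addresses and the threshold of 5 are all constructed for the example; the iptables rules are printed for review, not executed.

```shell
#!/bin/sh
# Added example, not from the thread. Runs entirely against constructed
# sample data: a handful of sshd log lines and a small fake filesystem.

THRESHOLD=5   # failures per source IP before we consider it an attacker (assumed)

# Sample sshd log lines, constructed for this example. The wording matches
# OpenSSH's "Failed password" / "Accepted password" messages as seen via syslog.
sample_auth_log() {
    cat <<'EOF'
Oct  6 23:01:12 box sshd[2201]: Failed password for root from 10.0.0.7 port 40211 ssh2
Oct  6 23:01:15 box sshd[2203]: Failed password for root from 10.0.0.7 port 40212 ssh2
Oct  6 23:01:18 box sshd[2205]: Failed password for invalid user admin from 10.0.0.7 port 40213 ssh2
Oct  6 23:01:21 box sshd[2207]: Failed password for root from 10.0.0.7 port 40214 ssh2
Oct  6 23:01:24 box sshd[2209]: Failed password for root from 10.0.0.7 port 40215 ssh2
Oct  6 23:01:27 box sshd[2211]: Failed password for root from 10.0.0.7 port 40216 ssh2
Oct  6 23:05:02 box sshd[2250]: Accepted password for mark from 192.0.2.44 port 51000 ssh2
Oct  6 23:09:40 box sshd[2260]: Failed password for mark from 192.0.2.44 port 51002 ssh2
EOF
}

# Read log lines on stdin; print "count ip" for every source IP whose failed
# logins exceed THRESHOLD. One typo from a legitimate user stays under it.
offenders() {
    awk -v max="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] > max) print fails[ip], ip }
    ' | sort -rn
}

# Turn the offender list into iptables rules. Printed rather than applied so
# you can check none of them is your own gateway or monitoring host first.
block_rules() {
    offenders | while read -r count ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP   # %s failures\n' "$ip" "$count"
    done
}

# Build a fake root (constructed) with the kind of foothold described in the
# thread: a directory called " " holding a brute-force wrapper, and a cron
# entry that restarts it, next to an innocent cron job and init script.
make_sample_tree() {
    root=$1
    mkdir -p "$root/home/mark/ " "$root/home/mark/work" "$root/etc/cron.d" "$root/etc/init.d"
    printf '#!/bin/sh\n./brute 10.0.0.0/8 pass.txt\n' > "$root/home/mark/ /run.sh"
    printf '*/10 * * * * mark /home/mark/ /run.sh >/dev/null 2>&1\n' > "$root/etc/cron.d/update"
    printf '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$root/etc/cron.d/logrotate"
    printf '#!/bin/sh\n# normal service\n' > "$root/etc/init.d/httpd"
}

# Directories whose name begins with whitespace (" ", "  " and friends are
# popular hiding spots because "ls" output makes them easy to overlook).
hidden_dirs() {
    find "$1" -type d -name '[[:space:]]*' | sed "s|^$1||"
}

# cron and rc files that mention "brute" or a path through a whitespace-named
# directory; these are the boot-time and cron restarts Bob tells you to look for.
persistence_refs() {
    grep -rl -e 'brute' -e '/ /' "$1/etc/cron.d" "$1/etc/init.d" 2>/dev/null | sed "s|^$1||" | sort
}

# Run "sh this.sh demo" to see the output on the constructed data.
if [ "${1:-}" = "demo" ]; then
    echo "== offenders =="; sample_auth_log | offenders
    echo "== proposed rules =="; sample_auth_log | block_rules
    d=$(mktemp -d); make_sample_tree "$d"
    echo "== whitespace-named dirs =="; hidden_dirs "$d"
    echo "== cron/rc files to inspect =="; persistence_refs "$d"
    rm -rf "$d"
fi
```

On a real box, feed `offenders` with `/var/log/secure` (or `/var/log/auth.log`) instead of the sample, and run `hidden_dirs /` and the grep over the real `/etc/cron*` and `/etc/rc*.d` or `/etc/init.d`. Remember what the thread says about ordering: if the attacker got root, the logs and `find` binary themselves may be lying to you, so do these checks from a clean boot medium or treat them as hints before the reinstall, not as proof the box is clean.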