someone ran brute on my box?

Harold Hallikainen harold at hallikainen.com
Fri Oct 14 15:10:47 UTC 2005


> On Fri, 2005-10-07 at 15:06 -0400, Mark McCulligh wrote:
>> Bob McClure Jr wrote:
>>
>> >On Fri, Oct 07, 2005 at 01:06:52PM -0400, Mark McCulligh wrote:
>> >
>> >
>> >>Hi Group,
>> >>
>> >>I had someone get into my box and run a command called "brute" on my
>> >>box for 3 hours.  What is brute and what next steps should I do to see
>> >>if they got anything?
>> >>
>> >>
>> >
>> >I'm not sure, but given what I've seen on the 'Net, it's probably a
>> >brute-force password guesser that works by SSH on other machines.  He
>> >already got into your machine, so unless he was trying to crack root's
>> >password (assuming he got in as a mere mortal), he was using your box
>> >as a jumping-off point to another box.
>> >
>> >This may well be what it was, or something similar:
>> >
>> >http://www.frsirt.com/exploits/08202004.brutessh2.c.php
>> >
>> >If that's all it was, then you can change the compromised password and
>> >make sure that "brute" is not brought up by some rc script at boot
>> >time or a cron job.  See further down.
>> >
>> >I see these exploits all the time.  I sent five nastygrams to various
>> >network admins today about crack attempts from their networks.  I
>> >monitor several servers, most of which I have no say about password
>> >selection.  One of the machines has had at least two successful cracks
>> >because of crummy passwords.  Here are two tools that detect such
>> >crack attempts and cut them off after N tries:
>> >
>> >http://www.aczoom.com/cms/blockhosts/
>> >http://www.pettingers.org/code/SSHBlack.html
>> >
>> >I have some variant of those installed on all machines with SSH
>> >exposure to the 'Net.  I've not had a successful crack since.
>> >
>> >On the other hand, if the cracker got root access, he found a
>> >vulnerability in some of your software, probably a buffer overflow.
>> >That's why it's so important not to run old Linux distros without
>> >adequate updates.
>> >
>> >Here are some useful resources if it was a root compromise:
>> >
>> >http://www.cert.org/tech_tips/root_compromise.html
>> >http://www.linuxjournal.com/article/5037
>> >http://www.usenix.org/publications/login/1999-9/features/rootkits.html
>> >
>> >If that's the case, you should save off everything important like home
>> >directories and files in /etc, and do a complete re-install.  Unless
>> >you know exactly what the rootkit did, it's the only safe way.
>> >
>> >
>> >
>> >>Thanks,
>> >>Mark.
>> >>
>> >>
>> >
>> >Cheers,
>> >
>> >
>>
>> Thanks Bob,
>>
>> From what I can find, he (or she) created a folder with the name " " to
>> make it harder to find.  Then they tried a lot to crack my root password.
>> I should have seen in my daily logs that the attempts were coming from my
>> own IP.  I get so many, I never picked up on it.  Then last night they
>> started to scan other people's computers using my box.  That is when I
>> caught them: my router logs for outgoing SSH went through the roof.
>>
>> I changed the user's password and killed all processes being run by that
>> user.
>>
>> I will take your advice and check for cron jobs and look at those
>> helpful links to make improvements to my box.
>
> You should also run "lastlog" and see which IP the SOB came in on if you
> can and block that IP via iptables.
>
> If it was a dialup or broadband (cable or DSL) line, I'd firewall the
> entire IP block.  Check by doing a "whois ip-address".  That'll reveal
> who owns the block (and their CIDR) and use that as your address mask.
>
> You can also complain to the provider.  Give them the IP address and the
> date of last login, and they can trace it to who had that IP at the time
> and bust the bastard.  If you can, have the putz drawn, quartered,
> keelhauled and strung up by his gonads.  Make it VERY public.  Yes, I'm
> vindictive.  There is a deterrent value to this.
>
> Make sure that /var/log/lastlog is owned by and writable ONLY by root.
>
> Get "chkrootkit" (www.chkrootkit.org) and run it.  You should also set
> up tripwire and set it to run often.  Don't set up tripwire unless
> you're CERTAIN your box is clean or it may ignore hacked executables.
> If there's any doubt at all, back up the user data and reinstall...but
> make sure you reformat the drive.  You want NO cruft left over.
>
> Welcome to the Internet.  Sheesh!
> ----------------------------------------------------------------------
> - Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
> - VitalStream, Inc.                       http://www.vitalstream.com -
> -                                                                    -
> ----------------------------------------------------------------------
>


As usual, I find this list EXTREMELY valuable! Based on the above thread,
I've installed SSHBlack. It's fun to watch its log and see all those IPs
be blocked.

Thanks!

Harold


-- 
FCC Rules Updated Daily at http://www.hallikainen.com
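A small log checker in the spirit of the SSHBlack/BlockHosts advice in the thread, added here as an example; it is not code from the thread or from either tool. The sshd log lines and IP addresses are constructed, and treating 192.0.2.10 as the box's own address is an assumption; failed logins from the box's own address are reported separately because, as Mark found, they suggest the brute-forcer is running on the box itself rather than against it.

```python
import re
from collections import Counter

# Constructed sshd syslog lines (not taken from the thread): one remote
# guesser, one run of guesses from the box's own IP, one normal user login.
SAMPLE_LOG = """\
Oct  7 01:12:03 box sshd[2011]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct  7 01:12:05 box sshd[2013]: Failed password for root from 203.0.113.7 port 51023 ssh2
Oct  7 01:12:07 box sshd[2015]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Oct  7 01:12:09 box sshd[2017]: Failed password for root from 203.0.113.7 port 51025 ssh2
Oct  7 01:12:11 box sshd[2019]: Failed password for root from 203.0.113.7 port 51026 ssh2
Oct  7 02:30:44 box sshd[2201]: Failed password for root from 192.0.2.10 port 40011 ssh2
Oct  7 02:30:46 box sshd[2203]: Failed password for root from 192.0.2.10 port 40012 ssh2
Oct  7 02:30:48 box sshd[2205]: Failed password for root from 192.0.2.10 port 40013 ssh2
Oct  7 02:30:50 box sshd[2207]: Failed password for root from 192.0.2.10 port 40014 ssh2
Oct  7 03:15:00 box sshd[2300]: Accepted password for mark from 198.51.100.5 port 33000 ssh2
Oct  7 03:16:12 box sshd[2310]: Failed password for root from 198.51.100.5 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..."
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def failed_attempts(log_text):
    """Count failed SSH logins per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def classify(log_text, threshold=3, own_ips=frozenset()):
    """Split sources into remote offenders (>= threshold failures) and
    failures coming from the box's own addresses (assumed set own_ips)."""
    counts = failed_attempts(log_text)
    remote = {ip: n for ip, n in counts.items() if n >= threshold and ip not in own_ips}
    local = {ip: n for ip, n in counts.items() if ip in own_ips}
    return remote, local


def block_rules(remote):
    """iptables rules (one per offending IP) to drop further traffic from it."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(remote)]


if __name__ == "__main__":
    remote, local = classify(SAMPLE_LOG, own_ips={"192.0.2.10"})
    print("remote offenders:", remote)
    print("guesses from own IP (brute-forcer on this box?):", local)
    print("\n".join(block_rules(remote)))
```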
