rootkit?

[Chasecreek Systemhouse]

On 12/11/05, Craig White <craigwhite at azapple.com> wrote:

> > Whats the general removal procedure for this, and better yet, how did
> > they get in?
> ----
> it would seem that ssh, root allowed to login via password would be the
> magic combination of bad judgement...it's been so thoroughly discussed
> on this list as of late.

About three months ago I reported a box I admin'ed was accessed thru
DDoS on the ssh access port -- the sshd was hit 90,000 times a hour
and the attacker gained access.  They didn't get to do much as the box
had no compiler, no Perl, and was locked up by SELinux.  I made the
report to both openssh and to the RedHat ssh developers.  I was
running FC4 with the then current patches up-to-date.

Anyhow...  After they (the attacker, who arrived via S.America) spent
a few minutes trying to install a eBay spammer and a sendmail backdoor
-- both attempts failed -- they deleted some files and gave up.  This
attack, access, and discovery all happened in less than a 5 hour
period.  The attacker either was a novice or didn't care to cover
their tracks.

Now, before you say that ssh allowed root access - I can assure you
that root was not allowed to access the system -- not via ssh; only
via the local console.  Since that attack I have reformatted the
drives and tossed out all the data and installed clean backups.  I
have also limited - via cron -- when ssh is available for remote use;
hopefully that will reduce the window of opportunity.

I would say there is a ssh brute force hack floating around that has
not been documented yet; as such it is all Server admins best
interests to remain vigilant.
--
WC -Sx- Jones | http://ccsh.us/ | Open Source Consulting