[K12OSN] Help: System intrusion through ssh and a weak password

James P. Kinney III jkinney at localnetsolutions.com
Fri May 4 22:09:50 UTC 2007


Jim,

Welcome to Hell. Be sure to stock up on antacid. Strong drinks are also
advised.

First off: the ONLY sure solution is to wipe the drives and reinstall
from scratch. Don't even think of doing anything else.

Just before you wipe the drives, back up all your critical config files
and go over them manually to verify they are good (always keep a backup
copy of critical config offline somewhere).

Once you reinstall, turn off root login with ssh without keys. This will
block 99% of all of the brute force attacks as the keys can't be
guessed.

This happens to everyone eventually so don't be too hard on yourself.

You can run some rootkit detectors (rkhunter is actively updated) but it
won't solve the problem. However, it can alert you to the intrusion.
Other things to do are to install the ssh brute force detection
tools (there are many - sshdeny, sshblock - names are fuzzy, tired -
sorry). These tools will use iptables to block access from remote sites
that are trying to break in using brute force methods.

Keep us posted. I'll help out as best I can.

Ugh. No fun for Jim tonight...

On Fri, 2007-05-04 at 14:15 -0700, Jim Christiansen wrote:
> Hello All-  I've got a problem here with 3 complaints from our
> school's internet provider.  All of them have been brute force attacks
> to other systems in the world...
> 
> Here is a clip from one log sent to me: 
> Tag Name | Status | Severity | Event Count | Source Count | Target Count | Object Count | Earliest Event | Latest Event
> SSH_Brute_Force | Attack failure (blocked by Proventia appliance) | High | 128198 | 1 | 18723 | 1 | 2007-05-03 06:00:00 PDT | 2007-05-04 09:00:00 PDT
> HTTP_IIS_Unicode_Wide_Encoding | Detected attack (vuln not scanned recently) | High | 50 | 1 | 20 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-03 14:00:00 PDT
> SSH_ChallengeResponse_Bo | Attack failure (blocked by Proventia appliance) | High | 5 | 1 | 5 | 1 | 2007-05-03 22:00:00 PDT | 2007-05-04 08:00:00 PDT
> HTTP_cookieOverflow | Detected attack (vuln not scanned recently) | High | 2 | 1 | 1 | 1 | 2007-05-02 14:00:00 PDT | 2007-05-02 14:00:00 PDT
> SSH_Vulnerable_OpenSSH | Detected event | Medium | 7067 | 1 | 235 | 1 | 2007-05-03 06:00:00 PDT | 2007-05-04 08:00:00 PDT
> HTTP_IIS_Double_Eval_Evasion | Detected event | Medium | 112 | 1 | 20 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-04 09:00:00 PDT
> HTTP_IIS_Percent_Evasion | Detected event | Medium | 46 | 1 | 18 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-04 09:00:00 PDT
> HTTP_Proxy_Cache_Poisoning | Attack failure (blocked by Proventia appliance) | Medium | 39 | 1 | 15 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-04 08:00:00 PDT
> 
> Here is a clip from the first log sent to me:
> 
> | Tag Name | Count | First Seen | Last Seen |
> | SSH_Brute_Force | 15690 | 2007-05-03 05:17:37 | 2007-05-03 10:43:27 |
> | TCP_Service_Sweep | 471 | 2007-05-03 05:18:10 | 2007-05-03 11:50:14 |
> | HTTP_Proxy_Cache_Poisoning | 5 | 2007-05-02 12:42:36 | 2007-05-03 11:39:10 |
> 
> Top 20 Events for SSH_Brute_Force Total Count 15690
> 
> | Source Address | Dest Address | SPort | DPort | Count | Min Time(PST) | Max Time(PST) |
> | 142.26.181.80 | 66.221.9.56 | 0 | 22 | 447 | 2007-05-03 05:28:08 | 2007-05-03 06:16:10 |
> | 142.26.181.80 | 66.221.95.3 | 0 | 22 | 421 | 2007-05-03 05:37:05 | 2007-05-03 06:27:41 |
> | 142.26.181.80 | 66.221.94.120 | 0 | 22 | 403 | 2007-05-03 05:41:28 | 2007-05-03 06:29:37 |
> | 142.26.181.80 | 66.221.95.148 | 0 | 22 | 364 | 2007-05-03 05:29:36 | 2007-05-03 06:28:44 |
> | 142.26.181.80 | 66.221.91.216 | 0 | 22 | 325 | 2007-05-03 05:36:06 | 2007-05-03 06:06:58 |
> | 142.26.181.80 | 66.221.91.169 | 0 | 22 | 302 | 2007-05-03 05:41:13 | 2007-05-03 06:29:07 |
> | 142.26.181.80 | 66.221.91.190 | 0 | 22 | 284 | 2007-05-03 05:28:54 | 2007-05-03 06:04:53 |
> | 142.26.181.80 | 66.221.90.87 | 0 | 22 | 258 | 2007-05-03 05:44:23 | 2007-05-03 06:15:11 |
> | 142.26.181.80 | 66.221.90.180 | 0 | 22 | 202 | 2007-05-03 05:33:38 | 2007-05-03 05:51:53 |
> | 142.26.181.80 | 66.221.92.31 | 0 | 22 | 181 | 2007-05-03 05:30:57 | 2007-05-03 06:09:46 |
> | 142.26.181.80 | 66.221.95.24 | 0 | 22 | 180 | 2007-05-03 05:42:34 | 2007-05-03 06:05:13 |
> | 142.26.181.80 | 66.221.91.186 | 0 | 22 | 179 | 2007-05-03 06:04:53 | 2007-05-03 06:28:27 |
> | 142.26.181.80 | 66.221.94.240 | 0 | 22 | 175 | 2007-05-03 05:42:45 | 2007-05-03 06:11:20 |
> | 142.26.181.80 | 66.221.84.109 | 0 | 22 | 163 | 2007-05-03 05:28:01 | 2007-05-03 06:11:30 |
> | 142.26.181.80 | 66.221.87.194 | 0 | 22 | 139 | 2007-05-03 05:46:59 | 2007-05-03 06:09:38 |
> | 142.26.181.80 | 66.221.91.218 | 0 | 22 | 137 | 2007-05-03 05:33:31 | 2007-05-03 06:01:05 |
> | 142.26.181.80 | 66.221.92.112 | 0 | 22 | 136 | 2007-05-03 05:27:47 | 2007-05-03 06:06:57 |
> | 142.26.181.80 | 66.221.89.69 | 0 | 22 | 134 | 2007-05-03 05:30:01 | 2007-05-03 06:07:31 |
> | 142.26.181.80 | 66.221.95.97 | 0 | 22 | 127 | 2007-05-03 05:45:18 | 2007-05-03 05:59:54 |
> | 142.26.181.80 | 66.221.94.204 | 0 | 22 | 125 | 2007-05-03 05:40:19 | 2007-05-03 05:53:41 |
> 
> Top 20 Events for TCP_Service_Sweep Total Count 471
> 
> 
> I found files in /dev/shm/zH and /dev/shm/.info.  They don't belong
> and didn't have root access??  Standard user access belonging to
> username 'josh'...  I didn't think /dev was writable...???
> 
> I've cleaned it out and have had a ton of ports blocked...  
> 
> 
> Any help would be welcomed.
> 
> Thanks,  Jim
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
-- 
James P. Kinney III          
CEO & Director of Engineering 
Local Net Solutions,LLC        
770-493-8244                    
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
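Two of the recommendations in the reply above, checking that sshd_config really turns off root and password logins, and picking the brute-force source that finally got in out of the auth log, worked through as an added Python example. This is not code from the list, from James, or from the OpenSSH project. Everything in it is constructed: the sample auth.log lines and config text, the RFC 5737 documentation addresses standing in for real ones, the 10-failure threshold, and the assumption that a missing PermitRootLogin defaults to yes (true for the OpenSSH of 2007; 7.0 and later default to prohibit-password).

```python
"""Post-incident SSH checks (added example, not the poster's or the list's
code).  Part 1 audits sshd_config the way sshd reads it: the FIRST
occurrence of a keyword wins, so a hardened line appended below a weak one
changes nothing.  Part 2 sweeps syslog-style sshd lines for brute-force
sources and for 'many failures, then a password accepted' from the same
source, which is the footprint of a guessed password.  All sample data
is constructed."""
import re
from collections import defaultdict

# --- 1. sshd_config audit --------------------------------------------

def effective_sshd_settings(config_text):
    """Map keyword -> value as sshd resolves it (first match wins).
    Match blocks are conditional overrides and are not evaluated here."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

# Values that leave only key-based root logins (prohibit-password and its
# older alias without-password) or no root login at all.
HARDENED = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
}

def audit_sshd_config(config_text):
    """Return [(keyword, effective_value)] for settings still weak.
    A missing keyword is reported as the default, assumed 'yes' for both
    (PermitRootLogin defaulted to yes before OpenSSH 7.0)."""
    eff = effective_sshd_settings(config_text)
    return [(k, eff.get(k, "yes (default)")) for k, ok in HARDENED.items()
            if eff.get(k, "yes").lower() not in ok]

WEAK_CONFIG = """\
# constructed: the shape of sshd_config on a box like the poster's
Port 22
PermitRootLogin yes
# appended later, but sshd already took the line above
PermitRootLogin no
"""  # PasswordAuthentication absent -> sshd default 'yes'

HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# --- 2. brute-force / guessed-password detection ---------------------

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                    r"(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) "
                      r"from (\d{1,3}(?:\.\d{1,3}){3})")

def analyze_auth_log(lines, threshold=10):
    """Return (sources_to_block, suspected_compromises).  A password
    accepted from a source that already has >= threshold failures is a
    successful guess; block lists alone would never tell you that."""
    failures = defaultdict(int)
    compromised = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures.get(m.group(2), 0) >= threshold:
            compromised.append((m.group(2), m.group(1), failures[m.group(2)]))
    block = sorted(src for src, n in failures.items() if n >= threshold)
    return block, compromised

def iptables_rules(sources, port=22):
    """Rules of the kind the ssh brute-force blockers insert."""
    return ["iptables -I INPUT -s %s -p tcp --dport %d -j DROP" % (s, port)
            for s in sources]

# Constructed syslog lines; 203.0.113.7 guesses 15 times and then gets in
# as 'josh', 198.51.100.9 is noise, 192.0.2.20 is a legitimate key login.
SAMPLE_LOG = [
    "May  3 05:%02d:00 box sshd[4021]: Failed password for invalid user %s "
    "from 203.0.113.7 port %d ssh2" % (28 + i, u, 40000 + i)
    for i, u in enumerate(["admin", "test", "oracle", "guest"] * 3)
] + [
    "May  3 05:41:%02d box sshd[4021]: Failed password for josh "
    "from 203.0.113.7 port 40012 ssh2" % s for s in (5, 9, 13)
] + [
    "May  3 05:41:20 box sshd[4021]: Accepted password for josh "
    "from 203.0.113.7 port 40013 ssh2",
    "May  3 06:02:11 box sshd[4100]: Failed password for root "
    "from 198.51.100.9 port 51000 ssh2",
    "May  3 06:10:45 box sshd[4188]: Accepted publickey for jim "
    "from 192.0.2.20 port 52200 ssh2",
]

if __name__ == "__main__":
    for k, v in audit_sshd_config(WEAK_CONFIG):
        print("weak: %s = %s" % (k, v))
    block, hits = analyze_auth_log(SAMPLE_LOG)
    for src, user, n in hits:
        print("LIKELY GUESSED: %s logged in from %s after %d failures"
              % (user, src, n))
    print("\n".join(iptables_rules(block)))
```

On a real host confirm the effective values with `sshd -T` rather than by reading the file, since that is what the daemon will actually use after the reinstall. The blocking rules stop the noise; the "accepted after N failures" check is the part worth keeping, because it is the only line of the three that says a password has already been guessed, which is what the files owned by the 'josh' account in the original report point to.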