
Re: [K12OSN] Help: System intrusion through ssh and a weak password



We're using FreeNX through ssh to remote control all the schools that are installed with LTSP.

What we did is move the ssh port somewhere high in the port list; it solved all the "scanning" and trying to "break in" log entries that we used to see in the log file :-)

(i wonder how long it will last)

On 5/5/07, James P. Kinney III <jkinney localnetsolutions com> wrote:
Jim,

Welcome to Hell. Be sure to stock up on antacid. Strong drinks are also
advised.

First off: the ONLY sure solution is to wipe the drives and reinstall
from scratch. Don't even think of doing anything else.

Just before you wipe the drives, back up all your critical config files
and go over them manually to verify they are good (always keep a backup
copy of critical config offline somewhere).

Once you reinstall, turn off root login with ssh without keys. This will
block 99% of all of the brute force attacks as the keys can't be
guessed.

This happens to everyone eventually so don't be too hard on yourself.

You can run some rootkit detectors (rkhunter is actively updated) but it
won't solve the problem. However, it can alert you to the intrusion.
Other things to do are to install the ssh brute force detection
tools (there are many - sshdeny, sshblock - names are fuzzy, tired -
sorry). These tools will use iptables to block access from remote sites
that are trying to break in using brute force methods.

Keep us posted. I'll help out as best I can.

Ugh. No fun for Jim tonight...

On Fri, 2007-05-04 at 14:15 -0700, Jim Christiansen wrote:
> Hello All-  I've got a problem here with 3 complaints from our
> school's internet provider.  All of them have been brute force attacks
> to other systems in the world...
>
> Here is a clip from one log sent to me:
> Tag Name | Status | Severity | Event Count | Source Count | Target Count | Object Count | Earliest Event | Latest Event
> SSH_Brute_Force | Attack failure (blocked by Proventia appliance) | High | 128198 | 1 | 18723 | 1 | 2007-05-03 06:00:00 PDT | 2007-05-04 09:00:00 PDT
> HTTP_IIS_Unicode_Wide_Encoding | Detected attack (vuln not scanned recently) | High | 50 | 1 | 20 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-03 14:00:00 PDT
> SSH_ChallengeResponse_Bo | Attack failure (blocked by Proventia appliance) | High | 5 | 1 | 5 | 1 | 2007-05-03 22:00:00 PDT | 2007-05-04 08:00:00 PDT
> HTTP_cookieOverflow | Detected attack (vuln not scanned recently) | High | 2 | 1 | 1 | 1 | 2007-05-02 14:00:00 PDT | 2007-05-02 14:00:00 PDT
> SSH_Vulnerable_OpenSSH | Detected event | Medium | 7067 | 1 | 235 | 1 | 2007-05-03 06:00:00 PDT | 2007-05-04 08:00:00 PDT
> HTTP_IIS_Double_Eval_Evasion | Detected event | Medium | 112 | 1 | 20 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-04 09:00:00 PDT
> HTTP_IIS_Percent_Evasion | Detected event | Medium | 46 | 1 | 18 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-04 09:00:00 PDT
> HTTP_Proxy_Cache_Poisoning | Attack failure (blocked by Proventia appliance) | Medium | 39 | 1 | 15 | 1 | 2007-05-01 08:00:00 PDT | 2007-05-04 08:00:00 PDT
>
> Here is a clip from the first log sent to me:
>
> | SSH_Brute_Force | 15690 | 2007-05-03 05:17:37 | 2007-05-03 10:43:27 |
> | TCP_Service_Sweep | 471 | 2007-05-03 05:18:10 | 2007-05-03 11:50:14 |
> | HTTP_Proxy_Cache_Poisoning | 5 | 2007-05-02 12:42:36 | 2007-05-03 11:39:10 |
> +-----------------------------------+--------------+----------------------+----------------------+
> Top 20 Events for SSH_Brute_Force Total Count 15690
> +-----------------+-----------------+-------+-------+-------+---------------------+---------------------+
> | Source Address  | Dest Address    | SPort | DPort | Count | Min Time(PST)       | Max Time(PST)       |
> +-----------------+-----------------+-------+-------+-------+---------------------+---------------------+
> | 142.26.181.80   | 66.221.9.56     | 0     | 22    | 447   | 2007-05-03 05:28:08 | 2007-05-03 06:16:10 |
> | 142.26.181.80   | 66.221.95.3     | 0     | 22    | 421   | 2007-05-03 05:37:05 | 2007-05-03 06:27:41 |
> | 142.26.181.80   | 66.221.94.120   | 0     | 22    | 403   | 2007-05-03 05:41:28 | 2007-05-03 06:29:37 |
> | 142.26.181.80   | 66.221.95.148   | 0     | 22    | 364   | 2007-05-03 05:29:36 | 2007-05-03 06:28:44 |
> | 142.26.181.80   | 66.221.91.216   | 0     | 22    | 325   | 2007-05-03 05:36:06 | 2007-05-03 06:06:58 |
> | 142.26.181.80   | 66.221.91.169   | 0     | 22    | 302   | 2007-05-03 05:41:13 | 2007-05-03 06:29:07 |
> | 142.26.181.80   | 66.221.91.190   | 0     | 22    | 284   | 2007-05-03 05:28:54 | 2007-05-03 06:04:53 |
> | 142.26.181.80   | 66.221.90.87    | 0     | 22    | 258   | 2007-05-03 05:44:23 | 2007-05-03 06:15:11 |
> | 142.26.181.80   | 66.221.90.180   | 0     | 22    | 202   | 2007-05-03 05:33:38 | 2007-05-03 05:51:53 |
> | 142.26.181.80   | 66.221.92.31    | 0     | 22    | 181   | 2007-05-03 05:30:57 | 2007-05-03 06:09:46 |
> | 142.26.181.80   | 66.221.95.24    | 0     | 22    | 180   | 2007-05-03 05:42:34 | 2007-05-03 06:05:13 |
> | 142.26.181.80   | 66.221.91.186   | 0     | 22    | 179   | 2007-05-03 06:04:53 | 2007-05-03 06:28:27 |
> | 142.26.181.80   | 66.221.94.240   | 0     | 22    | 175   | 2007-05-03 05:42:45 | 2007-05-03 06:11:20 |
> | 142.26.181.80   | 66.221.84.109   | 0     | 22    | 163   | 2007-05-03 05:28:01 | 2007-05-03 06:11:30 |
> | 142.26.181.80   | 66.221.87.194   | 0     | 22    | 139   | 2007-05-03 05:46:59 | 2007-05-03 06:09:38 |
> | 142.26.181.80   | 66.221.91.218   | 0     | 22    | 137   | 2007-05-03 05:33:31 | 2007-05-03 06:01:05 |
> | 142.26.181.80   | 66.221.92.112   | 0     | 22    | 136   | 2007-05-03 05:27:47 | 2007-05-03 06:06:57 |
> | 142.26.181.80   | 66.221.89.69    | 0     | 22    | 134   | 2007-05-03 05:30:01 | 2007-05-03 06:07:31 |
> | 142.26.181.80   | 66.221.95.97    | 0     | 22    | 127   | 2007-05-03 05:45:18 | 2007-05-03 05:59:54 |
> | 142.26.181.80   | 66.221.94.204   | 0     | 22    | 125   | 2007-05-03 05:40:19 | 2007-05-03 05:53:41 |
> +-----------------+-----------------+-------+-------+-------+---------------------+---------------------+
>
> Top 20 Events for TCP_Service_Sweep Total Count 471
>
>
> I found files in /dev/shm/zH and /dev/shm/.info.  They don't belong
> and didn't have root access??  Standard user access belonging to
> username 'josh'...  I didn't think /dev was writable...???
>
> I've cleaned it out and have had a ton of ports blocked...
>
>
> Any help would be welcomed.
>
> Thanks,  Jim
> _______________________________________________
> K12OSN mailing list
> K12OSN redhat com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
--
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions,LLC
770-493-8244
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney localnetsolutions com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
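As an added example (not code from the thread, from OpenSSH, or from any of the tools named above), here is a Python audit of an sshd_config against the advice in James's reply: root login off, key-only authentication, and, from the top of the thread, the moved port. Both config samples are constructed. The checks follow sshd's own rule that the first occurrence of a global keyword wins and that anything after a Match line is conditional, and they assume OpenSSH's historical defaults (PermitRootLogin yes, PasswordAuthentication yes, MaxAuthTries 6, UsePAM no upstream although most distributions set it to yes) when a keyword is absent. The ChallengeResponseAuthentication check is the caveat most people miss: with UsePAM yes, keyboard-interactive authentication still prompts for the account password after PasswordAuthentication has been set to no.

```python
import re

# Constructed sample: the kind of sshd_config that lets a guessed password in.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed sample: the same host after applying the advice in the thread.
HARDENED_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22022
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
MaxAuthTries 3
LoginGraceTime 30
AllowGroups sshusers
# sshd keeps the FIRST value of a keyword, so this later line is ignored.
PermitRootLogin yes
# Anything after a Match line is conditional, not the global setting.
Match User backup
    PasswordAuthentication yes
"""

# Assumed defaults when a keyword is absent: OpenSSH's historical values
# (newer releases default PermitRootLogin to prohibit-password).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "usepam": "no",
    "maxauthtries": "6",
    "port": "22",
}

# sshd accepts "Keyword value" and "Keyword=value".
KEYWORD_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


def parse_global_options(text):
    """Return {keyword: value} for the global section, keywords lower-cased.

    Mirrors sshd semantics: the first occurrence of a keyword wins, and
    parsing stops at the first Match block.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def effective_port(text):
    """Port sshd listens on (first Port keyword, else the default 22)."""
    return int(parse_global_options(text).get("port", DEFAULTS["port"]))


def audit_sshd_config(text):
    """Return a list of (keyword, value, problem) tuples; an empty list is clean."""
    opts = parse_global_options(text)

    def get(key):
        return opts.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if get("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "yes",
                         "root can log in with a password; set no "
                         "(or prohibit-password if root needs key access)"))
    if get("passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication", "yes",
                         "password logins can be brute forced; set no and use keys"))
    # Turning off PasswordAuthentication is not enough on its own: with UsePAM yes,
    # keyboard-interactive authentication still prompts for the account password.
    if get("challengeresponseauthentication") == "yes" and get("usepam") == "yes":
        findings.append(("ChallengeResponseAuthentication", "yes",
                         "keyboard-interactive still accepts passwords through PAM; set no"))
    if get("pubkeyauthentication") == "no":
        findings.append(("PubkeyAuthentication", "no",
                         "keys are disabled, leaving only passwords"))
    if int(get("maxauthtries")) > 3:
        findings.append(("MaxAuthTries", get("maxauthtries"),
                         "many guesses per connection; lower to 3"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: sshd listens on port {effective_port(cfg)}")
        for keyword, value, problem in audit_sshd_config(cfg):
            print(f"  {keyword} {value}: {problem}")
```

Run against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`. The moved port is reported but not counted as a finding: it cuts log noise from scanners, as the top of the thread says, but it is not what keeps a guessed password out; the key-only settings are.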

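James's advice to run an ssh brute-force blocker is, at bottom, a counter over the auth log that feeds iptables. The following Python script is an added example, not the thread's code and not any of the tools it mentions. The auth.log lines are constructed (RFC 5737 documentation addresses rather than the ones in Jim's IDS report, with 2007 assumed as the year that syslog timestamps omit), and the threshold, window and sshd port are assumptions. It flags a source once it reaches the threshold of failures inside the window, reports a successful login from a source that was brute forcing at the time (the way a weak password like the one in this thread falls), and shows the failure mode of the approach: a patient attacker at one guess an hour never trips a 60-second window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5        # failures from one source ...
WINDOW_SECONDS = 60  # ... inside this window trigger a block (assumed values)
SSH_PORT = 22        # assumed; use the moved port if sshd listens elsewhere
ASSUMED_YEAR = 2007  # syslog timestamps carry no year

# Constructed auth.log lines in syslog/sshd format. Addresses are RFC 5737
# documentation ranges, not the ones from the IDS report in the thread.
SAMPLE_AUTH_LOG = """\
May  3 05:28:08 ltsp sshd[2001]: Failed password for root from 192.0.2.10 port 40001 ssh2
May  3 05:28:09 ltsp sshd[2002]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
May  3 05:28:11 ltsp sshd[2003]: Failed password for invalid user test from 192.0.2.10 port 40003 ssh2
May  3 05:28:12 ltsp sshd[2004]: Failed password for root from 192.0.2.10 port 40004 ssh2
May  3 05:28:14 ltsp sshd[2005]: Failed password for invalid user oracle from 192.0.2.10 port 40005 ssh2
May  3 05:28:15 ltsp sshd[2006]: Failed password for josh from 192.0.2.10 port 40006 ssh2
May  3 05:28:17 ltsp sshd[2006]: Accepted password for josh from 192.0.2.10 port 40006 ssh2
May  3 05:30:00 ltsp sshd[2010]: Failed password for jim from 198.51.100.7 port 50001 ssh2
May  3 05:30:30 ltsp sshd[2011]: Failed password for jim from 198.51.100.7 port 50002 ssh2
May  3 05:31:00 ltsp sshd[2012]: Accepted publickey for jim from 198.51.100.7 port 50003 ssh2
May  3 06:00:00 ltsp sshd[2020]: Failed password for root from 203.0.113.5 port 60001 ssh2
May  3 07:00:00 ltsp sshd[2021]: Failed password for root from 203.0.113.5 port 60002 ssh2
May  3 08:00:00 ltsp sshd[2022]: Failed password for root from 203.0.113.5 port 60003 ssh2
May  3 09:00:00 ltsp sshd[2023]: Failed password for root from 203.0.113.5 port 60004 ssh2
May  3 10:00:00 ltsp sshd[2024]: Failed password for root from 203.0.113.5 port 60005 ssh2
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAILED_RE = re.compile(SYSLOG_PREFIX + r"Failed password for (?:invalid user )?"
                       r"(?P<user>\S+) from " + IPV4 + r" port \d+")
ACCEPTED_RE = re.compile(SYSLOG_PREFIX + r"Accepted (?P<method>\S+) for "
                         r"(?P<user>\S+) from " + IPV4 + r" port \d+")


def parse_timestamp(ts):
    """Syslog 'May  3 05:28:08' -> datetime, with the year assumed."""
    return datetime.strptime(f"{ASSUMED_YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def analyze(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of failed password logins per source address.

    Returns (blocked, suspicious): blocked lists sources that reached
    `threshold` failures within `window` seconds, in the order they crossed
    it; suspicious lists (ip, user, method) for successful logins from a
    source that was brute forcing at that moment.
    """
    failures = defaultdict(deque)  # ip -> failure timestamps still inside the window
    blocked, suspicious = [], []

    def trim(q, now):
        while q and (now - q[0]).total_seconds() > window:
            q.popleft()

    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            now = parse_timestamp(m["ts"])
            q = failures[m["ip"]]
            q.append(now)
            trim(q, now)
            if len(q) >= threshold and m["ip"] not in blocked:
                blocked.append(m["ip"])
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            q = failures[m["ip"]]
            trim(q, parse_timestamp(m["ts"]))
            if len(q) >= threshold:
                suspicious.append((m["ip"], m["user"], m["method"]))
    return blocked, suspicious


def iptables_rules(ips, port=SSH_PORT):
    """The rules a blocker would run; built as strings here, not executed."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    blocked, suspicious = analyze(SAMPLE_AUTH_LOG)
    for rule in iptables_rules(blocked):
        print(rule)
    for ip, user, method in suspicious:
        print(f"WARNING: {method} login for {user} from {ip} during a brute-force burst")
    slow, _ = analyze(SAMPLE_AUTH_LOG, window=5 * 3600)
    print("caught only with a 5-hour window:", sorted(set(slow) - set(blocked)))
```

The "Accepted ... during a brute-force burst" line is the one to act on first: a block rule stops the next guess, but a success that follows hundreds of failures means the attacker already has that account, which is the situation Jim found with the files under /dev/shm. Widening the window catches the slow source at the cost of false positives from users who mistype a password a few times a day, and any rule list built this way needs an expiry, or it grows without bound.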
