someone ran brute on my box?

Bob McClure Jr robertmcclure at earthlink.net
Fri Oct 7 18:48:25 UTC 2005


On Fri, Oct 07, 2005 at 01:06:52PM -0400, Mark McCulligh wrote:
> Hi Group,
> 
> I had someone get into my box and run a command called "brute" on my box 
> for 3 hours.  What is brute and what next steps should I do to see if 
> they got anything?

I'm not sure, but given what I've seen on the 'Net, it's probably a
brute-force password guesser that works by SSH on other machines.  He
already got into your machine, so unless he was trying to crack root's
password (assuming he got in as a mere mortal), he was using your box
as a jumping-off point to another box.

This may well be what it was, or something similar:

http://www.frsirt.com/exploits/08202004.brutessh2.c.php

If that's all it was, then you can change the compromised password and
make sure that "brute" is not brought up by some rc script at boot
time or a cron job.  See further down.

I see these exploits all the time.  I sent five nastygrams to various
network admins today about crack attempts from their networks.  I
monitor several servers, most of which I have no say about password
selection.  One of the machines has had at least two successful cracks
because of crummy passwords.  Here are two tools that detect such
crack attempts and cut them off after N tries:

http://www.aczoom.com/cms/blockhosts/
http://www.pettingers.org/code/SSHBlack.html

I have some variant of those installed on all machines with SSH
exposure to the 'Net.  I've not had a successful crack since.

On the other hand, if the cracker got root access, he found a
vulnerability in some of your software, probably a buffer overflow.
That's why it's so important not to run old Linux distros without
adequate updates.

Here are some useful resources if it was a root compromise:

http://www.cert.org/tech_tips/root_compromise.html
http://www.linuxjournal.com/article/5037
http://www.usenix.org/publications/login/1999-9/features/rootkits.html

If that's the case, you should save off everything important like home
directories and files in /etc, and do a complete re-install.  Unless
you know exactly what the rootkit did, it's the only safe way.

> Thanks,
> Mark.

Cheers,
-- 
Bob McClure, Jr.             Bobcat Open Systems, Inc.
robertmcclure at earthlink.net  http://www.bobcatos.com
Peace at any price is inflationary.
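The "detect crack attempts and cut them off after N tries" idea behind tools like BlockHosts and SSHBlack can be shown in a few lines. The following is an added example, not code from the original post or from either of those projects: it scans sshd "Failed password" lines in syslog format, counts failures per source address, and lists the addresses that crossed a threshold, rendered as tcp_wrappers-style deny entries. The log lines are constructed for the example (RFC 5737 documentation addresses), and the threshold of 5 is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines in syslog format; these are not from the
# original post. 198.51.100.23 makes five failed guesses, 203.0.113.7 makes
# three, and 192.0.2.10 is a legitimate user who mistypes once then succeeds.
SAMPLE_AUTH_LOG = """\
Oct  7 12:01:03 host sshd[2311]: Failed password for invalid user admin from 198.51.100.23 port 40121 ssh2
Oct  7 12:01:05 host sshd[2313]: Failed password for invalid user test from 198.51.100.23 port 40133 ssh2
Oct  7 12:01:07 host sshd[2315]: Failed password for root from 198.51.100.23 port 40140 ssh2
Oct  7 12:01:09 host sshd[2317]: Failed password for invalid user oracle from 198.51.100.23 port 40152 ssh2
Oct  7 12:01:11 host sshd[2319]: Failed password for invalid user guest from 198.51.100.23 port 40160 ssh2
Oct  7 12:03:40 host sshd[2350]: Failed password for mark from 192.0.2.10 port 51022 ssh2
Oct  7 12:03:52 host sshd[2352]: Accepted password for mark from 192.0.2.10 port 51030 ssh2
Oct  7 12:05:00 host sshd[2360]: Failed password for invalid user admin from 203.0.113.7 port 33001 ssh2
Oct  7 12:05:02 host sshd[2362]: Failed password for invalid user admin from 203.0.113.7 port 33005 ssh2
Oct  7 12:05:04 host sshd[2364]: Failed password for invalid user admin from 203.0.113.7 port 33009 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def count_failures(log_text):
    """Return {source_ip: [usernames tried]} built from every failed sshd login line."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    return dict(failures)


def offenders(log_text, threshold=5):
    """Return the sorted list of source IPs with at least `threshold` failed logins."""
    return sorted(ip for ip, users in count_failures(log_text).items()
                  if len(users) >= threshold)


def root_guessers(log_text):
    """Return source IPs that tried the root account at least once."""
    return sorted(ip for ip, users in count_failures(log_text).items()
                  if "root" in users)


def hosts_deny_lines(ips):
    """Render offending IPs as tcp_wrappers deny entries for sshd (e.g. for /etc/hosts.deny)."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    bad = offenders(SAMPLE_AUTH_LOG, threshold=5)
    print("Blocking after 5 failures:", bad)
    print("Tried root:", root_guessers(SAMPLE_AUTH_LOG))
    print("\n".join(hosts_deny_lines(bad)))
```

Run against a real log (for example `tail -F /var/log/secure` on the distribution the list covers), the same counting loop is what the blocking tools do continuously; the threshold is the knob that separates a user who fat-fingers a password from a dictionary run, and the single failure followed by "Accepted password" from 192.0.2.10 shows why one failure must not trigger a block.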

More information about the Redhat-install-list mailing list