It looks like my CentOS 4.2 box is attacking other people with some type of ftp attack. I got an email from somebody saying they were being attacked by my IP address.
Further investigation of /var/log/messages shows a whole bunch of sshd attacks on me, none of which appear successful. I'm running ethereal right now and I can see that my system is doing some kind of ftp attacks on others.
I think I've stopped the outgoing attacks at my firewall, but how do I proceed from here?
Thanks, James
On Sun, 2006-02-05 at 02:51 -0500, James Pifer wrote:
It looks like my CentOS 4.2 box is attacking other people with some type of ftp attack. I got an email from somebody saying they were being attacked by my IP address.
Further investigation of /var/log/messages shows a whole bunch of sshd attacks on me, none of which appear successful. I'm running ethereal right now and I can see that my system is doing some kind of ftp attacks on others.
I think I've stopped the outgoing attacks at my firewall, but how do I proceed from here?
The first thing to do is run "ps auxfwwww" and look for anything that looks out of place. Feel free to post it here if you need help.
The first thing to do is run "ps auxfwwww" and look for anything that looks out of place. Feel free to post it here if you need help.
The only thing that looks out of place to me is the section of things being done by my hotmail account. I do have a hotmail account that I forward mail to using gotmail. Other than that I don't see anything obvious.
Thanks, James
ps auxfwwww USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.0 2992 484 ? S 2005 0:13 init [5] root 2 0.0 0.0 0 0 ? S 2005 0:01 [migration/0] root 3 0.0 0.0 0 0 ? SN 2005 0:02 [ksoftirqd/0] root 4 0.0 0.0 0 0 ? S 2005 0:01 [migration/1] root 5 0.0 0.0 0 0 ? SN 2005 0:16 [ksoftirqd/1] root 6 0.0 0.0 0 0 ? S 2005 0:02 [migration/2] root 7 0.0 0.0 0 0 ? SN 2005 0:01 [ksoftirqd/2] root 8 0.0 0.0 0 0 ? S 2005 0:08 [migration/3] root 9 0.0 0.0 0 0 ? SN 2005 0:14 [ksoftirqd/3] root 10 0.0 0.0 0 0 ? S< 2005 0:00 [events/0] root 14 0.0 0.0 0 0 ? S< 2005 0:00 _ [khelper] root 15 0.0 0.0 0 0 ? S< 2005 0:00 _ [kacpid] root 39 0.0 0.0 0 0 ? S< 2005 0:00 _ [kblockd/0] root 40 0.0 0.0 0 0 ? S< 2005 0:00 _ [kblockd/1] root 41 0.0 0.0 0 0 ? S< 2005 0:00 _ [kblockd/2] root 42 0.0 0.0 0 0 ? S< 2005 0:00 _ [kblockd/3] root 55 0.0 0.0 0 0 ? S< 2005 0:00 _ [aio/0] root 56 0.0 0.0 0 0 ? S< 2005 0:00 _ [aio/1] root 57 0.0 0.0 0 0 ? S< 2005 0:00 _ [aio/2] root 58 0.0 0.0 0 0 ? S< 2005 0:00 _ [aio/3] root 219 0.0 0.0 0 0 ? S< 2005 0:00 _ [kmirrord] root 220 0.0 0.0 0 0 ? S< 2005 0:00 _ [kmir_mon] root 1699 0.0 0.0 0 0 ? S< 2005 0:00 _ [kauditd] root 13003 0.0 0.0 0 0 ? S Feb03 0:03 _ [pdflush] root 11 0.0 0.0 0 0 ? S< 2005 0:00 [events/1] root 12 0.0 0.0 0 0 ? S< 2005 0:00 [events/2] root 13005 0.0 0.0 0 0 ? S Feb03 0:03 _ [pdflush] root 13 0.0 0.0 0 0 ? S< 2005 0:00 [events/3] root 43 0.0 0.0 0 0 ? S 2005 0:00 [khubd] root 54 0.0 0.0 0 0 ? S 2005 1:41 [kswapd0] root 131 0.0 0.0 0 0 ? S 2005 0:00 [kseriod] root 199 0.0 0.0 0 0 ? S 2005 0:00 [scsi_eh_0] root 205 0.0 0.0 0 0 ? S 2005 0:00 [scsi_eh_1] root 228 0.0 0.0 0 0 ? S 2005 3:41 [kjournald] root 1293 0.0 0.0 0 0 ? S 2005 0:00 [shpchpd_event] root 1518 0.0 0.0 0 0 ? S 2005 0:00 [scsi_eh_2] root 1519 0.0 0.0 0 0 ? S 2005 0:48 [usb- storage] root 1747 0.0 0.0 0 0 ? S 2005 0:00 [kjournald] root 2151 0.0 0.1 2244 572 ? Ss 2005 0:50 syslogd - m 0 root 2155 0.0 0.0 2560 456 ? 
Ss 2005 0:00 klogd -x root 2166 0.0 0.0 3452 452 ? Ss 2005 0:05 irqbalance rpc 2177 0.0 0.0 2568 476 ? Ss 2005 0:00 portmap rpcuser 2197 0.0 0.1 2220 572 ? Ss 2005 0:00 rpc.statd root 2230 0.0 0.1 4044 844 ? Ss 2005 0:00 rpc.idmapd root 2316 0.0 0.0 3276 420 ? Ss 2005 0:00 /usr/sbin/acpid root 2326 0.0 0.1 4200 904 ? Ss 2005 0:41 /usr/sbin/dovecot root 2336 0.0 0.2 6728 1124 ? S 2005 0:48 _ dovecot-auth dovecot 25840 0.0 0.2 3516 1432 ? S 02:50 0:00 _ pop3- login dovecot 25922 0.0 0.2 4444 1428 ? S 02:56 0:00 _ pop3- login dovecot 25972 0.0 0.2 3548 1428 ? S 03:00 0:00 _ pop3- login root 2392 0.0 0.2 5244 1232 ? Ss 2005 0:16 /usr/sbin/sshd root 15763 0.0 0.3 8020 1676 ? Ss Feb03 0:00 _ sshd: hotmail [priv] hotmail 15765 0.0 0.3 8184 1724 ? S Feb03 0:03 | _ sshd: hotmail@pts/7 hotmail 15766 0.0 0.2 5604 1168 pts/7 Ss Feb03 0:00 | _ -sh hotmail 6441 0.0 0.1 5160 656 pts/7 S+ Feb04 0:00 | _ screen hotmail 6442 0.0 0.1 5348 720 ? Ss Feb04 0:00 | _ SCREEN hotmail 6443 0.0 0.2 5472 1084 pts/3 Ss+ Feb04 0:00 | _ /bin/sh hotmail 6445 0.0 0.1 4428 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 63.200.0.0/16 hotmail 6446 0.1 0.0 308976 484 pts/3 Sl Feb04 1:25 | | _ ./f -h 63.200.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C hotmail 6477 0.0 0.1 5572 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 63.109.0.0/16 hotmail 6478 0.0 0.0 308972 456 pts/3 Sl Feb04 0:15 | | _ ./f -h 63.109.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C hotmail 6509 0.0 0.1 5836 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 213.74.0.0/16 hotmail 6510 0.0 0.0 298732 480 pts/3 Sl Feb04 0:47 | | _ ./f -h 213.74.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C hotmail 6541 0.0 0.1 6004 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 211.23.0.0/16 hotmail 6542 0.0 0.1 308976 560 pts/3 Sl Feb04 0:58 | | _ ./f -h 211.23.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C hotmail 6573 0.0 0.1 5264 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 209.99.0.0/16 hotmail 6574 0.0 0.0 308976 480 pts/3 Sl Feb04 0:58 | | _ ./f -h 209.99.0.0 16 -u 
users -p pass -t 3 -c 30 -o log -d -k -C hotmail 6605 0.0 0.1 6068 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 162.33.0.0/16 hotmail 6606 0.0 0.0 308976 488 pts/3 Sl Feb04 0:17 | | _ ./f -h 162.33.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C hotmail 6637 0.0 0.1 6132 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 207.65.0.0/16 hotmail 6638 0.3 0.1 308976 564 pts/3 Sl Feb04 3:23 | | _ ./f -h 207.65.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C hotmail 6669 0.0 0.1 5592 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 200.0.0.0/16 hotmail 6670 0.2 0.1 308972 576 pts/3 Sl Feb04 2:10 | | _ ./f -h 200.0.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C hotmail 6701 0.0 0.1 5436 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 199.106.0.0/16 hotmail 6702 0.1 0.0 216776 460 pts/3 Sl Feb04 1:17 | | _ ./f -h 199.106.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C hotmail 6733 0.0 0.1 6000 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 80.90.0.0/16 hotmail 6734 0.0 0.0 308972 456 pts/3 Sl Feb04 0:04 | | _ ./f -h 80.90.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C hotmail 6765 0.0 0.1 4708 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 132.234.0.0/16 hotmail 6766 0.0 0.0 308972 460 pts/3 Sl Feb04 0:12 | | _ ./f -h 132.234.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C hotmail 6797 0.0 0.1 4668 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 203.206.0.0/16 hotmail 6798 0.2 0.1 308976 756 pts/3 Sl Feb04 2:16 | | _ ./f -h 203.206.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C hotmail 6829 0.0 0.1 5916 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 12.146.0.0/16 hotmail 6830 0.1 0.0 308976 480 pts/3 Sl Feb04 1:40 | | _ ./f -h 12.146.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C hotmail 6861 0.0 0.1 5264 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 68.15.0.0/16 hotmail 6862 0.1 0.1 308976 684 pts/3 Sl Feb04 2:10 | _ ./f -h 68.15.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C root 22011 0.0 0.3 7924 1748 ? Ss Feb03 0:00 _ sshd: jpifer [priv] jpifer 22013 0.5 0.4 9124 2308 ? 
S Feb03 13:11 | _ sshd: jpifer@pts/2 jpifer 22014 0.0 0.2 5628 1348 pts/2 Ss+ Feb03 0:00 | _ -bash jpifer 25732 0.0 0.9 15364 4692 pts/2 S 02:36 0:00 | _ ethereal root 25733 0.0 0.1 6200 1004 pts/2 S 02:36 0:00 | _ /usr/sbin/userhelper -w ethereal root 25737 4.2 24.8 169668 128092 pts/2 S 02:36 1:03 | _ ethereal root 25947 0.4 3.9 36928 20160 pts/2 S 03:00 0:00 | _ ethereal-capture -i eth0 -f host not 192.168.1.25 root 25444 0.0 0.3 7680 1848 ? Ss 02:19 0:00 _ sshd: root@pts/4 root 25446 0.0 0.2 5400 1348 pts/4 Ss 02:19 0:00 _ - bash root 26029 0.0 0.1 2472 836 pts/4 R+ 03:01 0:00 _ ps auxfwwww root 2410 0.0 0.1 2716 580 ? Ss 2005 0:00 xinetd - stayalive -pidfile /var/run/xinetd.pid ntp 2423 0.0 1.1 5784 5784 ? SLs 2005 0:01 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g root 2443 0.0 0.1 5024 608 ? Ss 2005 0:00 rpc.rquotad root 2456 0.0 0.0 0 0 ? S 2005 0:01 [nfsd] root 2452 0.0 0.0 0 0 ? S 2005 0:01 [nfsd] root 2455 0.0 0.0 0 0 ? S 2005 0:02 [nfsd] root 2453 0.0 0.0 0 0 ? S 2005 0:01 [nfsd] root 2454 0.0 0.0 0 0 ? S 2005 0:03 [nfsd] root 2459 0.0 0.0 0 0 ? S 2005 0:03 [nfsd] root 2457 0.0 0.0 0 0 ? S 2005 0:01 [nfsd] root 2458 0.0 0.0 0 0 ? S 2005 0:01 [nfsd] root 2460 0.0 0.0 0 0 ? S 2005 0:00 [lockd] root 2461 0.0 0.0 0 0 ? S 2005 0:00 [rpciod] root 2465 0.0 0.1 3244 700 ? Ss 2005 0:00 rpc.mountd root 2486 0.0 0.1 2680 796 ? Ss 2005 0:06 /usr/sbin/dhcpd root 2530 0.0 0.7 23040 3904 ? Ss 2005 0:01 /usr/bin/perl - I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf root 20174 0.0 5.2 39136 26980 ? S Feb04 0:02 _ /usr/bin/perl - I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf root 23481 0.0 4.1 39136 21424 ? S Feb04 0:02 _ /usr/bin/perl - I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf root 23709 0.0 5.3 39164 27416 ? S Feb04 0:02 _ /usr/bin/perl - I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf root 24159 0.0 5.1 39136 26576 ? 
S 00:35 0:02 _ /usr/bin/perl - I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf root 24776 0.0 2.5 39144 13368 ? S 01:11 0:02 _ /usr/bin/perl - I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf root 2543 0.0 0.0 2644 440 ? Ss 2005 0:00 gpm - m /dev/input/mice -t imps2 root 2564 0.0 0.1 5632 740 ? Ss 2005 0:00 crond root 25975 0.0 0.2 6212 1144 ? S 03:01 0:00 _ crond root 25976 0.0 0.1 3760 912 ? Ss 03:01 0:00 _ /bin/bash /usr/bin/run-parts /etc/cron.hourly root 25996 0.0 0.1 2528 884 ? S 03:01 0:00 _ /bin/bash /etc/cron.hourly/update_virus_scanners root 25999 0.0 0.2 4660 1164 ? S 03:01 0:00 | _ perl -e sleep int(rand(600)); root 25997 0.0 0.1 2628 548 ? S 03:01 0:00 _ awk -v progname=/etc/cron.hourly/update_virus_scanners progname {????? print progname ":\n"????? progname="";???? }???? { print; } xfs 2590 0.0 0.1 4312 692 ? Ss 2005 0:00 xfs - droppriv -daemon root 2608 0.0 0.2 10432 1316 ? Ss 2005 0:01 smbd -D root 2624 0.0 0.2 10432 1192 ? S 2005 0:00 _ smbd -D root 13004 0.0 0.3 11260 1580 ? S Jan14 0:00 _ smbd -D root 17817 0.0 0.3 13300 1788 ? S Jan17 6:41 _ smbd -D root 2612 0.0 0.2 8928 1460 ? Ss 2005 0:53 nmbd -D root 2632 0.0 0.1 2812 624 ? Ss 2005 0:00 /usr/sbin/atd dbus 2651 0.0 0.1 3020 608 ? Ss 2005 0:00 dbus- daemon-1 --system root 2661 0.0 0.1 4108 616 ? Ss 2005 0:00 cups- config-daemon root 2672 0.0 0.3 8204 2032 ? Ss 2005 9:26 hald root 2908 0.0 0.1 3904 724 ? S 2005 0:00 /usr/bin/slpuasa root 2917 0.0 0.5 7708 2744 ? 
Ss 2005 0:00 /usr/bin/perl /usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf root 2923 0.0 0.0 2756 356 tty1 Ss+ 2005 0:00 /sbin/mingetty tty1 root 2924 0.0 0.0 3284 356 tty2 Ss+ 2005 0:00 /sbin/mingetty tty2 root 2925 0.0 0.0 2832 356 tty3 Ss+ 2005 0:00 /sbin/mingetty tty3 root 2927 0.0 0.0 2932 356 tty4 Ss+ 2005 0:00 /sbin/mingetty tty4 root 2928 0.0 0.0 2752 356 tty5 Ss+ 2005 0:00 /sbin/mingetty tty5 root 2936 0.0 0.0 2272 356 tty6 Ss+ 2005 0:00 /sbin/mingetty tty6 root 2937 0.0 0.1 11004 960 ? Ss 2005 0:00 /usr/bin/gdm-binary -nodaemon root 3343 0.0 0.2 11532 1212 ? S 2005 0:00 _ /usr/bin/gdm-binary -nodaemon root 3346 0.1 0.3 12088 1644 ? S 2005 83:58 _ /usr/X11R6/bin/X :0 -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7 gdm 3416 0.0 0.7 21008 4108 ? Ss 2005 1:33 _ /usr/bin/gdmgreeter root 3491 0.0 0.0 0 0 ? S 2005 0:53 [kjournald] jpifer 3505 0.0 0.4 12368 2132 ? S 2005 0:05 /usr/libexec/gconfd-2 13 jpifer 26398 0.1 0.6 57628 3484 ? S Jan16 29:18 nt root 18874 0.0 0.4 18916 2304 ? Ss Jan17 0:02 /usr/sbin/httpd apache 32504 0.0 0.5 19048 2924 ? S Jan29 0:00 _ /usr/sbin/httpd apache 32505 0.0 0.5 19048 2928 ? S Jan29 0:00 _ /usr/sbin/httpd apache 32506 0.0 0.5 19048 2864 ? S Jan29 0:00 _ /usr/sbin/httpd apache 32507 0.0 0.5 19048 2896 ? S Jan29 0:00 _ /usr/sbin/httpd apache 32508 0.0 0.5 19048 2872 ? S Jan29 0:00 _ /usr/sbin/httpd apache 32509 0.0 0.5 19048 2888 ? S Jan29 0:00 _ /usr/sbin/httpd apache 32510 0.0 0.5 19048 2996 ? S Jan29 0:00 _ /usr/sbin/httpd apache 32512 0.0 0.5 19048 3000 ? S Jan29 0:00 _ /usr/sbin/httpd apache 24210 0.0 0.5 19048 2856 ? S 00:43 0:00 _ /usr/sbin/httpd root 4455 0.0 0.2 17884 1272 ? S Jan18 0:39 Xvnc :1 - desktop porky.obrien-pifer.com:1 (root) -httpd /usr/share/vnc/classes - auth /root/.Xauthority -geometry 1024x768 -depth 16 -rfbwait 30000 - rfbauth /root/.vnc/passwd -rfbport 5901 -pn root 4459 0.0 0.1 4004 624 ? S Jan18 0:00 vncconfig -iconic root 4460 0.0 0.1 11060 976 ? 
S Jan18 0:00 xterm - geometry 80x24+10+10 -ls -title porky.obrien-pifer.com:1 (root) Desktop root 4463 0.0 0.2 6304 1088 pts/5 Ss+ Jan18 0:00 _ -bash root 4461 0.0 0.5 21284 3044 ? S Jan18 0:00 gnome- session root 4495 0.0 0.1 2988 708 ? S Jan18 0:00 /usr/bin/gnome-keyring-daemon root 4497 0.0 0.2 7772 1088 ? Ss Jan18 0:00 /usr/libexec/bonobo-activation-server --ac-activate --ior-output- fd=18 root 4499 0.0 0.5 19680 2612 ? S Jan18 0:00 /usr/libexec/gnome-settings-daemon --oaf-activate- iid=OAFIID:GNOME_SettingsDaemon --oaf-ior-fd=22 root 4505 0.0 0.1 3884 928 ? S Jan18 0:00 /usr/libexec/gam_server root 4536 0.0 0.5 13912 2812 ? Ss Jan18 0:03 /usr/bin/metacity --sm-client-id=default1 root 4540 0.0 0.6 22724 3192 ? Ss Jan18 0:01 gnome- panel --sm-client-id default2 root 4542 0.0 0.6 39124 3196 ? Ssl Jan18 0:01 nautilus --no-default-window --sm-client-id default3 root 4544 0.0 0.4 18108 2552 ? Ss Jan18 0:00 gnome- volume-manager --sm-client-id default6 root 4548 0.0 0.4 12540 2312 ? Ss Jan18 0:00 pam- panel-icon --sm-client-id default0 root 4551 0.0 0.0 2148 496 ? S Jan18 0:00 _ /sbin/pam_timestamp_check -d root root 4554 0.0 0.3 20860 1620 ? Sl Jan18 0:00 /usr/libexec/gnome-vfs-daemon --oaf-activate- iid=OAFIID:GNOME_VFS_Daemon_Factory --oaf-ior-fd=28 root 4562 0.0 0.1 2420 580 ? S Jan18 0:00 /usr/libexec/mapping-daemon root 4564 0.0 0.6 22184 3276 ? S Jan18 0:03 /usr/libexec/wnck-applet --oaf-activate- iid=OAFIID:GNOME_Wncklet_Factory --oaf-ior-fd=30 root 4566 0.0 0.6 22484 3308 ? S Jan18 0:00 /usr/libexec/mixer_applet2 --oaf-activate- iid=OAFIID:GNOME_MixerApplet_Factory --oaf-ior-fd=32 root 4568 0.0 0.7 20328 3696 ? S Jan18 0:32 /usr/libexec/clock-applet --oaf-activate- iid=OAFIID:GNOME_ClockApplet_Factory --oaf-ior-fd=34root 4570 0.0 0.5 18280 2672 ? S Jan18 0:00 /usr/libexec/notification- area-applet --oaf-activate- iid=OAFIID:GNOME_NotificationAreaApplet_Factory --oaf-ior-fd=36 root 4572 0.0 0.6 36656 3492 ? 
Sl Jan18 0:14 /usr/bin/gnome-terminal root 4573 0.0 0.0 3060 476 ? S Jan18 0:00 _ gnome-pty-helper root 4574 0.0 0.2 4936 1084 pts/6 Ss+ Jan18 0:00 _ bash root 5191 0.0 0.0 2560 400 ? S<s Jan18 0:00 udevd root 19720 0.0 0.2 6816 1476 ? S Jan18 0:00 /usr/libexec/gconfd-2 4 root 24456 0.9 13.3 629252 68908 pts/6 Sl Jan19 219:28 /usr/stoneware/bin/../jre/bin/java -server -Xms64m -Xmx256m - Djava.endorsed.dirs=/usr/stoneware/bin/endorsed com.zerog.lax.LAX /usr/stoneware/bin/webNetwork.lax /tmp/env.properties.24456 jpifer 26962 0.0 0.2 28028 1248 ? Ss Jan19 0:00 /usr/bin/spamd --port 7830 --local --daemonize jpifer 26964 0.0 0.2 28392 1300 ? S Jan19 0:00 _ spamd child jpifer 26965 0.0 0.2 28028 1248 ? S Jan19 0:00 _ spamd child jpifer 26966 0.0 0.2 28028 1248 ? S Jan19 0:00 _ spamd child jpifer 26967 0.0 0.2 28028 1248 ? S Jan19 0:00 _ spamd child jpifer 26968 0.0 0.2 28028 1248 ? S Jan19 0:00 _ spamd child named 5809 0.0 0.6 38916 3220 ? Ssl Jan19 5:08 /usr/sbin/named -u named -t /var/named/chroot jpifer 15442 0.0 0.5 28860 2900 ? S Jan23 11:20 Xvnc :2 - desktop porky.obrien-pifer.com:2 (jpifer) -httpd /usr/share/vnc/classes -auth /home/jpifer/.Xauthority -geometry 1024x768 -depth 16 -rfbwait 30000 -rfbauth /home/jpifer/.vnc/passwd -rfbport 5902 -pn jpifer 15446 0.0 0.1 4124 744 ? S Jan23 0:00 vncconfig -iconic jpifer 15447 0.0 0.7 21084 3752 ? S Jan23 0:00 gnome- session jpifer 15450 0.0 0.1 2680 720 ? S Jan23 0:00 /usr/bin/gnome-keyring-daemon jpifer 15452 0.0 0.3 8532 1844 ? Ss Jan23 0:00 /usr/libexec/bonobo-activation-server --ac-activate --ior-output- fd=18 jpifer 15454 0.0 0.6 19572 3172 ? S Jan23 0:00 /usr/libexec/gnome-settings-daemon --oaf-activate- iid=OAFIID:GNOME_SettingsDaemon --oaf-ior-fd=22 jpifer 15460 0.0 0.2 4232 1448 ? S Jan23 0:38 /usr/libexec/gam_server jpifer 15468 0.0 0.2 4756 1344 ? S Jan23 0:03 xscreensaver -nosplash jpifer 15492 0.0 0.6 14224 3460 ? Ss Jan23 3:14 /usr/bin/metacity --sm-client-id=default1 jpifer 15496 0.0 0.7 23224 4080 ? 
Ss Jan23 0:02 gnome- panel --sm-client-id default2 jpifer 15498 0.0 0.8 38372 4248 ? Ssl Jan23 0:02 nautilus --no-default-window --sm-client-id default3 jpifer 15500 0.0 0.6 19356 3092 ? Ss Jan23 0:00 gnome- volume-manager --sm-client-id default6 jpifer 15504 0.0 0.5 12956 2728 ? Ss Jan23 0:00 pam- panel-icon --sm-client-id default0 root 15507 0.0 0.0 1960 492 ? S Jan23 0:00 _ /sbin/pam_timestamp_check -d root jpifer 15506 0.0 1.6 36868 8508 ? SNs Jan23 1:23 /usr/bin/python /usr/bin/rhn-applet-gui --sm-client-id default4 jpifer 15510 0.0 0.3 20552 1840 ? Sl Jan23 0:00 /usr/libexec/gnome-vfs-daemon --oaf-activate- iid=OAFIID:GNOME_VFS_Daemon_Factory --oaf-ior-fd=28 jpifer 15518 0.0 0.1 3660 592 ? S Jan23 0:00 /usr/libexec/mapping-daemon jpifer 15520 0.0 0.8 20244 4200 ? S Jan23 3:35 /usr/libexec/wnck-applet --oaf-activate- iid=OAFIID:GNOME_Wncklet_Factory --oaf-ior-fd=30 jpifer 15523 0.0 0.7 22416 3672 ? S Jan23 0:00 /usr/libexec/mixer_applet2 --oaf-activate- iid=OAFIID:GNOME_MixerApplet_Factory --oaf-ior-fd=32 jpifer 15528 0.0 0.8 20420 4240 ? S Jan23 0:19 /usr/libexec/clock-applet --oaf-activate- iid=OAFIID:GNOME_ClockApplet_Factory --oaf-ior-fd=34jpifer 15530 0.0 0.6 18256 3264 ? S Jan23 0:00 /usr/libexec/notification- area-applet --oaf-activate- iid=OAFIID:GNOME_NotificationAreaApplet_Factory --oaf-ior-fd=36 jpifer 15575 0.0 0.6 112140 3276 ? Sl Jan23 0:03 /usr/libexec/evolution-data-server-1.0 --oaf-activate- iid=OAFIID:GNOME_Evolution_DataServer_InterfaceCheck --oaf-ior-fd=42 jpifer 15590 0.0 0.6 65044 3400 ? Sl Jan23 0:00 /usr/libexec/evolution/2.0/evolution-alarm-notify --oaf-activate- iid=OAFIID:GNOME_Evolution_Calendar_AlarmNotify_Factory:2.0 --oaf-ior- fd=44 root 21663 0.0 0.3 8404 1888 ? Ss Jan23 0:00 sendmail: Queue runner@00:15:00 for /var/spool/mqueue smmsp 21664 0.0 0.3 8268 1876 ? Ss Jan23 0:00 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue root 21667 0.0 0.4 7968 2084 ? 
Ss Jan23 0:07 sendmail: accepting connections root 32314 0.0 0.2 8644 1496 ? Ss Jan29 0:00 cupsd jpifer 22042 0.1 8.1 184796 41976 pts/2 Sl Feb03 2:26 evolution jpifer 22043 0.1 1.6 99244 8688 pts/2 Sl Feb03 2:51 /usr/lib/mozilla-1.7.12/mozilla-bin -UILocale en-US jpifer 22044 0.3 1.4 61740 7372 pts/2 Sl Feb03 6:50 nt jpifer 22045 0.0 0.7 37716 3876 pts/2 S Feb03 0:01 konqueror jpifer 22051 0.0 0.4 26212 2232 ? Ss Feb03 0:00 kdeinit: Running... jpifer 22056 0.0 0.4 26668 2080 ? S Feb03 0:00 _ kdeinit: klauncher jpifer 22074 0.0 0.4 27628 2408 ? S Feb03 0:00 _ kdeinit: kio_file file /tmp/ksocket-jpifer/klauncherZ1QYAa.slave- socket /tmp/ksocket-jpifer/konqueror8aWSVa.slave-socket jpifer 22054 0.0 0.3 25420 1856 ? S Feb03 0:00 kdeinit: dcopserver --nosid --suicide jpifer 22058 0.0 0.5 26152 2836 ? S Feb03 0:00 kdeinit: kded
On Sun, 2006-02-05 at 03:07 -0500, James Pifer wrote:
The first thing to do is run "ps auxfwwww" and look for anything that looks out of place. Feel free to post it here if you need help.
The only thing that looks out of place to me is the section of things being done by my hotmail account. I do have a hotmail account that I forward mail to using gotmail. Other than that I don't see anything obvious.
root 2392 0.0 0.2 5244 1232 ? Ss 2005 0:16 /usr/sbin/sshd
root 15763 0.0 0.3 8020 1676 ? Ss Feb03 0:00 _ sshd: hotmail [priv]
hotmail 15765 0.0 0.3 8184 1724 ? S Feb03 0:03 | _ sshd: hotmail@pts/7
Looks like someone may have guessed the password to this account. Use "netstat -plan" to find out what PID 15763 is connected to.
hotmail 6445 0.0 0.1 4428 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 63.200.0.0/16
hotmail 6446 0.1 0.0 308976 484 pts/3 Sl Feb04 1:25 | | _ ./f -h 63.200.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C
Also find out what these 2 executables are about. If they're binary then run strings on them.
And most importantly, run "usermod -s /sbin/nologin hotmail".
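Added example, not part of the thread: the reply above says to use "netstat -plan" to see what PID 15763 is connected to. The function below does that lookup mechanically so the peers of one PID can be pulled out of the full listing, and reduces them to the unique remote IPs. The NETSTAT_SAMPLE text is constructed to mirror the net-tools column layout; its addresses and PIDs are made up, not from James's box. With a single argument the function reads the live "netstat -plan" instead, which needs root to see the PIDs of other users' sockets.

```shell
# Added example (not from the thread): find the remote peers of one PID in
# "netstat -plan" output. NETSTAT_SAMPLE is constructed; addresses are fake.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2392/sshd
tcp        0      0 192.168.1.25:22         203.0.113.77:41192      ESTABLISHED 15763/sshd: hotmail
tcp        0      0 192.168.1.25:22         192.168.1.10:50011      ESTABLISHED 22011/sshd: jpifer
tcp        0      0 192.168.1.25:38914      198.51.100.9:21         ESTABLISHED 6446/./f
tcp        0      0 192.168.1.25:38915      198.51.100.10:21        SYN_SENT    6446/./f
udp        0      0 0.0.0.0:123             0.0.0.0:*                           2423/ntpd'

# peers_for_pid PID [netstat_text]
# Prints "foreign-address state" for every socket owned by PID. With one
# argument it parses the live "netstat -plan"; with two it parses the text
# given (what the constructed sample is for).
peers_for_pid() {
    pid=$1
    if [ $# -ge 2 ]; then text=$2; else text=$(netstat -plan 2>/dev/null); fi
    printf '%s\n' "$text" | awk -v pid="$pid" '
        # tcp rows carry a State column (field 6), so PID/Program is field 7;
        # udp rows have no State column, so PID/Program is field 6
        $1 ~ /^tcp/ { owner = $7; state = $6 }
        $1 ~ /^udp/ { owner = $6; state = "-" }
        $1 ~ /^(tcp|udp)/ {
            split(owner, prog, "/")          # "15763/sshd:" -> "15763"
            if (prog[1] == pid) print $5, state
        }'
}

# remote_hosts_for_pid PID [netstat_text]
# Same lookup reduced to the unique remote IPs (listening wildcards dropped),
# which is the list you hand to an abuse contact or block at the firewall.
remote_hosts_for_pid() {
    peers_for_pid "$@" | awk '$1 != "0.0.0.0:*" { sub(/:[0-9]+$/, "", $1); print $1 }' | sort -u
}
```

Run it as "peers_for_pid 15763" on the affected host to see where the sshd session for the hotmail account came from, and as "remote_hosts_for_pid 6446" to list every ftp server the scanner process is currently talking to.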
Looks like someone may have guessed the password to this account. Use "netstat -plan" to find out what PID 15763 is connected to.
The foreign address is coming from a whole bunch of different places.
hotmail 6445 0.0 0.1 4428 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 63.200.0.0/16
hotmail 6446 0.1 0.0 308976 484 pts/3 Sl Feb04 1:25 | | _ ./f -h 63.200.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C
Also find out what these 2 executables are about. If they're binary then run strings on them.
How do I tell where these executables are? And when I find them, how do I run strings on them?
And most importantly, run "usermod -s /sbin/nologin hotmail".
I ran this.
Really appreciate your help.
James
On Sun, 2006-02-05 at 03:27 -0500, James Pifer wrote:
Looks like someone may have guessed the password to this account. Use "netstat -plan" to find out what PID 15763 is connected to.
The foreign address is coming from a whole bunch of different places.
Okay, we'll kill it after, but don't do it just yet.
hotmail 6445 0.0 0.1 4428 856 pts/3 S Feb04 0:00 | _ /bin/sh ./s 63.200.0.0/16
hotmail 6446 0.1 0.0 308976 484 pts/3 Sl Feb04 1:25 | | _ ./f -h 63.200.0.0 16 -u users -p pass -t 3 -c 30 -o log -d -k -C
Also find out what these 2 executables are about. If they're binary then run strings on them.
How do I tell where these executables are? And when I find them, how do I run strings on them?
Find one of the processes that's still alive and do "ls -l /proc/<pid>". That will give you some info about it. The exe entry should be a link to the executable itself.
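Added example, not part of the thread: the advice above is to read the exe link under /proc/<pid>, which is what eventually led to /dev/shm/.. /nt/f. The functions below do the same lookup with readlink, and add a classifier for the kind of location a legitimate daemon does not run from: a tmpfs or world-writable directory, a binary unlinked after it was started, or a path component made only of dots and blanks (the ".. " trick seen later in this thread). The directory list and the naming rule are my choices, not something the thread states; the test feeds constructed paths.

```shell
# Added example (not from the thread): resolve a live PID to its executable via
# /proc and flag executables running from places they should not be.

# proc_facts PID: the exe link target, working directory and argv of a
# running process, i.e. the data "ls -l /proc/<pid>" shows as symlinks.
proc_facts() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    printf 'exe: %s\n' "$(readlink "/proc/$pid/exe")"
    printf 'cwd: %s\n' "$(readlink "/proc/$pid/cwd")"
    printf 'cmd: %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
}

# proc_exe PID: just the executable path (empty if unreadable).
proc_exe() { readlink "/proc/$1/exe" 2>/dev/null; }

# suspicious_path PATH: returns 0 (true) for a tmpfs/world-writable location,
# a deleted binary, or a directory name that is only dots and blanks.
# The location list is an assumption of this example, not from the thread.
suspicious_path() {
    p=$1
    case $p in
        /dev/shm/*|/tmp/*|/var/tmp/*) return 0 ;;
        *' (deleted)') return 0 ;;      # binary unlinked after start
    esac
    # subshell so the IFS change does not leak; split the path on "/"
    (
        IFS=/
        for comp in $p; do
            [ -n "$comp" ] || continue
            # strip dots, spaces and tabs; nothing left means a name meant to hide
            if [ -z "$(printf '%s' "$comp" | tr -d '. \t')" ]; then exit 0; fi
        done
        exit 1
    )
}

# audit_pids: walk every numeric /proc entry and print "uid pid exe" for each
# process whose executable lives somewhere suspicious.
audit_pids() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(proc_exe "$pid") || continue
        [ -n "$exe" ] || continue
        if suspicious_path "$exe"; then
            owner=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
            printf '%s %s %s\n' "${owner:-?}" "$pid" "$exe"
        fi
    done
}
```

"proc_facts 6446" would have answered James's question directly; "audit_pids" run as root is the fast way to find every other process in the same state without reading the whole ps forest.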
How do I tell where these executables are? And when I find them, how do I run strings on them?
Find one of the processes that's still alive and do "ls -l /proc/<pid>". That will give you some info about it. The exe entry should be a link to the executable itself.
Well, I get:
ls -l /proc/6446
total 0
dr-xr-xr-x 2 hotmail hotmail 0 Feb 5 03:40 attr
-r-------- 1 hotmail hotmail 0 Feb 5 03:40 auxv
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 cmdline
lrwxrwxrwx 1 hotmail hotmail 0 Feb 5 03:40 cwd -> /dev/shm/.. /nt
-r-------- 1 hotmail hotmail 0 Feb 5 03:40 environ
lrwxrwxrwx 1 hotmail hotmail 0 Feb 5 03:40 exe -> /dev/shm/.. /nt/f
dr-x------ 2 hotmail hotmail 0 Feb 5 03:39 fd
-rw-r--r-- 1 hotmail hotmail 0 Feb 5 03:40 loginuid
-r-------- 1 hotmail hotmail 0 Feb 5 03:40 maps
-rw------- 1 hotmail hotmail 0 Feb 5 03:40 mem
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:40 mounts
lrwxrwxrwx 1 hotmail hotmail 0 Feb 5 03:40 root -> /
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 stat
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 statm
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 status
dr-xr-xr-x 3 hotmail hotmail 0 Feb 5 03:40 task
-r--r--r-- 1 hotmail hotmail 0 Feb 5 03:40 wchan
Here's an ls -al on /dev/shm:
ls -al /dev/shm
total 0
drwxrwxrwt 3 root root 60 Feb 2 19:27 .
drwxr-xr-x 8 root root 5700 Jan 18 09:26 ..
drwxr-xr-x 3 hotmail hotmail 80 Feb 2 19:28 ..
Sorry for my ignorance, but I'm still not finding the executable. Guess I don't understand the symlink.
Also, does this mean that I was compromised on Feb 2?
Thanks, James
Find one of the processes that's still alive and do "ls -l /proc/<pid>". That will give you some info about it. The exe entry should be a link to the executable itself.
ok, I found it. Now what? You said run strings? I get:
strings f /lib/ld-linux.so.2 libpthread.so.0 recv connect pthread_create send pthread_mutex_unlock pthread_mutex_lock pthread_mutex_init _Jv_RegisterClasses fcntl pthread_join libc.so.6 __strtol_internal fscanf memcpy perror feof malloc optarg socket select fflush fprintf inet_addr strstr signal strncpy getopt memset inet_ntoa sprintf fclose getpeername stderr fputc fwrite exit fopen _IO_stdin_used __libc_start_main strchr free __gmon_start__ GLIBC_2.1 GLIBC_2.0 PTRh QVhP t+WVj XZh2 XZhA 220 GdRSh FdVSh USER %s RMD sarcaxxo QUIT PASS %s IP: %s USER: %s PASS: %s Telnet SSH Telnet check_user() return: %d Connecting to: %s t:c:h:u:p:o:vdbskC Start IP: %s End IP: %s Scan end... Error in joining thread Error in creating thread Can't open output file /dev/stdout Max num of thread... Usage: -u Users file -p Password file -o Output file -v Verbose mode -C Check RMDIR command Can't open input file! "null" socket the ftp do a strange reply... IP:%s USER:%s PASS:%s REPLY:%s Testing USER: %s PASS: %s IP: %s Multi-thread FTP scanner v0.2.5 by Inode inode@wayreth.eu.org Please specify user and password files %s -h <arg> -u <arg> -p <arg> [-t <arg>] [-c <arg>] [-o <arg>] [-b] [-d] [-v] [-s] [-k] -h Host/s to scan (ex 192.168.0.0/24) -t Timeout in seconds (default 5) -c Number of thread (default 20) -b Store banner in output file -d Stop bruteforce after a valid user -s Store strange ftp reply in output file -k Check SSH and Telnet on host with a valid user Connecting to: %s on port: %d Can't create socket try to decrase the number of threads...
James Pifer wrote:
Find one of the processes that's still alive and do "ls -l /proc/<pid>". That will give you some info about it. The exe entry should be a link to the executable itself.
ok, I found it. Now what? You said run strings? I get: Multi-thread FTP scanner v0.2.5 by Inode inode@wayreth.eu.org
That looks like the ftp scanner which can be found at http://wayreth.eu.org/ - somebody is probably using your box to find insecure ftp servers for sharing files.
Can you do an "ls -lah /dev/shm/..\ /"?
Ralph
On Sun, 2006-02-05 at 10:01 +0100, Ralph Angenendt wrote:
James Pifer wrote:
Find one of the processes that's still alive and do "ls -l /proc/<pid>". That will give you some info about it. The exe entry should be a link to the executable itself.
ok, I found it. Now what? You said run strings? I get: Multi-thread FTP scanner v0.2.5 by Inode inode@wayreth.eu.org
That looks like the ftp scanner which can be found at http://wayreth.eu.org/ - somebody is probably using your box to find insecure ftp servers for sharing files.
Can you do an "ls -lah /dev/shm/..\ /"?
Yep, I get:
ls -lah /dev/shm/..\ /
total 24K
drwxr-xr-x 3 hotmail hotmail 80 Feb 2 19:28 .
drwxrwxrwt 3 root root 60 Feb 2 19:27 ..
drwxr-xr-x 2 hotmail hotmail 180 Feb 6 2005 nt
-rw-r--r-- 1 hotmail hotmail 24K Feb 2 19:27 nt.tar.gz
James
James Pifer wrote:
On Sun, 2006-02-05 at 10:01 +0100, Ralph Angenendt wrote:
Can you do an "ls -lah /dev/shm/..\ /"?
Yep, I get:
drwxr-xr-x 2 hotmail hotmail 180 Feb 6 2005 nt
And now please the contents of this directory ...
Ralph
On Sun, 2006-02-05 at 10:23 +0100, Ralph Angenendt wrote:
James Pifer wrote:
On Sun, 2006-02-05 at 10:01 +0100, Ralph Angenendt wrote:
Can you do an "ls -lah /dev/shm/..\ /"?
Yep, I get:
drwxr-xr-x 2 hotmail hotmail 180 Feb 6 2005 nt
And now please the contents of this directory ...
Contents are:
# pwd
/dev/shm/.. /nt
# ls -l
total 76
-rwxr-xr-x 1 hotmail hotmail 22400 Feb 6 2005 f
-rw-r--r-- 1 hotmail hotmail 17266 Nov 1 2004 f.c
-rw-r--r-- 1 hotmail hotmail 2574 Feb 5 02:22 log
-rw-r--r-- 1 hotmail hotmail 16122 Jun 9 2005 pass
-rw-r--r-- 1 hotmail hotmail 109 Feb 6 2005 README
-rwxr-xr-x 1 hotmail hotmail 64 Feb 6 2005 s
-rw-r--r-- 1 hotmail hotmail 59 Jun 9 2005 users
James
James Pifer wrote:
-rw-r--r-- 1 hotmail hotmail 2574 Feb 5 02:22 log
-rw-r--r-- 1 hotmail hotmail 16122 Jun 9 2005 pass
-rw-r--r-- 1 hotmail hotmail 109 Feb 6 2005 README
-rwxr-xr-x 1 hotmail hotmail 64 Feb 6 2005 s
-rw-r--r-- 1 hotmail hotmail 59 Jun 9 2005 users
As there is a log file in there: you might want to take a look at it to see if it shows some other server broken into from your box. You might want to warn the people running that box. But only if you're sure that their box has been opened.
Ralph
James Pifer wrote:
On Sun, 2006-02-05 at 10:23 +0100, Ralph Angenendt wrote:
James Pifer wrote:
On Sun, 2006-02-05 at 10:01 +0100, Ralph Angenendt wrote:
Can you do an "ls -lah /dev/shm/..\ /"?
Yep, I get:
drwxr-xr-x 2 hotmail hotmail 180 Feb 6 2005 nt
And now please the contents of this directory ...
Contents are:
# pwd
/dev/shm/.. /nt
# ls -l
total 76
-rwxr-xr-x 1 hotmail hotmail 22400 Feb 6 2005 f
-rw-r--r-- 1 hotmail hotmail 17266 Nov 1 2004 f.c
-rw-r--r-- 1 hotmail hotmail 2574 Feb 5 02:22 log
-rw-r--r-- 1 hotmail hotmail 16122 Jun 9 2005 pass
-rw-r--r-- 1 hotmail hotmail 109 Feb 6 2005 README
-rwxr-xr-x 1 hotmail hotmail 64 Feb 6 2005 s
-rw-r--r-- 1 hotmail hotmail 59 Jun 9 2005 users
James
You might want to do an ls -al on that directory, as I've seen hackers use hidden files or directories which don't show using just -l. Also, you might want to take a look in the usual suspects, like /tmp and /var/tmp; again, ls -al to see if you can find anything perhaps left for later use.
Gee.. ain't it fun?
John Hinton
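Added example, not part of the thread: John's point is that "ls -l" hides dotfiles, and a directory named ".. " (dot dot space) hides in plain sight even in "ls -al". The sweep below walks the drop directories with find and reports every entry whose name starts with a dot or contains whitespace, at any depth, so both kinds of hiding show up. The directory list (/tmp, /var/tmp, /dev/shm) and the name patterns are my choices, not something the thread specifies; the test builds a throwaway directory tree shaped like the one found on James's box.

```shell
# Added example (not from the thread): find entries that "ls -l" does not show
# or that are named to look like nothing, under the usual drop directories.

tab=$(printf '\t')

# hidden_entries DIR: print every entry under DIR (any depth) whose name
# starts with a dot, or contains a space or tab. "." and ".." themselves are
# never listed, but a directory literally named ".. " is.
hidden_entries() {
    find "$1" -mindepth 1 \( -name '.*' -o -name '* *' -o -name "*$tab*" \) -print 2>/dev/null
}

# sweep_drop_dirs [DIR...]: run hidden_entries over the usual suspects
# (defaults are an assumption of this example) and show each hit with owner,
# permissions and mtime, the way "ls -ld" prints it.
sweep_drop_dirs() {
    [ $# -gt 0 ] || set -- /tmp /var/tmp /dev/shm
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        hidden_entries "$dir" | while IFS= read -r path; do
            ls -ld -- "$path"
        done
    done
}
```

Run "sweep_drop_dirs" as root; anything owned by a service or mail account, or dated long after the system was built, is worth opening before the machine is rebuilt. On a box with an X session, /tmp/.X11-unix and similar dotted sockets will show up too and are normal.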
John Hinton wrote:
You might want to do an ls -al on that directory, as I've seen hackers use hidden files or directories which don't show using just -l. Also, you might want to take a look in the usual suspects, like /tmp and /var/tmp; again, ls -al to see if you can find anything perhaps left for later use.
Gee.. ain't it fun?
Lots of good advice. I'd also check for rootkits. There are a couple of "rootkit checkers" available. You just download the source and compile/execute them. I've used this one with some success to de-louse a friend's game server:
It's also a good practice to disconnect a suspect machine from the net and do your hacking from the console if you suspect it's been burgled. That way, it's not actively hosing other people while you're troubleshooting the problem. 8-) That is...unless you've got the skills to track the burglar back to their hideout.....
Cheers,
An awesome thread, great learning material and answers from rocking people. Invaluable mailing list. Chapeau! -- Eduardo Grosclaude Universidad Nacional del Comahue Neuquen, Argentina
Chris Mauritz wrote:
Lots of good advice. I'd also check for rootkits. There are a couple of "rootkit checkers" available. You just download the source and compile/execute them. I've used this one with some success to de-louse a friend's game server:
That would be a very dumb rootkit if one was installed on the server, as the offending processes could be found with "ps" and "ls" showed the directory and the files in there. Yes, one can never know *if* a rootkit was installed, but I don't think so in this case.
But as always: If possible - rebuild the machine from scratch. If you cannot do that *monitor* the machine closely for suspect traffic. If possible from another clean machine on the same network.
It's also a good practice to disconnect a suspect machine from the net and do your hacking from the console if you suspect it's been burgled. That way, it's not actively hosing other people while you're troubleshooting the problem.
Yes.
That is...unless you've got the skills to track the burglar back to their hideout.....
Which probably is just another cracked machine. The last time I did that the tracks got lost somewhere in Malaysia.
Ralph
On Feb 5, 2006, at 9:15 AM, Chris Mauritz wrote:
John Hinton wrote:
James Pifer wrote:
On Sun, 2006-02-05 at 10:23 +0100, Ralph Angenendt wrote:
James Pifer wrote:
On Sun, 2006-02-05 at 10:01 +0100, Ralph Angenendt wrote:
Can you do an "ls -lah /dev/shm/..\ /"?
Yep, I get:
drwxr-xr-x 2 hotmail hotmail 180 Feb 6 2005 nt
And now please the contents of this directory ...
Contents are:
# pwd
/dev/shm/.. /nt
# ls -l
total 76
-rwxr-xr-x 1 hotmail hotmail 22400 Feb  6  2005 f
-rw-r--r-- 1 hotmail hotmail 17266 Nov  1  2004 f.c
-rw-r--r-- 1 hotmail hotmail  2574 Feb  5 02:22 log
-rw-r--r-- 1 hotmail hotmail 16122 Jun  9  2005 pass
-rw-r--r-- 1 hotmail hotmail   109 Feb  6  2005 README
-rwxr-xr-x 1 hotmail hotmail    64 Feb  6  2005 s
-rw-r--r-- 1 hotmail hotmail    59 Jun  9  2005 users
James
Sorry for the late response, but you should also check out lsof as another method for finding which processes have which ports/files open. It's a good way to double-check netstat, etc. You can find it in the base CentOS repo.
Michael Grinnell
Network Security Administrator
The American University
That looks like the ftp scanner which can be found at http://wayreth.eu.org/ - somebody is probably using your box to find insecure ftp servers for sharing files.
Can you do an "ls -lah /dev/shm/..\ /"?
Ralph
Besides killing what's running, how do I get this all cleaned up?
The hotmail account has been denied logins now. I've also set a new password on the account.
Thanks, James
James Pifer wrote:
Besides killing what's running, how do I get this all cleaned up?
The hotmail account has been denied logins now. I've also set a new password on the account.
Drop passwords for SSH completely and use public key based authentication. There, one problem gone.
More on http://sial.org/howto/openssh/publickey-auth/
If you *have* to use passwords somewhere: Don't use weak ones.
Ralph
On Sun, 2006-02-05 at 10:30 +0100, Ralph Angenendt wrote:
James Pifer wrote:
Besides killing what's running, how do I get this all cleaned up?
The hotmail account has been denied logins now. I've also set a new password on the account.
Drop passwords for SSH completely and use public key based authentication. There, one problem gone.
More on http://sial.org/howto/openssh/publickey-auth/
If you *have* to use passwords somewhere: Don't use weak ones.
Ralph/Ignacio,
Thank you very much for your help!!!! I think it's all cleaned up now. I will look at using public key based auth and disabling ssh passwords.
Thanks again. James
On Sun, Feb 05, 2006 at 04:46:25AM -0500, James Pifer wrote:
On Sun, 2006-02-05 at 10:30 +0100, Ralph Angenendt wrote:
James Pifer wrote:
Besides killing what's running, how do I get this all cleaned up?
Most hackers install multiple backdoors on a system once they get in. Your system has been compromised and you have no way of knowing what executables on your system have been replaced by trojans.
You have only one choice:
You must reformat the hard drive and re-install from the beginning
This is the only way you can be sure that you have removed all the backdoors from the system. Unless you devote a lot of time to figuring out what backdoors might have been installed, and have a lot of expertise to know what you're looking for, you won't be able to be sure that the hackers have been locked out.
Once you have addressed the break-in to your satisfaction, try running a trip wire program like Samhain (http://la-samhna.de/samhain/). It will tell you the details of any changes to system files. Few hackers would have the time and savvy to defeat it though I'm sure it's possible.
There are a variety of countermeasures you can install to prevent future attempts but the general rule is to disable all unnecessary applications. If you don't use sshd to get access from outside: install a firewall and block port 22.
Definitely don't run an ftp server. Use scp if needed.
Jeff Kinz wrote:
Most hackers install multiple backdoors on a system once they get in. Your system has been compromised and you have no way of knowing what executables on your system have been replaced by trojans.
You have only one choice:
You must reformat the hard drive and re-install from the beginning
This is the only way you can be sure that you have removed all the backdoors from the system.
Where practical, I also agree with this statement. That really is the only way to be sure. Though you also have to sit down and consider how the naughty people compromised your machine in the first place and make sure that vulnerability is fixed on the fresh install....or you'll just be doing this again in a few days.
Cheers,
On Sun, 2006-02-05 at 10:10 -0500, Chris Mauritz wrote:
Where practical, I also agree with this statement.
It would be a good idea to at least:
# rpm -e --nodeps procps
# find / -name ps -ls
# find / -name top -ls
# yum install procps
This will remove ps and top, verify that no other ps or top executables exist, and reinstall known good ps and top binaries.
These binaries are often replaced with trojans which act like the originals, but mask the back doors.
-Steve
Steve Bergman wrote:
# rpm -e --nodeps procps
# find / -name ps -ls
# find / -name top -ls
# yum install procps
Another neat trick is let RPM help you find altered executables that it knows about, in case the rootkit replaced some other things (again, better to reinstall from scratch):
rpm -Va
The first three characters are the most important to look at, they'll tell you if the size/md5sum is off. Here's a quick cheatsheet paste from the man page:
S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mismatch
L readLink(2) path mismatch
U User ownership differs
G Group ownership differs
T mTime differs
You'll see a lot of stuff, don't panic -- it's very common to get changes listed in /etc/ and /usr/share/, among others. Pay keen attention to anything in bin (/bin, /sbin, /usr/bin, /usr/sbin, etc) as they are the most likely targets.
-te
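A small triage script for rpm -Va output along the lines Troy describes above: parse the flag columns, and rank anything under bin/sbin/libexec ahead of config drift. This is an added example, not code from the thread; the sample output is constructed and the severity rules are one reading of the advice above.

```python
"""Triage `rpm -Va` output: parse the flag columns and rank changed files,
binaries under bin/sbin/libexec first.  Added example; the sample below is
constructed (modelled on the kind of listing posted in the thread)."""
import re
from dataclasses import dataclass

# Verify flags in the order rpm -V prints them (rpm 4.x; newer rpm adds P).
# A letter means that attribute differs from the package database, '.' means
# it matches and '?' means the test could not be performed.
FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "md5sum", "D": "device",
    "L": "symlink", "U": "user", "G": "group", "T": "mtime", "P": "policy",
}

# Where a trojaned binary is most likely to live: look here first.
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/")

# Matches "S.5....T.   /usr/bin/x", "..?......  c /etc/x" and "missing  /x".
LINE_RE = re.compile(
    r"^(?P<flags>missing|[SM5DLUGTP.?]{8,9})\s+"
    r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)\s*$"
)

SEVERITY_RANK = {"critical": 0, "high": 1, "low": 2, "info": 3}


@dataclass(frozen=True)
class Finding:
    path: str
    diffs: frozenset   # differing attributes, e.g. {"S", "5", "T"}
    attr: str          # rpm file attribute: 'c' config, 'd' doc, ... or ''
    missing: bool
    severity: str
    reason: str


def parse_line(line):
    """Return (path, diffs, attr, missing) or None for non-verify lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    flags = m.group("flags")
    missing = flags == "missing"
    diffs = frozenset() if missing else frozenset(c for c in flags if c in FLAG_MEANING)
    return m.group("path"), diffs, m.group("attr") or "", missing


def classify(path, diffs, attr, missing):
    """Apply the thread's rules: config drift is normal, bin changes are not."""
    in_bin = path.startswith(BIN_DIRS)
    if attr == "c":
        return "info", "config file; local edits are expected, review by hand"
    if missing:
        return ("critical" if in_bin else "low"), "file is gone from disk"
    if in_bin and diffs & {"M", "U", "G", "D", "L"}:
        return "critical", "mode/owner/type of a system binary changed (setuid-backdoor pattern)"
    if in_bin and diffs:
        # S/5/T only: contents replaced.  On a prelinked desktop this can be
        # prelink rewriting the file (the thread's explanation); on a server
        # treat it as a replaced binary until proven otherwise.
        return "high", "system binary contents differ: " + ", ".join(
            FLAG_MEANING[f] for f in sorted(diffs))
    if diffs:
        return "low", "changed: " + ", ".join(FLAG_MEANING[f] for f in sorted(diffs))
    return ("low" if in_bin else "info"), "rpm could not verify ('?'); re-run as root"


def triage(text):
    """Parse rpm -Va output and return findings, most severe first."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, diffs, attr, missing = parsed
        severity, reason = classify(path, diffs, attr, missing)
        findings.append(Finding(path, diffs, attr, missing, severity, reason))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.path))
    return findings


# Constructed sample in rpm -Va format; not real output from any host.
SAMPLE = """\
S.5....T.   /usr/bin/gnomevfs-ls
S.5....T.   /usr/libexec/gconfd-2
..?......   /usr/bin/sudo
S.5....T.   /bin/ps
SM5..UG..   /usr/bin/top
.......T  c /etc/sysconfig/syslog
S.5....T  c /etc/hosts.deny
missing     /usr/sbin/lsof
S.5....T.   /usr/share/doc/foo/README
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.severity:8} {f.path:32} {f.reason}")
```

Feed it real output with `rpm -Va 2>/dev/null | python3 triage.py` after replacing SAMPLE with sys.stdin.read(); the flagged bin entries are what to compare against a known-good install medium.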
On Mon, 2006-02-06 at 09:09 -0800, Troy Engel wrote:
Another neat trick is let RPM help you find altered executables that it knows about, in case the rootkit replaced some other things (again, better to reinstall from scratch):
rpm -Va
Well, that's certainly handy.
However, on my own personal system, with a relatively fresh install of CentOS 4.2, with good passwords and updates applied within 24 hours of issue, behind a hardware firewall with sshd being the only exposed service, and that being tcpwrapper protected to only accept connections from a few trusted machines, I get the output below from rpm -Va | grep -e libexec -e '/bin/'.
Also, how do rpm -V and prelink interact? Are the binaries in an rpm already prelinked?
S.5....T. /usr/bin/activation-client S.5....T. /usr/bin/bonobo-activation-run-query S.5....T. /usr/libexec/bonobo-activation-server S.5....T. /usr/bin/dbus-cleanup-sockets S.5....T. /usr/bin/dbus-daemon-1 S.5....T. /usr/bin/dbus-send S.5....T. /usr/bin/fc-cache S.5....T. /usr/bin/fc-list S.5....T. /usr/bin/gconf-merge-tree S.5....T. /usr/bin/gconftool-2 S.5....T. /usr/libexec/gconf-sanity-check-2 S.5....T. /usr/libexec/gconfd-2 S.5....T. /usr/libexec/gam_server S.5....T. /usr/bin/cjpeg S.5....T. /usr/bin/djpeg S.5....T. /usr/bin/jpegtran S.5....T. /usr/bin/rdjpgcom S.5....T. /usr/bin/wrjpgcom S.5....T. /usr/bin/alsalisp S.5....T. /usr/bin/aserver S.5....T. /usr/bin/gnomevfs-cat S.5....T. /usr/bin/gnomevfs-copy S.5....T. /usr/bin/gnomevfs-info S.5....T. /usr/bin/gnomevfs-ls S.5....T. /usr/bin/gnomevfs-mkdir S.5....T. /usr/bin/gnomevfs-rm S.5....T. /usr/libexec/gnome-vfs-daemon S.5....T. /usr/bin/chattr S.5....T. /usr/bin/lsattr S.5....T. /usr/bin/uuidgen S.5....T. /usr/bin/dbus-glib-tool S.5....T. /usr/bin/dbus-monitor S.5....T. /usr/bin/fax2ps S.5....T. /usr/bin/fax2tiff S.5....T. /usr/bin/gif2tiff S.5....T. /usr/bin/pal2rgb S.5....T. /usr/bin/ppm2tiff S.5....T. /usr/bin/ras2tiff S.5....T. /usr/bin/raw2tiff S.5....T. /usr/bin/rgb2ycbcr S.5....T. /usr/bin/thumbnail S.5....T. /usr/bin/tiff2bw S.5....T. /usr/bin/tiff2pdf S.5....T. /usr/bin/tiff2ps S.5....T. /usr/bin/tiff2rgba S.5....T. /usr/bin/tiffcmp S.5....T. /usr/bin/tiffcp S.5....T. /usr/bin/tiffdither S.5....T. /usr/bin/tiffdump S.5....T. /usr/bin/tiffinfo S.5....T. /usr/bin/tiffmedian S.5....T. /usr/bin/tiffset S.5....T. /usr/bin/tiffsplit S.5....T. /usr/libexec/evolution-data-server-1.0 S.5....T. /usr/bin/xmlwf S.5....T. /usr/bin/hal-get-property S.5....T. /usr/bin/hal-set-property S.5....T. /usr/bin/lshal S.5....T. /usr/libexec/hal-hotplug-map S.5....T. /usr/libexec/hal.dev S.5....T. /usr/libexec/hal.hotplug S.5....T. /usr/bin/sfconvert S.5....T. /usr/bin/sfinfo S.5....T. /usr/bin/gpg-error S.5....T. 
/usr/bin/esd S.5....T. /usr/bin/esdcat S.5....T. /usr/bin/esdctl S.5....T. /usr/bin/esdfilt S.5....T. /usr/bin/esdloop S.5....T. /usr/bin/esdmon S.5....T. /usr/bin/esdplay S.5....T. /usr/bin/esdrec S.5....T. /usr/bin/esdsample S.5....T. /usr/bin/xmlcatalog S.5....T. /usr/bin/xmllint S.5....T. /usr/bin/gnome-open
Steve Bergman wrote:
from a few trusted machines, I get the output below from 'rpm -Va | grep -e libexec -e '/bin/'.
Also, how do rpm -V and prelink interact? Are the binaries in an rpm already prelinked?
I don't believe so, but I've never researched what they do upstream. It seems logistically difficult to build and prelink a binary while making a RPM from a gut instinct point of view.
I think your list is, as you guess, a set of victims that don't fit due to a prelink. I usually only use that command on server systems and don't see a lot of those entries.
-te
On Mon, 2006-02-06 at 17:50, Troy Engel wrote:
Steve Bergman wrote:
from a few trusted machines, I get the output below from 'rpm -Va | grep -e libexec -e '/bin/'.
Also, how do rpm -V and prelink interact? Are the binaries in an rpm already prelinked?
I don't believe so, but I've never researched what they do upstream. It seems logistically difficult to build and prelink a binary while making a RPM from a gut instinct point of view.
I think your list is, as you guess, a set of victims that don't fit due to a prelink. I usually only use that command on server systems and don't see a lot of those entries.
-te
It was my understanding that rpm was prelink aware. I know things like tripwire are not prelink aware and will report changes if you initialize its database prior to prelink running.
Sorry I am new to this and have been trying to read deep into this post to figure things out... If I run the rpm -Va on my machine to see if any of these files have been changed just for learning purposes... What exactly am I looking for? And what should be causes for concern?
If one does find a file that's been altered by a rootkit or whatnot, what is the next step from there? Remove and Reinstall or is there a simple fix?
Are there any good apps out there to guard against rootkits or this problem?
Forgive me for the n00bness if I am completely off track as I am trying to learn new stuff everyday as well as keep up with security as this sounds like a pretty severe security issue...
From an overall security point of view, does anyone know any good links, or can direct me to some good information, for securing Linux server systems if it's not behind a hardware firewall? I read all the security updates for specific daemons such as httpd, bind, etc. and ensure those measures are in place and/or patched. However, when it comes to the actual OS itself I just want to make sure all security measures are in place for it as well. Yum update does run on a nightly basis, but I'm not sure if there is more to it than that.
Thanks! James
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Scot L. Harris
Sent: February 6, 2006 3:58 PM
To: CentOS mailing list
Subject: Re: [CentOS] I appear to be attacking others
On 06/02/06, James Gagnon jamesg@nucleus.com wrote:
From an overall security point of view, does anyone know any good links or direct me to some good information for securing linux server systems if its not behind a hardware firewall? I read all the security updates for specific daemons such as httpd, bind, etc.. and ensure those measures are in place and or patched. However, when it comes to the actual OS itself I just want to make sure all security measures are in place for it as well. Yum update does run on a nightly basis, but not sure if there is more to it than that.
The O'Reilly Linux Server Security book's a good read if you have at least a little Unix admin/user experience. It re-iterates a lot of the good advice that's been covered on the list about securing SSH by running on a non-standard port, only allowing key based auth and then only for a limited subset of users/groups.
They also cover bastion firewalling. Essentially, anything internet facing (or security sensitive), even if behind another firewall, it's good practice to firewall to the hilt. The more layers the better.
Secure your OS. Secure your apps. Secure your network. A lot of it's just common sense. Unless your full-time job is nothing but security and you can track all the current vulnerabilities and infer where the next ones will be, just assume everything's a risk and lock down/remove everything you don't absolutely require to mitigate the likelihood of getting owned.
Link-wise, I'd say the more you read the better.
http://www.google.co.uk/search?hl=en&q=hardening+linux&btnG=Search&a...
http://www.google.co.uk/search?hl=en&q=hardening+redhat&btnG=Search&...
Start with those. :)
Bear in mind, if you're messing with stuff you're not sure about, use a test machine/have backups/make sure you can reinstall from scratch if you break something or get burned somehow.
Will.
Thanks Will. One thing I have always done with SSH is run it on a non-default port. It's funny, I left it on 22 once and watched the log reports every morning in my email for a few days and the amount of people trying to login as the root user was amazing... the report was 40-50 lines longer than normal just from all the attempts... I then chose a port over 10000 as they say most port scanners usually scan ports 1-10000. Once I did that I have not seen one attempt to try and access root through SSH or any user for that matter. Good tip though... =)
And yeah I always have a test machine for breaking stuff on... I think that's how I have learnt most of what I know about Linux, breaking it and re-installing it many many times ;)
Thanks for the info, very much appreciated... Gonna check out EBAY for that book and check out those links so I have some reading to do.. thanks again!
James
On Monday 06 February 2006 17:46, James Gagnon wrote:
Thanks Will. One thing I have always done with SSH is run it on a non-default port. It's funny, I left it on 22 once and watched the log reports every morning in my email for a few days and the amount of people trying to login as the root user was amazing... the report was 40-50 lines longer than normal just from all the attempts... I then chose a port over 10000 as they say most port scanners usually scan ports 1-10000. Once I did that I have not seen one attempt to try and access root through SSH or any user for that matter. Good tip though... =)
Not only do I use a *high* port, but I also restrict acceptable connections to just a few IP addresses, with one machine having *ONLY* an ssh port globally open, accepting only keys, no passwords, on a high port as a "gateway" for when I need to get in from someplace other than the small list of approved addresses.
I've had ZERO problems with this. But, when SSH was on 22, and open to the world, I saw something like 30,000 attempts on the root account in a single 24 hour period. Holy fscking sh--! (Not that it did any good, you couldn't login as root without an RSA key)
-Ben
Using denyhosts is sufficient for me. After several password attempts, it simply disables the IP address. I now have 133 denied IPs in /etc/hosts.deny. Of course, you have to make sure that you don't use simple passwords.
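The denyhosts behaviour sophana describes, as an added example (not denyhosts' own code): count failed sshd passwords per source address in a sliding window and emit /etc/hosts.deny lines. The log lines are constructed in CentOS /var/log/secure format with documentation-range addresses; the threshold, window and allow-list are assumptions.

```python
"""Sliding-window sshd brute-force detector that emits hosts.deny entries.
Added example; log lines are constructed, not from any real host."""
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd failure lines as written to /var/log/secure (syslog format: no year).
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_ts(stamp, year=2006):
    """Syslog stamps carry no year; assume one (wraps at New Year)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect(lines, threshold=5, window_s=600, allow=()):
    """Return {ip: (failures, first, last)} for every source that reaches
    `threshold` failed passwords within any `window_s` seconds.  Addresses in
    `allow` are never reported, so your own management hosts cannot be
    locked out by a typo in your own password."""
    recent = defaultdict(deque)
    hits = {}
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            continue                      # accepted logins, other daemons
        ip = m.group("ip")
        if ip in allow or ip in hits:
            continue
        t = parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()                   # slide the window forward
        if len(q) >= threshold:
            hits[ip] = (len(q), q[0], q[-1])
    return hits


def hosts_deny_lines(hits):
    """tcp_wrappers entries in the form shown in the post above."""
    by_octet = lambda ip: tuple(int(o) for o in ip.split("."))
    return [f"sshd: {ip}" for ip in sorted(hits, key=by_octet)]


# Constructed sample: one fast scanner (192.0.2.10), one slow guesser
# (198.51.100.7, one try every 11 minutes) and the admin's own host
# (203.0.113.5) mistyping a password.
SAMPLE_LOG = """\
Feb  7 09:30:01 centos sshd[4101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Feb  7 09:30:03 centos sshd[4103]: Failed password for root from 192.0.2.10 port 40130 ssh2
Feb  7 09:30:04 centos sshd[4105]: Failed password for invalid user admin from 192.0.2.10 port 40141 ssh2
Feb  7 09:30:06 centos sshd[4107]: Failed password for invalid user test from 192.0.2.10 port 40150 ssh2
Feb  7 09:30:09 centos sshd[4109]: Accepted publickey for james from 203.0.113.5 port 51020 ssh2
Feb  7 09:30:11 centos sshd[4111]: Failed password for invalid user oracle from 192.0.2.10 port 40162 ssh2
Feb  7 09:31:00 centos sshd[4120]: Failed password for james from 198.51.100.7 port 3301 ssh2
Feb  7 09:42:00 centos sshd[4122]: Failed password for james from 198.51.100.7 port 3302 ssh2
Feb  7 09:53:00 centos sshd[4124]: Failed password for james from 198.51.100.7 port 3303 ssh2
Feb  7 10:04:00 centos sshd[4126]: Failed password for james from 198.51.100.7 port 3304 ssh2
Feb  7 10:15:00 centos sshd[4128]: Failed password for james from 198.51.100.7 port 3305 ssh2
Feb  7 10:20:00 centos sshd[4130]: Failed password for root from 203.0.113.5 port 3400 ssh2
Feb  7 10:20:05 centos sshd[4132]: Failed password for root from 203.0.113.5 port 3401 ssh2
Feb  7 10:20:10 centos sshd[4134]: Failed password for root from 203.0.113.5 port 3402 ssh2
Feb  7 10:20:15 centos sshd[4136]: Failed password for root from 203.0.113.5 port 3403 ssh2
Feb  7 10:20:20 centos sshd[4138]: Failed password for root from 203.0.113.5 port 3404 ssh2
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines(), allow=("203.0.113.5",))
    for entry in hosts_deny_lines(found):
        print(entry)
```

Note the slow guesser is invisible at a 10 minute window and only shows up when the window is widened, which is the trade-off behind any threshold-based blocker.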
sophana wrote:
Using denyhosts is sufficient for me. After several password attempts, it simply disables the IP address. I now have 133 denied IPs in /etc/hosts.deny. Of course, you have to make sure that you don't use simple passwords.
I find it easier to deny all and then allow the very few who actually use ssh. But, this can get you into trouble if you suddenly find you need to shell in when out of town. A backdoor somewhere is a good idea!
John Hinton
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of John Hinton
Sent: February 7, 2006 9:29 AM
To: CentOS mailing list
Subject: Re: [CentOS] I appear to be attacking others
I find it easier to deny all and then allow the very few who actually use ssh. But, this can get you into trouble if you suddenly find you need to shell in when out of town. A backdoor somewhere is a good idea!
John Hinton
If it's on a network with Windows boxes like mine is, I just Remote Desktop into a Windows XP box, then I can VNC or SSH into the Linux box locally. I was under the impression that using the local network to connect to your Linux box was a bit more secure than going through the WAN. But of course, not every Linux server is set up on a network where a Windows XP box is on the same LAN. Just one little step I do to help security since my server is at home. But then again... one has to wonder how secure Remote Desktop for Windows really is... guess it's a win/lose situation =)
James
On Tue, 2006-02-07 at 09:41 -0700, James Gagnon wrote:
If it's on a network with Windows boxes like mine is, I just Remote Desktop into a Windows XP box, then I can VNC or SSH into the Linux box locally. I was under the impression that using the local network to connect to your Linux box was a bit more secure than going through the WAN. But of course, not every Linux server is set up on a network where a Windows XP box is on the same LAN. Just one little step I do to help security since my server is at home. But then again... one has to wonder how secure Remote Desktop for Windows really is... guess it's a win/lose situation =)
heh - if I was betting on security ... I would do the opposite. Allow secure access to the linux box (NX/FreeNX) and then open the XP stuff (using rdesktop).
I don't ever let the Internet actually touch an XP box with remotely initiated traffic :)
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Johnny Hughes
Sent: February 7, 2006 9:48 AM
To: CentOS ML
Subject: RE: [CentOS] I appear to be attacking others
heh - if I was betting on security ... I would do the opposite. Allow secure access to the linux box (NX/FreeNX) and then open the XP stuff (using rdesktop).
I don't ever let the Internet actually touch an XP box with remotely initiated traffic :)
Good point. I always just trusted the windows xp box behind the router. Damn that's bad of me to trust a Microsoft product!
James
On Tuesday 07 February 2006 11:41 am, James Gagnon wrote:
But then again... one has to wonder how secure remote desktop for windows really is... guess it's a win/lose situation =)
Not as secure as SSH....but I definitely think you are on to something.
An interesting solution is to have a really locked down but low-end machine (p2/64 MB RAM) on your LAN that serves one purpose - to be an SSH server.
Strip the software on this box to SSH and not much else. Set up some firewall rules that deny access to nearly everything but the SSH ports. Run sshd on an oddball port. Deny root logins.
Restrict all SSH traffic on your server to the SSH server machine on your LAN. Authenticate via host keys, not password.
If you are REALLY paranoid, turn off the SSH server when you are on your LAN. To break in, an attacker will need to:
1. Guess the SSH port.
2. Guess when you are not on the LAN (when you are home, you've probably powered down the SSH box).
3. Guess or bruteforce the SSH password.
4. Once inside, execute some hack to get root privileges.
5. Guess what the machine is actually used for (SSH gateway to real server).
On Tue, 2006-02-07 at 21:08 -0500, ryan wrote:
On Tuesday 07 February 2006 11:41 am, James Gagnon wrote:
But then again... one has to wonder how secure remote desktop for windows really is... guess it's a win/lose situation =)
Not as secure as SSH....but I definitely think you are on to something.
An interesting solution is to have a really locked down but low-end machine (p2/64 MB RAM) on your LAN that serves one purpose - to be an SSH server.
Strip the software on this box to SSH and not much else. Set up some firewall rules that deny access to nearly everything but the SSH ports. Run sshd on an oddball port. Deny root logins.
Restrict all SSH traffic on your server to the SSH server machine on your LAN. Authenticate via host keys, not password.
If you are REALLY paranoid, turn off the SSH server when you are on your LAN. To break in, an attacker will need to:
1. Guess the SSH port.
2. Guess when you are not on the LAN (when you are home, you've probably powered down the SSH box).
3. Guess or bruteforce the SSH password.
If you turn off passwords and only connect via keys ... they would have to get your private key.
4. Once inside, execute some hack to get root privileges.
5. Guess what the machine is actually used for (SSH gateway to real server).
On Tuesday 07 February 2006 18:08, ryan wrote:
On Tuesday 07 February 2006 11:41 am, James Gagnon wrote:
But then again... one has to wonder how secure remote desktop for windows really is... guess it's a win/lose situation =)
Not as secure as SSH....but I definitely think you are on to something.
An interesting solution is to have a really locked down but low-end machine (p2/64 MB RAM) on your LAN that serves one purpose - to be an SSH server.
I do something very similar. I work as a freelance admin at three different locations, all set up virtually the same:
1) I have a host that does backups. It is a cheap-o system, lots of diskspace, running a backup script I wrote: http://www.effortlessis.com/backupbuddy/
2) SSHd is on a "goofy" port, somewhere high and random.
3) I permit root without-password - RSA key needed to get in, passwords are irrelevant.
4) Backup host accepts SSH connections from world - but there are NO PASSWORDS ON THE MACHINE. The only way to get in is as root, and then only with RSA (ssh2) keys.
5) All other hosts on the network have DENY rules on their input for anything but from the backup host and my house.
6) Since the backup host HAS to have root access to the other servers, (in order to read all the files!) then logging into the backup server (via RSA keys) gives access to all other hosts on the LAN.
7) Backup host is some otherwise retired PII/PIII with a few hundred MB of RAM and a few cheapo pricewatch.com IDE drives globbed together with software RAID/LVM to provide gobs of cheap storage space.
I've been using this framework for a few years now, and it's very successful. When I'm at "home" (home/office) I get unfettered SSH access to all the hosts via RSA keys. When I'm on vacation, and logging in via some hotel network to fix a problem, I login with my laptop via the backup host and then to the server in question to figure it out.
Food for thought, hope it helps.
-Ben
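An audit of sshd_config against the advice in this part of the thread (keys only, no root password logins, a limited user list, a non-default port: Ben's and ryan's setups and Ralph's earlier note). Added example, not from OpenSSH or the thread; the defaults assumed are those of OpenSSH 3.x/4.x as shipped on CentOS 4, and the three sample configs are constructed.

```python
"""Check an sshd_config for the weak settings discussed in the thread.
Added example; defaults and sample configs are assumptions, see comments."""
import re

# What sshd uses when a keyword is absent (OpenSSH 3.x/4.x era, assumed).
DEFAULTS = {
    "port": "22",
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitemptypasswords": "no",
}

# PermitRootLogin values that let root in with a key but never a password.
ROOT_KEY_ONLY = {"no", "without-password", "prohibit-password", "forced-commands-only"}


def parse_sshd_config(text):
    """Return {keyword.lower(): value} using sshd's own rule: the FIRST
    occurrence of a keyword wins, so a hardened line appended below a stock
    'PasswordAuthentication yes' changes nothing.  Everything after a Match
    line is conditional and is ignored here."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def audit(text):
    """Return a list of (keyword, problem) pairs; empty means nothing found."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    val = lambda k: conf[k].lower()
    problems = []
    if val("passwordauthentication") != "no":
        problems.append(("PasswordAuthentication",
                         "password logins allowed: what the brute-force bots are after; use keys"))
    if val("challengeresponseauthentication") != "no":
        problems.append(("ChallengeResponseAuthentication",
                         "keyboard-interactive is on: with UsePAM it still takes passwords "
                         "even when PasswordAuthentication is no"))
    if val("permitrootlogin") not in ROOT_KEY_ONLY:
        problems.append(("PermitRootLogin", "root may log in with a password"))
    if val("pubkeyauthentication") != "yes":
        problems.append(("PubkeyAuthentication", "key authentication disabled"))
    if val("permitemptypasswords") != "no":
        problems.append(("PermitEmptyPasswords", "accounts with empty passwords can log in"))
    if "1" in [p.strip() for p in val("protocol").split(",")]:
        problems.append(("Protocol", "SSH protocol 1 enabled; use 'Protocol 2'"))
    if "allowusers" not in conf and "allowgroups" not in conf:
        problems.append(("AllowUsers",
                         "no AllowUsers/AllowGroups: every account with a shell is a login target"))
    if val("port") == "22":
        problems.append(("Port", "default port: moving it cuts scanner noise in the logs "
                                 "but is no substitute for the checks above"))
    return problems


# Constructed samples, not taken from any real host.
WEAK = """\
# stock-style config: nothing hardened
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED = """\
Port 10022
Protocol 2
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
AllowUsers james backup
"""

# Looks hardened, but sshd keeps the first PasswordAuthentication it sees.
TRAP = """\
PasswordAuthentication yes
Port 10022
Protocol 2
PermitRootLogin no
ChallengeResponseAuthentication no
AllowUsers james
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("trap", TRAP)):
        print(name)
        for key, why in audit(cfg) or [("-", "ok")]:
            print(f"  {key}: {why}")
```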
John Hinton wrote:
sophana wrote:
Using denyhosts is sufficient for me. After several password attempts, it simply disables the IP address. I now have 133 denied IPs in /etc/hosts.deny. Of course, you have to make sure that you don't use simple passwords.
I find it easier to deny all and then allow the very few who actually use ssh. But, this can get you into trouble if you suddenly find you need to shell in when out of town. A backdoor somewhere is a good idea!
Just be careful. I was in China last month and had a server in NYC that needed some minor surgery. I ssh'ed in and spent about 10 minutes fixing things. Even though this machine is running ssh on a non-standard port, within MINUTES that port (and only that port) was being probed from inside China. And I was connecting from a 5 star hotel in Beijing (not some Internet cafe). The world is truly becoming a dangerous place in terms of computer security.
Cheers,
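The denyhosts behaviour sophana describes (count failed sshd password attempts per source address, then add the address to /etc/hosts.deny once it crosses a threshold) reduces to a few lines over /var/log/messages. The following is an added example, not code from the thread or from the DenyHosts project; the log lines, hostnames and addresses are constructed (documentation ranges), and the whitelist parameter is this example's own way of keeping your management address from ever being blocked.

```python
import re
from collections import Counter

# Constructed sample of the lines CentOS 4's sshd writes to /var/log/messages
# (hostnames, PIDs and addresses are made up; 192.0.2.0/24 etc. are documentation ranges).
SAMPLE_LOG = """\
Feb  5 02:40:12 box sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
Feb  5 02:40:14 box sshd[4103]: Failed password for invalid user test from 192.0.2.10 port 40212 ssh2
Feb  5 02:40:17 box sshd[4105]: Failed password for root from ::ffff:192.0.2.10 port 40213 ssh2
Feb  5 02:40:20 box sshd[4107]: Failed password for root from 192.0.2.10 port 40214 ssh2
Feb  5 02:41:02 box sshd[4110]: Failed password for james from 198.51.100.7 port 51000 ssh2
Feb  5 02:41:30 box sshd[4112]: Accepted publickey for james from 198.51.100.7 port 51001 ssh2
Feb  5 02:42:00 box sshd[4115]: Failed password for invalid user oracle from 203.0.113.5 port 3022 ssh2
Feb  5 02:42:01 box sshd[4116]: Failed password for invalid user oracle from 203.0.113.5 port 3023 ssh2
Feb  5 02:42:02 box sshd[4117]: Failed password for invalid user oracle from 203.0.113.5 port 3024 ssh2
"""

# One regex covers both "invalid user X" and known-user failures; the optional
# "::ffff:" prefix strips the IPv4-mapped form sshd logs when it listens on an IPv6 socket.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def failed_logins_by_ip(log_text):
    """Count 'Failed password' events per source address (successful logins are ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log_text, threshold=3, whitelist=()):
    """Addresses at or above the failure threshold, minus any you must never block."""
    counts = failed_logins_by_ip(log_text)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in whitelist)


def hosts_deny_lines(log_text, threshold=3, whitelist=()):
    """tcp_wrappers entries in the form DenyHosts appends to /etc/hosts.deny."""
    return ["sshd: %s" % ip for ip in offenders(log_text, threshold, whitelist)]


if __name__ == "__main__":
    # Put your own management address in the whitelist so a run of your own
    # mistyped passwords can never lock you out of a remote box.
    for entry in hosts_deny_lines(SAMPLE_LOG, whitelist=("198.51.100.7",)):
        print(entry)
```

Running it on the constructed log prints `sshd: 192.0.2.10` and `sshd: 203.0.113.5`; 198.51.100.7 had one failure followed by a successful key login and stays below the threshold anyway. Before wiring something like this to hosts.deny on a machine you only reach remotely, decide what the whitelist holds, because a blocker that trusts log contents blindly is also a way to get yourself locked out.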
sophana wrote:
using denyhosts is sufficient for me. After several password attempts, it simply disables the ip address. I now have 133 denied ips in /etc/hosts.deny
I might throw this out -- I also offer RPMs for RHEL4, FC4, and CentOS4 (i386) of portsentry; look here:
http://rpmfind.net/linux/rpm2html/search.php?query=portsentry&submit=Sea......
...look for 'Falsehope' towards the middle, all my RPMs are tagged with .te.; I install portsentry on any server that exposes a service through a firewall (or no firewall at all), and it catches a *lot* of stuff for you.
Portsentry's ability to catch a portscan right away and block the IP can help save you in the long run. I have no idea why it's not in the official upstream sources anymore, it disappeared a couple of versions ago.
-te
On Tue, 07.02.2006 at 18:10, Troy Engel wrote:
I might throw this out -- I also offer RPMs for RHEL4, FC4, and CentOS4 (i386) of portsentry; look here:
http://rpmfind.net/linux/rpm2html/search.php?query=portsentry&submit=Sea......
...look for 'Falsehope' towards the middle, all my RPMs are tagged with .te.; I install portsentry on any server that exposes a service through a firewall (or no firewall at all), and it catches a *lot* of stuff for you.
Portsentry's ability to catch a portscan right away and block the IP can help save you in the long run. I have no idea why it's not in the official upstream sources anymore, it disappeared a couple of versions ago.
-te
portsentry is just a dead software project (since Cisco bought the company where it was developed). Check out "psad":
http://www.cipherdyne.com/psad/
and see the FAQ part
http://www.cipherdyne.com/projects/psad/faq.html#diff_portsentry
With all these tools: be careful when using them on remote-only systems not to lock yourself out by accident, or get locked out by an attacker spoofing your own data.
Alexander
Alexander Dalloz wrote:
http://www.cipherdyne.com/projects/psad/faq.html#diff_portsentry
Thanks for that, never had heard of it -- seeing as how I never use the linux firewall code itself (opting for the hardware instead), there's really only the following issue:
* portsentry cannot detect any probes that utilize the icmp protocol.
IMHO, the rest of the things on that list are fluff - nice things to have, but not important. For a dead project, it still works swimmingly well to this day. Who knows though, some day I may try psad.
-te
On Tuesday 07 February 2006 00:12, James Gagnon wrote:
Sorry I am new to this and have been trying to read deep into this post to figure things out... If I run the rpm -Va on my machine to see if any of these files have been changed just for learning purposes... What exactly am I looking for? And what should be causes for concern?
First, "man rpm" is the primary source for information re. how to read this output.
rpm spits out a line for each file that differs in any way (from how it was when it was installed). This includes not only changed content but also timestamps, permissions... etc.
What you're looking for is normally a "5", that stands for md5sum differs, that is, file content differs. This is sometimes ok (think config files) but sometimes not at all (think /bin/bash).
So, something like: rpm -Va | grep "5" | grep bin
is a very rough but helpful thing to run. Possibly piped to less and then you scan through it looking for important files that an evil person might want to change (ls, ps, netstat, ssh, bash...)
/Peter
If one does find a file that's been altered by a rootkit or whatnot, what is the next step from there? Remove and Reinstall or is there a simple fix?
1) contact your IRT if there is one and let them decide what to do
...either way, it's really a case of reinstall the entire machine and restore data from backups. Only a fool or a person with no options left tries to restore a root compromised machine (IMHO).
Are there any good apps out there to guard against rootkits or this problem?
1) updates (prevent)
2) root-kit checkers (like chkrootkit, rkhunter, tripwire) (search for)
3) security systems like selinux, rsbac, LIDS, ... (prevent, limit damage)
/Peter
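Peter's `rpm -Va | grep "5" | grep bin` is the right idea; the script below does the same triage more carefully, as an added example rather than anything from the thread or from rpm itself. It parses the verify output format (eight test columns on rpm 4.3 as shipped with CentOS 4, nine on later versions), separates config-file changes (usually legitimate) from content changes to programs and libraries (the rootkit signature), and keeps missing files and mode/owner changes as their own categories. The sample output is constructed; the paths are plausible but the results are invented for the illustration.

```python
import re

# Constructed sample of `rpm -Va` output; paths are plausible for CentOS 4 but
# the verification results themselves are made up for this illustration.
SAMPLE_VERIFY = """\
S.5....T    /bin/ps
S.5....T    /bin/netstat
..5....T  c /etc/ssh/sshd_config
.......T    /usr/bin/gcc
.M......    /usr/sbin/sshd
S.5....T  c /etc/sysconfig/iptables
missing     /usr/share/doc/bash-3.0/README
S.5....T    /sbin/ifconfig
..5.....  d /usr/share/man/man1/ls.1.gz
"""

# rpm 4.3 (CentOS 4) prints eight test columns (S M 5 D L U G T); later versions
# add a ninth (P) and use '?' for tests they could not run, so accept 8 or 9.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$"
)

# Directories where a changed file is a program or library, not data.
WATCHED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/boot/")


def parse_rpm_verify(text):
    """Turn `rpm -Va` lines into (flags, attr, path) tuples; attr is 'c' for config files."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            entries.append((m.group("flags"), m.group("attr") or "", m.group("path")))
    return entries


def triage(entries):
    """Sort findings by how alarming they are; '5' means the md5sum (file content) differs."""
    result = {"binary_content_changed": [], "config_changed": [],
              "missing_file": [], "mode_or_owner_changed": []}
    for flags, attr, path in entries:
        if flags == "missing":
            result["missing_file"].append(path)
        elif "5" in flags and attr == "c":
            result["config_changed"].append(path)  # often legitimate, still worth reading
        elif "5" in flags and path.startswith(WATCHED_DIRS):
            result["binary_content_changed"].append(path)  # ps, netstat, ls... replaced
        elif any(f in flags for f in "MUG") and path.startswith(WATCHED_DIRS):
            result["mode_or_owner_changed"].append(path)
    for key in result:
        result[key].sort()
    return result


if __name__ == "__main__":
    # Real use: rpm -Va > verify.txt, then feed that file in instead of the sample.
    for category, paths in triage(parse_rpm_verify(SAMPLE_VERIFY)).items():
        for p in paths:
            print("%-22s %s" % (category, p))
```

On the sample this reports /bin/ps, /bin/netstat and /sbin/ifconfig as changed binaries, the two /etc files as changed configs, and /usr/sbin/sshd as a mode change only. One caveat: on a machine that is already rooted, the rpm binary and the rpm database are themselves candidates for tampering, so a clean result from `rpm -Va` run on the live system is not proof of anything; it is a quick first look, which is why the reinstall advice above stands.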
Forgive me for the n00bness if I am completely off track as I am trying to learn new stuff everyday as well as keep up with security as this sounds like a pretty severe security issue...
From an overall security point of view, does anyone know any good links or direct me to some good information for securing linux server systems if it's not behind a hardware firewall? I read all the security updates for specific daemons such as httpd, bind, etc.. and ensure those measures are in place and or patched. However, when it comes to the actual OS itself I just want to make sure all security measures are in place for it as well. Yum update does run on a nightly basis, but not sure if there is more to it than that.
Thanks! James
On Sunday 05 February 2006 10:10 am, Chris Mauritz wrote:
Where practical, I also agree with this statement. That really is the only way to be sure. Though you also have to sit down and consider how the naughty people compromised your machine in the first place and make sure that vulnerability is fixed on the fresh install....or you'll just be doing this again in a few days.
In the case that you can not figure it out, here are some very easy to use tools to help lock down your system:
http://www.bastille-linux.org/ Bastille will walk you through the basic steps of locking down your system.
http://www.fs-security.com/ If you aren't really firewall or iptables savvy, firestarter makes it easy to set up a very secure firewall.
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-tcpwrappe... TCP Wrappers can be used in conjunction with firewall rules.
http://freshmeat.net/projects/chkrootkit/ chkrootkit will check for signs of a rootkit.
On Sun, Feb 05, 2006 at 09:52:34AM -0500, Jeff Kinz wrote:
Your system has been compromised and you have know way of knowing what
^^^^ should be "no".
Why my fingers would choose to type a longer homonym rather than a shorter one I can only attribute to insufficient caffeine levels. :-)
James Pifer wrote:
On Sun, 2006-02-05 at 10:30 +0100, Ralph Angenendt wrote:
James Pifer wrote:
Besides killing what's running, how do I get this all cleaned up?
The hotmail account has been denied logins now. I've also set a new password on the account.
Drop Passwords for SSH completely and use public key based authentication. There, one problem gone.
More on http://sial.org/howto/openssh/publickey-auth/
If you *have* to use passwords somewhere: Don't use weak ones.
Ralph/Ignacio,
Thank you very much for your help!!!! I think it's all cleaned up now. I will look at using public key based auth and disabling ssh passwords.
Thanks again. James
Just a thought... It might also be a good measure to use hosts.allow/hosts.deny for limiting access by ip address to your box from the internet.
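Three pieces of advice in this thread come down to two files: Ralph's "drop passwords, use keys" and Ben's "root only without-password" are sshd_config settings, and the hosts.allow/hosts.deny suggestion just above (and John's "deny all, then allow the few") is tcp_wrappers. The script below is an added example, not code from the thread or from OpenSSH or tcp_wrappers: it reads the effective global sshd_config keywords the way sshd does (first occurrence wins, a Match block ends the global section) and reports anything that still lets a password in, and it evaluates hosts.allow/hosts.deny in libwrap's order (allow match wins, then deny, otherwise access is granted) for IPv4 patterns. The OpenSSH defaults are assumed to be those of the CentOS 4 era (PermitRootLogin defaulted to yes then), and the sample files and addresses are constructed.

```python
import re
import ipaddress

# --- sshd_config: are password logins really off? -------------------------

# Assumed OpenSSH defaults of the CentOS 4 era; PermitRootLogin defaulted to "yes" then.
SSHD_DEFAULTS = {"passwordauthentication": "yes", "challengeresponseauthentication": "yes",
                 "pubkeyauthentication": "yes", "permitrootlogin": "yes"}


def sshd_global_settings(config_text):
    """Effective global keywords: first occurrence wins, and a Match block ends the global section."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings


def sshd_findings(config_text):
    """Deviations from 'keys only', as a list of human-readable strings (empty means hardened)."""
    s = dict(SSHD_DEFAULTS)
    s.update(sshd_global_settings(config_text))
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if s["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication still allows keyboard-interactive passwords")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if s["permitrootlogin"] not in ("no", "without-password", "prohibit-password"):
        findings.append("PermitRootLogin allows root to log in with a password")
    return findings


# --- hosts.allow / hosts.deny: who can reach the daemon at all? ------------
# IPv4 patterns only (ALL, exact address, trailing-dot prefix, net/mask or net/prefixlen,
# EXCEPT); hostnames, KNOWN/PARANOID and inline ALLOW/DENY options are not handled here.

def _client_pattern_matches(pat, ip):
    if pat.upper() == "ALL":
        return True
    if pat.endswith("."):                       # "192.0.2." style prefix
        return str(ip).startswith(pat)
    if "/" in pat:                              # 192.0.2.0/255.255.255.0 or 192.0.2.0/24
        return ip in ipaddress.ip_network(pat, strict=False)
    return pat == str(ip)


def _list_matches(spec, item_matches):
    """A tcp_wrappers list: tokens separated by commas/blanks, with an optional 'EXCEPT' list."""
    upper = spec.upper()
    if " EXCEPT " in upper:
        i = upper.index(" EXCEPT ")
        return _list_matches(spec[:i], item_matches) and not _list_matches(spec[i + 8:], item_matches)
    return any(item_matches(tok) for tok in re.split(r"[,\s]+", spec.strip()) if tok)


def _file_matches(text, daemon, ip):
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        if (_list_matches(fields[0], lambda t: t.upper() == "ALL" or t == daemon)
                and _list_matches(fields[1], lambda t: _client_pattern_matches(t, ip))):
            return True
    return False


def wrappers_allows(daemon, client_ip, allow_text, deny_text):
    """libwrap order: a hosts.allow match wins, then hosts.deny, otherwise access is granted."""
    ip = ipaddress.ip_address(client_ip)
    if _file_matches(allow_text, daemon, ip):
        return True
    if _file_matches(deny_text, daemon, ip):
        return False
    return True


# Constructed samples (documentation address ranges, not real hosts).
HOSTS_ALLOW = """# office network except one untrusted box, plus the backup host
sshd: 192.0.2.0/24 EXCEPT 192.0.2.13
sshd: 198.51.100.7
ALL: 127.0.0.1
"""
HOSTS_DENY = "ALL: ALL\n"
WEAK_SSHD = "Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n"
HARDENED_SSHD = """Port 2222
Protocol 2
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 127.0.0.1
    PasswordAuthentication yes
"""
```

Two details the samples are built to show: the commented-out `#PasswordAuthentication no` in WEAK_SSHD does nothing, so the default (yes) applies and the audit reports it; and without the `ALL: ALL` in hosts.deny, an address that matches nothing is let in, which is why "deny all, then allow the few" needs both files. The EXCEPT clause is how you keep a default-allow for your network while carving out one host you do not trust.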