LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-09-2008, 02:06 PM   #1
gianh
Member
 
Registered: Feb 2004
Distribution: Gentoo
Posts: 58

Rep: Reputation: 15
Box is attempting to scan and ssh into random machines using random usernames


Hey guys, I have a question. It has been brought to my attention that a box I just got put in charge of is attempting to SSH into another box with several random usernames. What should I look for? Thanks
 
Old 11-09-2008, 06:20 PM   #2
Savet
Member
 
Registered: Nov 2004
Distribution: Slackware
Posts: 73

Rep: Reputation: 15
It sounds as if the box has been compromised.

In general, once a box is tainted, a clean OS install is the only 100% sure way to make sure it's clean.

If this is not possible, you should read up on rootkits and securing ssh, as they likely exploited a weak ssh password initially to gain control of the box.
 
Old 11-09-2008, 06:42 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927
Quote:
Originally Posted by gianh
what should i look for?
Something piggybacking onto a vulnerable setup or a good breach of security. I don't know. No info. I'd say log the full process, open files, user logins and network connection data (off site), then raise the firewall to only allow traffic from and to your management IP (range), then kill all 'net-facing services except SSH, then look around for stray processes. Then post info here to help us help you. For checks after that read the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html.


Quote:
Originally Posted by Savet
In general, once a box is tainted, a clean OS install is the only 100% sure way to make sure it's clean.
...but before you do, you should put some effort into investigating the matter. With breaches of security there's no room for gut feelings, "thinking" or assumptions. If you don't then sure you can harden a box the next time around but you won't know what caused it.


Quote:
Originally Posted by Savet
as they likely exploited a weak ssh password initially to gain control of the box.
What clues did I miss that it's that specific vector?
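One way to carry out the first two steps unSpawn lists above (capture process, open-file, login and network state, then raise the firewall so only the management range can reach the box), as an added example that is not from this thread or any poster. The output file names, the choice of tools and the 203.0.113.0/24 management range are my assumptions; adjust them to the host in question.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot volatile state of a suspect
# host, then print firewall rules that fence it to a management range.
# Run as root; pull OUTDIR from the management host before changing anything.

# snap OUTDIR NAME CMD [ARGS...]: run CMD if installed, save stdout+stderr
# to OUTDIR/NAME.txt, and record a missing tool instead of aborting.
snap() {
    outdir=$1; name=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$outdir/$name.txt" 2>&1 || true
    else
        echo "tool '$1' not found on this host" >"$outdir/$name.txt"
    fi
}

# collect_volatile OUTDIR: processes, open files, logins, sessions, sockets
# and ARP cache, plus a SHA-256 manifest so the off-site copy can be verified.
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' >"$outdir/collected_at.txt"
    snap "$outdir" processes  ps auxwwf    # full command lines, process tree
    snap "$outdir" open_files lsof -nP     # no DNS/port lookups: fast, no leaks
    snap "$outdir" logins     last -aiF    # login history with source IPs
    snap "$outdir" sessions   w -i         # who is logged in right now
    snap "$outdir" sockets    ss -tunap    # listening + established, with PIDs
    snap "$outdir" arp_cache  ip neigh
    ( cd "$outdir" && sha256sum *.txt >MANIFEST.sha256 ) 2>/dev/null || true
    [ -s "$outdir/processes.txt" ]
}

# fw_rules MGMT_CIDR: emit (not apply) iptables rules that allow only SSH
# from the management range plus its replies and drop everything else in
# both directions, which also stops the outbound SSH attempts described.
# Review the output, then pipe it to sh from a console/IPMI session, since
# a typo here locks you out of the box.
fw_rules() {
    mgmt=$1
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $mgmt -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d $mgmt -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}
```

Because OUTPUT is dropped apart from SSH replies, the snapshot has to be pulled from the management host (e.g. scp from that side) rather than pushed from the suspect box.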
 
All times are GMT -5.