Brute-force attack - How can I assess the damage?
 

This morning I came in to work to find my FC3 box being brute force attacked. I ran top when I noticed some major lag in performance and found about 50 processes by the name of "brute." I killed all of them and ran a "who" command, which told me someone had logged in using the account "test" on pts9. Killed the terminal's process and checked out /home/test. ls -al didn't reveal much more than
It says total 48 but thats obviously not 48 files. I checked the contents of .bash_history (way to not cover the trail!) and got this:
What I would like to know:
1) Is there any way to find the extent of the damage, if any?
2) How can I prevent this again?

Thanks!

1) Is there any way to find the extent of the damage, if any?
Local integrity check using Aide or Samhain or alike. If you're haven't got any of those, using a package manager with verification option: at least to some extent the possibility of checking binaries and config files. Otherwise: none but diffing against backups, practically speaking.


2) How can I prevent this again?
Only allow what you know is needed in terms of (LAN or publicly accessable) (secure or chrooted) networked services, user accounts and please have a look at the LQ security refs: http://www.linuxquestions.org/questi...threadid=45261 for hardening the box. One example: if you where running a kernel with Grsecurity patches, she wouldn't even be *able* to open an outbound socket unless you specifically allowed that account to have that privilege.

I found this quite ironic really. Amongst the trail, is the link - http://www.moused.as.ro/udp.pl and the perl script and then when you go the index page it is all about securing your server. Just had to smile - sorry. I feel for you but what possessed you to have a user named test with these permissions? Really an accident waiting to happen.
if you download and have a look at the file scan.tgz he was using your system to scan other systems in the ip ranges of the various scripts contained in the package along with all the possible names of users and passwords. A very interesting insight into the mind of a cracker and what they can do.
Your answer is really recover any data and then if=/dev/zero of=/dev/hdx bs=1M and re-install.

Thanks for the replies. I know the "test" user looks quite like a rookie admin mistake, and probably is, but I have no recall of ever setting up a user like that, nor would I with such a pressumably weak password. This makes me wonder how the account came in to creation. Well, it looks as though nothing was compromised. Diff'ing against backups isn't much of an option as I don't keep regular backups of my work machine though I probably should. And yeah, I'm gonna stay clear of the dd'ing my hard disk to zero for the moment :D

looks quite like a rookie admin mistake, and probably is, but I have no recall of ever setting up a user like that, nor would I with such a pressumably weak password. This makes me wonder how the account came in to creation.
One of the reasons root account users should keep a logfile, appropriately harden boxen and regularly inspected them for changes (Get Aide or Samhain plus Tiger or LSAT plus Chkrootkit and/or Rkhunter). OTOH there still is SW that installs crappy default login:pass combo's, an audit would have caught that. Tiger for instance can inspect the password files and run JTR, and Rkhunter does inspect the password files as well.


Well, it looks as though nothing was compromised.
Meaning you decided the actual state of the box using what? Without proper means of determining that's worth close to nothing.


And yeah, I'm gonna stay clear of the dd'ing my hard disk to zero for the moment
In any case compromised boxen shouldn't stay connected to the 'net until you find the cause or wiped it clear and reinstalled the whole setup (TigerOC is right about that) as it does not only affect your situation but possibly others as well if a compromised box is being allowed to be used as intermediate.