Old 09-15-2005, 11:30 PM   #1
Registered: Sep 2003
Location: Kuwait
Distribution: Slack 10.0 @ Kernel 2.4.27
Posts: 63

Rep: Reputation: 15
Compromised by SSH bruteforce

After reading the article, I realised that I was hacked.


Yesterday, I slept at 7 pm and woke up today at 3:30, to find that my PC has restarted.

I jumped to /var/log and started looking there..

in messages I found this to be interesting ::

Sep 15 17:38:19 MBH kernel:  sda: I/O error: dev 08:00, sector 0
Sep 15 18:00:48 MBH -- MARK --
Sep 15 18:20:48 MBH -- MARK --
Sep 15 18:40:48 MBH -- MARK --
Sep 15 19:00:48 MBH -- MARK --
Sep 15 19:20:48 MBH -- MARK --
Sep 15 19:40:48 MBH -- MARK --
Sep 15 20:00:48 MBH -- MARK --
Sep 15 20:20:48 MBH -- MARK --
Sep 15 20:40:48 MBH -- MARK --
Sep 15 21:00:48 MBH -- MARK --
Sep 15 21:20:48 MBH -- MARK --
Sep 15 21:40:48 MBH -- MARK --
Sep 15 22:00:48 MBH -- MARK --
Sep 15 22:19:51 MBH kernel: eth0: Setting half-duplex based on MII #8 link partner capability of 0000.
Sep 15 22:20:01 MBH kernel: eth0: Setting full-duplex based on MII #8 link partner capability of 45e1.
Sep 15 22:40:48 MBH -- MARK --
Sep 16 00:00:48 MBH -- MARK --
Sep 16 00:20:48 MBH -- MARK --
Sep 16 00:24:16 MBH sshd[9177]: Did not receive identification string from ::ffff:
Sep 16 00:25:41 MBH sshd[9194]: Invalid user 1 from ::ffff:
Sep 16 00:25:41 MBH sshd[9194]: Failed password for invalid user 1 from ::ffff: port 418$
Sep 16 00:40:48 MBH -- MARK --
Sep 16 01:00:48 MBH -- MARK --
Sep 16 01:20:48 MBH -- MARK --
Sep 16 01:40:48 MBH -- MARK --
Sep 16 02:00:48 MBH -- MARK --
Sep 16 02:20:48 MBH -- MARK --
Sep 16 02:40:48 MBH -- MARK --
Sep 16 02:56:30 MBH syslogd 1.4.1: restart.
Sep 16 02:56:32 MBH kernel: klogd 1.4.1, log source = /proc/kmsg started.
Sep 16 02:56:32 MBH kernel: ey):
Sep 16 02:56:32 MBH kernel: IPv6 v0.8 for NET4.0
The I/O error shows the last time I used the PC.
Notice the sshd messages. Someone has been trying to login (and apparently they did), then restarted the PC.

I scanned with nmap and found these ports to be open :: 111,631,3663,45100

Am I correct with my guess? Was I hacked? Where else should I look? Should I check for implanted scripts? Where?

The SSH attack article mentioned that compromised computers have IRC bots installed. Where can I find these, if any, and how to disable them?

Thanks in advance

Last edited by MBH; 09-16-2005 at 12:06 AM.
Old 09-16-2005, 12:04 AM   #2
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910
If the person had logged in successfully you would have seen
a "password accepted" in the log as well ... also, you would most
likely see entries in the output of "last" for it.

If you're concerned about having been compromised, download
some live DISTRO with chkrootkit and rootkithunter on it.

Also, if the machine had gone down by user-interaction, there
would be messages to that effect in the logs. More likely a fluke
in the power-grid or maybe a hardware problem?

Old 09-16-2005, 12:17 AM   #3
Registered: Sep 2003
Location: Kuwait
Distribution: Slack 10.0 @ Kernel 2.4.27
Posts: 63

Original Poster
Rep: Reputation: 15

I'm downloading Slack 10.2 and gonna do a clean install afterwards.

For now, I've stopped & disabled rc.sshd, downloaded rkhunter and did a scan. Only PHP seems to be vulnerable -- which doesn't matter since I don't run apache, only local PHP scripting.
Old 09-16-2005, 10:10 PM   #4
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Unless you had exceptionally poor passwords, then the ssh bruteforce is unlikely to have been successful as most versions of the tool only use a rudimentary set of usernames and passwords. The command 'last -i' should also show any successful remote logins. The disk I/O error would seem to suggest a hardware failure as the likely cause of the shutdown as Tink mentioned.

Quote:
I scanned with nmap and found these ports to be open :: 111,631,3663,45100

How did you perform the scan, locally (i.e. like scanning yourself) or from another system? What nmap scan did you use? If you haven't already hosed the system, run 'netstat -pantu' and post the output.
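
The log check described in replies #2 and #4, as an added example that is not part of the original thread: it counts failed and accepted sshd authentications per source address, so a brute-force source that never got in can be told apart from one that did. The function names and the sample log are constructed for illustration (addresses are documentation ranges); OpenSSH writes a successful login as "Accepted password for USER from ADDR port N ssh2".

```shell
#!/bin/sh
# Added example, not from the thread. Sample log lines are constructed.
write_sample_log() {
    cat > "$1" <<'EOF'
Sep 16 00:24:16 host sshd[9177]: Did not receive identification string from ::ffff:192.0.2.10
Sep 16 00:25:41 host sshd[9194]: Invalid user 1 from ::ffff:192.0.2.10
Sep 16 00:25:41 host sshd[9194]: Failed password for invalid user 1 from ::ffff:192.0.2.10 port 41800 ssh2
Sep 16 00:25:44 host sshd[9196]: Failed password for root from ::ffff:192.0.2.10 port 41802 ssh2
Sep 16 00:26:02 host sshd[9201]: Failed password for root from ::ffff:198.51.100.7 port 50211 ssh2
Sep 16 00:26:05 host sshd[9203]: Accepted password for root from ::ffff:198.51.100.7 port 50214 ssh2
Sep 16 00:40:48 host -- MARK --
EOF
}

# Print "source failed accepted" for every remote address, sorted.
ssh_login_summary() {
    awk '
    / sshd\[[0-9]+\]: (Failed|Accepted) [^ ]+ for / {
        # The user name is chosen by the remote side and may itself contain
        # the word "from", so keep the LAST "from": that one is sshd-written.
        for (i = 1; i < NF; i++) if ($i == "from") src = $(i + 1)
        sub(/^::ffff:/, "", src)          # strip IPv4-mapped IPv6 prefix
        if ($0 ~ /: Failed /) failed[src]++; else accepted[src]++
        seen[src] = 1
    }
    END {
        for (s in seen) printf "%s %d %d\n", s, failed[s], accepted[s]
    }' "$1" | sort
}

# Sources with failed attempts AND an accepted login: the ones to investigate.
ssh_suspect_sources() {
    ssh_login_summary "$1" | awk '$2 > 0 && $3 > 0 { print $1 }'
}

# Usage: ssh_login_summary /var/log/messages
```

An empty result from ssh_suspect_sources only covers what is still in the log file; 'last -i' reads wtmp, a separate record, and is worth checking alongside it.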

