LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 07-01-2005, 10:49 AM   #1
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 161

Rep: Reputation: 30
Security problems on my servers, urgent!!!!!?


Hello, it's me again. I have a problem that originated from several of our servers. I would like for you people to check out the following messages that I received in my email:

"Please note I'd like to file a report for investigation due to abnormal activity against one or several of our systems originated from one of your controlled IP addresses. The remote system of your company was found to have exceeded acceptable login failures on secure5.integrese.com. As such the attacking host has been banned from further accessing this system; for the integrity of your host you should investigate this event as soon as possible. The following are 68 login failures from your IP address:"

end of message


All the login attempts were through high ports (for example 51043, 51097) trying to use ssh. All this was last week, and it happened 2 times on different IP addresses; today I've got another one, and again on a different IP address..

What can I do? 2 machines have SuSE and one Mandrake..

What can I do? I'm kind of desperate....

Thank you very much for your time!!!!!!
 
Old 07-01-2005, 10:57 AM   #2
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
Hrrm. Are you certain no local user could be doing this?

Have you run rkhunter and checkrootkit to see if there are any known rootkits in your system?

If you do believe they are attacking other machines, they should be taken offline IMMEDIATELY.
 
Old 07-01-2005, 11:57 AM   #3
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 161

Original Poster
Rep: Reputation: 30
Can you please define what a rootkit is? And what are rkhunter and checkrootkit?

thanks!!!
 
Old 07-01-2005, 12:07 PM   #4
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
rkhunter and checkrootkit are tools used to check for rootkits. Rootkits are, generally speaking, tools used by hackers to gain root and cover their tracks on systems.
 
Old 07-01-2005, 12:56 PM   #5
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 161

Original Poster
Rep: Reputation: 30
OK, and how do I run or install rkhunter and checkrootkit?
 
Old 07-01-2005, 01:38 PM   #6
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 161

Original Poster
Rep: Reputation: 30
Thanks, I figured out how to run chkrootkit. I'm going to run it on the other servers to see what happens..
Thanks for the info.. any other suggestions will be appreciated!!!!
 
Old 07-01-2005, 01:54 PM   #7
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
No problem. Is your firewall configured to prohibit any unnecessary outbound connections?
 
Old 07-01-2005, 01:57 PM   #8
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 161

Original Poster
Rep: Reputation: 30
I don't think so... how can I do that?
 
Old 07-01-2005, 01:59 PM   #9
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 161

Original Poster
Rep: Reputation: 30
This is how my firewall is configured:
FW_QUICKMODE="no"
FW_DEV_EXT="eth-id-00:50:ba:56:b2:98"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="ssh http https www ftp"
FW_SERVICES_EXT_UDP="21 22"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
# $FW_DEV_EXT
# FW_SERVICES_QUICK_TCP="ssh,ftp"
# FW_SERVICES_QUICK_UDP="isakmp"
# FW_SERVICES_QUICK_IP="50"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_ANTISPOOF="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
 
Old 07-02-2005, 01:49 AM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
If your host has been reported to be attempting multiple failed ssh logins, then it's very likely to have been compromised and running brutessh. In fact it's very likely that your host was compromised with that same cracking tool if you were using weak passwords. Check for open ssh connections to random hosts (netstat -pantu). If your system was compromised that way, then it's very likely that a check for rootkits would be negative (it's still worthwhile to run the check though). There is a very long thread near the top of this forum that contains info on this tool that may be informative.
 
Old 07-04-2005, 11:10 AM   #11
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 161

Original Poster
Rep: Reputation: 30
OK, Capt_Caveman, I'll check out the thread you are mentioning, but what do I do? Because I ran netstat and here's a part of what I got, but no ssh connections:

2-1120489964
unix 3 [ ] STREAM CONNECTED 82699
unix 3 [ ] STREAM CONNECTED 82682 /tmp/.ICE-unix/dcop17732-1120489964
unix 3 [ ] STREAM CONNECTED 82681
unix 3 [ ] STREAM CONNECTED 82679
unix 3 [ ] STREAM CONNECTED 82678
unix 2 [ ] DGRAM 82482
unix 3 [ ] STREAM CONNECTED 72336 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 72323
unix 2 [ ] DGRAM 10896
unix 2 [ ] DGRAM 9230
unix 2 [ ] DGRAM 8332
unix 2 [ ] DGRAM 8280
unix 2 [ ] DGRAM 8162
unix 2 [ ] DGRAM 8146
unix 3 [ ] STREAM CONNECTED 7180 /var/run/acpid.socket
unix 3 [ ] STREAM CONNECTED 7179
unix 2 [ ] DGRAM 6106
unix 2 [ ] DGRAM 5833
unix 2 [ ] DGRAM 3315
Can you be a little more specific about what you want me to look for?

thank you very much!!!!!
 
Old 07-04-2005, 12:30 PM   #12
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
That's a list of the local unix sockets, do netstat -pantu instead (make sure to include all of the options to that command). Then look for any connections to port 22 on remote hosts. This would be an example:
Code:
tcp        0      0 192.168.4.101:45197         10.10.10.1:22          ESTABLISHED 9879/xyz
The important items are in red, first is the remote port 22 and the second item is the PID (process ID) number. Take that number and look in /proc/PID/cmdline. In the above example you'd look in /proc/9879/cmdline. That will give you the name of the executable that is establishing ssh connections (or in this case bruteforcing ssh logins). Please try to do this as soon as possible because it's very likely that your machine is actively attacking other systems and should be taken offline ASAP.
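As an added example (not from any of the posters), a small POSIX shell script that automates the check Capt_Caveman describes: it parses `netstat -pantu` output for TCP connections whose foreign port is 22, extracts the owning PID from the PID/Program column, and reads /proc/PID/cmdline for each. The netstat sample below is constructed; on a real host pass the output of `netstat -pantu` in instead.

```shell
#!/bin/sh
# Constructed sample of `netstat -pantu` output (not real data). One process
# (PID 9879, "xyz") has connections to port 22 on two remote hosts.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1234/sshd
tcp        0      0 192.168.4.101:45197         10.10.10.1:22               ESTABLISHED 9879/xyz
tcp        0      0 192.168.4.101:45198         10.10.10.2:22               SYN_SENT    9879/xyz
tcp        0      0 192.168.4.101:33011         192.168.4.5:80              ESTABLISHED 2201/wget
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               987/dhclient'

# Print "PID foreign_address" for every tcp/tcp6 line whose foreign port is 22.
# Field 5 is the foreign address, field 7 is "PID/Program name".
outbound_ssh_pids() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^tcp/ && $5 ~ /:22$/ { split($7, p, "/"); print p[1], $5 }' |
        sort -u
}

# For each such PID, show the real command line (NUL-separated in /proc).
# PIDs from the constructed sample will not exist on the host running this.
show_cmdlines() {
    outbound_ssh_pids "$1" | while read -r pid rhost; do
        if [ -r "/proc/$pid/cmdline" ]; then
            printf '%s -> %s : ' "$pid" "$rhost"
            tr '\000' ' ' < "/proc/$pid/cmdline"
            echo
        else
            printf '%s -> %s : (no /proc entry for this PID on this host)\n' "$pid" "$rhost"
        fi
    done
}

show_cmdlines "$SAMPLE"
```

To run it against the live machine: `show_cmdlines "$(netstat -pantu)"`.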
 
Old 07-04-2005, 01:21 PM   #13
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 161

Original Poster
Rep: Reputation: 30
OK, I'm checking that right now.
I have another question. We think it's someone that has access to our network; we have access to this person's machine. How can I check which machines he has logged in to?
The operating system he uses is Fedora.
 
Old 07-04-2005, 04:08 PM   #14
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Offhand I can't think of anything that keeps a list of machines that you've logged into, however you can take a look at their users' bash histories and try to find ssh logins. You can easily see what machines they are currently logged into with the netstat -pantu command.

Also, just to clarify my earlier post, you'll need to run that netstat command on the machine that the attacks were originating from (the machine that was reported by the other sysadmin). One thing to keep in mind is that the brutessh tool usually has a very limited password list and will only compromise hosts that use very poor passwords (like "root" as the root user password), so you may want to ask the user if that was the case (check their bash histories first though).
 
Old 07-05-2005, 10:31 AM   #15
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 161

Original Poster
Rep: Reputation: 30
Could it be possible to install a program on the machine of the person who we think is hacking our servers, so that we can monitor what this person is doing?
 