Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hello, it's me again. I have a problem that originated from several of our servers, and I would like you people to check out the following message that I received in my email:
"Please note I'd like to file a report for investigation due to abnormal activity against one or several of our systems originated from one of your controlled IP addresses. The remote system of your company was found to have exceeded acceptable login failures on secure5.integrese.com. As such the attacking host has been banned from further accessing this system; for the integrity of your host you should investigate this event as soon as possible. The following are 68 login failures from your IP address:"
end of message
All the login attempts were through high ports (for example 51043, 51097) trying to use ssh. All this was last week, and it happened 2 times with different IP addresses; today I've got another one, and again with a different IP address.
What can I do? 2 machines have SuSE and one Mandrake.
If your host has been reported to be attempting multiple failed ssh logins, then it's very likely to have been compromised and running brutessh. In fact it's very likely that your host was compromised with that same cracking tool if you were using weak passwords. Check for open ssh connections to random hosts (netstat -pantu). If your system was compromised that way, then it's very likely that a check for rootkits would be negative (it's still worthwhile to run the check though). There is a very long thread near the top of this forum that contains info on this tool that may be informative.
That's a list of the local unix sockets, do netstat -pantu instead (make sure to include all of the options to that command). Then look for any connections to port 22 on remote hosts. This would be an example:
tcp 0 0 192.168.4.101:45197 10.10.10.1:22 ESTABLISHED 9879/xyz
The important items are in red, first is the remote port 22 and the second item is the PID (process ID) number. Take that number and look in /proc/PID/cmdline. In the above example you'd look in /proc/9879/cmdline. That will give you the name of the executable that is establishing ssh connections (or in this case bruteforcing ssh logins). Please try to do this as soon as possible because it's very likely that your machine is actively attacking other systems and should be taken offline ASAP.
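A small triage script, added here and not from the thread, that automates the check described above: it picks the PIDs out of netstat -pantu output for TCP connections to port 22 on remote hosts and reads each one's /proc/PID/cmdline. When it cannot run netstat as root it falls back to a constructed sample in the same layout as the example line above; the PIDs and program names in that sample are made up.

```sh
#!/bin/sh
# Triage helper: find processes on this host that hold TCP connections to
# port 22 on remote hosts and show the executable behind each one.

# Parse `netstat -pantu` output from stdin. Columns for tcp lines are:
# Proto Recv-Q Send-Q Local Foreign State PID/Program. Print one PID per
# line for every tcp connection whose remote end (column 5) is port 22.
# Inbound sshd sessions have :22 on the local side, so they are skipped.
outbound_ssh_pids() {
    awk '$1 ~ /^tcp/ && $5 ~ /:22$/ {
        split($7, a, "/"); if (a[1] ~ /^[0-9]+$/) print a[1]
    }' | sort -u
}

# Show the command line behind a PID. /proc/PID/cmdline is NUL separated,
# so NULs are turned into spaces for display.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
        echo
    else
        echo "(no /proc/$1/cmdline: process gone or not readable)"
    fi
}

# Constructed sample in the layout of the thread's example line (PIDs and
# program names are made up): two outbound ssh connections from PID 9879,
# one inbound sshd session, one half-open attempt and an unrelated udp socket.
SAMPLE='tcp        0      0 192.168.4.101:45197     10.10.10.1:22           ESTABLISHED 9879/xyz
tcp        0      0 192.168.4.101:45198     10.10.10.2:22           ESTABLISHED 9879/xyz
tcp        0      0 192.168.4.101:22        192.168.4.50:50122      ESTABLISHED 1203/sshd
tcp        0      0 192.168.4.101:51043     10.10.10.3:22           SYN_SENT    9879/xyz
udp        0      0 0.0.0.0:68              0.0.0.0:*                           880/dhclient'

main() {
    # Use live data when netstat is present and we are root (needed for -p);
    # otherwise fall back to the constructed sample.
    if command -v netstat >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        input=$(netstat -pantu 2>/dev/null)
    else
        echo "netstat/root not available, using constructed sample"
        input=$SAMPLE
    fi
    printf '%s\n' "$input" | outbound_ssh_pids | while read -r pid; do
        printf 'PID %s -> ' "$pid"
        cmdline_of "$pid"
    done
}

main
```

Run it as root on the machine that was reported; any PID it prints whose command line is not an ssh client you started yourself deserves the /proc inspection described above.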
OK, I'm checking that right now.
I have another question: we think it's someone who has access to our network. We have access to this person's machine; how can I check which machines he has logged in to?
The operating system he uses is Fedora.
Offhand I can't think of anything that keeps a list of machines that you've logged into; however, you can take a look at that user's bash history and try to find ssh logins. You can easily see what machines they are currently logged into with the netstat -pantu command.
Also, just to clarify my earlier post, you'll need to run that netstat command on the machine that the attacks were originating from (the machine that was reported by the other sysadmin). One thing to keep in mind is that the brutessh tool usually has a very limited password list and will only compromise hosts that use very poor passwords (like "root" as the root user password), so you may want to ask the user if that was the case (check their bash histories first though).