Quote:
Originally Posted by sminogue
In response I have tightened up the security a bit on my server starting with rotating all my passwords, increasing password complexity, removing un-used ssh accounts, limiting what users can ssh to the server, and following some of the steps outlined here: http://www.yolinux.com/TUTORIALS/Lin...tSecurity.html
While mitigation is good, you should really have performed such maintenance already and regularly. It's simply part of good systems administration. Also be aware that mitigation may have the destruction of any "evidence" as a side effect, for instance when you disable and clean up dormant or unwanted accounts. This may hamper your investigation.
Quote:
Originally Posted by sminogue
But my real question is this: I assume in order for an attacker to be using my server as a spring board to crawl other servers (I assume that's what walking subnets means) they would have to have installed some software or script on my server. I can block outgoing connections and block what this software or script is trying to do. But how would I go about finding what they installed or created? I was thinking I could find all files changed in the last, say... 48hrs and see if any of them jumped out at me? Is there a better way?
For "walking subnets" just substitute "scanning", but if by "registering SIP" they mean probing accounts for future abuse then there definitely is something running and SIPvicious, a commonly (ab)used VoIP auditing tool, has shown up in some compromised servers.
The problem I have with what you posted about your provider's account is there is no tangible data to go on. IP addresses and time stamps, for instance, may help you find out which accounts were active at the time and which files (if uniquely owned and accessed) were accessed. If your provider didn't provide a detailed log, ask them for it as it makes things easier.
At LQ we don't believe blanket statements like "reinstall again" or "run tool X" should be issued, and never on their own anyway. What you should do is check your system integrity (AIDE, Samhain if you installed that, or any package management file verification if available), look at accounts (failed logins, login times, IP addresses), processes and open files (if they still exist), system and daemon logs (use 'logwatch' for generating leads) and any files that seem anomalous like binaries or scripts in users' homes and directories holding temporary files. Before you go on, however, it's best to first read the CERT Intruder Detection Checklist: http://web.archive.org/web/200801092...checklist.html. While deprecated, it still shows you basic steps to perform.
When you reply please add as much information as possible including:
- distribution and release,
- which services the machine or machines provide including web-based management panels, statistics, web log, forum, shopping cart, plug-ins and other software if any,
- which exact software versions and if the software was kept up to date,
- which logging and access restrictions are in place and what hardening was performed,
- if there have been earlier breaches or anomalies,
- results from the actions performed as per the CERT Intruder Detection Checklist.
Complete listings of running (piping to remote over SSH or saving in /dev/shm):
- processes and open files: '/bin/ps acxfwwwe 2>&1; /usr/sbin/lsof -Pwln 2>&1'
- network connections: 'netstat -anpe 2>&1'
- user data: 'lastlog 2>&1; last 2>&1; who -a 2>&1'
- any package management file verification, for instance '/bin/rpm -Vva 2>&1|/bin/grep -v "\.\{8\}" 2>&1' if you run RPM,
- and add anything else you think is worth mentioning.
Also run all system and daemon logs (depending on logrotate configuration) through Logwatch with the "--detail High --service All --range All --archives --numeric --save /path/to/logwatch.log" switches (substitute "/path/to/logwatch.log") and read it. Finally, please ask specific questions before performing any step if necessary, and please reply as verbosely as possible. Also please stay with the thread (subscribe?) until completion and reply as soon as possible when replies are posted.
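The listings asked for above, as an added shell script that is not from this post or from LQ: it runs the listed commands, keeps stdout and stderr together, writes each result into a timestamped directory under /dev/shm (tmpfs, so nothing is written to the possibly compromised disk) and also does the poster's own "files changed in the last 48 hours" search. The names OUTDIR, SCAN_ROOT, capture, collect_all and ship_over_ssh are this example's own assumptions.

```shell
#!/bin/sh
# Volatile-data collection as listed in the post. Output goes to a
# timestamped directory under /dev/shm (tmpfs) so nothing touches the
# possibly compromised disk; override with OUTDIR=... (these variable and
# function names are this example's own, not from the post).
# SCAN_ROOT limits the modification-time search (default: whole root fs).
OUTDIR="${OUTDIR:-/dev/shm/triage-$(date +%Y%m%d-%H%M%S)}"
SCAN_ROOT="${SCAN_ROOT:-/}"

# Run one tool, keeping stdout and stderr together (the post's '2>&1');
# a missing tool is recorded in its file instead of aborting the run.
capture() {
    name="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$OUTDIR/$name.txt" 2>&1 || true
    else
        echo "tool not found: $1" > "$OUTDIR/$name.txt"
    fi
}

collect_all() {
    mkdir -p "$OUTDIR"
    # processes and open files
    capture ps      ps acxfwwwe
    capture lsof    lsof -Pwln
    # network connections
    capture netstat netstat -anpe
    # user data
    capture lastlog lastlog
    capture last    last
    capture who     who -a
    # RPM verification: drop lines whose eight check flags are all '.'
    # (unchanged files), leaving only files that differ from the package
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vva 2>&1 | grep -v '\.\{8\}' > "$OUTDIR/rpm-verify.txt" || true
    fi
    # the poster's idea: regular files modified within the last 48 hours,
    # staying on one filesystem (-xdev skips /proc, /sys and /dev/shm)
    find "$SCAN_ROOT" -xdev -type f -mtime -2 -ls > "$OUTDIR/mtime-48h.txt" 2>&1 || true
    echo "$OUTDIR"
}

# The other option the post mentions: stream the directory to a remote
# host over SSH instead of keeping it on this machine.
ship_over_ssh() {
    tar -C "$(dirname "$OUTDIR")" -cf - "$(basename "$OUTDIR")" | ssh "$1" 'cat > triage.tar'
}
```

The mtime listing only gives leads: modification times are easily reset by an intruder, which is why the post puts integrity checkers and package verification first.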