LinuxQuestions.org
Linux - Security forum thread
Old 02-18-2011, 11:26 AM   #76
tvcnet
LQ Newbie
 
Registered: Jan 2011
Posts: 7

Rep: Reputation: 0

I sent a note off to pr1soner to send me the notes as well, but no reply.
Anyone receive a reply on this, or is this just a teaser post...

Thanks,
Jim
 
Old 02-18-2011, 12:28 PM   #77
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
I too asked for the notes, but have not received anything.
 
Old 02-18-2011, 02:47 PM   #78
pr1soner
LQ Newbie
 
Registered: May 2010
Location: earth
Distribution: slackware
Posts: 10

Original Poster
Rep: Reputation: 1
hi,

After thinking for a while, there is no point in me PMing the obvious. So, I'll describe how I dealt with that spammer.

In my case it was an Exim 0day that allowed the attacker to send the spam. I read that some people in this thread didn't even use Exim and still faced the 'wanna date' spammer. It is because this guy has more than just one 0day, and he keeps using them. After I realized it was a 0day in Exim I updated it once the update became available, but still the spammer was able to send the spam. I later found that the sshd binaries were backdoored by the spammer. Replacing them with 'clean' sshd binaries finally stopped that spammer.

Someone here pasted:

[root@420 /]# ll /tmp/
total 300860
-rw-r--r-- 1 root root 9177717 Jan 12 04:59 1DW4zEQspT

These files in /tmp are the list of mails the 'wanna date' will be sent to, and once the script finishes sending mails, it's deleted.

So the point is: first find how the spammer gained access to your system. Again, mine got owned because of Exim; yours may be owned because of something else.

Once you are sure, update it, then update your ssh. And here is a small thing: I don't know if this guy is always backdooring OpenSSH or if it was only done like that on my servers. On your server something else may be backdoored. But let's hope it's just OpenSSH.

It was happening on:
CentOS: 3,4 and 5

It's almost one month since I've replaced OpenSSH on each and every server and the spam is gone, so I could carefully say: I've stopped him. Did you?

(Sorry if my English is crap, I bet it is.)
 
1 members found this post helpful.
Old 02-18-2011, 02:57 PM   #79
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Many thanks pr1soner, this is helpful.
 
Old 02-18-2011, 06:18 PM   #80
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
pr1soner, please provide accurate evidence (log excerpts, application versions) that allow us to draw our own conclusions. Without that it'll be just words.
 
Old 02-19-2011, 01:54 AM   #81
120
Member
 
Registered: Oct 2010
Posts: 46

Rep: Reputation: 9
One thing crosses my mind with back-dooring sshd. If it is to allow the attacker INBOUND access, then iptables limiting the range of IPs that can connect to port 22 would resolve that. I appreciate that on a compromised system the rule could be taken out, but it would be quite simple to detect. Restoring a drop rule would kill the miscreant's access.

On the other hand, if it was back-doored in a reverse TCP context, it would have a hardwired target, which would lead you right back to the attacker with a simple packet capture.

Just a couple of thoughts.
 
Old 02-19-2011, 05:27 AM   #82
pr1soner
LQ Newbie
 
Registered: May 2010
Location: earth
Distribution: slackware
Posts: 10

Original Poster
Rep: Reputation: 1
Quote (originally posted by 120):
One thing crosses my mind with back-dooring sshd. If it is to allow the attacker INBOUND access, then IPTABLES limiting the range of IP's that can connect to port 22 would resolve that.
True, this would help, but some systems need to have wide open 22/tcp.

You must know that the whole spam thing seems to be automated, starting from exploiting the Exim hole and finishing with returning via the backdoored sshd, all automated. It seems it doesn't matter to the attacker if you block his IP or detect his IP, as he doesn't try to hide it (still, it's a pretty nice attack, as we all here had tons of questions). I've written a script that detects the spammer's activity (it works based on a few conditions that are always present when the spammer's script is active). The IP is written in the SSH environment variables.
Here is how it looks when you grab it:

captured '/proc/3907/environ' info (one variable per line; the NUL separators of the raw file were lost in the paste):
SHELL=/bin/bash
SSH_CLIENT=69.57.173.236 49157 22
USER=root
LS_COLORS=
MAIL=/var/mail/root
PATH=/usr/local/jdk/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/bin:/usr/X11R6/bin
PWD=/root
JAVA_HOME=/usr/local/jdk
EDITOR=pico
SHLVL=1
HOME=/root
LS_OPTIONS=--color=tty -F -a -b -T 0
LOGNAME=root
VISUAL=pico
CLASSPATH=.:/usr/local/jdk/lib/classes.zip
SSH_CONNECTION=69.57.173.236 49157 X.X.X.X 22
_=/usr/bin/perl

(SSH_CLIENT and SSH_CONNECTION show the spammer's yet-another-IP; I've captured and blocked hundreds of the spammer's IPs over two months.)

(see: http://www.linuxquestions.org/questi...ml#post4244850 --- tailtwister, I hope you replaced your sshd, you have the same issue. Once your firewall is down, the spammer can get back to you.)

So you can grab it and block it. Each time it's different. It is not meant to be some fancy backdoor; it just allows sending spam even when the Exim (or whatever else) hole is patched.

That is why when you block the IP it stays blocked. But the spammer is back again one or two days later; sometimes it takes longer before he's back, but he's always back, just with a different IP, unless OpenSSH is replaced. That is what happened in my case.

unSpawn: I can't provide anything else than what I already pasted because I'm not allowed, and it's not up to me to decide.

This is information for others who are still investigating the problem and may find my words helpful (however, I hope you all resolved it by now!!!); for others indeed it may be just words, but we want to stop the spammer on our servers, using LQ as a good way to communicate.
 
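The environment grab pr1soner describes above, as an added example that is not part of the original post: a small Python scanner (assumed names parse_environ, ssh_source_ip and scan_proc) that parses /proc/<pid>/environ, pulls the client address out of SSH_CLIENT or SSH_CONNECTION, and lists every process that inherited an SSH session environment, which is the condition the poster keys on. The embedded sample is the quoted environ block with its NUL separators restored (constructed for the demonstration).

```python
import os
from typing import Dict, List, Optional, Tuple


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Split a raw /proc/<pid>/environ blob (NUL-separated KEY=VALUE entries) into a dict."""
    env: Dict[str, str] = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def ssh_source_ip(env: Dict[str, str]) -> Optional[str]:
    """Client address from SSH_CLIENT ('ip port serverport') or SSH_CONNECTION, else None."""
    for var in ("SSH_CLIENT", "SSH_CONNECTION"):
        fields = env.get(var, "").split()
        if fields:
            return fields[0]
    return None


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Return (pid, client_ip, argv0) for every process carrying an SSH session environment."""
    hits: List[Tuple[int, str, str]] = []
    if not os.path.isdir(proc_root):
        return hits
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                env = parse_environ(fh.read())
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode("utf-8", "replace")
        except OSError:
            continue  # process exited, kernel thread, or no privilege to read it
        ip = ssh_source_ip(env)
        if ip:
            hits.append((int(name), ip, argv0))
    return hits


# Constructed sample: the environ block quoted in the post, NUL separators restored.
SAMPLE_ENVIRON = b"\0".join([
    b"SHELL=/bin/bash", b"SSH_CLIENT=69.57.173.236 49157 22", b"USER=root",
    b"PWD=/root", b"HOME=/root", b"SSH_CONNECTION=69.57.173.236 49157 X.X.X.X 22",
    b"_=/usr/bin/perl",  # '_' is the last command the shell ran, here a perl script
]) + b"\0"

if __name__ == "__main__":
    for pid, ip, argv0 in scan_proc():
        print(f"pid {pid}: ssh client {ip} running {argv0}")
```

Run it as root so every process's environ is readable; a root shell or perl process whose SSH_CLIENT is an address you never log in from is the signal the poster describes.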
Old 02-19-2011, 07:03 AM   #83
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I'll finish off this thread speculating (and I hate speculation when it comes to incident response) this likely is all due to two 2010 vulnerabilities (which I believe tvcnet pointed to earlier on in this thread): CVE-2010-4344 exim remote code execution flaw and CVE-2010-4345 exim privilege escalation, allowing an attacker to gain root.

In short, those two were fixed but never marked as security fixes, so distribution and web-based server administration software vendors who use older software versions could only back-port fixes when the vulnerability and fix got discussed (also see SANS ISC). Red Hat released RHSA-2010:0970-1 for CVE-2010-4344 on 2010-12-10 and Debian issued DSA-2131-1 for the same on the same date. Red Hat released RHSA-2011-0153 for CVE-2010-4345 on 2010-01-17 and Debian issued DSA-2154 on 2011-01-30 fixing both CVE-2010-4345 and CVE-2011-0017. Also see the Exim 4.74 Release.


In closing I'd like to thank Hangdog42 for sticking with this case and anyone who posted tangible information. To all who are affected: do note that just re-installing software and blocking at the firewall may seem like the right "solution", but since the attacker may have gained root, proper post-incident procedure should be followed. If anyone thinks they have compelling reasons not to do that, please remember that while Linux may be free to use, using it is not free of responsibilities.

Last edited by unSpawn; 02-19-2011 at 07:05 AM.
 
1 members found this post helpful.