Quote:
Originally Posted by 120
One thing crosses my mind with back-dooring sshd. If it is to allow the attacker INBOUND access, then IPTABLES limiting the range of IPs that can connect to port 22 would resolve that.
True, this would help, but some systems need to have 22/tcp wide open.
You must know that the whole spam thing seems to be automated, starting from exploiting the Exim hole and finishing with returning via the backdoored sshd, all automated. It seems it doesn't matter to the attacker if you block his IP or detect his IP, as he doesn't try to hide it (still, it's a pretty nice attack, as we all here had tons of questions). I've written a script that detects the spammer's activity (it works based on a few conditions that are always present when the spammer's script is active). The IP is written in the SSH environment variables.
Here is how it looks when you grab it:
captured '/proc/3907/environ' info:
SHELL=/bin/bash
SSH_CLIENT=69.57.173.236 49157 22
USER=root
LS_COLORS=
MAIL=/var/mail/root
PATH=/usr/local/jdk/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/bin:/usr/X11R6/bin
PWD=/root
JAVA_HOME=/usr/local/jdk
EDITOR=pico
SHLVL=1
HOME=/root
LS_OPTIONS=--color=tty -F -a -b -T 0
LOGNAME=root
VISUAL=pico
CLASSPATH=.:/usr/local/jdk/lib/classes.zip
SSH_CONNECTION=69.57.173.236 49157 X.X.X.X 22
_=/usr/bin/perl
(SSH_CLIENT and SSH_CONNECTION show the spammer's yet-another IP; I've captured and blocked hundreds of the spammer's IPs over two months.)
(see: http://www.linuxquestions.org/questi...ml#post4244850 --- tailtwister, I hope you replaced your sshd, you have the same issue. Once your firewall is down, the spammer can get back to you.)
So you can grab it and block it. Each time it's different. It is not meant to be some fancy backdoor; it just allows sending spam even when the Exim (or whatever else) hole is patched.
That is why when you block the IP it stays blocked. But the spammer is back again one or two days later; sometimes it takes longer before he's back, but he's always back, just with a different IP, unless OpenSSH is replaced. That is what happened in my case.
unSpawn: I can't provide anything other than what I already pasted, because I'm not allowed and it's not up to me to decide.
This is information for others who are still investigating the problem and may find my words helpful (however, I hope you all have resolved it by now!!!); for others indeed it may be just words, but we want to stop the spammer on our servers, using LQ as a good way to communicate.
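The detection the post describes, as an added example that is not the poster's script and not part of the original thread: read each process's /proc/PID/environ (which on disk is NUL-separated, unlike the flattened paste above), pull the peer address out of SSH_CONNECTION / SSH_CLIENT, and emit an iptables DROP rule for it. The post does not say which conditions its script checks, so the match conditions in looks_like_spammer (root, perl, SSH session in the environment) are an assumption for this example, as are the sample environ blob, the sample cmdline and the documentation addresses 192.0.2.10 and 198.51.100.5.

```python
#!/usr/bin/env python3
"""Added example: find processes that inherited an SSH session's environment
from a (possibly backdoored) sshd and emit iptables rules for the peer IP.
Not the poster's script; the match conditions are an assumption."""
import ipaddress
import os
import subprocess
import sys

# Constructed sample environ blob in the NUL-separated form /proc/<pid>/environ
# really has. 192.0.2.10 / 198.51.100.5 are documentation addresses, not the
# IPs from the post.
SAMPLE_ENVIRON = (
    b"SHELL=/bin/bash\0SSH_CLIENT=192.0.2.10 49157 22\0USER=root\0"
    b"PATH=/usr/local/jdk/bin:/usr/bin:/bin\0PWD=/root\0"
    b"SSH_CONNECTION=192.0.2.10 49157 198.51.100.5 22\0_=/usr/bin/perl\0"
)
SAMPLE_CMDLINE = b"/usr/bin/perl\0/tmp/.x.pl\0"  # constructed, not from the post


def parse_environ(blob: bytes) -> dict:
    """Split a /proc/<pid>/environ blob into {name: value}.

    Entries are NUL-terminated; an entry without '=' keeps an empty value.
    """
    env = {}
    for entry in blob.split(b"\0"):
        if not entry:
            continue
        name, _, value = entry.partition(b"=")
        env[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def ssh_peer_ip(env: dict):
    """Return the remote address sshd recorded in SSH_CONNECTION or SSH_CLIENT.

    Both start with '<client ip> <client port>'. The value is validated as an
    IP address so nothing else from a hostile environment reaches iptables.
    Returns None when neither variable holds a usable address.
    """
    for var in ("SSH_CONNECTION", "SSH_CLIENT"):
        fields = env.get(var, "").split()
        if not fields:
            continue
        try:
            return str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
    return None


def looks_like_spammer(env: dict, cmdline: bytes) -> bool:
    """Hypothetical match conditions (an assumption for this example; the post
    does not name the conditions its script uses): a root process running perl
    that still carries an SSH session in its environment."""
    argv0 = cmdline.split(b"\0", 1)[0]
    is_perl = os.path.basename(argv0).startswith(b"perl")
    return env.get("USER") == "root" and is_perl and ssh_peer_ip(env) is not None


def iptables_drop_cmd(ip: str) -> list:
    """argv (no shell involved) that inserts a DROP for the peer at the top of INPUT."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def scan_proc(proc: str = "/proc") -> list:
    """Walk /proc and return (pid, peer_ip) for every matching process.

    Reading another user's environ needs root; unreadable or already exited
    PIDs are skipped rather than aborting the scan.
    """
    hits = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "environ"), "rb") as f:
                env = parse_environ(f.read())
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                cmdline = f.read()
        except OSError:
            continue
        if looks_like_spammer(env, cmdline):
            hits.append((int(pid), ssh_peer_ip(env)))
    return hits


if __name__ == "__main__":
    # Prints the rules by default; pass --apply (as root) to insert them.
    apply_rules = "--apply" in sys.argv
    for pid, ip in scan_proc():
        cmd = iptables_drop_cmd(ip)
        print(f"pid {pid}: ssh peer {ip} -> {' '.join(cmd)}")
        if apply_rules:
            subprocess.run(cmd, check=False)
```

Two caveats when running something like this from cron: the environment block is what the process inherited at exec, and a process can rewrite its own, so the match is a heuristic that only fires while the spam process is alive; and, as the post itself concludes, blocking each new peer IP treats the symptom, while replacing the backdoored sshd is what actually closes the door.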