Quote:
Originally Posted by zaeem
I can see many process like pscan2, scanssh and ./sshf processing on 'top'. The owner of these processes is non root account.
sshf and pscan2 are some of the scanners (ELF binaries in this case) I've seen reported in systems after a non-root compromise. Common infection vectors are running vulnerable versions of web stack software (PHP remote file inclusions for instance) or unprotected services (VNC on Ubuntu anyone?), often in combination with incorrect permissions or net-accessible accounts with weak or no passwords. In your case it's obvious the "tivoli" user account was used and it has gained a directory "/home/tivoli/ /game" (note the space) out of which processes run.
Best approach would be to
- read the CERT Intruder Detection Checklist to know what you'll be doing,
- raise your firewall to only allow traffic to and from your management IP or range,
- verbosely list processes, open files and network connections and save those logs,
- stop web-accessible and related services (web server, database),
- list and kill rogue processes,
- disable the "tivoli" account.
Next
- check all login records, system and daemon logs using the CERT checklist and Logwatch for clues,
- check software of services you provide for versions and vulnerability fixes,
- check services you provide for configuration errors.
All that and in that order before doing anything else.
Quote:
Originally Posted by zaeem
Can anybody let me know what can be the extent of loss due to these suspicious scripts?
If the "tivoli" account is an unprivileged user account, if only the "tivoli" user account was used to gain access and run processes, and if the perps did not have a need for breaching root, then the damage may be limited to only (setting up an IRC bot, sending spam? and/or) scanning other systems. Only an investigation of the system can provide evidence for that; anything else is speculation.
Quote:
Originally Posted by zaeem
How can I permanently remove these scripts from my server.
You should not "destroy evidence" until you have isolated the machine from the network, made a backup of "/home/tivoli/\ /game" and started investigating what actually happened.
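The "list and save first, then disable the account and kill its processes" order from the reply above, written out as an added example script that is not part of the original post. It assumes the account name "tivoli" and the directory "/home/tivoli/ /game" from this thread, and that it is run as root on the isolated machine:

```shell
#!/bin/sh
# Added example (not from the original post): collect volatile evidence first, then
# contain. Assumed from the thread: user "tivoli", rogue dir "/home/tivoli/ /game".
SUSPECT_USER="${SUSPECT_USER:-tivoli}"
ROGUE_DIR="${ROGUE_DIR:-/home/tivoli/ /game}"
EVIDENCE_DIR="${EVIDENCE_DIR:-/root/ir-$(date +%Y%m%d-%H%M%S)}"

# Save a command's output to $EVIDENCE_DIR/<name>.txt; note absent tools instead of
# failing, so one missing utility does not stop the collection.
capture() {
    name="$1"; shift
    mkdir -p "$EVIDENCE_DIR"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$EVIDENCE_DIR/$name.txt" 2>&1 || true
    else
        echo "missing tool: $1" >"$EVIDENCE_DIR/$name.txt"
    fi
}

# Step 1: processes, open files, sockets, login records and the user's crontab.
collect_volatile() {
    capture ps_all   ps -eo pid,ppid,user,lstart,etime,args
    capture lsof_all lsof -nP
    capture sockets  ss -tunap
    capture logins   last -ai
    capture crontab  crontab -u "$SUSPECT_USER" -l
}

# Backup of the rogue directory: listing, file hashes and an archive; nothing in it is run.
snapshot_rogue_dir() {
    [ -d "$ROGUE_DIR" ] || return 0
    mkdir -p "$EVIDENCE_DIR"
    ls -laR "$ROGUE_DIR" >"$EVIDENCE_DIR/rogue_ls.txt" 2>&1 || true
    find "$ROGUE_DIR" -type f -exec sha256sum {} + >"$EVIDENCE_DIR/rogue_sha256.txt" 2>&1 || true
    tar -czf "$EVIDENCE_DIR/rogue_dir.tgz" -- "$ROGUE_DIR" 2>/dev/null || true
}

# PIDs owned by the suspect user, one per line (empty if none).
suspect_pids() {
    ps -eo pid=,user= 2>/dev/null | awk -v u="$SUSPECT_USER" '$2 == u { print $1 }'
}

# Step 2: lock the account and remove its shell, then kill whatever it is running.
contain_account() {
    passwd -l "$SUSPECT_USER" && usermod -s /usr/sbin/nologin "$SUSPECT_USER"
    for pid in $(suspect_pids); do kill -KILL "$pid" 2>/dev/null || true; done
}

case "${1:-}" in collect) collect_volatile; snapshot_rogue_dir ;; contain) contain_account ;; esac
```

Run `./ir.sh collect` before `./ir.sh contain`, and keep $EVIDENCE_DIR off the compromised host once it is written.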