File '/usr/bin/ssh' is owned by root and has written permissions to anyone.
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
File '/usr/bin/ssh' is owned by root and has written permissions to anyone.
Hey guys,
I am running a debian server with OSSEC. Today I got a few warnings likes this:
Code:
Received From: SERVER->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):
File '/usr/bin/ssh' is owned by root and has written permissions to anyone.
same for a few more files:
/usr/sbin/sshd
/etc/rcS.d/S76pdflush
What does that mean and what permissions should I give those? If I try the following it's failing?!
Quote:
SERVER:~# ls -lh /usr/bin/ssh
-rwxrwxrwx 1 root root 372K 14. Dez 2010 /usr/bin/ssh
SERVER:~# chmod a-w /usr/bin/ssh
chmod: Beim Setzen der Zugriffsrechte für „/usr/bin/ssh“: Die Operation ist nicht erlaubt
SERVER:~#
Sorry, that's german. Means no permissions for the operation... and YES I am root.
Even if the program is not setuid root, the fact that it is writable by anyone means that any user could replace
ssh or sshd by any other executable. Since ssh can prompt for passwords on other machines, this can be used to
steal login and passwords for instance.
Can you do chmod 755 /usr/bin/ssh ? Is /usr/bin/ssh an executable file or a symbolic link to (say) /usr/local/bin/ssh ?
In practical terms, when is the last time you ran the program that gave you these warnings ?
Can you check who logged between the 2 runs ? Have you installed any package between the 2 runs ?
Are there any miconfigured daemons on your system that could have changed the permissions of these files ?
File '/usr/bin/ssh' is owned by root and has written permissions to anyone.
- find out if the access rights are default for Debian (they should not be).
Quote:
Originally Posted by Babelduo
Code:
SERVER:~# ls -lh /usr/bin/ssh
-rwxrwxrwx 1 root root 372K 14. Dez 2010 /usr/bin/ssh
SERVER:~# chmod a-w /usr/bin/ssh
chmod: Beim Setzen der Zugriffsrechte für „/usr/bin/ssh“: Die Operation ist nicht erlaubt
SERVER:~#
- run 'lsattr' on the binary. Chances are the immutable bit is set which is a good indication of malicious activity. That being the case you should perform an investigation to learn how the perp got in. After all replacing binaries requires root rights. Until you have investigated it is strongly suggested to treat the machine as unsafe, compromised.
first, thanks all of you! It seems that my server has been compromised, I am getting back that late because I did the only thing you can do in that situations - move to a new one. Quite a hassle but else you never know where some bad stuff has been placed
So some https connections to 58.120.226.31... and when you open this IP in your browser you get a nice message:
Code:
Hi~ My name is Min^^«á
What do you want to do next?
Yep, what do I want to do next? Any ideas how I could trace this back and see what caused it?
I have/had Plesk 11 running (which will be behind htaccess from now on)
And I had two older php-scripts running (http://extplorer.sourceforge.net/ and http://www.frech.ch/online-bookmarks/), which will be behind htaccess as well.
Else just Wordpress installations which I keep always up to date (thanks to email notifications for updates).
I really have to say thanks to Ossec, else I would have never known about it. You use Ossec or something else?
pdflush is a legitimate process that is simply flushing the
disk cache to the hard disk. A whois on 85.25.149.52 gives BSB Service GmbH (you ?) but a whois on 192.71.253.25
gives Hexero Ltd in Cyprus. Is there some NFS/CIFS/AFS or other distributed filesystem mount ? The IP address
58.120.226.31 is in Korea. You can obtain more details from http://whois.nic.or.kr/english/index.html. You should look at the /var/log/messages and /var/log/syslog for the
period between the last normal run of OSSEC and the first abnormal one (although it is quite possible that the
crackers have deleted/modified these files to erase their tracks). You may also use the commands last |head -100
to determine the last 100 logins (with the same caveat) and see it there is something suspicious. Looking at
/etc/passwd to check whether extra accounts have been created is of course necessary. You should also be careful
about the at/batch queues and the crontab, the /etc/sudoers and /etc/ftpusers files, inetd.conf hosts.allow/deny files
and other important system files. If these files have been changed, it might be useful to note the date and time
of the modification. You may also want to look at the shell history files of all your users, especially if you
have located logins at suspicious times with the last command. Of course, all that may return nothing if the crackers
have carefully erased their tracks, but it might give you a hint of the vulnerability they have exploited and of
the software they have installed on your machine.
first, thanks all of you! It seems that my server has been compromised, I am getting back that late because I did the only thing you can do in that situations - move to a new one. Quite a hassle but else you never know where some bad stuff has been placed
That's OK mitigation-wise (and as long as you did not migrate any binaries, and inspected any configuration and web site content beforehand) but like I said before you should still learn the infection vector.
Quote:
Originally Posted by Babelduo
I don't know what its about this pdflush
It's clearly a rogue process.
Quote:
Originally Posted by Babelduo
But it was hidden as "lsof" has been replaced by a script (..) And "pstree" has been replaced by a script as well
Thanks for posting contents. I'd love to get my hands on the changed files. Any chance you can ship them to me as a tar ball? (Please contact me by email.)
Quote:
Originally Posted by Babelduo
So I started "top" and could see two suspicious commands running
Apart from the root compromise you see two shells running as user "www-data". While those processes could have ended up anywhere it's all too common to see web stack exploits due to credentials leeching (infected clients), bad password policies (brute forcing) but most of all stale, deprecated, vulnerable software (or themes, plugins, etc, etc.).
Quote:
Originally Posted by Babelduo
I have/had Plesk 11 running (..) I had two older php-scripts running (http://extplorer.sourceforge.net/ and http://www.frech.ch/online-bookmarks/), which will be behind htaccess as well. Else just Wordpress installations (..).
Wrt the olders scripts: if no current, maintained version exists you should not use them, period. And even if you keep using web-based control panels and CMSes you should not rely solely on access restrictions and automagical update features but be vigilant and periodically check any aspect of them. You know there's still TimThumb-infected hosts out there?
Quote:
Originally Posted by Babelduo
Yep, what do I want to do next? Any ideas how I could trace this back and see what caused it?
edorig is right saying you should do log analysis first. If you don't know how it's probably easiest to copy all log files including archived ones off the machine and process them on another machine using Logwatch.
Quote:
Originally Posted by Babelduo
You use Ossec or something else?
Personally I prefer a combination of hardening, auditd service rules, Samhain and LMD. The most important thing is to know what you use and ensure it covers all aspects that need covering.
Quote:
Originally Posted by edorig
pdflush is a legitimate process that is simply flushing the disk cache to the hard disk.
You're ignoring the fact that the OP already presented nfo showing the fake "pdflush" has a relatively high PID (kernel threads usually have low PIDs), is listening on a port and is actually showing a connection. You got smacked by the old argv[0] trick of taking things at face value.
sure I will send you those as tar file. Where can I find your email or send a pm message in this forum? Can't find it... maybe it's me, maybe the 3rd glass of wine!
Thanks for the tar ball. Seems I'm missing /var/system/pagezero/bufdaemon (or rather: the contents of /var/system/pagezero/, /usr/src/bin/, /etc/X11/applnk/)? Noticing the two PHP backdoors also please check http://www.kb.cert.org/vuls/id/673343. Also when was this system setup? Are there any other anomalous files or files with similar modification dates?
Couple of comments. This setup relies on obfuscation and the careless admin user giving processes no more than a cursory glance as there is no "pdflush" service. The dirty page daemon is a kernel thread called 'pdflush' which is a child of 'kthread' which itself is a child of init. The same goes for "pagezero" and "bufdeamon" which are system processes alright when running BSD. The clumsy grep
is kind of intriguing as it references strings I've not seen files for like "kaud" and "libsslo". The latter (don't misread this as libssl.o) was referenced elsewhere as another immutable file "/usr/lib/libsslo.so" on a compromised server. And /var/system/pagezero/bufdaemon appears to be Iroffer, an IRC fileserver using DCC. Since you were warned on the 6th I think you got lucky (figuratively speaking only of course) because the modification date of /usr/src/bin/ and /var/system/pagezero/ match (though time stamps certainly can be manipulated by root). Running 'strings' and 'readelf' on the regular ssh binaries don't show much except they use less libraries than mine would (but I'm using another distribution) and they show no sign of pass phrase leeching. Nonetheless it requires root rights to replace these binaries so I would alert all users and have all pass phrases changed (you adhere to SSH best practices, do you?) and check the Securing Debian Manual (http://www.debian.org/doc/manuals/se...-debian-howto/) for hardening measures to apply before re-enabling any networked services.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.