LinuxQuestions.org
Old 09-13-2006, 02:21 PM   #1
jsm
LQ Newbie
 
Registered: Sep 2006
Posts: 3

I have been brute forced (ssh)


Well I have this server, FC4, and it usually is only available by LAN. But 2 days ago I had to leave so I decided to forward port 22 on my router to this machine. I know there is a lot of scanning going on and I had neither changed the default port nor set AllowUsers in its conf. But I wasn't really worried, it was only for a while and except for root, there is only my user. The thing is, today looking at the logs I found this:

Code:
Sep 13 03:28:54 fc4server sshd[3625]: Invalid user gnax from 207.24.90.102
Sep 13 03:28:56 fc4server sshd[3625]: Failed password for invalid user gnax from 207.24.90.102 port 57591 ssh2
Sep 13 03:28:57 fc4server sshd[3627]: Invalid user gnax from 207.24.90.102
Sep 13 03:28:59 fc4server sshd[3627]: Failed password for invalid user gnax from 207.24.90.102 port 57727 ssh2
Sep 13 04:02:01 fc4server sshd[3840]: reverse mapping checking getaddrinfo for 82-79-157-163.oradea.rdsnet.ro failed - POSSIBLE BREAKIN ATTEMPT!
Sep 13 04:02:03 fc4server sshd[3840]: Accepted password for cyrus from 82.79.157.163 port 61996
Sep 13 05:53:23 fc4server sshd[7190]: reverse mapping checking getaddrinfo for 82-79-157-163.oradea.rdsnet.ro failed - POSSIBLE BREAKIN ATTEMPT!
Sep 13 05:53:27 fc4server sshd[7190]: Accepted password for cyrus from 82.79.157.163 port 62467
Sep 13 13:27:45 fc4server sshd[13631]: Accepted password for root from 10.10.0.67 port 2384 ssh2
At first it's the usual brute force stuff, then when I saw cyrus, I remembered! I had been setting up cyrus-imap following a guide and left in the middle of doing it! user=cyrus pass=cyrus, that's why it was guessed. The root login was me, 8 hours after! I checked user cyrus, guess what? The password was not cyrus anymore, it had been changed...

I need some help on checking if the server has been compromised! The things I have done for now:
- userdel cyrus (I don't need it, was just testing stuff)
- removed port forwarding rule, server is unreachable from the outside, can't block him on outgoing doh, he is a proxy server...

What else can I check/do ?

Yeah, what was cyrus doing?
Code:
Sep 13 07:37:22 fc4server master[7836]: about to exec /usr/lib/cyrus-imapd/ctl_cyrusdb
Sep 13 07:37:22 fc4server ctl_cyrusdb[7836]: checkpointing cyrus databases
Sep 13 07:37:22 fc4server ctl_cyrusdb[7836]: archiving database file: /var/lib/imap/annotations.db
Sep 13 07:37:22 fc4server ctl_cyrusdb[7836]: archiving log file: /var/lib/imap/db/log.0000000001
Sep 13 07:37:22 fc4server ctl_cyrusdb[7836]: archiving database file: /var/lib/imap/mailboxes.db
Sep 13 07:37:22 fc4server ctl_cyrusdb[7836]: archiving log file: /var/lib/imap/db/log.0000000001
Sep 13 07:37:22 fc4server ctl_cyrusdb[7836]: done checkpointing cyrus databases
Sep 13 07:37:22 fc4server master[8367]: process 7836 exited, status 0
Sep 13 07:44:12 fc4server sendmail[2146]: rejecting connections on daemon MTA: load average: 18
Sep 13 07:44:28 fc4server sendmail[2146]: rejecting connections on daemon MTA: load average: 24
Sep 13 07:44:43 fc4server sendmail[2146]: rejecting connections on daemon MTA: load average: 29
Sep 13 07:44:59 fc4server sendmail[2146]: rejecting connections on daemon MTA: load average: 28
Sep 13 07:45:14 fc4server sendmail[2146]: rejecting connections on daemon MTA: load average: 34
Sep 13 07:45:29 fc4server sendmail[2146]: rejecting connections on daemon MTA: load average: 40
Sep 13 07:45:44 fc4server sendmail[2146]: rejecting connections on daemon MTA: load average: 43
Sep 13 07:45:59 fc4server sendmail[2146]: rejecting connections on daemon MTA: load average: 49
Sep 13 07:46:14 fc4server sendmail[2146]: rejecting connections on daemon MTA: load average: 51
help?
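A quick triage of the sshd lines in the post above, as an added example (not the poster's or the moderator's code): it counts failed attempts per source address and flags every successful password login that did not come from the LAN, noting whether the same sshd process had logged a reverse-mapping failure first, which is exactly the pattern that exposed the cyrus account here. The log sample is constructed from the lines quoted in the post; the LAN prefix 10.10. is an assumption taken from the admin's own root login.

```sh
#!/bin/sh
# Constructed sample: the sshd entries quoted in the post above.
SAMPLE_LOG='Sep 13 03:28:54 fc4server sshd[3625]: Invalid user gnax from 207.24.90.102
Sep 13 03:28:56 fc4server sshd[3625]: Failed password for invalid user gnax from 207.24.90.102 port 57591 ssh2
Sep 13 03:28:57 fc4server sshd[3627]: Invalid user gnax from 207.24.90.102
Sep 13 03:28:59 fc4server sshd[3627]: Failed password for invalid user gnax from 207.24.90.102 port 57727 ssh2
Sep 13 04:02:01 fc4server sshd[3840]: reverse mapping checking getaddrinfo for 82-79-157-163.oradea.rdsnet.ro failed - POSSIBLE BREAKIN ATTEMPT!
Sep 13 04:02:03 fc4server sshd[3840]: Accepted password for cyrus from 82.79.157.163 port 61996
Sep 13 05:53:23 fc4server sshd[7190]: reverse mapping checking getaddrinfo for 82-79-157-163.oradea.rdsnet.ro failed - POSSIBLE BREAKIN ATTEMPT!
Sep 13 05:53:27 fc4server sshd[7190]: Accepted password for cyrus from 82.79.157.163 port 62467
Sep 13 13:27:45 fc4server sshd[13631]: Accepted password for root from 10.10.0.67 port 2384 ssh2'

# Assumed LAN prefix; anything else is treated as an external source.
LAN_PREFIX="10.10."

# failed_by_ip LOG: prints "count ip" for failed password attempts, busiest source first.
failed_by_ip() {
  printf '%s\n' "$1" \
    | awk '/sshd\[[0-9]+\]: Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# external_logins LOG LAN_PREFIX: prints "user ip rdns-state" for each accepted
# password login from outside the LAN. The rdns state is "no-rdns" when the same
# sshd[pid] logged a reverse mapping failure before accepting the password.
external_logins() {
  printf '%s\n' "$1" | awk -v lan="$2" '
    /reverse mapping checking getaddrinfo/ {
      match($0, /sshd\[[0-9]+\]/); nordns[substr($0, RSTART, RLENGTH)] = 1
    }
    /Accepted password for/ {
      match($0, /sshd\[[0-9]+\]/); pid = substr($0, RSTART, RLENGTH)
      for (i = 1; i <= NF; i++) if ($i == "from") { user = $(i - 1); ip = $(i + 1) }
      if (index(ip, lan) != 1) print user, ip, (pid in nordns ? "no-rdns" : "rdns-ok")
    }'
}

# Stand-alone run over the sample (on a live box: pipe /var/log/secure in instead).
failed_by_ip "$SAMPLE_LOG"
external_logins "$SAMPLE_LOG" "$LAN_PREFIX"
```

On an FC4 box the same functions apply to the contents of /var/log/secure; any "no-rdns" line for an account you did not log into yourself is the one to investigate first.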
 
Old 09-13-2006, 02:38 PM   #2
tito2502
LQ Newbie
 
Registered: Apr 2006
Distribution: Suse 10.1
Posts: 28

Probably some script kiddie, I imagine he looked at some files then tried an rm -rf then left.
 
Old 09-13-2006, 03:20 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Hello and welcome to LQ, hope you like it here.
Sorry to see it had to be on an occasion like this.

Quote:
I need some help on checking if the server has been compromised!
Check these as reference of things to check:
- Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html
- Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html
This will come in handy later on:
- LQ FAQ: Security references: http://www.linuxquestions.org/questi...threadid=45261

I understand the box is a server on your LAN and used as SMTP. Is it in a DMZ or not?
- is all software up to date?
- did any auth data change other than the cyrus pass?
- did any other (unexpected) logins occur in that period (also on adjacent boxen)?
- did you check all system, daemon and firewall logs?
- do you run a file integrity checker (Aide, Samhain or even tripwire)?
- if none available, did you run your distro's package manager in verification mode?
- do/did you run Chkrootkit or Rootkit Hunter?
- find files changed (find, -mmin)?

* If unsure about anything, reboot the box with a Live or Rescue CD for investigation. If you can't because critical business services are running, you will need to plan for checking the box outside of business hours and/or fail over the services to another box first, but don't wait like 24hrs before doing so. A compromise should be acted upon immediately.


Quote:
userdel cyrus (I don't need it, was just testing stuff)
Disabling would have been "better": fewer changes mean fewer things to verify until the situation is under control.


Quote:
removed port forwarding rule, server is unreachable from the outside
Excellent.


Quote:
can't block him on outgoing doh, he is a proxy server...
You can check processes for anomalies (log, save) and kill (restart) those.


---
@tito2502: Probably some script kiddie, I imagine he looked at some files then tried an rm -rf then left.
"Imagining" things is not part of what incident response should be.
Instead work with facts: that's the only solid basis to work on.
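The "find files changed" item in the checklist above, as an added example that is not part of the thread: one function lists regular files modified after a known timestamp (here the first cyrus login at 04:02 on Sep 13, taken from the log in the first post), the other lists files touched in the last N minutes as the moderator's -mmin hint suggests. Both stay on one filesystem so /proc and /sys are skipped; the function names and the use of a reference file for the cut-off are this example's own choices.

```sh
#!/bin/sh
# Triage helpers for the checklist item "find files changed (find, -mmin)".

# changed_since ROOT YYYYMMDDhhmm
# Prints every regular file under ROOT modified after the given local timestamp.
# A temporary reference file carries the cut-off mtime so plain POSIX find can
# compare against it with -newer; -xdev keeps the walk on one filesystem.
changed_since() {
  root=$1
  stamp=$2
  ref=$(mktemp) || return 1
  touch -t "$stamp" "$ref" || { rm -f "$ref"; return 1; }
  find "$root" -xdev -type f -newer "$ref" 2>/dev/null | sort
  rm -f "$ref"
}

# changed_in_last ROOT MINUTES
# Prints regular files under ROOT modified within the last MINUTES minutes.
changed_in_last() {
  find "$1" -xdev -type f -mmin "-$2" 2>/dev/null | sort
}

# Example run for the incident above; on the real box this would be
#   changed_since / 200609130402 > /root/changed-since-0402.txt
# and the output reviewed from a rescue CD rather than trusted on a live system.
changed_since /etc 200609130402 | head -n 20
```

Save the output somewhere that is not on the suspect box; a list of files changed since the first unexpected login is the fact base the moderator is asking for.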
 
All times are GMT -5. The time now is 09:34 AM.