LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-12-2006, 06:04 PM   #1
xtremeclones
Member
 
Registered: Jan 2006
Posts: 70

Rep: Reputation: 15
Possible ssh breach


ok i had an unknown person ssh'ed onto my server, anyways he was logged on as root, most likely a pc somewhere in the office i didnt log off since im the only one witht the root passwd. I did a pkill root and it kicked me out also and i cant ssh back in, what can i do at this point, this is serious btw so no laughing. thanks a million.
 
Old 07-12-2006, 06:19 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
If you have access power off the thing now or ask someone to power it off. We'll handle the rest later.
 
Old 07-12-2006, 06:23 PM   #3
xtremeclones
Member
 
Registered: Jan 2006
Posts: 70

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn
If you have access power off the thing now or ask someone to power it off. We'll handle the rest later.
K, so after the reset the processes will come back and i can ssh?
 
Old 07-12-2006, 06:37 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
No, I'd rather you POWER OFF the box and don't disturb it until you can boot a Live or rescue CD.
BTW, is the box local or remote? If it appears to be a box on the LAN is compromised you'll have to take care of that first by alerting someone to take care of it or denying inbound access on the router to that segment and killing that box.
 
Old 07-12-2006, 06:43 PM   #5
xtremeclones
Member
 
Registered: Jan 2006
Posts: 70

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn
No, I'd rather you POWER OFF the box and don't disturb it until you can boot a Live or rescue CD.
BTW, is the box local or remote? If it appears to be a box on the LAN is compromised you'll have to take care of that first by alerting someone to take care of it or denying inbound access on the router to that segment and killing that box.
Ok, i found out it was a pc i thought it was off and it had the same file open, in other words there is no security breach. The box is at a nap, ill have to pass by tonight to reset it, i just scared that once i have phisically rebooted the machine,that it will let me back in and bring all the processes up again.
 
Old 07-12-2006, 06:48 PM   #6
KimVette
Senior Member
 
Registered: Dec 2004
Location: Lee, NH
Distribution: OpenSUSE, CentOS, RHEL
Posts: 1,794

Rep: Reputation: 46
First off, don't entitle a topic "Heeeeeeeeeeeelp!!!" - Instead, describe the problem with an intelligent phrase.

Can you log in locally? If not, then bashrc, bash_profile, .login, or another startup script is probably malconfigured. Boot to single user mode or from a live CD and check the files. Also, check /etc/passwd to make sure that the login shell for root is configured as bash or something else reasonable, and that the MD5 signture of that instance of bash matches what you actually installed.

Actually, the ideal solution? If you are not absolutely, positively 100% certain you can find the exploit, back up your data, key configuration files (e.g., /etc/httpd, /etc/X11, etc/), your data, and anything else that is important then wipe the system and either restore from a backup or reinstall and copy your data (and config files) back to the new installation. You may actually save yourself a LOT of time that way.

If you don't want to R&R, then do the following:

Now, for the first step, can you log in locally? If so, the first thing you should do is install and run clamav, chkrootkit(http://www.chkrootkit.org/), and rkhunter (http://www.rootkit.nl/) on the entire filesystem to help ID compromised executables, and also known-bad executables. Check the usual suspects (/etc/ssh/, etc/passwd, etc.) for back doors. Check your /etc/init.d/ (runlevel) configuration to make sure that nothing unusual is being launched. I'd say to check timestamps on the init files to see if anything has been touched, but a good cracker would have touched the files to backdate mtime, ctime, and atime to evade suspicion, so your only recourse will be to either:

- diff the files against a KNOWN-clean system

or

- Examine each and every startup script to ID any potential back doors s/he added to the system

Eh, you know what? It's SO much work that you're best off restoring your most recent backup. I've cleaned systems before but unless you have a good basis for comparing the current config to the past (MD5 signatures or other method) or unless you've run rkhunter and/or chkrootkit from the very beginning and kept a history of changes, don't trust the system, unless it's just a toy in which case what's the big deal?
 
Old 07-12-2006, 06:49 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Good to hear it's no breach of security.
One down, two to go.
(Still, what's someone doing logged in as root? Is that really necessary? But OK...)
 
Old 07-12-2006, 06:51 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
//Not that it's not appreciated, but using "preview post" before posting may save typing. Apparently a lot of people don't use the feature.
 
Old 07-12-2006, 07:06 PM   #9
xtremeclones
Member
 
Registered: Jan 2006
Posts: 70

Original Poster
Rep: Reputation: 15
Im 100% sure there is no security breach whatsoever, Ill be going phisically to reset the machine. We do have an APC that can be remote managed but no one has the passwd, so ill have to phisically reset the pass on that one while im in there.
 
Old 07-12-2006, 07:28 PM   #10
KimVette
Senior Member
 
Registered: Dec 2004
Location: Lee, NH
Distribution: OpenSUSE, CentOS, RHEL
Posts: 1,794

Rep: Reputation: 46
Quote:
Originally Posted by unSpawn
//Not that it's not appreciated, but using "preview post" before posting may save typing. Apparently a lot of people don't use the feature.
Not that it's not appreciated, but if I'd clicked "preview post" and saw that the original poster had posted an update in the meantime, it'd not have saved me a single keystroke. Thanks, though!
 
Old 07-13-2006, 04:14 PM   #11
xtremeclones
Member
 
Registered: Jan 2006
Posts: 70

Original Poster
Rep: Reputation: 15
The aftermath

Today i walked to the actual server on the POP and it was completely frozen.I turned it off and on again, and it booted up just fine, all the processes run just fine. And i didnt get fired for bringing it down, So whats to learn fromall of this, perhaps.. tontt input a command before thoroughlydoing your research, and second, this forum pwns!!
 
Old 07-13-2006, 05:32 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
i didnt get fired for bringing it down
Cool


So whats to learn fromall of this, perhaps.. tontt input a command before thoroughlydoing your research
And maybe use more than one means of access for critical servers, like adding an (out of band) console server, monitoring and making sure services stay up and run Xinetd's backupssh on a different port ACL'ed to your management IP (range)?

BTW I'll change the thread title to "Possible ssh breach".
"Heeeeeeeeeeeelp!!!" just isn't descriptive enough...

Last edited by unSpawn; 07-13-2006 at 05:37 PM.
 
Old 07-13-2006, 05:44 PM   #13
easuter
Member
 
Registered: Dec 2005
Location: Portugal
Distribution: Slackware64 13.0, Slackware64 13.1
Posts: 538

Rep: Reputation: 62
@ xtremeclones:

just by chance i'm reading a book all about this kind of stuff. it called "Hardening Linux" and has everything to help make your server (neraly)bullet-proof.

i cant scan it for you :P , but i will leave you with the deatils so you can get it. it only cost $40 (sounds like a lot for a book, but well worth it to keep hackers out):

title: Hardening Linux
publisher: McGraw-Hill / Osborne
ISBN: 0-07-225497-1


you wont regret it i promisse
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Breach in Sendmail Security? bper Linux - Security 2 08-02-2005 06:40 PM
Possible breach Mig21 Linux - Security 2 07-05-2005 09:43 PM
Network Security Breach nbjayme Linux - Security 0 03-17-2004 07:49 PM
HTTP access_log: security breach? lhoff Linux - Security 3 02-16-2002 12:10 PM
Security breach? lhoff Linux - Security 5 02-15-2002 02:33 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:51 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration