Possible system compromise (slackware linux 10.2, apache 1.3.33, OpenSSL 0.9.7g)
I've recently been noticing lots of failed password attempts in my messages log (/var/log/messages). I'm pretty sure it's a dictionary attack but I thought it hadn't worked, until now. I woke up this morning (May 10th) and my PC had rebooted during the night. The log tells me it was around 3:30 am:
Code:
May 9 22:55:55 chidori sshd[11286]: Invalid user desktop from 62.233.144.26
May 9 22:55:55 chidori sshd[11286]: Failed password for invalid user desktop from 62.233.144.26 port 2959 ssh2
May 9 22:55:56 chidori sshd[11289]: Invalid user workshop from 62.233.144.26
May 9 22:55:56 chidori sshd[11289]: Failed password for invalid user workshop from 62.233.144.26 port 2999 ssh2
May 9 22:55:56 chidori sshd[11292]: Invalid user mailnull from 62.233.144.26
May 9 22:55:56 chidori sshd[11292]: Failed password for invalid user mailnull from 62.233.144.26 port 3034 ssh2
May 9 22:55:57 chidori sshd[11295]: Invalid user nfsnobody from 62.233.144.26
May 9 22:55:57 chidori sshd[11295]: Failed password for invalid user nfsnobody from 62.233.144.26 port 3377 ssh2
May 9 22:55:58 chidori sshd[11298]: Invalid user rpcuser from 62.233.144.26
May 9 22:55:58 chidori sshd[11298]: Failed password for invalid user rpcuser from 62.233.144.26 port 3408 ssh2
May 9 22:55:58 chidori sshd[11301]: Failed password for rpc from 62.233.144.26 port 3472 ssh2
May 9 22:55:59 chidori sshd[11304]: Invalid user gopher from 62.233.144.26
May 9 22:55:59 chidori sshd[11304]: Failed password for invalid user gopher from 62.233.144.26 port 3511 ssh2
May 9 23:13:22 chidori -- MARK --
May 9 23:33:22 chidori -- MARK --
May 9 23:53:22 chidori -- MARK --
May 10 00:13:22 chidori -- MARK --
May 10 00:33:22 chidori -- MARK --
May 10 00:53:22 chidori -- MARK --
May 10 01:13:22 chidori -- MARK --
May 10 01:33:22 chidori -- MARK --
May 10 01:53:22 chidori -- MARK --
May 10 02:13:22 chidori -- MARK --
May 10 02:33:22 chidori -- MARK --
May 10 02:53:22 chidori -- MARK --
May 10 03:13:22 chidori -- MARK --
May 10 03:29:59 chidori syslogd 1.4.1: restart.
I've got more dictionary attacks today around 12:50, from different IP addresses, so I assume they're all zombie hosts.
I ran rkhunter and got the following warnings etc.:
I can't help you to find out if you have been compromised, but you may want to take a look at denyhosts. It might save you the trouble of this problem next time.
First off, in the future you must make sure that all passwords are completely random. Second, if you have to reinstall because you aren't sure, try installing tripwire before you hook your comp back up to the net. I am not very familiar with system compromises but I thought that you could see if they succeeded in logging in. If they did...I would suggest reinstalling.
My passwords _are_ random, and I'm pretty sure that the dictionary attack didn't do it, because it's still going. I'd still like to know where I can find logs which will tell me why it shut down...
Oh, and I've looked through /var/log/messages, it's all dictionary attacks (well, most of it) except for the part where it boots. I just posted a snippet earlier.
I'll preface this with stating that I'm a security amateur, but as far as your ssh logs go, there is nothing there that indicates a successful attack. All of the login attempts failed. Anyone running an ssh server on port 22 is going to get a ton of those (see the sticky thread at the top of this forum for info on what you can/should do about these).
The restart entry isn't a system reboot, it is the syslog daemon restart. Given that it happened at 3:30AM, I would strongly suspect that it is logrotate running its daily cron job. Have a look at root's crontab file and see what time logrotate is running.
Now the http access strikes me as kind of funny because it is occurring on port 6667 and it seems to be entirely internal (the requesting IP and target IP are the same). Have you installed any software that would listen on that port? Something is definitely listening there because the request was to that port and the 200 is a successful response.
Other suggestions:
Have a look at the output of netstat -pantu and see what is listening. You should be able to account for all of the ports listed. If not, post the output.
Look at the output of last and see if there are logins you can't account for.
The downside is that if you have been compromised, it is possible that these commands (and the system logs) have been altered to hide the compromise. The chkrootkit response may not indicate a compromise since I think it is sensitive to hidden directories and files in certain system locations. Try running it again and run rkhunter for a second opinion.
<EDIT>
Ooops, I see you did run rkhunter. Try running chkrootkit and see if it turns up anything.
</EDIT>
Do you have a firewall on this machine? If so, posting it may be helpful.
Finally, it won't help now, but in the future, it would be a good idea to run a file integrity checking system like Aide, Samhain or Tripwire. However, you need to run those on systems you are positive are clean.
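As an added example (not code from the thread or any of its posters), a small POSIX shell triage script that does what the reply above suggests against a /var/log/messages snippet: it tallies failed sshd attempts per source address and per user name, pulls out successful logins, and tells a syslogd HUP apart from a real boot. The sample log lines and the alice/192.0.2.7 login are constructed; LOG_FILE is an assumed variable for pointing it at a real log.

```shell
#!/bin/sh
# Added triage helper, not code from the thread. From a /var/log/messages snippet it
# shows who hammered sshd with which names, whether any login succeeded, and whether a
# "syslogd ... restart." line is a boot or a HUP from logrotate. Sample lines are
# constructed (alice/192.0.2.7 is made up); set LOG_FILE=/var/log/messages for a real log.
LOG=$(cat <<'EOF'
May 9 22:55:55 chidori sshd[11286]: Invalid user desktop from 62.233.144.26
May 9 22:55:55 chidori sshd[11286]: Failed password for invalid user desktop from 62.233.144.26 port 2959 ssh2
May 9 22:55:58 chidori sshd[11301]: Failed password for rpc from 62.233.144.26 port 3472 ssh2
May 9 22:56:02 chidori sshd[11310]: Failed password for invalid user gopher from 10.0.0.9 port 40001 ssh2
May 10 03:13:22 chidori -- MARK --
May 10 03:29:59 chidori syslogd 1.4.1: restart.
May 10 08:02:11 chidori sshd[11340]: Accepted password for alice from 192.0.2.7 port 51000 ssh2
EOF
)
if [ -n "${LOG_FILE:-}" ]; then LOG=$(cat "$LOG_FILE"); fi

# Failed password attempts per source address, busiest first.
failed_by_source() {
  printf '%s\n' "$LOG" | awk '/Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
    } END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr
}

# Distinct names tried; both "for invalid user X from" and "for X from" forms occur.
usernames_tried() {
  printf '%s\n' "$LOG" | awk '/Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "for") { u = ($(i+1) == "invalid") ? $(i+3) : $(i+1); print u }
    }' | sort -u
}

# The lines that decide "did they get in": successful sshd authentications.
accepted_logins() { printf '%s\n' "$LOG" | awk '/sshd\[[0-9]+\]: Accepted /'; }

# A boot is followed by kernel (klogd) lines; logrotate's HUP gives only the bare restart line. Confirm with "last reboot".
classify_syslogd_restarts() {
  printf '%s\n' "$LOG" | awk '
    { line[NR] = $0 }
    END {
      for (i = 1; i <= NR; i++) {
        if (line[i] !~ /syslogd .*: restart\.$/) continue
        boot = 0
        for (j = i; j <= i + 20 && j <= NR; j++) if (line[j] ~ / kernel: /) boot = 1
        split(line[i], f, " ")
        printf "%s %s %s: %s\n", f[1], f[2], f[3], (boot ? "system boot" : "daemon restart (logrotate/HUP), not a reboot")
      }
    }'
}
failed_by_source; usernames_tried; accepted_logins; classify_syslogd_restarts
```

The kernel-message heuristic only works if klogd output lands in the same file; on a box where it goes elsewhere, trust the wtmp record from `last reboot` instead.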
I'm not sure what the apache CONNECT and POST things were about, but they aren't internal IPs (I tracerouted them)
chkrootkit didn't find anything at all, which suggests it's fine, but the rebooting still puzzles me, and I don't see what could have caused it to restart.
I guess that aside from the odd re-boot and the http connection, I'm not seeing anything that raises any red flags. You obviously have some services listening, but there don't appear to be any established connections and there isn't anything unusual about the listening programs (by the way, you did run that as root, didn't you?). Chkrootkit coming back clean is a good sign.
At this point the choice is really yours and depends on your personal level of paranoia. If you want to be absolutely sure your machine is clean, a complete re-install is in order. There just isn't any other way to be sure. As I said before, one of the problems with actually being cracked is that the crackers can be very good at hiding their tracks. If you do go this route, I would strongly suggest getting Aide, Samhain or Tripwire onto that box immediately as one of those programs could tell you if files have been changed.
However, if you don't want to re-install, I would keep a very close eye on the box and spend some serious time reading the thread unSpawn has stickied at the top of this forum. There is lots of good stuff there on how to monitor a box as well as what you can do to harden it.