Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-22-2012, 08:21 PM   #31
Original Poster
unSpawn asked for a follow-up.

Although my team did not do an RCA that led to the vector of attack, we do know a fw rule was put in place during the install of the fw which opened many systems to the public on SSH (about 1+ years ago). SSH scanning was well underway when, a few months back, the compromised system was added as a static NAT to the fw, which inherently allowed SSH to the public due to the rules of installation.

The customer installed a Nagios component using the default uid/passwd, and that account was compromised via an SSH dictionary attack. The attacker downloaded a 100MB file which looked to contain the data needed to create the files the attacker used to launch a UDP flood, an egress SSH scanner, and an IRC bot which connected to an Undernet IRC server in Tampa FL using.

The UDP flooder was a Perl script. The SSH scanner was an ELF "pscan2", and we also found an ELF "hide" which could hide processes under alternate names.

There was a cron entry which would check daily for the existence of the ELF PID and re-launch it if not found.

The system was an Oracle RAC cluster node, but the customer deinstalled the node before I was able to look deeper into the Oracle stuff. However, there was no evidence indicating that the attacker's files tried to query Oracle, nor were there any files that contained data that was present in the db. The attacker only had the limited access of the "nagios" account and thus had no direct access to db files.

The Cisco IDS in place (a module in the ASA) is able to detect SSNs, but since such a rule would use too many resources it cannot be used (per Cisco TAC), so we were blind to that type of PII detection.

Last edited by Linux_Kidd; 11-22-2012 at 08:27 PM.
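Two of the artefacts in the post above lend themselves to a quick triage check: the cron watchdog that re-launches a dropped ELF when its PID is gone, and a process hiding under an alternate name. The script below is an added example and is not code from this thread or from Linux_Kidd's investigation. The crontab lines and the fake /proc tree it scans are constructed here; the heuristics it uses (pidof/pgrep/ps|grep tests, launches from temp or dot directories, a comm or argv[0] that does not match the exe link) are this editor's assumptions about what such persistence typically looks like, not a description of the actual pscan2 or hide binaries.

```python
"""Triage helpers for cron-based relaunch persistence and renamed processes.
Added example (not from the original thread); all sample data is constructed."""
import os
import re
import tempfile

# Assumption: legitimate cron jobs and daemons rarely live in these places.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOTDIR_RE = re.compile(r"/\.[^/\s]+/")          # e.g. /var/tmp/.x/
PROC_TEST_RE = re.compile(r"\b(pgrep|pidof|kill\s+-0)\b|\bps\s+[-a-z]+\s*\|\s*grep")
RELAUNCH_RE = re.compile(r"\|\|\s*\S+")         # "test || /path/to/binary"

# Constructed crontab: two benign entries and two watchdog-style relaunchers.
CRON_SAMPLE = """
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/lib/nagios/plugins/check_load -w 5,4,3 -c 10,6,4
0 * * * * pidof pscan2 >/dev/null || /var/tmp/.x/pscan2 -t 100 >/dev/null 2>&1
@daily ps aux | grep -v grep | grep -q "[h]ide" || /dev/shm/.h/hide >/dev/null
"""


def suspicious_path(p):
    """True for paths under a temp directory or inside a dot directory."""
    return p.startswith(SUSPECT_DIRS) or bool(DOTDIR_RE.search(p))


def flag_cron_lines(lines):
    """Return [(line, reasons)] for entries that test whether a process is
    alive and re-launch something from a suspect path if it is not."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if PROC_TEST_RE.search(line):
            reasons.append("tests for a running process")
        if suspicious_path(line) or any(d in line for d in SUSPECT_DIRS):
            reasons.append("references a temp or dot directory")
        if RELAUNCH_RE.search(line):
            reasons.append("re-launches on failure (||)")
        if len(reasons) >= 2:            # one signal alone is too noisy
            hits.append((line, reasons))
    return hits


def find_name_mismatches(proc_root="/proc"):
    """Return {pid: [reasons]} for processes whose comm/argv[0] do not match
    the binary behind /proc/<pid>/exe, or that run from suspect paths.
    Kernel threads have no exe link and are skipped."""
    findings = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        base = os.path.join(proc_root, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue                      # kernel thread, zombie, or not ours
        exe_path = exe.replace(" (deleted)", "")
        exe_name = os.path.basename(exe_path)[:15]      # comm is 15 chars max
        claims = {comm, os.path.basename(argv[0])[:15] if argv else comm}
        reasons = []
        if exe_name not in claims:
            reasons.append("name mismatch")
        if exe.endswith(" (deleted)"):
            reasons.append("binary deleted from disk")
        if suspicious_path(exe_path):
            reasons.append("binary in temp or dot dir")
        if any(suspicious_path(a) for a in argv[1:]):
            reasons.append("argument from temp or dot dir")
        if reasons:
            findings[int(pid)] = reasons
    return findings


def build_fake_proc(root):
    """Construct a fake /proc: honest sshd, pscan2 posing as a kernel thread,
    perl running a script out of /tmp, and a real kernel thread (no exe)."""
    entries = {
        "1":    ("sshd",        "/usr/sbin/sshd -D",   "/usr/sbin/sshd"),
        "1337": ("kworker/0:1", "[kworker/0:1]",        "/var/tmp/.x/pscan2"),
        "2048": ("perl",        "perl /tmp/.x/udp.pl", "/usr/bin/perl"),
        "4":    ("kthreadd",    "",                    None),
    }
    for pid, (comm, cmdline, exe) in entries.items():
        d = os.path.join(root, pid)
        os.makedirs(d)
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(cmdline.replace(" ", "\0").encode() + (b"\0" if cmdline else b""))
        if exe:
            os.symlink(exe, os.path.join(d, "exe"))
    return root


def scan_fake_proc():
    """Run find_name_mismatches over the constructed tree; returns its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_name_mismatches(build_fake_proc(tmp))


if __name__ == "__main__":
    for line, why in flag_cron_lines(CRON_SAMPLE.splitlines()):
        print("cron:", line, "->", "; ".join(why))
    for pid, why in sorted(scan_fake_proc().items()):
        print("proc:", pid, "->", "; ".join(why))
    # Live use: find_name_mismatches("/proc") as root, and flag_cron_lines over
    # /etc/crontab, /etc/cron.d/* and each file under /var/spool/cron/.
```

On a live host the process check needs root to read every exe link, and the cron check should be run over the per-user spool files as well as /etc/crontab, since a job installed under a compromised service account (the "nagios" account here) lives in that user's spool, not the system crontab.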
Old 11-23-2012, 06:25 AM   #32
Thanks for the follow-up and for lending closure to this thread.