|
Security problemson my servers urgent!!!!!?
Hello it's me again, i have a problem that originated from several of our Servers a would like for you people to check out the following messages that i received in my email:
"Please note I'd like to file a report for investigation due to abnormal activity against one or several of our systems originated from one of your controlled IP addresses. the remote system of your company was found to have exceeded acceptable login failures on secure5.integrese.com. As such the attacking host has been banned from further accessing this system; for the integrity of your host you shoul investigate this event as soon as possible." the following are 68 login failures from your ip address:" end of message all the login attemps where trhough high ports(for example 51043, 51097) trying to use ssh all this was last week, and it happend 2 times in different ip addresses, today i've got another and again in a different ip address.. what can I do..2 machines have SuSE and one Mandrake.. what can i do.. i'm kind of desparate.... Thank you very much for your time!!!!!! |
Hrrm. Are you certain no local user could be doing this?
Have you run rkhunter and checkrootkit to see if there are any known rootkits in your system? If you do believe they are attacking other machines, they should be taken offline IMMEDIATELY. |
Can you please define what is a rootkit? and what are the rkhunter a checkrootkit?
thanks!!! |
rkhunter and checkrootkit are tools used to check for rootkits. Rootkits are, generally speaking, tools used by hackers to gain root and cover their tracks on systems.
|
Ok, and how do i run or install the rkhunter and checkrootkit?
|
Thanks, i figured out how to run chkrootkit, i'm going to run it on the other servers to see what happens..
Thanks for the info..any other suggestions will be appreciated!!!! |
No problem. Is your firewall configured to prohibit any unnecessary outbound connections?
|
I don't think so...how can i do that?
|
this is how my firewall is configured
FW_QUICKMODE="no" FW_DEV_EXT="eth-id-00:50:ba:56:b2:98" FW_DEV_INT="" FW_DEV_DMZ="" FW_ROUTE="no" FW_MASQUERADE="no" FW_MASQ_DEV="$FW_DEV_EXT" FW_MASQ_NETS="" FW_PROTECT_FROM_INTERNAL="no" FW_AUTOPROTECT_SERVICES="no" FW_SERVICES_EXT_TCP="ssh http https www ftp" FW_SERVICES_EXT_UDP="21 22" FW_SERVICES_EXT_IP="" FW_SERVICES_EXT_RPC="" FW_SERVICES_DMZ_TCP="" FW_SERVICES_DMZ_UDP="" FW_SERVICES_DMZ_IP="" FW_SERVICES_DMZ_RPC="" FW_SERVICES_INT_TCP="" FW_SERVICES_INT_UDP="" FW_SERVICES_INT_IP="" FW_SERVICES_INT_RPC="" FW_SERVICES_DROP_EXT="" FW_SERVICES_REJECT_EXT="0/0,tcp,113" # $FW_DEV_EXT # FW_SERVICES_QUICK_TCP="ssh,ftp" # FW_SERVICES_QUICK_UDP="isakmp" # FW_SERVICES_QUICK_IP="50" FW_SERVICES_QUICK_TCP="" FW_SERVICES_QUICK_IP="" FW_TRUSTED_NETS="" FW_ALLOW_INCOMING_HIGHPORTS_TCP="" FW_ALLOW_INCOMING_HIGHPORTS_UDP="" FW_FORWARD="" FW_FORWARD_MASQ="" FW_REDIRECT="" FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="no" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="no" FW_LOG_LIMIT="" FW_LOG="" FW_KERNEL_SECURITY="yes" FW_ANTISPOOF="no" FW_STOP_KEEP_ROUTING_STATE="no" FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="no" FW_ALLOW_PING_EXT="no" |
If your host has been reported to be attempting multiple failed ssh logins, then it's very likely to have been compromised and running brutessh. In fact it's very likely that your host was compromised with that same cracking tool if you were using weak passwords. Check for open ssh connections to random hosts (netstat -pantu). If your system was compromised that way, then it's very likely that a check for rootkits would be negative (it's still worth while to run the check though). There is a very long thread near the top of this forum that comtains info on this tool that may be informative.
|
ok. Capt_Caveman i'll check out the thread you are mentioning but what do i do because i ran netstat and here's a part of what i got, but no ssh connections
2-1120489964 unix 3 [ ] STREAM CONNECTED 82699 unix 3 [ ] STREAM CONNECTED 82682 /tmp/.ICE-unix/dcop17732-1120489964 unix 3 [ ] STREAM CONNECTED 82681 unix 3 [ ] STREAM CONNECTED 82679 unix 3 [ ] STREAM CONNECTED 82678 unix 2 [ ] DGRAM 82482 unix 3 [ ] STREAM CONNECTED 72336 /tmp/.X11-unix/X0 unix 3 [ ] STREAM CONNECTED 72323 unix 2 [ ] DGRAM 10896 unix 2 [ ] DGRAM 9230 unix 2 [ ] DGRAM 8332 unix 2 [ ] DGRAM 8280 unix 2 [ ] DGRAM 8162 unix 2 [ ] DGRAM 8146 unix 3 [ ] STREAM CONNECTED 7180 /var/run/acpid.socket unix 3 [ ] STREAM CONNECTED 7179 unix 2 [ ] DGRAM 6106 unix 2 [ ] DGRAM 5833 unix 2 [ ] DGRAM 3315 can you be a little more specific of what you wan't me to look for? thank you very much!!!!! |
That's a list of the local unix sockets, do netstat -pantu instead (make sure to include all of the options to that command). Then look for any connections to port 22 on remote hosts. This would be an example:
Code:
tcp 0 0 192.168.4.101:45197 10.10.10.1:22 ESTABLISHED 9879/xyz |
ok, i'm checking that right now.
i have another question we think it's someone that has access to our network, we have access to this persons machine, how can i check to what machines he has logged in to. the operating system he uses is fedora? |
Offhand I can't think of anything that keeps a list of machines that you've logged into, however you can take a look at their users bash histories and try a find ssh logins. You can easily see what machines they are currently logged into with the netstat -pantu command.
Also, just to clarify my earlier post, you'll need to run that netstat command on the machine that the attacks were originating from (the machine that was reported by the other sysadmin). One thing to keep in mind is that the brutessh tool usually has a very limited password list and will only compromise hosts that use very poor passwords (like "root" as the root user password), so you may want to ask the user if that was the case (check their bash histories first though). |
Could it be possible to intall a program on the machine of the person who we think his hacking our servers so that we can monitor what this person is doing?
|
| All times are GMT -5. The time now is 06:15 PM. |