LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-28-2009, 05:22 PM   #1
SyntheticRed
LQ Newbie
 
Registered: Sep 2009
Posts: 2
Server making LOTS of outbound connections to different IP addresses on port 22


Hi all, I'm trying to fix a server which is basically making thousands of connections to random IPs all starting with 193.*.*.*. I found this out by looking at the IPCop firewall, example:

Code:
tcp (6)  	116  	SYN_SENT  	192.168.0.2 :56168  	193.145.17.217 :22  	193.145.17.217 :22  	217.*.*.* :56168  	[UNREPLIED]  	1
tcp (6) 	117 	SYN_SENT 	192.168.0.2 :56603 	193.145.19.126 :22 	193.145.19.126 :22 	217.*.*.* :56603 	[UNREPLIED] 	1
tcp (6) 	112 	SYN_SENT 	192.168.0.2 :54972 	193.145.13.41 :22 	193.145.13.41 :22 	217.*.*.* :54972 	[UNREPLIED] 	1
tcp (6) 	116 	SYN_SENT 	192.168.0.2 :55818 	193.145.16.122 :22 	193.145.16.122 :22 	217.*.*.* :55818 	[UNREPLIED] 	1
tcp (6) 	116 	SYN_SENT 	192.168.0.2 :55699 	193.145.16.3 :22 	193.145.16.3 :22 	217.*.*.* :55699 	[UNREPLIED] 	1
So I gave it a quick Google and found something saying to try "tcpdump -vv", so I did and I got this output...

Code:
23:13:32.008086 IP (tos 0x0, ttl  64, id 54746, offset 0, flags [DF], proto 6, length: 60) 192.168.0.2.58799 > 193.183.97.93.ssh: S [tcp sum ok] 2745422825:2745422825(0) win 5840 <mss 1460,sackOK,timestamp 3150710323 0,nop,wscale 2>
23:13:32.008105 IP (tos 0x0, ttl  64, id 13560, offset 0, flags [DF], proto 6, length: 60) 192.168.0.2.58800 > 193.183.97.94.ssh: S [tcp sum ok] 2744595147:2744595147(0) win 5840 <mss 1460,sackOK,timestamp 3150710323 0,nop,wscale 2>
23:13:32.008124 IP (tos 0x0, ttl  64, id 64196, offset 0, flags [DF], proto 6, length: 60) 192.168.0.2.58801 > 193.183.97.95.ssh: S [tcp sum ok] 2745761015:2745761015(0) win 5840 <mss 1460,sackOK,timestamp 3150710323 0,nop,wscale 2>
23:13:32.008143 IP (tos 0x0, ttl  64, id 10970, offset 0, flags [DF], proto 6, length: 60) 192.168.0.2.58802 > 193.183.97.96.ssh: S [tcp sum ok] 2732272873:2732272873(0) win 5840 <mss 1460,sackOK,timestamp 3150710323 0,nop,wscale 2>
23:13:32.008163 IP (tos 0x0, ttl  64, id 42413, offset 0, flags [DF], proto 6, length: 60) 192.168.0.2.58803 > 193.183.97.97.ssh: S [tcp sum ok] 2729616286:2729616286(0) win 5840 <mss 1460,sackOK,timestamp 3150710323 0,nop,wscale 2>
So then I tried grepping ps for "IP" and I got this

Code:
-bash-3.00# ps -aux | grep IP
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
root     18062  0.0  0.0  6656  592 pts/1    R+   23:18   0:00 grep IP
-bash-3.00# ps -aux | grep IP
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
root     18064  0.0  0.0  4984  624 pts/1    R+   23:18   0:00 grep IP
-bash-3.00# ps -aux | grep IP
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
root     18066  0.0  0.0  6464  624 pts/1    S+   23:18   0:00 grep IP
-bash-3.00# ps -aux | grep IP
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
root     18068  0.0  0.0  6472  620 pts/1    R+   23:18   0:00 grep IP
-bash-3.00# ps -aux | grep IP
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
root     18070  0.0  0.0  5896  624 pts/1    R+   23:18   0:00 grep IP
-bash-3.00# ps -aux | grep IP
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
root     18072  0.0  0.0  6632  628 pts/1    S+   23:18   0:00 grep IP
and now I'm pretty stumped as the process ID keeps changing. Any advice on what I could do next would be much appreciated, thanks in advance.
 
Old 09-28-2009, 05:28 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5
I think you want: $ ps auxw (or $ ps -ef)

Also: $ w

Well, it's not looking good. The host is perhaps acting as an ssh scanner / brute force bot, and ps(1) has been altered? (Actually, where are you running ps from?)

There are a couple good (recent) threads on cracked hosts and how to respond. Please search the Linux - Security forum.
 
Old 09-28-2009, 05:43 PM   #3
SyntheticRed
LQ Newbie
 
Registered: Sep 2009
Posts: 2

Original Poster

$ ps -ef gives me
Code:
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Aug23 ?        00:00:34 init [3]
root         2     1  0 Aug23 ?        00:00:00 [migration/0]
root         3     1  0 Aug23 ?        00:02:49 [ksoftirqd/0]
root         4     1  0 Aug23 ?        00:00:00 [migration/1]
root         5     1  0 Aug23 ?        00:00:00 [ksoftirqd/1]
root         6     1  0 Aug23 ?        00:00:00 [events/0]
root         7     1  0 Aug23 ?        00:00:00 [events/1]
root         8     6  0 Aug23 ?        00:00:00 [khelper]
root         9     6  0 Aug23 ?        00:00:00 [kacpid]
root        28     6  0 Aug23 ?        00:00:00 [kblockd/0]
root        29     6  0 Aug23 ?        00:00:00 [kblockd/1]
root        30     1  0 Aug23 ?        00:00:00 [khubd]
root        49     1  0 Aug23 ?        00:00:11 [kswapd0]
root        50     6  0 Aug23 ?        00:00:00 [aio/0]
root        51     6  0 Aug23 ?        00:00:00 [aio/1]
root       197     1  0 Aug23 ?        00:00:00 [kseriod]
root       426     6  0 Aug23 ?        00:00:00 [ata/0]
root       427     6  0 Aug23 ?        00:00:00 [ata/1]
root       428     6  0 Aug23 ?        00:00:00 [ata_aux]
root       432     1  0 Aug23 ?        00:00:00 [scsi_eh_0]
root       433     1  0 Aug23 ?        00:00:00 [scsi_eh_1]
root       466     1  0 Aug23 ?        00:01:11 [kjournald]
root      1687     1  0 Aug23 ?        00:00:00 udevd
root      1888     6  0 Aug23 ?        00:00:00 [kauditd]
root      1947     1  0 Aug23 ?        00:00:00 [kjournald]
admin     2509     1  0 Sep04 ?        00:00:56 [pdflush]
root      2536     1  0 Aug23 ?        00:00:23 syslogd -m 0
root      2540     1  0 Aug23 ?        00:00:00 klogd -x
root      2553     1  0 Aug23 ?        00:00:00 irqbalance
rpc       2571     1  0 Aug23 ?        00:00:00 portmap
rpcuser   2590     1  0 Aug23 ?        00:00:00 rpc.statd
root      2622     1  0 Aug23 ?        00:00:00 rpc.idmapd
root      2696     1  0 Aug23 ?        00:00:00 /usr/sbin/acpid
root      2720     1  0 Aug23 ?        00:00:43 /usr/sbin/dovecot
root      2806     1  0 Aug23 ?        00:00:17 /usr/sbin/sshd
root      2817  2720  0 Aug23 ?        00:00:14 dovecot-auth
dovecot   2818  2720  0 Aug23 ?        00:00:38 imap-login
dovecot   2819  2720  0 Aug23 ?        00:00:38 imap-login
dovecot   2820  2720  0 Aug23 ?        00:00:38 imap-login
root      2826     1  0 Aug23 ?        00:00:00 xinetd -stayalive -pidfile /var/
ntp       2838     1  0 Aug23 ?        00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd
root      2848     1  0 Aug23 ?        00:00:01 /usr/sbin/dhcpd
root      2858     1  0 Aug23 ?        00:00:00 gpm -m /dev/input/mice -t imps2
root      2867     1  0 Aug23 ?        00:00:08 crond
root      2876     1  0 Aug23 ?        00:00:00 smbd -D
root      2880  2876  0 Aug23 ?        00:00:00 smbd -D
root      2881     1  0 Aug23 ?        00:00:07 nmbd -D
root      2898     1  0 Aug23 ?        00:00:00 /usr/sbin/atd
dbus      2907     1  0 Aug23 ?        00:00:00 dbus-daemon-1 --system
root      2916     1  0 Aug23 ?        00:00:00 hald
root      2923     1  0 Aug23 ?        00:00:56 /usr/bin/fetchmail -f /etc/.fetc
root      2926     1  0 Aug23 tty1     00:00:00 /sbin/mingetty tty1
root      2927     1  0 Aug23 tty2     00:00:00 /sbin/mingetty tty2
root      2928     1  0 Aug23 tty3     00:00:00 /sbin/mingetty tty3
root      2929     1  0 Aug23 tty4     00:00:00 /sbin/mingetty tty4
root      2930     1  0 Aug23 tty5     00:00:00 /sbin/mingetty tty5
root      2931     1  0 Aug23 tty6     00:00:00 /sbin/mingetty tty6
root     12576     1  0 18:37 ?        00:00:00 /usr/libexec/postfix/master
postfix  12580 12576  0 18:37 ?        00:00:00 qmgr -l -t fifo -u
postfix  12598 12576  0 18:38 ?        00:00:00 tlsmgr -l -t unix -u
root     13270     6  0 Sep16 ?        00:00:07 [pdflush]
root     13271     6  0 Sep16 ?        00:00:05 [pdflush]
richard  13310     1  0 Sep16 ?        00:00:00 ./SCREEN
richard  13311 13310  0 Sep16 pts/2    00:00:00 /bin/bash
root     14187     1  0 Sep27 ?        00:00:00 cupsd
postfix  16462 12576  0 21:57 ?        00:00:00 pickup -l -t fifo -u
admin    16723     1  0 Sep25 ?        00:00:13 [pdflush] 1
dovecot  18178  2720  0 23:27 ?        00:00:00 pop3-login
postfix  18211 12576  0 23:28 ?        00:00:00 proxymap -t unix -u
postfix  18212 12576  0 23:28 ?        00:00:00 anvil -l -t unix -u
postfix  18213 12576  0 23:28 ?        00:00:00 trivial-rewrite -n rewrite -t un
dovecot  18235  2720  0 23:30 ?        00:00:00 pop3-login
postfix  18273 12576  0 23:31 ?        00:00:00 smtpd -n smtp -t inet -u
root     18320  2806  0 23:33 ?        00:00:00 sshd: root@pts/1
root     18322 18320  0 23:33 pts/1    00:00:00 -bash
dovecot  18349  2720  0 23:33 ?        00:00:00 pop3-login
tim      18351     1  0 23:33 ?        00:00:00 /usr/sbin/sshd
postfix  18353 12576  0 23:33 ?        00:00:00 cleanup -z -t unix -u
postfix  18354 12576  0 23:33 ?        00:00:00 local -t unix
postfix  18356 12576  0 23:33 ?        00:00:00 bounce -z -t unix -u
tim      18366 30604  0 23:34 ?        00:00:00 /bin/bash ./a 193.187
tim      18369 18366 98 23:34 ?        00:00:36 /bin/bash  193.187 22
root     18371 18322  0 23:34 pts/1    00:00:00 ps -ef
tim      30604     1  0 05:52 ?        00:00:00 /bin/sh ./mass 193
richard  30619     1  0 Aug29 ?        00:33:18 bash
and $ w gives me
Code:
 23:36:00 up 36 days, 11:15,  1 user,  load average: 1.10, 1.01, 0.95
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/1    cpc2-nfds13-2-0- 23:33    0.00s  0.02s  0.00s w
Is it likely that this server has been gained access to and they've done this to it? The IPCop shows that it's been doing this like crazy for a few weeks now, very strange stuff on the network graphs. I've attached the traffic graphs, as the server shouldn't really be uploading like that.
I'll have a little search for these threads also...
Attached: RED-day.png, RED-month.png, RED-week.png (IPCop RED interface traffic graphs)
 
Old 09-28-2009, 06:19 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Quote:
Originally Posted by anomie
Well, it's not looking good. The host is perhaps acting as a ssh scanner / brute force bot
Well, for once we don't need to follow proper incident response procedures to see that this one's frelled.


Quote:
Originally Posted by SyntheticRed
Code:
root     18322 18320  0 23:33 pts/1    00:00:00 -bash
dovecot  18349  2720  0 23:33 ?        00:00:00 pop3-login
tim      18351     1  0 23:33 ?        00:00:00 /usr/sbin/sshd
postfix  18353 12576  0 23:33 ?        00:00:00 cleanup -z -t unix -u
postfix  18354 12576  0 23:33 ?        00:00:00 local -t unix
postfix  18356 12576  0 23:33 ?        00:00:00 bounce -z -t unix -u
tim      18366 30604  0 23:34 ?        00:00:00 /bin/bash ./a 193.187
tim      18369 18366 98 23:34 ?        00:00:36 /bin/bash  193.187 22
root     18371 18322  0 23:34 pts/1    00:00:00 ps -ef
tim      30604     1  0 05:52 ?        00:00:00 /bin/sh ./mass 193
richard  30619     1  0 Aug29 ?        00:33:18 bash
(..) Is it likely that this server has been gained access to and they've done this to it?
Yes.


Quote:
Originally Posted by SyntheticRed
The IPCop shows that it's been doing this like crazy for a few weeks now, very strange stuff on the network graphs
You have served them well, allowing them to scan networks for weeks then. Any reason why you didn't respond to anomalies way earlier? Do you allow SSH root login? Do you use (weak) passwords instead of pubkey auth?

Also tell us the OS and version you run. Then raise the firewall to only accept traffic to and from your management IP. After that stop/kill all public services and rogue processes (verify!) except SSH. Verify your OpenSSH server and client packages. If integrity cannot be verified, reinstall the packages and restart the server. Then look through the logs for clues about how they came in. Read the (CERT) Intruder Detection Checklist: http://web.archive.org/web/200801092...checklist.html if you need some steps.
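An added example, not code from the thread or from any of its posters: a small shell triage script that applies the checks discussed above (an sshd not owned by root, the ./mass and ./a scanner processes, and a pile of unreplied SYN_SENT entries to port 22) to sample data constructed from the listings in this thread. The conntrack sample assumes the /proc/net/ip_conntrack text format; on a live host each function reads the real listing from stdin.

```shell
#!/bin/sh
# Added example, not from the thread. Each check reads one listing on stdin so
# it can be fed `ps -ef` or /proc/net/ip_conntrack on a live host; here it runs
# against sample data constructed from the listings above. If ps(1) itself is
# suspect (as anomie warns), cross-check the PIDs against /proc/<pid>/cmdline.

# Sample `ps -ef` rows copied from post #3 (header kept, most rows dropped).
PS_SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root      2806     1  0 Aug23 ?        00:00:17 /usr/sbin/sshd
root     18320  2806  0 23:33 ?        00:00:00 sshd: root@pts/1
tim      18351     1  0 23:33 ?        00:00:00 /usr/sbin/sshd
tim      18366 30604  0 23:34 ?        00:00:00 /bin/bash ./a 193.187
tim      18369 18366 98 23:34 ?        00:00:36 /bin/bash  193.187 22
tim      30604     1  0 05:52 ?        00:00:00 /bin/sh ./mass 193
richard  30619     1  0 Aug29 ?        00:33:18 bash'

# Constructed lines in the (assumed) /proc/net/ip_conntrack format matching the
# IPCop table in post #1: outbound SYNs to port 22 that were never answered,
# plus one normal established connection as a control.
CT_SAMPLE='tcp      6 116 SYN_SENT src=192.168.0.2 dst=193.145.17.217 sport=56168 dport=22 [UNREPLIED] src=193.145.17.217 dst=192.168.0.2 sport=22 dport=56168 use=1
tcp      6 117 SYN_SENT src=192.168.0.2 dst=193.145.19.126 sport=56603 dport=22 [UNREPLIED] src=193.145.19.126 dst=192.168.0.2 sport=22 dport=56603 use=1
tcp      6 112 SYN_SENT src=192.168.0.2 dst=193.145.13.41 sport=54972 dport=22 [UNREPLIED] src=193.145.13.41 dst=192.168.0.2 sport=22 dport=54972 use=1
tcp      6 300 ESTABLISHED src=192.168.0.2 dst=10.0.0.5 sport=40000 dport=25 src=10.0.0.5 dst=192.168.0.2 sport=25 dport=40000 use=1'

# An "sshd" owned by anyone but root is not the real daemon: print user:pid.
rogue_sshd() {
    awk 'NR > 1 && $1 != "root" && $8 ~ /sshd/ { print $1 ":" $2 }'
}

# Processes launched as ./something (the ./mass and ./a pattern): user:pid:arg.
dot_slash_procs() {
    awk 'NR > 1 { for (i = 8; i <= NF; i++) if ($i ~ /^\.\//) { print $1 ":" $2 ":" $i; break } }'
}

# Count unreplied SYN_SENT entries to dport 22 per internal source address.
# One host with many of these is scanning SSH, not administering anything.
ssh_syn_per_source() {
    awk '$4 == "SYN_SENT" && $8 == "dport=22" && $9 == "[UNREPLIED]" {
             sub(/^src=/, "", $5); n[$5]++ }
         END { for (s in n) print s, n[s] }'
}

printf '%s\n' "$PS_SAMPLE" | rogue_sshd          # tim:18351
printf '%s\n' "$PS_SAMPLE" | dot_slash_procs     # tim:18366:./a  tim:30604:./mass
printf '%s\n' "$CT_SAMPLE" | ssh_syn_per_source  # 192.168.0.2 3
```

On a compromised host, run the checks as `ps -ef | rogue_sshd` and `ssh_syn_per_source < /proc/net/ip_conntrack`, and treat any hit as a reason to follow the isolation steps above rather than as proof of a clean box when empty.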
 
Old 09-29-2009, 11:16 AM   #5
fpmurphy
Member
 
Registered: Jan 2009
Location: /dev/ph
Distribution: Fedora, Ubuntu, Redhat, Centos
Posts: 299
It goes without saying that you should also lock out the tim account.