LinuxQuestions.org
Forum: Linux - Security
Old 11-22-2012, 08:21 PM   #31
Linux_Kidd
Member
Registered: Jan 2006
Location: USA
Posts: 737

Original Poster
Rep: Reputation: 78

unSpawn asked for a follow-up.

Although my team did not do an RCA that led to the vector of attack, we do know a fw rule was put in place during the install of the fw which opened many systems to the public on SSH (about 1+ years ago). SSH scanning was well underway when, a few months back, the compromised system was added as a static NAT to the fw, which inherently allowed SSH to the public due to the rules of installation.

The customer installed a Nagios component using the default uid/passwd and that account was compromised via an SSH dictionary attack. The attacker downloaded a 100MB file which looked to contain the data needed to create the files the attacker used to launch a UDP flood, an egress SSH scanner, and an IRC bot which connected to an Undernet IRC server in Tampa FL using.

The UDP flooder was a Perl script. The SSH scanner was an ELF "pscan2", and we also found an ELF "hide" which could hide processes as alternate names.

There was a cron entry which would check daily for the existence of the ELF PID and re-launch if not found.


The system was an Oracle RAC cluster node, but the customer deinstalled the node before I was able to look deeper into the Oracle stuff. However, there was no evidence indicating that the attacker files tried to query Oracle, nor were there any files that contained data that was present in the db. The attacker only had limited access to the "nagios" account and thus had no access to db files directly.

The Cisco IDS in place (module in ASA) is able to detect SS#'s, but since it would use too many resources such a rule cannot be used (per Cisco TAC), so we were blind to that type of PII detection.

Last edited by Linux_Kidd; 11-22-2012 at 08:27 PM.
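The compromise above started with an SSH dictionary attack against the default Nagios account, which leaves a very recognisable trail in sshd's auth log: a burst of "Failed password" lines from one source followed by an "Accepted password" for the same account. The script below is an added example, not code from the thread or from Nagios or Cisco; the log lines, host name "racnode1" and the 203.0.113.0/24 source address are constructed for illustration, and the threshold of 3 failures is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the original thread).
SAMPLE_AUTH_LOG = """\
Nov 20 02:11:03 racnode1 sshd[4021]: Failed password for nagios from 203.0.113.7 port 51712 ssh2
Nov 20 02:11:05 racnode1 sshd[4023]: Failed password for nagios from 203.0.113.7 port 51718 ssh2
Nov 20 02:11:07 racnode1 sshd[4025]: Failed password for invalid user oracle from 203.0.113.7 port 51720 ssh2
Nov 20 02:11:09 racnode1 sshd[4027]: Failed password for nagios from 203.0.113.7 port 51724 ssh2
Nov 20 02:11:11 racnode1 sshd[4029]: Accepted password for nagios from 203.0.113.7 port 51730 ssh2
Nov 20 08:30:00 racnode1 sshd[5102]: Accepted publickey for admin from 10.0.0.5 port 40110 ssh2
"""

# "invalid user" appears when the account does not exist; the regex tolerates both forms.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")

def analyze(log_text, threshold=3):
    """Return (failures, suspicious_logins).

    failures:          {(src_ip, user): number of failed password attempts}
    suspicious_logins: [(user, src_ip, auth_method)] for every successful login
                       from a source that had already failed >= threshold times
                       earlier in the same log (the dictionary-attack-then-success pattern).
    """
    failures = defaultdict(int)
    per_ip = defaultdict(int)   # failures per source, regardless of target account
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[(ip, user)] += 1
            per_ip[ip] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if per_ip[ip] >= threshold:
                suspicious.append((user, ip, method))
    return dict(failures), suspicious

if __name__ == "__main__":
    fails, hits = analyze(SAMPLE_AUTH_LOG)
    for (ip, user), n in sorted(fails.items()):
        print(f"{ip} -> {user}: {n} failed password attempts")
    for user, ip, method in hits:
        print(f"ALERT: {method} login as {user} from {ip} after repeated failures")
```

On a real host, feed it the output of `journalctl -u ssh` or the contents of /var/log/auth.log (or /var/log/secure on RHEL-style systems); the publickey login from a source with no prior failures is deliberately left unflagged.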
Old 11-23-2012, 06:25 AM   #32
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Thanks for the follow-up and for lending closure to this thread.
All times are GMT -5.