CentOS 5 hacked

It looks like there is a vulnerability in openssh. The version is
72.el5_6.3, which is the one for CentOS release 5.6 (Final).
I've found a Perl process that was sending spam (I've also got the source
code from /proc/<pid>/fd/3). What happened then is that I found strange
records in audit.log:

type=USER_LOGIN msg=audit(1314645691.505:290419): user pid=24699 uid=0 auid=0 msg='uid=0: exe="/usr/sbin/sshd" (hostname=, addr=, terminal=/dev/pts/0 res=success)'
type=ANOM_ABEND msg=audit(1314645695.184:290420): auid=0 uid=0 gid=0 ses=1152 pid=24699 comm="sshd" sig=6

And a few records with the same sig=6 and auid=0 in later days. I use auid
500 and sudo to get root if needed, and these are hack attempts indeed.
Also there are no PAM records along with these lines.
Server kernel is:
Linux vz 2.6.18-194.26.1.el5.028stab081.1 #1 SMP Thu Dec 23 20:17:23
EEST 2010 x86_64 x86_64 x86_64 GNU/Linux

I'll re-setup server anyway but I want to get some more info from this
hack. Any ideas?
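As an added example (not code from the thread), here is a small Python script that scans audit.log for the pattern this post describes: an sshd USER_LOGIN with empty hostname/addr and an auid other than the expected interactive account, followed shortly by an ANOM_ABEND (sig=6 is SIGABRT) of the same sshd pid. The sample log lines are constructed around the two records quoted above; the expected auid of 500 and the 30-second correlation window are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines. The first two mirror the records quoted in the post;
# the third is a normal login with a source address; the fourth is an unrelated crash.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1314645691.505:290419): user pid=24699 uid=0 auid=0 msg='uid=0: exe="/usr/sbin/sshd" (hostname=, addr=, terminal=/dev/pts/0 res=success)'
type=ANOM_ABEND msg=audit(1314645695.184:290420): auid=0 uid=0 gid=0 ses=1152 pid=24699 comm="sshd" sig=6
type=USER_LOGIN msg=audit(1314650000.000:290500): user pid=25001 uid=0 auid=500 msg='uid=500: exe="/usr/sbin/sshd" (hostname=?, addr=192.0.2.10, terminal=/dev/pts/1 res=success)'
type=ANOM_ABEND msg=audit(1314650100.000:290600): auid=0 uid=0 gid=0 ses=1200 pid=26000 comm="perl" sig=11
"""

LINE_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):\d+\): (?P<rest>.*)$")
# key=value pairs; values are either double-quoted or run to the next separator
KV_RE = re.compile(r'''(\w+)=("[^"]*"|[^\s,)':]*)''')

def parse_line(line):
    """Turn one audit record into a dict; outer fields win over the nested msg='...' ones."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"])}
    for key, val in KV_RE.findall(m["rest"]):
        rec.setdefault(key, val.strip('"'))
    return rec

def find_suspicious_sshd_logins(log_text, expected_auid="500", window_s=30.0):
    """Flag sshd USER_LOGIN records with no source address, an auid other than the
    expected interactive account (assumed 500), or an ANOM_ABEND of the same pid within window_s."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    abends = defaultdict(list)
    for r in records:
        if r["type"] == "ANOM_ABEND":
            abends[r.get("pid")].append(r)
    findings = []
    for r in records:
        if r["type"] != "USER_LOGIN" or not r.get("exe", "").endswith("/sshd"):
            continue
        reasons = []
        if not r.get("addr"):
            reasons.append("no source address")
        if r.get("auid") != expected_auid:
            reasons.append("unexpected auid=%s" % r.get("auid"))
        for a in abends.get(r.get("pid"), []):
            if 0 <= a["ts"] - r["ts"] <= window_s:
                reasons.append("sshd pid crashed sig=%s %.1fs after login" % (a["sig"], a["ts"] - r["ts"]))
        if reasons:
            findings.append({"pid": r["pid"], "ts": r["ts"], "reasons": reasons})
    return findings
```

Run it over a real audit.log with `find_suspicious_sshd_logins(open("/var/log/audit/audit.log").read())`; a clean system should produce no findings, since every interactive sshd login carries a source address.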

Re: CentOS 5 hacked

On Wednesday 31 August 2011 16:06 in comp.os.linux.security,
dmitry.leonenko enlightened humanity with the following words...:


Not necessarily.  But there are always ways to try and break into a
system that doesn't have any security holes.  You always have to have a
way to legitimately log into your system, and there are ways to exploit
those, e.g. via dictionary attacks or brute force attacks.  

These things can fire off login attempts multiple times per second until
they get the proper login name and password combination.  See below for
advice on that.


If your machine is/was sending out spam, then you probably do have an
intrusion on your hands, and then most likely the perpetrator will have
installed a rootkit on your machine.  Remember, a rootkit is not there
to give someone unauthorized access to your machine; it is there to
_hide_ the fact that he already _has_ access, by replacing some
executables - e.g. "/bin/ls", "/bin/ps", "/sbin/lsmod" et al - by
executables that perform the same function but do not show you all there
is to see.

You will eventually indeed need to reformat your partitions and
reinstall the operating system, but I would advise you to first use
chkrootkit or rkhunter - they should be in the CentOS repos if you don't
have them installed - to give you a clearer view on what is going on.

Finally, when you're reinstalling your machine, do _not_ allow root
logins over ssh, and do _not_ use sudo in its default configuration.  Set
up sudo so that it either requires the root password instead of the
user's own password, or to only allow certain tasks to be carried out
via the sudo command, but not all root commands.  Use "/bin/su" for root
jobs, and make sure that PAM is set up to only allow the use of
"/bin/su" to users in the wheel group.  It is harder for the blackhat to
guess two distinct passwords than to have to guess only one and then
with that one account and sudo, obtain root privileges.

You may also want to install an intrusion detection package like prelude
or snort - they should be in the CentOS repositories, but if you can't
find them, here's where you can get prelude.

I would also advise installing an automatic firewall via the combination
of Brute Force Defender and Advanced Policy Firewall.  As it just so
happens to be, someone inquired about APF only a few days ago in another
group.  Let me see whether I can dig up the URL to the source code...  
Ah, here it is...:

    http://www.rfxn.com/projects/advanced-policy-firewall/

Anyone trying to break in via ssh will get three attempts at a login,
and if the third attempt fails, the IP address will automatically be
added to the firewall (via iptables) and you will receive an e-mail from
root with the information of the break-in attempt.

Hope this was useful. ;-)

(registered GNU/Linux user #223157)

Re: CentOS 5 hacked


AFAICT these are in repoforge (formerly rpmforge), not in base CentOS.


Denyhosts can do this at the hosts.deny level as well (not at the
iptables level, AFAIK).


(try just my userid to email me)
see X- headers for PGP signature information

Re: CentOS 5 hacked


This system was using fail2ban, so no, it wasn't brute force. Look
closely at the audit message. It is quite different from a usual login
attempt. Also chkrootkit showed nothing. Installing a newer version of
openssh-server solved the problem partially. New login attempts were
unsuccessful from the attacker's IP. But I've reinstalled the system anyway.
You can never be 100% sure that there is no backdoor somewhere on the
system. Now CentOS6 + SELinux. Quite happy with it.
