Got blasted by the ssh bot
Posted on October 26, 2005, 2:24 pm
Looks like one of my neglected machines got nailed by that ssh bot. I'm
using it as a squid server for our remote offices, and I also have some
users who ssh into it for various reasons. I usually block all ssh
except for specific IP addresses and ranges, with iptables. I had an ssh
user at home w/a dynamic ip and, in a moment of laziness, I opened all
ssh "temporarily" and apparently left it that way (I have a script on my
mailserver to prevent my absent-minded professor syndrome by restoring
the default rules hourly).
I'm running tripwire, so I was able to tell what was added/replaced.
I copied known good files from the mailserver of the same version, and
copied most of them back to the compromised machine in single user mode.
However - I rec'd errors while copying some of them, and decided to boot
from floppy and try the same. I rec'd the same error even when booting
from floppy. Here is a list of the files in /bin that were
modified/replaced. This is NOT the replaced files, but a list of the
replacement files:
-rwxr-xr-x 1 root root 541096 Oct 24 10:55 bash*
-rwxr-xr-x 1 root root 16424 Oct 24 10:43 chgrp*
-rwxr-xr-x 1 root root 16680 Oct 24 10:44 chmod*
-rwxr-xr-x 1 root root 18280 Oct 24 10:44 chown*
-rwxr-xr-x 1 root root 36360 Oct 24 10:44 cp*
-rwxr-xr-x 1 root root 64705 Oct 24 10:45 cpio*
-rwxr-xr-x 1 root root 28616 Oct 24 10:45 dd*
-rwxr-xr-x 1 root root 26376 Oct 24 10:45 df*
-rwxr-xr-x 1 root root 83064 Oct 24 10:45 ed*
-rwxr-xr-x 1 root root 248748 Oct 24 10:45 gawk*
-rwxr-xr-x 1 root root 248748 Oct 24 10:45 gawk-3.1.0*
-rwxr-xr-x 1 root root 12426 Oct 24 10:46 hostname*
-rwxr-xr-x 1 root root 20104 Oct 24 10:55 ln*
-rwxr-xr-x 1 root root 46888 Oct 24 10:55 ls*
-rwxr-xr-x 1 root root 66492 Oct 24 10:55 mail*
-rwxr-xr-x 1 root root 17992 Oct 24 10:45 mkdir*
-rwxr-xr-x 1 root root 12952 Oct 24 10:55 mt*
-rwxr-xr-x 1 root root 100173 Oct 24 10:55 netstat*
-rwsr-xr-x 1 root root 35192 Oct 24 10:45 ping*
-r-xr-xr-x 1 root root 63304 Oct 24 10:55 ps*
-rwxr-xr-x 1 root root 16700 Oct 24 10:45 setserial*
Also syslogd was modified/replaced.
The files that would not copy were ls, ps, setserial, and /sbin/syslogd.
I rec'd Operation not permitted, Permission denied. I had them all
(except syslogd) in a tarball and just tarred them into that directory:
tar -xzvf tarball.tar.gz.
What do I need to do here? I'm clearly missing something critical...
Re: Got blasted by the ssh bot
Best way to go is:
- use the interactive boot method in RedHat and answer NO to everything
- do a 'chattr -i' on all the files
- replace 'kill' just to make sure
- kill ALL processes except the ones required to keep Linux running
- replace the other files
- Check using rootkit hunter
If that doesn't fix it, it's time to backup all the data and reinstall from
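The "Operation not permitted" errors that survive a floppy boot are consistent with the reply's second step: the ext2/ext3 immutable attribute lives in the inode on the filesystem, so a clean kernel still honours it until root runs chattr -i. The script below is an added example written for this thread, not code posted by either participant. It assumes lsattr output in its usual "attrs path" form (a constructed sample is embedded), a known-good tree such as the copy from the mailserver, and root plus a writable ext2/ext3 target for the restore step; the names immutable_from_lsattr, differing_files and restore_file are hypothetical helpers chosen here.

```shell
#!/bin/sh
# Added example for the thread above: find files locked with the immutable
# (i) or append-only (a) attribute, report which system binaries differ from
# a known-good tree, and clear the attribute before restoring. Not the
# original poster's or the replier's code.

# Parse lsattr output on stdin ("----i--------e-- /bin/ls" lines) and print
# the paths whose attribute field contains i or a. Directory headers printed
# by "lsattr -R" ("/bin:") and blank lines are skipped because their first
# field is not a plain attribute string.
immutable_from_lsattr() {
    awk 'NF == 2 && $1 ~ /^[-a-zA-Z]+$/ && $1 ~ /[ia]/ { print $2 }'
}

# Constructed sample of what "lsattr -R /bin /sbin" might show on the
# compromised box; the real command would be run instead of this variable.
SAMPLE_LSATTR='/bin:
----i--------e-- /bin/ls
----i--------e-- /bin/ps
-------------e-- /bin/bash
----i--------e-- /bin/setserial

/sbin:
-----a-------e-- /sbin/syslogd'

# Compare every regular file under the known-good tree ($1) with the same
# relative path under the target tree ($2). Prints "differs <path>" when the
# bytes differ and "missing <path>" when the target lacks the file. Byte
# comparison with cmp avoids trusting any checksum tool on the target.
differing_files() {
    good_tree=$1
    target_tree=$2
    ( cd "$good_tree" && find . -type f ) | sed 's|^\./||' | while read -r rel; do
        if [ ! -f "$target_tree/$rel" ]; then
            printf 'missing %s\n' "$rel"
        elif ! cmp -s "$good_tree/$rel" "$target_tree/$rel"; then
            printf 'differs %s\n' "$rel"
        fi
    done
}

# Clear i and a on the target file, then copy the known-good version over it
# preserving mode and timestamps. Requires root and an ext2/ext3 target; run
# from a trusted boot (rescue media) so the chattr and cp binaries themselves
# are not the attacker's. Not exercised by the demo below.
restore_file() {
    good_tree=$1
    target_tree=$2
    rel=$3
    chattr -ia "$target_tree/$rel"
    cp -p "$good_tree/$rel" "$target_tree/$rel"
}

# Demo on the constructed sample: lists the locked files.
printf '%s\n' "$SAMPLE_LSATTR" | immutable_from_lsattr
```

A typical run on a mounted target is: lsattr -R /mnt/target/bin /mnt/target/sbin | immutable_from_lsattr to see what is locked, differing_files /mnt/good /mnt/target to get the list of replaced and deleted binaries, and then restore_file for each reported path. Diff the differing_files report against the tripwire report; entries tripwire did not flag point at changes the rootkit hid from it, which is the case the reply's final line (backup and reinstall) is there for.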