SCIENTIFIC-LINUX-USERS Archives

September 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Eduardo Bach
Date: Tue, 30 Sep 2008 22:03:37 -0300
Content-Type: text/plain
Hello Troy,

Sorry, the last answer was a draft sent in error. This one is correct.

Thank you for responding so promptly. Below are the answers to your
questions:

Troy Dawson wrote:
> Eduardo Bach wrote:
>> Hello to all,
>>
>> One of our servers was invaded. We have just started the investigation,
>> but the main clue, besides some strange files copied and deleted, is
>> that the sshd binary has changed. Its original size was ~313KB and it
>> grew to 1.18Mb. Its version was 3.9p1-11.e4_7. As we are at the
>> beginning of the investigation, I wonder if anyone has had a similar
>> problem, or has any clue on how the intruder may have entered?
>> Thanks in advance.
>>
>> Eduardo Bach
>
> Hi,
> I'm not the best investigator of break-ins, so I am probably not going
> to have an answer, but with the information you gave us, it could be
> anything, from someone getting a password from somewhere to apache
> running as root.
>
> So here are a couple of questions that might help get started.
>
> What version of linux was it running? If not linux, what OS was it
> running?

Scientific Linux 4.6.

>
> What services did it have?  Was it a web server, a database server, a
> desktop?
>
> How many users had access to the machine?  Was it a server with only
> one user, or a general login machine?
>
> How could people login?  ssh only?  telnet? rsh?
>
> Did your average person have physical access to the machine?

This server had only one service, sshd, and had no firewall. It was a
general login machine for just a few users (<20). When I wrote my
first email, I suspected a bug in ssh, but looking on the internet I
did not find any report for this version. Now I am considering the
possibility that the hacker found the password of one of the users by
brute force, and exploited some bug from there, inside the system.
Finding which bug was exploited after the password was obtained is
not as important to me now as making sure that this is how he/she was
able to enter.

> Answers to those questions help track things down.
> Another thing most people do is take a snapshot of the disk, so your
> investigation doesn't mess up the evidence.
> Troy
A backup server is up, so we have the time we need to identify what
happened.
Thanks again for your help.

Eduardo Bach
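As an added example (not from this thread), here is the kind of integrity check that reveals a replaced binary like the sshd described above: it records size and SHA-256 for a set of files and reports any that changed. On an RPM-based system such as Scientific Linux the packaged baseline is what `rpm -V openssh-server` compares against; the files and the "replacement" below are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Record (size, sha256) for each path; this is the trusted baseline."""
    return {p: (os.path.getsize(p), sha256_of(p)) for p in paths}


def verify(baseline):
    """Compare the filesystem with the baseline; return {path: reason} for mismatches."""
    findings = {}
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        cur_size = os.path.getsize(path)
        if cur_size != size:
            findings[path] = "size %d -> %d" % (size, cur_size)
        elif sha256_of(path) != digest:
            # same length but different bytes: a patched binary would land here
            findings[path] = "content changed, size unchanged"
    return findings


def demo():
    """Constructed scenario: a fake 'sshd' file is swapped for a much larger one."""
    d = tempfile.mkdtemp()
    sshd = os.path.join(d, "sshd")
    cfg = os.path.join(d, "sshd_config")
    with open(sshd, "wb") as f:
        f.write(b"\x7fELF original sshd" * 100)   # 1800 bytes, constructed
    with open(cfg, "wb") as f:
        f.write(b"PermitRootLogin no\n")
    base = snapshot([sshd, cfg])
    with open(sshd, "wb") as f:
        f.write(b"\x7fELF trojaned sshd" * 400)   # 7200 bytes, constructed
    return {os.path.basename(p): r for p, r in verify(base).items()}


if __name__ == "__main__":
    print(demo())
```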
