SCIENTIFIC-LINUX-USERS Archives

September 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Bruce Prewit <[log in to unmask]>
Reply To: Bruce Prewit <[log in to unmask]>
Date: Tue, 30 Sep 2008 19:05:57 -0600
Content-Type: text/plain
Parts/Attachments: text/plain (84 lines)

Eduardo Bach wrote:
> Hello Troy,
>
> Sorry, the last answer was a draft sent in error. Now is correct.
>
> Thank you for responding so promptly. Here are below the answers to your
> questions:
>
> Troy Dawson wrote:
>
>> Eduardo Bach wrote:
>>     
>>> Hello to all,
>>>
>>> One of our servers was invaded. We just started the investigations,
>>> but the main clue, plus some strange files copied and deleted, is
>>> that the sshd binary has changed. Its original size was ~313KB and it grew
>>> to 1.18MB. Its version was 3.9p1-11.e4_7. As we are at the beginning of
>>> the investigation, I wonder if anyone has had a similar problem, or has any
>>> clue as to how the intruder may have entered?
>>> Thanks in advance.
>>>
>>> Eduardo Bach
>>>
>> Hi,
>> I'm not the best investigator of break-ins, so I am probably not going
>> to have an answer, but with the information you gave us, it could be
>> anything.  It could be anything from someone getting a password from
>> somewhere, to apache running as root.
>>
>> So here are a couple of questions that might help get started.
>>
>> What version of linux was it running? If not linux, what OS was it
>> running?
>>     
>
> Scientific Linux 4.6.
>
>   
>> What services did it have?  Was it a web server, a database server, a
>> desktop?
>>
>> How many users had access to the machine?  Was it a server with only
>> one user, or a general login machine?
>>
>> How could people login?  ssh only?  telnet? rsh?
>>
>> Did your average person have physical access to the machine?
>>     
>
> This server had only one service: sshd, and had no firewall. This was a
> general login machine for just a few users (<20). When I wrote my
> first email, I suspected a bug in ssh, but looking on the internet I
> did not find any report for this version. Now I am considering the
> possibility that the hacker found the password of one of the users by
> brute force, and exploited some bug from there, inside the system.
> Finding which bug was exploited after the password was obtained is
> not as important to me now as making sure that this was how he/she was
> able to enter.
>
>   
>> Answers to those questions help track things down.
>> Another thing most people do is take a snapshot of the disk, so your
>> investigation doesn't mess up the evidence.
>> Troy
>>     
> A backup server is up, so we have the time we need to identify what
> happened.
> Thanks again for your help.
>
> Eduardo Bach
>
>
>   

It's also a good idea to change the ssh port to something other than the 
default; this will stop the "ssh-brute-force-crack" that has been 
plaguing the internet for as long as I can remember.
See http://openssh.org/manual.html for specific instructions.

Regards,

Bruce Prewit
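A log check for the brute-force scenario the thread discusses, added here as an example and not part of any message in it. It parses sshd entries from a constructed sample (the addresses, users, PIDs and times are made up) and flags source addresses with repeated password failures, plus any password login that follows those failures from the same address.

```python
import re
from collections import Counter

# Constructed sshd entries in /var/log/secure style; addresses, users and times are made up.
SAMPLE_LOG = """\
Sep 28 02:11:03 host sshd[4101]: Failed password for invalid user admin from 192.0.2.77 port 40122 ssh2
Sep 28 02:11:05 host sshd[4103]: Failed password for root from 192.0.2.77 port 40130 ssh2
Sep 28 02:11:07 host sshd[4105]: Failed password for eduardo from 192.0.2.77 port 40141 ssh2
Sep 28 02:11:09 host sshd[4107]: Failed password for eduardo from 192.0.2.77 port 40150 ssh2
Sep 28 02:11:11 host sshd[4109]: Accepted password for eduardo from 192.0.2.77 port 40161 ssh2
Sep 28 09:30:44 host sshd[4555]: Failed password for troy from 198.51.100.5 port 51000 ssh2
Sep 28 09:30:50 host sshd[4557]: Accepted publickey for troy from 198.51.100.5 port 51002 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")

def analyse(log_text, threshold=3):
    """Return (failures, suspicious): failures is a Counter of failed password
    attempts per source address; suspicious lists (user, ip, method) for each
    successful password login from an address that had already reached
    `threshold` failures earlier in the log (a guessed password followed by entry)."""
    failures = Counter()
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if method == "password" and failures[ip] >= threshold:
                suspicious.append((user, ip, method))
    return failures, suspicious

def brute_force_sources(failures, threshold=3):
    """Source addresses at or above the failure threshold, most active first."""
    return [ip for ip, n in failures.most_common() if n >= threshold]

if __name__ == "__main__":
    failures, suspicious = analyse(SAMPLE_LOG)
    for ip in brute_force_sources(failures):
        print(f"brute-force candidate: {ip} ({failures[ip]} failed passwords)")
    for user, ip, _ in suspicious:
        print(f"password login for {user} from {ip} after repeated failures")
```

Key-based logins are never flagged, so a host that disables password authentication produces no findings from the second check; the first still shows who is knocking.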
