Eduardo Bach wrote:
> Hello Troy,
>
> Sorry, the last answer was a draft sent in error. Now is correct.
>
> Thank you for responding so promptly. Here are below the answers to your
> questions:
>
> Troy Dawson escreveu:
>
>> Eduardo Bach wrote:
>>
>>> Hello to all,
>>>
>>> One of our servers was invaded. We just started the investigations,
>>> but the main clue, plus some strange files copied and deleted, is
>>> that sshd binary has changed. Its original size was ~313KB and moved
>>> to 1.18Mb. His version was 3.9p1-11.e4_7. As we at the beginning of
>>> investigations, I wonder if anyone had similar problem, or have any
>>> clue on how the intruder may have entered?
>>> Thanks in advance.
>>>
>>> Eduardo Bach
>>>
>> Hi,
>> I'm not the best investigator of breakin's, so I am probubly not going
>> to have an answer, but with the information you gave us, it could be
>> anything. It could be someone got a password from somewhere, to
>> apache running as root.
>>
>> So here is a couple of questions that might help get started.
>>
>> What version of linux was it running? If not linux, what OS was it
>> running?
>>
>
> Scientific Linux 4.6.
>
>
>> What services did it have? Was it a web server, a database server, a
>> desktop?
>>
>> How many users had access to the machine? Was it a server with only
>> one user, or a general login machine?
>>
>> How could people login? ssh only? telnet? rsh?
>>
>> Did your average person have physical access to the machine?
>>
>
> This server had only one service: sshd, and had no firewall. This was a
> general machine machine login to just a few users (<20). When I wrote my
> first email, suspected of a bug in ssh, but looking on the internet I
> did not find any report to this version. Now I am thinking the
> possibility that the hacker found the password of one of the users with
> brute force, and explored some bug from there, inside of the system.
> Finding that bug was exploited after the acquisition of the password is
> not as important to me now, but make sure was this that he/she was able
> to enter.
>
>
>> Answers to those questions help track things down.
>> Another thing most people do is take a snapshot of the disk, so your
>> investigation doesn't mess up the evidence.
>> Troy
>>
> A backup server is stand up, so we have time we need to identify what
> happened.
> Thanks again for your help.
>
> Eduardo Bach
>
>
>
It's also a good idea to change the ssh port to something other than the
default; this will stop the "ssh-brute-force-crack" that has been
plaguing the internet for as long as I can remember.
See http://openssh.org/manual.html for specific instructions.
Regards,
Bruce Prewit
|