Eduardo Bach wrote:
> Hello to all,
> 
> One of our servers was invaded. We just started the investigations, but the
> main clue, plus some strange files copied and deleted, is that sshd binary
> has changed. Its original size was ~313KB and moved to 1.18Mb. His version
> was 3.9p1-11.e4_7. As we at the beginning of investigations, I wonder if
> anyone had similar problem, or have any clue on how the intruder may have
> entered?
> Thanks in advance.

Almost certainly a password. Since the sshd binary was changed, it's 
clear someone (not very expert!) obtained root access.

Best practice is to shut the system down immediately, to allow forensic 
examination. Anything you do to repair the system, or even just to use 
it, obscures the evidence of what was done and by whom. It's like 
trampling the footprints outside the window!

Note that a clone of the disk isn't sufficient for forensic examination; 
properly equipped, one can find contents of deleted files and even 
overwritten sectors, and that information is lost when a disk is cloned.

Best practice is also to discard this server image, and to build a 
replacement. Use care in copying any files, especially compiled programs 
and scripts.

This is general advice, not particular to your circumstances.
Google for best practice on securing the system, but these are good to 
start with:
1. Disallow root login through ssh. Preferably, disable root logins 
entirely, use sudo and/or su to do root things.
2. Use passwords that are hard to guess. "john" is bad, especially if 
it's your son's name, "john#claudius" is better (takes a good dictionary 
and a lot of guessing), some prefer completely arcane passwords such as 
K2~Ouu3sk.

I prefer something I can recall and that's far down any dictionary 
account, say "redcucumber." It's less likely to be written down than 
something like "K2~Ouu3sk."

3. Make it hard to enumerate accounts with login access: if you use 
/etc/passwd to store accounts for email, ftp etc than give them a bogus 
home directory (maybe /var/empty) and a shell of one of these: 
/bin/{true,false,nologin}.

4. Require use of keys, not passwords, with ssh. If my sshd 
configuration does not allow the use of passwords, you can't use my 
account even if you know my password. Keys can be protected with 
passphrases.

A key is something you possess (it might be on your computer, or on your 
USB drive), a passphrase is something you know: a bit like a POS card 
and PIN.

5. Limit the rate at which remote users can connect to ssh. I only allow 
one ssh user (me), and there aren't that many places I might need to 
login from, so rules like these are useful:
[root@sysadmin ~]# cat /etc/sysconfig/iptables | grep -w 22
-A INPUT -s 58.6.0.0/255.254.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
<snip>
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit 
--limit 5/hour -j LOG --log-prefix "SSH connexion "
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit 
--limit 5/hour -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j LOG --log-prefix "SSH 
connexion attack dropped "
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP

The basic idea is there are no restrictions on some areas connecting, 
but just in case, I allow a small number of connexions from other 
places. In practice, this has worked well for me, but wouldn't protect 
me from a geographically-disperse attack. But, if someone's that 
determined, selecting another port wouldn't help either. I find I block 
90% or so of connexions from outside my preferred zone: anyone making 
more attempts from a single IP addres just increases the number of 
attempts I block.

It's also possible (and prudent) to block some areas entirely: China, 
Korea and USA come to mind

_I_ also restrict outgoing ports, if you visit me you might find your 
use of port 2323 (a random example) blocked.


I have seen a couple of crackers' tools; one sent the IP address of eth0 
to an email address at one of the free email sites, another installed an 
IRC bot and proceeded to try to crack other sites.

The IRC bot was licenced under the GPL and the criminal was fully 
compliant, he gave me the source.

The first had root access, and promptly installed replacement binaries 
for common programs (typical behaviour), Fortunately, they didn't work, 
and so it was pretty trivial to spot that the server was broken (it 
didn't boot).
this command helped me see what was done.
chattr +a .bash_history

The second criminal used ftp to enumerate accounts, I suspect many 
sysadmins don't read their ftp logs.

6. Configure syslog to log to another computer. Ideally, the other 
computer doesn't run any other services, and is inaccessible from 
everywhere dangerous.

7. Some people recommend port tapping. This is a bit like knocking 
(perhaps tapping out the first bar of a favourite melody) at the front 
door, where the arrangement is that the back door is then opened. There 
are various schemes and programs, including one that involves capturing 
incoming IP traffic (like tcpdump) and looking for a magic code, and 
then opening a port. See google.com and freshmeat.net for more ideas.

8. As I noted elsewhere, I don't recommend simply using a different 
port. A portscan will find it quite easily, and you won't be as secured 
as you might think.



-- 

Cheers
John

-- spambait
[log in to unmask]  [log in to unmask]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)