Eduardo Bach wrote: > Hello Troy, > > Sorry, the last answer was a draft sent in error. Now is correct. > > Thank you for responding so promptly. Here are below the answers to your > questions: > > Troy Dawson escreveu: > >> Eduardo Bach wrote: >> >>> Hello to all, >>> >>> One of our servers was invaded. We just started the investigations, >>> but the main clue, plus some strange files copied and deleted, is >>> that sshd binary has changed. Its original size was ~313KB and moved >>> to 1.18Mb. His version was 3.9p1-11.e4_7. As we at the beginning of >>> investigations, I wonder if anyone had similar problem, or have any >>> clue on how the intruder may have entered? >>> Thanks in advance. >>> >>> Eduardo Bach >>> >> Hi, >> I'm not the best investigator of breakin's, so I am probubly not going >> to have an answer, but with the information you gave us, it could be >> anything. It could be someone got a password from somewhere, to >> apache running as root. >> >> So here is a couple of questions that might help get started. >> >> What version of linux was it running? If not linux, what OS was it >> running? >> > > Scientific Linux 4.6. > > >> What services did it have? Was it a web server, a database server, a >> desktop? >> >> How many users had access to the machine? Was it a server with only >> one user, or a general login machine? >> >> How could people login? ssh only? telnet? rsh? >> >> Did your average person have physical access to the machine? >> > > This server had only one service: sshd, and had no firewall. This was a > general machine machine login to just a few users (<20). When I wrote my > first email, suspected of a bug in ssh, but looking on the internet I > did not find any report to this version. Now I am thinking the > possibility that the hacker found the password of one of the users with > brute force, and explored some bug from there, inside of the system. > Finding that bug was exploited after the acquisition of the password is > not as important to me now, but make sure was this that he/she was able > to enter. > > >> Answers to those questions help track things down. >> Another thing most people do is take a snapshot of the disk, so your >> investigation doesn't mess up the evidence. >> Troy >> > A backup server is stand up, so we have time we need to identify what > happened. > Thanks again for your help. > > Eduardo Bach > > > It's also a good idea to change the ssh port to something other than the default; this will stop the "ssh-brute-force-crack" that has been plaguing the internet for as long as I can remember. See http://openssh.org/manual.html for specific instructions. Regards, Bruce Prewit