Security Incidents mailing list archives
Re: SSH probe attack afoot?
From: "Stephen J. Smoogen" <smooge () gmail com>
Date: Sat, 12 Feb 2005 10:06:19 -0700
On Fri, 11 Feb 2005 20:37:22 -0800, Jeffrey Goldberg <jeffrey () goldmark org> wrote:
On Feb 6, 2005, at 7:09 AM, Bernie Cosell wrote:We're now getting hammered with the third round of ssh probes in the last four days [one from CA, one from Brazil and one from Virginia]. I was wondering: is there some virus or the like floating around now that leaves an ssh-hammering zombie in its wake? Or is it just coincidental that we have gotten three floods?I fear that some hosts I'm responsible for are (they almost certainly were) such zombies. chkrootkit didn't turn up anything. Is there something (in addition to anomolous ssh traffic) that I should be looking for.
You probably did this, but as a general reminder for someone who finds this thread when searching... The first thing is to make sure you have the latest chkrootkit and that you do the checks from booting at cdrom. It is always a good idea to make sure that you do forensics from a known good state. The second issue is that none of the ssh scanning require root priveledges. Any user on the machine could have been used for this. To track this down, using a netstat -nap to see open ports for IRC servers, look through at and cron jobs (and put a at.allow/cron.allow with a limited set to figure out who is trying to run crons or at without your knowledge.) Also look for the usual suspect directories (... .<space>) and executables that arent in root only writable directories. Clear out all the passwords and confirm that the setuid executables and items with port access have proper checksums. [On a RPM system (SuSE, Red Hat, Fedora, etc) you can use the following script to track down items that have either bad RPM checksums or are not in the RPM database. I did not write this script. A mirror admin wrote it a while back.. and I lost the attribution. Whoever it was thankyou. # # rogue.awk - Find files that are not accounted for # # awk -f rogue.awk # # Rogue is called from a cron job on an hourly basis. # It parses files in the filesystem and checks to see # that they belong to an rpm. Then it prints the # output of rpm -Va to verify those files that do # belong to an rpm. # BEGIN { # Required commands cmd1="/bin/rpm -qal"; cmd2="find / -path '/proc' -prune -o -path '/home' -prune -o -path '/var/log' -prune -o -print"; # All rpms in rpm db while ( cmd1 | getline ) { rpmfiles[$0] = 1; } close(cmd1); # All files on system not in an rpm while ( cmd2 | getline ) { if (!($0 in rpmfiles)) { orphans[$0] = 1; } } close(cmd2); delete rpmfiles; exit 0; # hit 'END' right now } END { for (file in orphans) { print "R:orphaned",file | "sort" } while ("rpm -Va --noghost" | getline) { print "R:" $0 | "sort" } } ---- The truly paranoid would use this against known packages burnt from the master site with Vp or something so that they know exactly what they have. Hope this helps.
You'll be glad to know that I've been trying to carefully monitor outgoing ssh traffic so as not to a (further) nuisance to the rest of the net. With apologies, -j -- Jeffrey Goldberg http://www.goldmark.org/jeff/
-- Stephen J Smoogen. CSIRT/Linux System Administrator
Current thread:
- SSH probe attack afoot? Bernie Cosell (Feb 07)
- Re: SSH probe attack afoot? Martin Sarsale (Feb 07)
- Re: SSH probe attack afoot? Steve Bonds (Feb 07)
- Re: SSH probe attack afoot? Steven Harrison (Feb 07)
- Re: SSH probe attack afoot? xyberpix (Feb 07)
- Re: SSH probe attack afoot? Stephen Warren (Feb 08)
- Re: SSH probe attack afoot? j () 65535 com (Feb 08)
- Re: SSH probe attack afoot? Stephen Warren (Feb 08)
- Re: SSH probe attack afoot? Barrie Dempster (Feb 07)
- Re: SSH probe attack afoot? j lake (Feb 08)
- Re: SSH probe attack afoot? Jeffrey Goldberg (Feb 12)
- Re: SSH probe attack afoot? Stephen J. Smoogen (Feb 12)
- Re: SSH probe attack afoot? Jeffrey Goldberg (Feb 16)
- <Possible follow-ups>
- Re: SSH probe attack afoot? Joe Egloff (Feb 07)
- Re: SSH probe attack afoot? naverxp (Feb 08)
- Re: SSH probe attack afoot? Tim (Feb 08)
- Re: SSH probe attack afoot? Frank Knobbe (Feb 08)
- Re: SSH probe attack afoot? Matt Fisher (Feb 09)
- Re: SSH probe attack afoot? naverxp (Feb 08)
- Re: SSH probe attack afoot? Joe Egloff (Feb 08)
- Re: SSH probe attack afoot? Barrie Dempster (Feb 08)
- Re: SSH probe attack afoot? j () 65535 com (Feb 09)
- Chinese HTTP ACKs David Gillett (Feb 09)
- Re: SSH probe attack afoot? Barrie Dempster (Feb 08)
- Re: SSH probe attack afoot? Martin Sarsale (Feb 07)