Re: SSH probe attack afoot?

["Stephen J. Smoogen" <smooge () gmail com>]

On Fri, 11 Feb 2005 20:37:22 -0800, Jeffrey Goldberg
<jeffrey () goldmark org> wrote:
> On Feb 6, 2005, at 7:09 AM, Bernie Cosell wrote:
>
> > We're now getting hammered with the third round of ssh probes in the
> > last
> > four days [one from CA, one from Brazil and one from Virginia].  I was
> > wondering: is there some virus or the like floating around now that
> > leaves an ssh-hammering zombie in its wake?  Or is it just coincidental
> > that we have gotten three floods?
>
> I fear that some hosts I'm responsible for are (they almost certainly
> were) such zombies.  chkrootkit didn't turn up anything.  Is there
> something (in addition to anomolous ssh traffic) that I should be
> looking for.

You probably did this, but as a general reminder for someone who finds
this thread when searching...

The first thing is to make sure you have the latest chkrootkit and
that you do the checks from booting at cdrom. It is always a good idea
to make sure that you do forensics from a known good state.

The second issue is that none of the ssh scanning require root
priveledges. Any user on the machine could have been used for this. To
track this down, using a netstat -nap to see open ports for IRC
servers, look through at and cron jobs (and put a at.allow/cron.allow
with a limited set to figure out who is trying to run crons or at
without your knowledge.) Also look for the usual suspect directories
(... .<space>) and executables that arent in root only writable
directories. Clear out all the passwords and confirm that the setuid
executables and items with port access have proper checksums.

[On a RPM system (SuSE, Red Hat, Fedora, etc) you can use the
following script to track down items that have either bad RPM
checksums or are not in the RPM database. I did not write this script.
A mirror admin wrote it a while back.. and I lost the attribution.
Whoever it was thankyou.

#
# rogue.awk - Find files that are not accounted for
#
# awk -f rogue.awk
#
# Rogue is called from a cron job on an hourly basis.
# It parses files in the filesystem and checks to see
# that they belong to an rpm.  Then it prints the
# output of rpm -Va to verify those files that do
# belong to an rpm.
#
BEGIN {
  # Required commands
  cmd1="/bin/rpm -qal";
  cmd2="find / -path '/proc' -prune -o -path '/home' -prune -o -path '/var/log' 
-prune -o -print";
 
  # All rpms in rpm db
  while ( cmd1 | getline ) {
    rpmfiles[$0] = 1;
  }
  close(cmd1);
 
  # All files on system not in an rpm
  while ( cmd2 | getline ) {
    if (!($0 in rpmfiles)) {
      orphans[$0] = 1;
    }
  }
  close(cmd2);
  delete rpmfiles;
  exit 0; # hit 'END' right now
}
END {
  for (file in orphans) {
    print "R:orphaned",file | "sort"
  }
  while ("rpm -Va --noghost" | getline) {
    print "R:" $0 | "sort"
  }
}

----

The truly paranoid would use this against known packages burnt from
the master site with Vp or something so that they know exactly what
they have.

Hope this helps.


> You'll be glad to know that I've been trying to carefully monitor
> outgoing ssh traffic so as not to a (further) nuisance to the rest of
> the net.
>
> With apologies,
>
> -j
>
> --
> Jeffrey Goldberg                        http://www.goldmark.org/jeff/


-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator