
Re: Hundreds of sshd processes spawned by Postgresql



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 27.06.10 11:12, Stan Hoeppner wrote:
> Marc Shapiro put forth on 6/27/2010 12:57 AM:
>> From: Stan Hoeppner <stan@hardwarefreak.com>
>>
>>> If you were unable to find any inbound connections whilst these ~300
>>> outbound connections were present, 
>>
>> Has anyone come up with a viable theory as to why outbound connections would be initiated by sshd (or something calling itself sshd) as opposed to ssh?
> 
> To be frank, you're focusing on the least significant aspect of this break in
> here.  This is pretty much irrelevant given the scope of the problem, a minor
> detail, a blip on the radar so to speak.
I agree partially,

However, knowing HOW they broke in would allow taking specific
countermeasures. If it was a software bug in a required application, one
has to get in touch with the devs to fix it to be able to continue using it.
If it was a misconfiguration issue, the OP learns something and can
avoid it next time.
I think the fact that an application called sshd (real sshd or not) was used
could allow identifying the trojan/rootkit (asking on the postgresql list or
on a trojan/rootkit security list maybe helps?)
> 
>>> and given that restarting the box caused
>>> the ~300 ssh processes to instantly start up again and connect to Taiwan
>>> and God knows where else, it's pretty clear that code of one kind or
>>> another, either a script or a binary, has been uploaded to your system by
>>> the cracker. 
>>
>> Actually, the connections were restarted after I KILLED them.  AFTER that I shut the system and the router down.  When I restarted the system (with the router still down) the connections did NOT return.  Nor did they return when the system was restarted after the router was rebooted.  It looks like someone gained entrance to the system and started up a script, or binary, or simply a command, that made these connections (distributed DOS attack, possibly), but made no effort, or was unsuccessful at ensuring that it would survive a reboot.  I DO need to harden the system, possibly after a clean install of Squeeze, since that was probably in my near future, anyway.  I also have no need for Apache to be running, so, default or not, it is being removed from /etc/init.d.  I will also ensure that the firewall does not have any ports open that I don't need, which should mean just about everything closed down tight.
> 
> This is where you should focus your effort, and it sounds like you have a good
> game plan for moving forward.  After you get all this worked out, _then_ worry
> about the sshd vs ssh issue above, if you even care to take the time at that
> point.  You probably won't.
> 
The main question actually is about important data on that host he wants
to use again. If there is no such data, trashing everything and starting
clean is a good way to go. It is not really needed to know how they did it, as
he most likely will use new software, new host settings, etc.

IF he has important non-recreatable data on the host, he must find out
if that data has been compromised. This can be done by manually checking all
the data or finding out how they broke in.

Even a backup doesn't really help here, as the OP would need to be able to
tell WHEN the compromise happened. Without that he may replay already
compromised data... and the freshly installed host would again be
compromised...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAkwnHUYACgkQpjmLjrU66/4OOgD/cmXpZGjaQv/2YLLcvLAmfO3I
Vz8KcmswIbV73rxexPsBAKJIDbM33uByh6iPM7QO5/k1F4ukTCI3yTmC5arK85x1
=UymY
-----END PGP SIGNATURE-----
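The point raised above, that the "sshd" holding those outbound connections may or may not be the real sshd, is something a defender can check directly from /proc before deciding whether to wipe the box. The following triage helper is an added example and is not code from anyone in this thread. It relies only on the real Linux /proc interfaces (/proc/net/tcp, /proc/<pid>/comm, /proc/<pid>/exe); the sample socket table and process list embedded in it are constructed, and the inbound-versus-outbound split is a heuristic (an ESTABLISHED socket whose local port is one the host LISTENs on is treated as inbound, everything else established as initiated by this host). The packaged sshd path /usr/sbin/sshd is an assumption that should be adjusted per distribution.

```python
"""Triage helper: is the 'sshd' holding outbound connections the real sshd?

Uses the real Linux /proc layout (/proc/net/tcp, /proc/<pid>/comm,
/proc/<pid>/exe). The sample data at the bottom is CONSTRUCTED so the
functions can be exercised offline; read_live_procs() and the tcp file are
what you would feed in on the compromised host itself.
"""
import os
import socket
import struct

ESTABLISHED, LISTEN = "01", "0A"  # socket state codes used in /proc/net/tcp


def decode_addr(hex_addr):
    """'0100007F:0016' -> ('127.0.0.1', 22).
    IPv4 in /proc/net/tcp is host-order (little-endian on x86) hex; the port
    is plain big-endian hex."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket line; the 'sl ...' header line is skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0] == "sl":
            continue
        sockets.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": fields[3],
            "inode": fields[9],  # joins to /proc/<pid>/fd/* -> socket:[inode]
        })
    return sockets


def classify_connections(sockets):
    """Split ESTABLISHED sockets into (inbound, outbound).
    Heuristic: local port in the LISTEN set => someone connected to us;
    otherwise this host initiated the connection."""
    listening = {s["local"][1] for s in sockets if s["state"] == LISTEN}
    inbound, outbound = [], []
    for s in sockets:
        if s["state"] != ESTABLISHED:
            continue
        (inbound if s["local"][1] in listening else outbound).append(s)
    return inbound, outbound


def flag_impostors(procs, real_sshd="/usr/sbin/sshd"):
    """procs: iterable of {'pid', 'comm', 'exe'}. Flag anything that calls
    itself sshd but runs from an unexpected path, or whose binary has been
    unlinked from disk (the exe symlink then ends in ' (deleted)')."""
    flagged = []
    for p in procs:
        if p["comm"] != "sshd":
            continue
        if p["exe"].endswith(" (deleted)"):
            flagged.append((p["pid"], "binary deleted from disk"))
        elif p["exe"] != real_sshd:
            flagged.append((p["pid"], "unexpected path " + p["exe"]))
    return flagged


def read_live_procs():
    """Enumerate /proc on a real host (root is needed to readlink other
    users' exe links; unreadable entries are skipped)."""
    procs = []
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        procs.append({"pid": int(pid), "comm": comm, "exe": exe})
    return procs


def triage(tcp_text, procs):
    """Summary counts a responder would look at first."""
    inbound, outbound = classify_connections(parse_proc_net_tcp(tcp_text))
    return {"inbound": len(inbound), "outbound": len(outbound),
            "flagged": len(flag_impostors(procs))}


# CONSTRUCTED sample: sshd listening on :22, one inbound session from
# 192.168.1.5, one outbound connection to 203.0.113.5:22 (TEST-NET-3).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:0016 0501A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:B7C8 057100CB:0016 01 00000000:00000000 00:00000000 00000000  1001        0 12347 1 0000000000000000 20 4 30 10 -1
"""
# CONSTRUCTED sample process list: one genuine sshd, two impostors.
SAMPLE_PROCS = [
    {"pid": 1234, "comm": "sshd", "exe": "/usr/sbin/sshd"},
    {"pid": 2345, "comm": "sshd", "exe": "/tmp/.x/sshd"},
    {"pid": 3456, "comm": "sshd", "exe": "/usr/sbin/sshd (deleted)"},
]

if __name__ == "__main__":
    print("sample:", triage(SAMPLE_TCP, SAMPLE_PROCS))
    for pid, why in flag_impostors(SAMPLE_PROCS):
        print(f"  pid {pid}: {why}")
    if os.path.exists("/proc/net/tcp"):  # live host: same checks for real
        with open("/proc/net/tcp") as fh:
            print("live:", triage(fh.read(), read_live_procs()))
```

On a live host the interesting output is the flagged list together with the outbound count: hundreds of ESTABLISHED sockets on ephemeral local ports owned by a process whose exe is not the packaged binary, or is "(deleted)", is exactly the picture the OP described, and the socket inode can be joined against /proc/<pid>/fd to tie each connection to its process.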
