
Re: My machine was hacked - possibly via sshd?



On Mon, 28 Mar 2005, Malcolm Ferguson wrote:

> My machine was cracked on Thursday evening.  I'm trying to understand how it
> happened so that it doesn't go down again.

I note below you rebuilt the box.  This is great.

If you are sure you knew this is the date of the crack you could have 
restored from a previous backup and used that as a base for restoring to 
the present state.  Only do this if you are _sure_ you know when the crack 
occurred.  The date it becomes evident need not be the date it happened.  
Smart crackers will stay undetected for as long as they can.

> Machine was running Debian 3.0 and was behind a NAT box with ports forwarded
> for SMTP, HTTP and SSH.  It hadn't been rebooted for 430 days.  I was using a

So the box had several local root exploits in the kernel and possibly 
various library and other exploits hanging around (even though it was 
patched - see below).

> Early on the 25th, my logcheck emails indicated increasing messages in syslog
> concerning failed login attempts against ssh.   At some point though I see ssh
> authentication failures for valid user names - how?   Somehow they were being
> enumerated in the hack attempt, and I think that one person had a weak

Although it can be difficult to manage with a large number of users I 
strongly encourage moving towards blocking password access to ssh 
entirely.  One way to approach this is to announce it now and give users 
90 days to arrange for public keys to be present in their accounts.  You 
could also post some docs on how to go about generating a key pair.

> password.  Finally I see an attempt to load net-pf-14 and other modprobe
> errors.  At some point there are also messages about the ethernet card
> entering promiscuous mode. 

It was probably already over by this point.  They were probably out trying 
to learn more.

> When I logged on I discovered two outgoing connections to port ircd on the
> foreign hosts, and some thing listening on port 48744 TCP.  No PID associated

A kernel module to hide the processes may have been loaded.

> So what can I do to prevent it?  My best guess is that ssh failed, but 

Keep the system patched and bear in mind that once a system is patched you 
need to flush out all old copies of binaries and libraries.  This is more 
of a problem with library updates.

Update the kernel to avoid the various local root exploits seen over the 
last couple of years.  Yes this means a reboot ;)

> this is based on the log messages.  Exim or Apache could have been the 
> point of failure too though.  Seeing as it was so long since I rebooted, 
> perhaps the exploit was coupled with a kernel vulnerability.  Any 

Exactly - a local root exploit combined with a remote non-root exploit can 
hand the keys to the kingdom to an attacker.

> I no longer have a single partition, but about 10, including read-only ones
> for /usr and /boot.  I'm also running the Debian stock 2.4.18-1-586tsc

Not as useful as you might think...

mount -n -o remount,rw /usr

Have you considered running SELinux?  This is a non-trivial exercise of 
course.

Rob

-- 
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Phone: 416-669-3073 Email: rbrockway@opentrend.net http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest (http://www.spi-inc.org)
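As an added example (not part of this thread or of any Debian tool), a small Python check over constructed sshd auth.log lines that separates the two kinds of failures Malcolm describes, guesses at nonexistent names versus failures for valid account names, and flags a source that then gets in with a password. The log lines, addresses and account names are made up.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not from the original post); hostnames, PIDs and
# addresses are made up. Debian 3.0's OpenSSH logged "illegal user", later ones "invalid user".
SAMPLE_LOG = """\
Mar 25 02:11:03 host sshd[4120]: Failed password for illegal user admin from 10.9.8.7 port 40211 ssh2
Mar 25 02:11:05 host sshd[4122]: Illegal user guest from 10.9.8.7
Mar 25 02:12:40 host sshd[4131]: Failed password for malcolm from 10.9.8.7 port 40220 ssh2
Mar 25 02:12:42 host sshd[4133]: Failed password for malcolm from 10.9.8.7 port 40221 ssh2
Mar 25 02:13:01 host sshd[4140]: Accepted password for malcolm from 10.9.8.7 port 40230 ssh2
Mar 25 09:00:00 host sshd[5001]: Accepted publickey for rob from 192.0.2.10 port 51000 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for "
                       r"(?P<bogus>(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+)")
UNKNOWN_RE = re.compile(r"sshd\[\d+\]: (?:Invalid|Illegal) user (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")

def analyze(log_text):
    """Group sshd auth events by source address: names sshd rejected as
    nonexistent ('unknown'), real accounts that failed ('valid'), and logins."""
    stats = defaultdict(lambda: {"unknown": set(), "valid": set(), "accepted": []})
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            bucket = "unknown" if m.group("bogus") else "valid"
            stats[m.group("ip")][bucket].add(m.group("user"))
        elif m := UNKNOWN_RE.search(line):
            stats[m.group("ip")]["unknown"].add(m.group("user"))
        elif m := ACCEPTED_RE.search(line):
            stats[m.group("ip")]["accepted"].append((m.group("user"), m.group("method")))
    return dict(stats)

def flag_sources(stats):
    """Flag sources whose failures hit real account names. Nonexistent-name guesses
    are scanner noise; valid-name failures show the attacker has the user list, and
    a password login from that source afterwards is a likely compromise."""
    verdicts = {}
    for ip, s in stats.items():
        if not s["valid"]:
            continue
        cracked = sorted(u for u, method in s["accepted"]
                         if method == "password" and u in s["valid"])
        if cracked:
            verdicts[ip] = "likely compromise: password login after failures as " + ",".join(cracked)
        else:
            verdicts[ip] = "valid accounts under attack: " + ",".join(sorted(s["valid"]))
    return verdicts
```

Run against a real auth.log, any source in the "likely compromise" state is the one whose sessions to reconstruct first; with PasswordAuthentication disabled, the "Accepted password" branch can never fire.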


