On Mon, Mar 28, 2005 at 02:41:06PM -0500, Malcolm Ferguson wrote:

> Machine was running Debian 3.0 and was behind a NAT box with ports
> forwarded for SMTP, HTTP and SSH. It hadn't been rebooted for 430
> days. I was using a 2.4 kernel with MPPE builtin.

If it had an uptime of 430 days, there were well known exploitable
security problems in the kernel. They were all local exploits,
however...

> Early on the 25th, my logcheck emails indicated increasing messages in
> syslog concerning failed login attempts against ssh. At some point
> though I see ssh authentication failures for valid user names - how?
> Somehow they were being enumerated in the hack attempt, and I think that
> one person had a weak password. Finally I see an attempt to load
> net-pf-14 and other modprobe errors. At some point there are also
> messages about the ethernet card entering promiscuous mode.

There are a number of ssh brute-force login worms going around. It's
entirely possible you were hit by one of these, and not by an actual
human attacker. Once the worm got local access via a weak password, the
kernel you were running probably gave them easy access.

> I've rebuilt the machine. The biggest changes so far have been
> partitioning. I no longer have a single partition, but about 10,
> including read-only ones for /usr and /boot. I'm also running the
> Debian stock 2.4.18-1-586tsc (I don't need to create
> PPTP tunnels anymore). I have Exim up and running and exposed to the
> internet. I need to open up ssh to external connections too soon, and
> of course I will be reinstalling Apache within a week.

Unfortunately, I do believe there are known security problems with
Debian's 2.4.18 packages. The kernel source situation in woody makes it
rather unpleasant and time consuming for the security team to create
updates, and since there's really only one person creating security
updates these days, it hasn't gotten done.

If I were you, I'd build my own kernel binaries from kernel.org sources,
applying whatever patches are needed via either a Debian kernel-patch-foo
package (assuming it applies to the newer kernel) or by manually tracking
down the patch and applying it by hand.

> Sample logcheck messages:
>
> Mar 25 01:24:19 erin-and-malc sshd[23707]: Did not receive identification string from 193.170.65.132
> Mar 25 01:31:02 erin-and-malc sshd[23661]: Did not receive identification string from 203.228.120.102
>
> Mar 25 02:23:12 erin-and-malc PAM_unix[24756]: authentication failure; (uid=0) -> backup for ssh service
> Mar 25 02:23:14 erin-and-malc sshd[24756]: Failed password for backup from 193.170.65.132 port 4128 ssh2
> Mar 25 02:24:24 erin-and-malc PAM_unix[24884]: authentication failure; (uid=0) -> erin for ssh service
> Mar 25 02:24:26 erin-and-malc sshd[24884]: Failed password for erin from 193.170.65.132 port 5776 ssh2

This is very common. I see this same stuff all the time. The first
couple of messages are the probes of your network (by "your" I really
mean "your ISP's") to determine which hosts are actually running sshd.
The next are the brute force login attempts.

People are undoubtedly going to suggest all kinds of firewall type
solutions to this problem. However, I don't think a firewall is going to
help you here. In effect, the NAT box you were running was already
providing some firewall services, and look what good it did. TCP port 22
and 80 are almost certainly going to be exposed to the internet, whether
you're running a firewall or not, so you've really got to take care to
make sure those services are secure. In the case of sshd, make sure
you've got strong passwords, or better yet make sure that only e.g. ssh
public-key authentication can be used.

noah

> Mar 25 04:05:14 erin-and-malc modprobe: modprobe: Can't locate module ppp0
> Mar 25 04:05:18 erin-and-malc kernel: request_module[ppp0]: fork failed, errno 1

This looks like the worm may have been trying to establish a ppp
connection (probably tunneled over something else, maybe ssh) to
somewhere. I'd be interested in knowing where.

> Mar 25 05:02:04 erin-and-malc kernel: eth0: Promiscuous mode enabled.
> Mar 25 05:05:13 erin-and-malc kernel: eth0: Promiscuous mode enabled.

Typical packet sniffer.

HTH,
noah
Attachment:
pgpHDd38_Fpff.pgp
Description: PGP signature
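The reply above separates three things in Malcolm's logcheck output: banner-less probes that only establish which hosts run sshd, brute-force guesses (the ones against accounts that actually exist are the dangerous ones, since that is where a weak password gets in), and the modprobe and promiscuous-mode lines that only appear after the box has been compromised. The following script is an added example, not code from the thread or from logcheck, that runs that triage over sample syslog lines. The line formats for sshd, PAM_unix, modprobe and the kernel are taken from the messages quoted above; the "invalid user" lines and the extra attempts from 203.228.120.102 are constructed to exercise every branch.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input (not from the thread). The sshd/PAM_unix/modprobe/kernel
# formats mirror the lines quoted in the mail; the "invalid user" entries and the
# additional guesses from 203.228.120.102 are made up for illustration.
SAMPLE_LOG = """\
Mar 25 01:24:19 erin-and-malc sshd[23707]: Did not receive identification string from 193.170.65.132
Mar 25 01:31:02 erin-and-malc sshd[23661]: Did not receive identification string from 203.228.120.102
Mar 25 02:23:12 erin-and-malc PAM_unix[24756]: authentication failure; (uid=0) -> backup for ssh service
Mar 25 02:23:14 erin-and-malc sshd[24756]: Failed password for backup from 193.170.65.132 port 4128 ssh2
Mar 25 02:23:40 erin-and-malc sshd[24790]: Failed password for invalid user admin from 193.170.65.132 port 4201 ssh2
Mar 25 02:24:24 erin-and-malc PAM_unix[24884]: authentication failure; (uid=0) -> erin for ssh service
Mar 25 02:24:26 erin-and-malc sshd[24884]: Failed password for erin from 193.170.65.132 port 5776 ssh2
Mar 25 02:25:01 erin-and-malc sshd[24901]: Failed password for erin from 193.170.65.132 port 5802 ssh2
Mar 25 02:25:30 erin-and-malc sshd[24922]: Failed password for invalid user test from 203.228.120.102 port 3310 ssh2
Mar 25 04:05:14 erin-and-malc modprobe: modprobe: Can't locate module ppp0
Mar 25 05:02:04 erin-and-malc kernel: eth0: Promiscuous mode enabled.
"""

# A TCP connection that never sent an SSH banner: the "which hosts run sshd" scan.
PROBE_RE = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)")
# A failed login. The optional "invalid user" marker tells us whether the account exists,
# which is how guesses against real user names stand out from blind dictionary noise.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")
# Post-compromise indicators discussed in the thread.
PROMISC_RE = re.compile(r"kernel: (\S+): Promiscuous mode enabled")
MODPROBE_RE = re.compile(r"modprobe: modprobe: Can't locate module (\S+)")


@dataclass
class SourceStats:
    probes: int = 0            # banner-less connections from this source
    failed_invalid: int = 0    # guesses against accounts that do not exist
    failed_valid: int = 0      # guesses against accounts that DO exist
    valid_accounts: set = field(default_factory=set)


def analyse(log_text):
    """Return (per-source stats, host-level post-compromise events) for a syslog excerpt."""
    per_source = defaultdict(SourceStats)
    host_events = []
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if m:
            per_source[m.group(1)].probes += 1
            continue
        m = FAILED_RE.search(line)
        if m:
            invalid, user, ip = m.group(1), m.group(2), m.group(3)
            stats = per_source[ip]
            if invalid:
                stats.failed_invalid += 1
            else:
                stats.failed_valid += 1
                stats.valid_accounts.add(user)
            continue
        m = MODPROBE_RE.search(line)
        if m:
            host_events.append(("modprobe", m.group(1)))
            continue
        m = PROMISC_RE.search(line)
        if m:
            host_events.append(("promisc", m.group(1)))
    return dict(per_source), host_events


def findings(log_text, threshold=2):
    """Rank what the log shows: guesses against real accounts outrank blind scanning,
    and any post-compromise indicator on the host is reported on its own."""
    per_source, host_events = analyse(log_text)
    out = []
    for ip in sorted(per_source):
        s = per_source[ip]
        if s.failed_valid:
            out.append(("high", ip,
                        f"{s.failed_valid} failed logins against existing accounts "
                        f"{sorted(s.valid_accounts)}; a weak password there is the real risk"))
        elif s.probes + s.failed_invalid >= threshold:
            out.append(("medium", ip,
                        f"{s.probes} banner-less probes and {s.failed_invalid} guesses "
                        f"against non-existent accounts (scanner/worm noise)"))
    for kind, detail in host_events:
        if kind == "promisc":
            out.append(("high", "host", f"{detail} entered promiscuous mode: sniffer running?"))
        else:
            out.append(("high", "host", f"modprobe failed for {detail}: unexpected module load attempt"))
    return out


if __name__ == "__main__":
    for severity, source, message in findings(SAMPLE_LOG):
        print(f"[{severity}] {source}: {message}")
```

The split between `failed_valid` and `failed_invalid` is the point noah makes about strong passwords: probes and guesses against names that do not exist are background noise on any host with port 22 open, while repeated failures against accounts that do exist mean the attacker has found usable names and only the password stands between them and a shell. Feed it the real `/var/log/auth.log` instead of `SAMPLE_LOG` and the `host` findings are the ones that should never appear.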