[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: My machine was hacked - possibly via sshd?



On Mon, Mar 28, 2005 at 02:41:06PM -0500, Malcolm Ferguson wrote:
> Machine was running Debian 3.0 and was behind a NAT box with ports 
> forwarded for SMTP, HTTP and SSH.  It hadn't been rebooted for 430 
> days.  I was using a 2.4  kernel with MPPE builtin.

If it had an uptime of 430 days, there were well known exploitable
security problems in the kernel.  They were all local exploits,
however...

> Early on the 25th, my logcheck emails indicated increasing messages in 
> syslog concerning failed login attempts against ssh.   At some point 
> though I see ssh authentication failures for valid user names - how?   
> Somehow they were being enumerated in the hack attempt, and I think that 
> one person had a weak password.  Finally I see an attempt to load 
> net-pf-14 and other modprobe errors.  At some point there are also 
> messages about the ethernet card entering promiscuous mode. 

There are a number of ssh brute-force login worms going around.  It's
entirely possible you were hit by one of these, and not by an actual
human attacker.  Once the worm got local access via a weak password, the
kernel you were running probably gave them easy access.

> I've rebuilt the machine.  The biggest changes so far have been 
> partitioning.  I no longer have a single partition, but about 10, 
> including read-only ones for /usr and /boot.  I'm also running the 
> Debian stock 2.4.18-1-586tsc 2.4.18-1-586tsc (I don't need to create 
> PPTP tunnels anymore).  I have Exim up and running and exposed to the 
> internet.  I need to open up ssh to external connections too soon, and 
> of course I will be reinstalling Apache within a week.

Unfortunately, I do believe there are known security problems with
Debian's 2.4.18 packages.  The kernel source situation in woody makes it
rather unpleasant and time consuming for the security team to create
updates, and since there's really only one person creating security
updates these days, it hasn't gotten done.  If I were you, I'd build my
own kernel binaries from kernel.org sources, applying whatever patches
are needed via either a Debian kernel-patch-foo package (assuming it
applies to the newer kernel) or by manually tracking down the patch and
applying it by hand.

> Sample logcheck messages:
> Mar 25 01:24:19 erin-and-malc sshd[23707]: Did not receive 
> identification string from 193.170.65.132
> Mar 25 01:31:02 erin-and-malc sshd[23661]: Did not receive 
> identification string from 203.228.120.102
> 
> Mar 25 02:23:12 erin-and-malc PAM_unix[24756]: authentication failure; 
> (uid=0) -> backup for ssh service
> Mar 25 02:23:14 erin-and-malc sshd[24756]: Failed password for backup 
> from 193.170.65.132 port 4128 ssh2
> Mar 25 02:24:24 erin-and-malc PAM_unix[24884]: authentication failure; 
> (uid=0) -> erin for ssh service
> Mar 25 02:24:26 erin-and-malc sshd[24884]: Failed password for erin from 
> 193.170.65.132 port 5776 ssh2

This is very common.  I see this same stuff all the time.  The first
couple of messages are the probes of your network (by "your" I really
mean "your ISP's") to determine which hosts are actually running sshd.
The next are the brute force login attempts.

People are undoubtedly going to suggest all kinds of firewall type
solutions to this problem.  However, I don't think a firewall is going
to help you here.  In effect, the NAT box you were running was already
providing some firewall services, and look what good it did.  TCP port
22 and 80 are almost certainly going to be exposed to the internet,
whether you're running a firewall or not, so you've really got to take
care to make sure those services are secure.  In the case of sshd, make
sure you've got strong passwords, or better yet make sure that only e.g.
ssh public-key authentication can be used.

noah


> Mar 25 04:05:14 erin-and-malc modprobe: modprobe: Can't locate module ppp0
> Mar 25 04:05:18 erin-and-malc kernel: request_module[ppp0]: fork failed, 
> errno 1

This looks like the worm may have been trying to establish a ppp
connection (probably tunneled over something else, maybe ssh) to
somewhere.  I'd be interested in knowing where.

> Mar 25 05:02:04 erin-and-malc kernel: eth0: Promiscuous mode enabled.
> Mar 25 05:05:13 erin-and-malc kernel: eth0: Promiscuous mode enabled.

Typical packet sniffer.

HTH,
noah

Attachment: pgp2QbojSrXjX.pgp
Description: PGP signature


Reply to: