On Mon, Mar 28, 2005 at 12:37:46PM -0800, Alvin Oga wrote:
> > When I logged on I discovered two outgoing connections to port ircd on
> > the foreign hosts, and some thing listening on port 48744 TCP.
>
> sorta harmless ... script kiddies having fun
No, it's _not_ harmless. Those are usually signs of IRC bots used to handle
the system remotely. Ever heard of botnets?
In any case, this also shows that you should _really_ implement outbound
filtering too. Even if people can get into that SSH box, it doesn't mean
that the SSH box should be allowed full access to the Internet itself.
Rootkits are usually downloaded through FTP or WWW servers; if you had cut
those outgoing accesses off (at the firewall), you could have reduced worm
propagation.
And, yes, if you need outgoing FTP/WWW access from that box then you should
have a filter for those servers you actually need (like
security.debian.org). Sorry, allowing remote access to an SSH server that
is not set up in a properly isolated DMZ with incoming and outgoing filters
is not a good idea.
My suggestion:

  Internet ---> Firewall ---> Internal network
                   |
                   v
                  SSH
  (a 'sacrificial lamb', so to speak)

Have the firewall filter incoming and outgoing connections from the SSH
server and restrict which IPs it can connect to on both sides.
Please _don't_ expose your internal network like this:

  Internet ---> Firewall ---> SSH
                               |
                               `-> Internal network

If anybody accesses the SSH server he has a complete bypass to your
network. Furthermore, there is no way you can set up filters for the
connections from your SSH server to your internal network.
> > My best guess is that ssh failed,
>
> nah ... they probably got in thru exploiting apache or mta or dns
> vs lot harder to exploit ssh to getting in to modifying root-owned files
SSH is usually the easiest way: it implies users/passwords, and there's no
need to remotely overflow it. Although many SSH probes are just sent to hash
out a list of servers out there to seed the next worm when a new SSH
vulnerability is found.
> > I've rebuilt the machine.
>
> ahhh ... it would have been fun to see how they got in ..
> and when they got in
> and who got in
> and how long they been in
> and where else they broke into to
> and what files they changed
> and ...
That's actually easy to do. Just set up a honeypot on the Internet and
you'll see that; it gets pretty boring after some time. For more
information (and many attack samples) visit http://www.honeynet.org
> that won't stop them ... unless they exploited a race condition
> in /tmp and you didn't have a separate /tmp that was not chmod 1777
I have yet to see a worm exploiting a race condition in /tmp. Most of them
just install a rootkit and go through the kernel.
> i know some people's machine that was coincidentally hacked within
> 5 minutes of getting online to the outside ..
Actually, when these statistics were made, Windows XP (pre-SP2) systems
went down in about a minute (depending on the ISP they were connected to,
since some are overflowing with worms). More info at the above URL.
Regards
Javier
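The incoming and outgoing filtering Javier recommends for the 'sacrificial
lamb' SSH host, as an added example that is not part of the original mail:
a small POSIX shell script that generates the nftables forward-chain rules
for the firewall in front of the SSH host. Interface names, the SSH host's
address and the allow-listed mirror and resolver addresses are assumed
placeholders from the documentation ranges; nft takes literal addresses
here, so you resolve security.debian.org yourself and re-check it when the
ruleset is refreshed.

```shell
#!/bin/sh
# Added example (not from the original mail): nftables rules for the
# firewall in front of a "sacrificial lamb" SSH host.
#
#   Internet (WAN_IF) ---> Firewall ---> Internal network (LAN_IF)
#                             |
#                             v
#                        SSH host (DMZ_IF)
#
# Policy: the Internet may reach the SSH host on the SSH port only; the
# SSH host may open connections only to the hosts in EGRESS_ALLOW; it may
# never initiate anything toward the internal network. Everything else is
# logged and dropped. All names and addresses below are assumed
# placeholders (RFC 5737 documentation ranges), not real infrastructure.

WAN_IF=eth0
LAN_IF=eth1
DMZ_IF=eth2
SSH_HOST=203.0.113.10   # assumed address of the SSH host in the DMZ
SSH_PORT=22

# Outbound allow-list, one "address proto port" per line: the update
# mirror (stand-in for security.debian.org) over HTTP and FTP, plus the
# site resolver for DNS. nft wants literal addresses here, so resolve the
# mirror name yourself and re-check it when the ruleset is refreshed.
EGRESS_ALLOW="
198.51.100.20 tcp 80
198.51.100.20 tcp 21
192.0.2.53 udp 53
"

# Print the complete ruleset to stdout.
gen_ruleset() {
  printf 'flush ruleset\n'
  printf 'table inet bastion_fw {\n'
  printf '  chain forward {\n'
  printf '    type filter hook forward priority 0; policy drop;\n'
  printf '    ct state established,related accept\n'
  # Inbound: only new SSH connections from the Internet to the SSH host.
  printf '    iifname "%s" oifname "%s" ip daddr %s tcp dport %s ct state new accept\n' \
    "$WAN_IF" "$DMZ_IF" "$SSH_HOST" "$SSH_PORT"
  # Outbound: one accept rule per allow-listed destination.
  printf '%s\n' "$EGRESS_ALLOW" | while read -r addr proto port; do
    [ -n "$addr" ] || continue
    printf '    iifname "%s" oifname "%s" ip saddr %s ip daddr %s %s dport %s ct state new accept\n' \
      "$DMZ_IF" "$WAN_IF" "$SSH_HOST" "$addr" "$proto" "$port"
  done
  # The SSH host never talks to the internal network; log it so a
  # compromise shows up in the firewall logs.
  printf '    iifname "%s" oifname "%s" log prefix "dmz-to-lan: " drop\n' "$DMZ_IF" "$LAN_IF"
  printf '    log prefix "fw-drop: " drop\n'
  printf '  }\n'
  printf '}\n'
}

# The same allow-list evaluated in plain shell, so the policy can be
# checked without nft or root. Returns 0 if the SSH host may open <proto>
# to <address>:<port>, 1 otherwise.
egress_allowed() {
  printf '%s\n' "$EGRESS_ALLOW" | {
    while read -r addr proto port; do
      if [ "$addr" = "$1" ] && [ "$proto" = "$2" ] && [ "$port" = "$3" ]; then
        exit 0
      fi
    done
    exit 1
  }
}

case "${1:-print}" in
  print) gen_ruleset ;;                  # show the ruleset
  check) gen_ruleset | nft -c -f - ;;    # syntax-check without loading
  apply) gen_ruleset | nft -f - ;;       # load atomically (needs root)
  *) echo "usage: $0 [print|check|apply]" >&2; exit 2 ;;
esac
```

Run it with `check` on the firewall to have nft(8) validate the generated
text before `apply` loads it. `egress_allowed` mirrors only the allow-list,
not the conntrack state handling, so it tells you what the SSH host may
initiate, not what reply traffic the firewall will pass; the log prefixes
are what you would grep the firewall's syslog for when a bot on the SSH
host tries to reach its IRC server or your internal network.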