On Mon, Mar 28, 2005 at 12:37:46PM -0800, Alvin Oga wrote:
> > When I logged on I discovered two outgoing connections to port ircd on
> > the foreign hosts, and something listening on port 48744 TCP.
>
> sorta harmless ... script kiddies having fun

No, it's _not_ harmless. Those are usually signs of IRC bots used to
handle the system remotely. Ever heard of botnets?

In any case, this also shows that you should _really_ implement outbound
filtering as well. Even if people can get into that SSH box, it doesn't
mean that the SSH box should be allowed full access to the Internet
itself. Rootkits are usually downloaded through FTP or WWW servers; if
you had cut those outgoing accesses off (at the firewall), you could have
reduced worm propagation. And, yes, if you need outgoing FTP/WWW access
from that box, then you should have a filter for those servers you
actually need (like security.debian.org).

Sorry, allowing remote access to an SSH server that is not set up in a
properly isolated DMZ with incoming and outgoing filters is not a good
idea.

My suggestion:

    Internet ---> Firewall ---> Internal network
                    > | <
                     SSH  (a 'sacrificial lamb', so to speak)

Have the firewall filter incoming and outgoing connections from the SSH
server and restrict which IPs it can connect to on both sides.

Please _don't_ expose your internal network like this:

    Internet ---> Firewall ---> SSH
                                 |
                                 .-> Internal network

If anybody accesses the SSH server, he has a complete bypass to your
network. Furthermore, there is no way you can set up filters for the
connections from your SSH server to your internal network.

> > My best guess is that ssh failed,
>
> nah ... they probably got in thru exploiting apache or mta or dns
> vs lot harder to exploit ssh to getting in to modifying root-owned files

SSH is usually the easiest way: it implies users/passwords, and there's
no need to remotely overflow it. Although many SSH probes are just sent
to hash out a list of servers out there, to seed the next worm when a new
SSH vulnerability is found.

> > I've rebuilt the machine.
>
> ahhh ... it would have been fun to see how they got in ..
> and when they got in
> and who got in
> and how long they been in
> and where else they broke into to
> and what files they changed
> and ...

That's actually easy to do. Just set up a honeypot in the Internet and
you'll see that; it gets pretty boring after some time. For more
information (and many attack samples) visit http://www.honeynet.org

> that won't stop them ... unless they exploited a race condition
> in /tmp and you didn't have a separate /tmp that was not chmod 1777

I have yet to see a worm exploiting a race condition in /tmp. Most of
them just install a rootkit and go through the kernel.

> i know some people's machine that was coincidentally hacked within
> 5 minutes of getting online to the outside ..

Actually, when these statistics have been made, Windows XP (pre-SP2)
systems go down in about a minute (depending on the ISP they are
connected to, since some are overflown with worms). More info in the
above URL.

Regards

Javier
Attachment:
signature.asc
Description: Digital signature
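The three-legged layout Javier recommends (firewall in the middle, the SSH "sacrificial lamb" on its own DMZ leg, filters on both directions of its traffic) can be expressed as a single nftables forward chain. The script below is an added example written for this page, not code from the thread or from any Debian package. Interface names, the bastion address, the admin source network, the update-mirror range and the two internal jump targets are all assumed placeholders (RFC 1918 and RFC 5737 documentation space); in practice you would fill in the real addresses, for instance those of security.debian.org. Outbound access is limited to HTTP/HTTPS mirrors rather than FTP, since plain FTP egress would also need the ftp conntrack helper. Note that no such chain can be written for the second diagram in the mail, because bastion-to-internal traffic never crosses the firewall there.

```shell
#!/bin/sh
# Added example, not from the original thread: an nftables ruleset for a
# firewall with three legs (Internet, DMZ holding only the SSH host, internal
# network). The bastion may receive SSH from admin networks, fetch packages
# from listed mirrors, query one internal resolver and SSH to two internal
# hosts. Anything else it originates (an outbound IRC session from a bot,
# a wget of a rootkit, a scan of the internal net) is logged and dropped.
#
# Every value below is an assumed placeholder, not taken from the mail.
EXT_IF="${EXT_IF:-eth0}"                            # Internet-facing interface
DMZ_IF="${DMZ_IF:-eth1}"                            # leg holding only the SSH host
INT_IF="${INT_IF:-eth2}"                            # internal network
BASTION="${BASTION:-10.1.1.10}"                     # the exposed SSH server
RESOLVER="${RESOLVER:-10.0.0.53}"                   # internal DNS the bastion may query
ADMIN_NETS="${ADMIN_NETS:-198.51.100.0/24}"         # where admins SSH in from
UPDATE_MIRRORS="${UPDATE_MIRRORS:-203.0.113.0/24}"  # e.g. addresses of security.debian.org
JUMP_TARGETS="${JUMP_TARGETS:-10.0.0.5, 10.0.0.6}"  # internal hosts reachable by SSH

# Print the ruleset; nothing is loaded until apply_bastion_ruleset is called.
render_bastion_ruleset() {
    cat <<EOF
flush ruleset

table inet fw {
    set admin_nets     { type ipv4_addr; flags interval; elements = { $ADMIN_NETS } }
    set update_mirrors { type ipv4_addr; flags interval; elements = { $UPDATE_MIRRORS } }
    set jump_targets   { type ipv4_addr; elements = { $JUMP_TARGETS } }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Internet -> bastion: new SSH sessions from admin networks only
        iifname "$EXT_IF" oifname "$DMZ_IF" ip saddr @admin_nets ip daddr $BASTION tcp dport 22 ct state new accept

        # bastion -> Internet: package updates from the listed mirrors only
        iifname "$DMZ_IF" oifname "$EXT_IF" ip saddr $BASTION ip daddr @update_mirrors tcp dport { 80, 443 } ct state new accept

        # bastion -> internal: DNS to the resolver and SSH to the jump targets, nothing else
        iifname "$DMZ_IF" oifname "$INT_IF" ip saddr $BASTION ip daddr $RESOLVER udp dport 53 ct state new accept
        iifname "$DMZ_IF" oifname "$INT_IF" ip saddr $BASTION ip daddr @jump_targets tcp dport 22 ct state new accept

        # Everything else the bastion originates is logged, then dropped
        iifname "$DMZ_IF" ip saddr $BASTION ct state new log prefix "bastion-denied: " drop
    }
}
EOF
}

# Dry-run the ruleset with nft -c first; load it only if it parses. Needs root.
apply_bastion_ruleset() {
    render_bastion_ruleset | nft -c -f - || return 1
    render_bastion_ruleset | nft -f -
}

# Number of rules that open a new flow for the bastion. A cheap check that the
# allow-list has not quietly grown during later edits.
count_accept_rules() {
    render_bastion_ruleset | grep -c 'ct state new accept'
}

case "${1:-}" in
    apply) apply_bastion_ruleset ;;
    *)     render_bastion_ruleset ;;
esac
```

Run it without arguments to review the generated rules, and as `sh bastion-fw.sh apply` on the firewall to load them. The denied-egress log line is the thing to watch afterwards: a compromised bastion shows up as repeated `bastion-denied:` entries with a destination port such as 6667 long before anyone logs in and notices the IRC connections by hand.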