
Re: My machine was hacked - possibly via sshd?



On Mon, Mar 28, 2005 at 12:37:46PM -0800, Alvin Oga wrote:
> > When I logged on I discovered two outgoing connections to port ircd on 
> > the foreign hosts, and some thing listening on port 48744 TCP.  
> 
> sorta harmless ... script kiddies having fun

No, it's _not_ harmless. Those are usually signs of IRC bots used to handle 
the system remotely. Ever heard of botnets?

In any case, this also shows that you should _really_ also implement 
outbound filtering. Even if people can get into that SSH box it doesn't 
mean that the SSH box should be allowed full access to the Internet itself. 
Rootkits are usually downloaded through FTP or WWW servers; if you had cut 
those outgoing accesses off (at the firewall), you could have reduced worm 
propagation.

And, yes, if you need outgoing FTP/WWW access from that box then you should
have a filter for those servers you actually need (like
security.debian.org). Sorry, allowing remote access to an SSH server that
is not set up in a properly isolated DMZ with incoming and outgoing filters
is not a good idea.

My suggestion:

Internet ---> Firewall ---> Internal network
                  ^
                  |
                  v
                 SSH
(a 'sacrificial lamb' so to speak)

Have the firewall filter incoming and outgoing connections from the SSH 
server and restrict which IPs it can connect to on both sides.

Please _don't_ expose your internal network like this:

Internet ---> Firewall ---> SSH
                        |
                        .-> Internal network

If anybody accesses the SSH server he has a complete bypass to your 
network. Furthermore, there is no way you can setup filters for the 
connections from your SSH server to your internal network.

> >  My best guess is that ssh failed,
> 
> nah ... they probably got in thru exploiting apache or mta or dns
> vs lot harder to exploit ssh to getting in to modifying root-owned files

SSH is usually the easiest way; it implies users/passwords and there's no 
need to remotely overflow it. Although many SSH probes are just sent to hash 
out a list of servers out there to seed the next worm when a new SSH 
vulnerability is found.

> > I've rebuilt the machine. 
> 
> ahhh ... it would have been fun to see how they got in ..
> 	and when they got in
> 	and who got in
> 	and how long they been in
> 	and where else they broke into to
> 	and what files they changed
> 	and ...

That's actually easy to do. Just set up a honeypot on the Internet and 
you'll see that; it gets pretty boring after some time. For more 
information (and many attack samples) visit http://www.honeynet.org

> that won't stop them ... unless they exploited a race condition
> in /tmp and you didn't have a separate /tmp that was not chmod 1777

I have yet to see a worm exploiting a race condition in /tmp. Most of them 
just install a rootkit and go through the kernel.

> i know some people's machine that was coincidentally hacked within 
> 5 minutes of getting online to the outside ..

Actually, when these statistics were compiled, Windows XP (pre-SP2) systems
went down in about a minute (depending on the ISP they are connected to,
since some are overrun with worms). More info at the above URL.

Regards

Javier

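As an added example (not part of Javier's message or of the thread), the
"sacrificial lamb" layout above expressed as firewall rules: the SSH host
sits on its own leg of the firewall, may be reached on port 22 only from an
admin range, may itself reach only a DNS resolver and an update mirror on
FTP/HTTP, and is logged and dropped if it tries to open anything else,
towards the Internet or towards the internal network. All addresses
(SSH_HOST, INTERNAL_NET, DNS_SERVER, UPDATE_MIRROR, ADMIN_SRC) are
placeholders from the RFC 5737 documentation ranges, chosen here for
illustration; UPDATE_MIRROR stands in for the address of
security.debian.org. The script prints an iptables-restore ruleset for
review and loads it only when given --apply.

```shell
#!/bin/sh
# Added example: firewall rules for the 'sacrificial lamb' SSH host.
# All addresses below are placeholders chosen for this illustration
# (RFC 5737 documentation ranges), not values from the thread.
set -eu

SSH_HOST="192.0.2.10"         # the SSH host on its own firewall leg
INTERNAL_NET="10.0.0.0/8"     # the internal network
DNS_SERVER="192.0.2.53"       # the only resolver the SSH host may query
UPDATE_MIRROR="198.51.100.5"  # stand-in for the address of security.debian.org
ADMIN_SRC="203.0.113.0/24"    # Internet range allowed to ssh in

# Emit an iptables-restore ruleset for the firewall's FORWARD chain.
# Only the traffic the SSH host needs is forwarded; everything else it
# initiates (IRC, ad-hoc FTP/HTTP fetches, anything towards the LAN)
# is logged and dropped. The firewall's own INPUT/OUTPUT are left open
# here because hardening the firewall host itself is a separate topic.
egress_rules() {
	cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
# Packets belonging to flows already accepted below, both directions.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound: SSH to the sacrificial lamb only, and only from the admin range.
-A FORWARD -s $ADMIN_SRC -d $SSH_HOST -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Outbound from the SSH host: DNS to our resolver, FTP/HTTP to the update mirror.
# (Passive FTP data connections also need the nf_conntrack_ftp helper loaded,
# otherwise they are not classified as RELATED and are dropped below.)
-A FORWARD -s $SSH_HOST -d $DNS_SERVER -p udp --dport 53 -j ACCEPT
-A FORWARD -s $SSH_HOST -d $UPDATE_MIRROR -p tcp -m multiport --dports 21,80 -m conntrack --ctstate NEW -j ACCEPT
# The SSH host may never open connections into the internal network ...
-A FORWARD -s $SSH_HOST -d $INTERNAL_NET -j LOG --log-prefix "dmz-to-lan: "
-A FORWARD -s $SSH_HOST -d $INTERNAL_NET -j DROP
# ... nor anywhere else. An IRC bot phoning home or a rootkit download
# from an arbitrary server ends up here.
-A FORWARD -s $SSH_HOST -j LOG --log-prefix "dmz-egress: "
-A FORWARD -s $SSH_HOST -j DROP
COMMIT
EOF
}

# Return 0 if the generated ruleset never lets the SSH host reach the LAN
# (the mistake in the second diagram); a quick self-check before loading it.
no_dmz_to_lan_accept() {
	if egress_rules | grep -- "-s $SSH_HOST -d $INTERNAL_NET" | grep -q -- "-j ACCEPT"; then
		return 1
	fi
	return 0
}

# Usage: ./egress.sh          -> print the ruleset for review
#        ./egress.sh --apply  -> load it (as root) with iptables-restore
case "${1-}" in
	--apply) no_dmz_to_lan_accept && egress_rules | iptables-restore ;;
	*)       egress_rules ;;
esac
```

Two points worth noting: the rule order matters, since the ESTABLISHED,RELATED
rule at the top is what lets replies to the admin's SSH session and to the
mirror fetches through while the SSH host's own new connections still hit
the DROP rules at the bottom; and because the log prefixes distinguish
"dmz-to-lan" from "dmz-egress", a compromised SSH host trying to reach IRC
or to pull a rootkit shows up in the firewall log instead of succeeding.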