Re: My machine was hacked - possibly via sshd? - bots
hi ya javier
On Tue, 29 Mar 2005, Javier Fernández-Sanguino Peña wrote:
> On Mon, Mar 28, 2005 at 12:37:46PM -0800, Alvin Oga wrote:
> > > When I logged on I discovered two outgoing connections to port ircd on
> > > the foreign hosts, and some thing listening on port 48744 TCP.
> >
> > sorta harmless ... script kiddies having fun
>
> No, it's _not_ harmless. Those are usually signs of IRC bots used to handle
> the system remotely. Ever heard of botnets?
it's harmless if it's incoming ssh connection attempts
it's bad if it's outgoing ssh attempts
- incoming ssh should be hardened with port# changes, latest versions,
specific ip# only, etc, etc...
> In any case, this also shows that you should _really_ implement also
> outbound filtering. Even if people can get into that SSH box it doesn't
> mean that the SSH box should be allowed full access to the Internet itself.
i assume all boxes are hacked and one should not trust any other box
> Rootkits are usually downloaded through FTP or WWW servers,
if they (rootkit/exploits) can do that ... the fw and security layers are
clearly not working even if you do allow ftp and www downloads or uploads
for your users
> My suggestion:
>
> Internet ---> Firewall ---> Internal network
>                   |
>                   |
>                   v
>                  SSH
>           (a 'sacrificial lamb' so to speak)
and one needs to add more machines to clean up the actual network
suggestions ??
- more machines for vpn, wireless, backups,
secure machines, user machines, home machines, ... etc
> SSH is usually the easiest way, it implies users/passwords and there's no
> need to remote overflow it. Although many SSH probes are just sent to hash
> out a list of servers out there to seed the next worm when a new SSH
> vulnerability is found.
i'm hoping that brute force ssh or intelligent ssh attacks are not the
easiest way to get in ..
> >
> > ahhh ... it would have been fun to see how they got in ..
> > and when they got in
> > and who got in
> > and how long they been in
> > and where else they broke into
> > and what files they changed
> > and ...
>
> That's actually easy to do. Just setup a honeypot in the Internet and
> you'll see that, it gets pretty boring after some time. For more
> information (and many attack samples) visit http://www.honeynet.org
yupperz
> > that won't stop them ... unless they exploited a race condition
> > in /tmp and you didn't have a separate /tmp that was not chmod 1777
>
> I have yet to see a worm exploiting a race condition in /tmp. Most of them
> just install a rootkit and go through the kernel.
>
yup ...
c ya
alvin
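(Added example, not part of the thread and not code from any of the posters.) The two symptoms in the original report, outgoing connections to the ircd port and something listening on 48744/tcp, are exactly what a pass over `netstat -tanp` output turns up, and the same pass separates Alvin's "incoming" case (someone connecting to our sshd) from the "outgoing" case (this host initiating connections). The script below parses a constructed netstat-style socket table and flags outbound connections to IRC ports plus listeners on ports the host is not supposed to serve. The IRC port set, the expected-listener set (only sshd on 22) and the sample lines are assumptions made for the example.

```python
"""Triage a `netstat -tanp` socket table for the two symptoms reported in
the thread: outbound connections to IRC ports and a listener on a port the
host is not supposed to serve.  Added example; the port sets and the sample
table are assumptions, not data from the original report."""
from dataclasses import dataclass

# Assumption: ports a classic ircd listens on.  Extend for your environment.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# Assumption: the box is a bare SSH host, so sshd on 22 is the only service.
EXPECTED_LISTENERS = {22}

# Constructed sample in `netstat -tanp` layout (not from the original post).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:48744           0.0.0.0:*               LISTEN      2371/-bash
tcp        0      0 192.0.2.10:22           198.51.100.7:51022      ESTABLISHED 2201/sshd: alice [priv]
tcp        0      0 192.0.2.10:38810        203.0.113.55:6667       ESTABLISHED 2371/-bash
tcp        0      0 192.0.2.10:38811        203.0.113.56:6667       ESTABLISHED 2371/-bash
tcp        0      0 192.0.2.10:44120        203.0.113.9:443         ESTABLISHED 2440/wget
"""


@dataclass(frozen=True)
class Sock:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    prog: str          # "PID/name" column, or "-" when netstat could not map it

    @property
    def pid(self) -> str:
        return self.prog.split('/', 1)[0]


def _split_addr(addr: str):
    """Split 'host:port'; the '*' port on a listener's foreign side becomes 0."""
    host, _, port = addr.rpartition(':')
    return host, 0 if port == '*' else int(port)


def parse_netstat(text: str) -> list:
    """Parse the tcp lines of `netstat -tanp`; header and non-tcp lines are skipped."""
    socks = []
    for line in text.splitlines():
        parts = line.split(None, 6)           # program name may contain spaces
        if len(parts) < 6 or not parts[0].startswith('tcp'):
            continue
        lip, lport = _split_addr(parts[3])
        rip, rport = _split_addr(parts[4])
        prog = parts[6] if len(parts) > 6 else '-'
        socks.append(Sock(lip, lport, rip, rport, parts[5], prog))
    return socks


def classify(socks: list) -> list:
    """Label every socket.  A connection whose local port is one we LISTEN on is
    inbound (someone connected to us, e.g. ssh brute forcing); anything else is
    outbound, i.e. this host initiated it, which is the case that matters."""
    listening = {s.local_port for s in socks if s.state == 'LISTEN'}
    out = []
    for s in socks:
        if s.state == 'LISTEN':
            label = 'listener-expected' if s.local_port in EXPECTED_LISTENERS else 'listener-unexpected'
        elif s.local_port in listening:
            label = 'inbound'
        elif s.remote_port in IRC_PORTS:
            label = 'outbound-irc'
        else:
            label = 'outbound'
        out.append((label, s))
    return out


SUSPICIOUS = {'listener-unexpected', 'outbound-irc'}


def suspicious(socks: list) -> list:
    """Only the findings worth acting on."""
    return [(label, s) for label, s in classify(socks) if label in SUSPICIOUS]


def suspect_pids(findings: list) -> set:
    """PIDs behind the findings: the next step is /proc/<pid>/exe, cwd and fd."""
    return {s.pid for _, s in findings if s.pid.isdigit()}


if __name__ == '__main__':
    found = suspicious(parse_netstat(SAMPLE_NETSTAT))
    for label, s in found:
        print(f"{label:20} {s.local_ip}:{s.local_port} -> {s.remote_ip}:{s.remote_port}  {s.prog}")
    print("suspect pids:", sorted(suspect_pids(found)))
```

On the sample, the 48744 listener and both 6667 connections come back, all owned by the same PID, while the incoming ssh session and the outbound https fetch do not. Two caveats a practitioner should keep in mind: the parser expects the `netstat -tanp` column layout (`ss -tanp` puts State first), and, as Javier notes, most rootkits go through the kernel, so a netstat run on the compromised box may already be lying; compare against /proc or run it from a clean boot medium. The `outbound` class is also exactly the traffic the outbound filtering suggested in the thread would have stopped unless explicitly allowed.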