
Re: need help with openssh attack



I use fail2ban, but the fact is there are absolutely no records of
connections in auth.log. I am sure ssh is used because after I blocked
the ssh port entirely, the "perl" process does not start anymore. Besides, on
different machines I use different ports, and in all environ files of
the perl process in /proc the right port is written. It should
also be mentioned that the SSLVL variable is always 1, while I think it
should be 2.
On Thu, Dec 29, 2011 at 7:47 PM, Taz <taz.inside@gmail.com> wrote:
> Of course, I've double-changed all passwords and regenerated ssh keys.
>
> On Thu, Dec 29, 2011 at 7:44 PM, Taz <taz.inside@gmail.com> wrote:
>> http://security.stackexchange.com/questions/10202/perl-script-rootkit
>>
>> here it is, all the details. please check out
>>
>> On Thu, Dec 29, 2011 at 7:31 PM, Kees de Jong <keesdejong@gmail.com> wrote:
>>> If you are absolutely sure that they gained root access then there is no
>>> other alternative than to kill the internet on those machines.
>>> And then you should back up all the data you want to preserve so that you
>>> can reinstall those machines safely. There is no telling if they installed
>>> another SSH server or other nasty things like rootkits.
>>> Most attackers install their own SSH server so that any changes you make to
>>> patch your security holes aren't putting them out of business.
>>> Unless you have aide installed and made regular checksums of all the files
>>> and configs then you have no idea if anything is changed since the attack.
>>> You can also try rkhunter and chkrootkit to find any rootkits on your
>>> system, but they aren't conclusive.
>>>
>>> The only way to be sure that you are in the clear is a total new start on
>>> all the affected machines.
>>>
>>>
>>> PS: We all got it now, fail2ban is a great tool ;-)
>>>
>>>
>>>
>>>
>>> On Thu, Dec 29, 2011 at 15:04, Taz <taz.inside@gmail.com> wrote:
>>>>
>>>> Hello, we've got various debian servers, about 15, with different
>>>> versions. All of them have been attacked today and granted root
>>>> access.
>>>> Can anybody help? We can give ssh access to attacked machine, it seems
>>>> to be serious ssh vulnerability.
>>>>
>>>> How can I contact openssh mnt?
>>>>
>>>> Thank you.
>>>>
>>>>
>>>> --
>>>> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
>>>> with a subject of "unsubscribe". Trouble? Contact
>>>> listmaster@lists.debian.org
>>>> Archive:
>>>> http://lists.debian.org/CA+0W4N=At0EsJ+Y3d8DRZW8u+S6Tcr6BCUha+W+U5rL-80v8QA@mail.gmail.com
>>>>
>>>
>>>
>>>
>>> --
>>> Kind regards,
>>> Kees de Jong
>>>
>>>
>>> The information contained in this message may be confidential and is
>>> intended to be exclusively for the addressee(s).
>>> Should you receive this message unintentionally, please do not use the
>>> contents herein and notify the sender immediately by return e-mail.
>>>
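The top reply describes checking the environ files of the suspicious perl process under /proc to see which SSH port it was launched through. The following script is an added example, not code from the thread or from any of its participants: it automates that triage step by walking a /proc-style tree and reporting every process whose environment or command line matches a pattern. It relies on the fact that OpenSSH sets SSH_CONNECTION (client address, client port, server address, server port) in the environment of sessions it spawns, so a child of an SSH session carries the server port in its environ. The proc root is a parameter so the scan can run against a copied tree or the constructed sample built by build_fake_proc; the SSLVL entry in that sample is taken from the poster's description and its meaning is not assumed.

```python
"""Find processes whose /proc/<pid>/environ or cmdline matches a pattern.

Added example for the thread above, not the poster's own tooling.
On a live system run it as root with proc_root="/proc"; without root the
environ files of other users' processes are unreadable and are skipped.
"""
import os
import re
import tempfile


def read_nul_separated(path):
    """Return the non-empty NUL-separated entries of a /proc file (environ, cmdline)."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:  # process already exited, or no permission to read it
        return []
    return [item.decode("utf-8", "replace") for item in data.split(b"\0") if item]


def scan_proc(proc_root, needle_regex):
    """Walk every numeric directory under proc_root and collect the processes
    whose environ or cmdline contains a match for needle_regex.

    Returns a list of dicts sorted by directory name, each with the pid, the
    joined cmdline, and the matching environ and cmdline entries."""
    pattern = re.compile(needle_regex)
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        cmdline = read_nul_separated(os.path.join(pid_dir, "cmdline"))
        environ = read_nul_separated(os.path.join(pid_dir, "environ"))
        env_matches = [e for e in environ if pattern.search(e)]
        cmd_matches = [c for c in cmdline if pattern.search(c)]
        if env_matches or cmd_matches:
            hits.append({
                "pid": int(entry),
                "cmdline": " ".join(cmdline),
                "env": env_matches,
                "cmd": cmd_matches,
            })
    return hits


def build_fake_proc(root, processes):
    """Construct a minimal /proc-like tree for offline testing.

    processes maps pid -> (argv list, {env_name: value}); files are written in
    the same NUL-separated layout the kernel uses."""
    for pid, (argv, env) in processes.items():
        pid_dir = os.path.join(root, str(pid))
        os.makedirs(pid_dir, exist_ok=True)
        with open(os.path.join(pid_dir, "cmdline"), "wb") as fh:
            fh.write(b"\0".join(a.encode() for a in argv) + b"\0")
        with open(os.path.join(pid_dir, "environ"), "wb") as fh:
            fh.write(b"\0".join(f"{k}={v}".encode() for k, v in env.items()) + b"\0")


def demo_scan(needle_regex=r"\b2222\b|^SSLVL="):
    """Build a constructed sample tree and scan it.

    Constructed sample (not real data): one perl process spawned from an SSH
    session to server port 2222, plus an unrelated cron process."""
    tmp = tempfile.mkdtemp(prefix="fakeproc-")
    build_fake_proc(tmp, {
        101: (["perl"], {"SSH_CONNECTION": "10.0.0.5 40000 10.0.0.9 2222",
                         "SSLVL": "1"}),
        202: (["/usr/sbin/cron"], {"PATH": "/usr/bin"}),
    })
    return scan_proc(tmp, needle_regex)


if __name__ == "__main__":
    for hit in demo_scan():
        print(hit)
```

Matching on the port is the same check the poster did by hand, but a regex such as `^SSH_CONNECTION=` or `^SSH_CLIENT=` turns it into a general "which processes descend from an SSH session" inventory, which is a useful first pass before deciding whether a host must be rebuilt.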