Re: need help with openssh attack
Any chance you have a web server on these boxes? Anything that allows file upload? A very common attack is to upload a .pl file through a form, and if that form is sending to a path in your web root, that .pl file basically becomes executable via a URL. Once it's run, it can do just about anything your web server process can do, and from there local exploits are possible. This includes running standalone SSH daemons, etc.
I'm with everyone else - if you haven't cut them to the outside world already, you should.
On Dec 29, 2011, at 10:56 AM, Taz wrote:
> I use fail2ban but the fact is there are absolutely no records of
> connections in auth.log. I am sure ssh is used because after I blocked
> the ssh port at all, the "perl" process does not start anymore. Besides, on
> different machines I use different ports and in all environ files of
> the perl process in /proc there is the right port written. It should be
> also mentioned that the SSLVL variable is always 1, while I think it
> should be 2.
> On Thu, Dec 29, 2011 at 7:47 PM, Taz <taz.inside@gmail.com> wrote:
>> Of course, I've double changed all passwords and regenerated ssh keys.
>>
>> On Thu, Dec 29, 2011 at 7:44 PM, Taz <taz.inside@gmail.com> wrote:
>>> http://security.stackexchange.com/questions/10202/perl-script-rootkit
>>>
>>> here it is, all the details. please check out
>>>
>>> On Thu, Dec 29, 2011 at 7:31 PM, Kees de Jong <keesdejong@gmail.com> wrote:
>>>> If you are absolutely sure that they gained root access then there is no
>>>> other alternative than to kill the internet on those machines.
>>>> And then you should back up all the data you want to preserve so that you
>>>> can reinstall those machines safely. There is no telling if they installed
>>>> another SSH server or other nasty things like rootkits.
>>>> Most attackers install their own SSH server so that any changes you make to
>>>> patch your security holes aren't putting them out of business.
>>>> Unless you have aide installed and made regular checksums of all the files
>>>> and configs then you have no idea if anything is changed since the attack.
>>>> You can also try rkhunter and chkrootkit to find any rootkits on your
>>>> system, but they aren't conclusive.
>>>>
>>>> The only way to be sure that you are in the clear is a total new start on
>>>> all the affected machines.
>>>>
>>>>
>>>> PS: We all got it now, fail2ban is a great tool ;-)
>>>>
>>>>
>>>>
>>>>
>>>> On Thu, Dec 29, 2011 at 15:04, Taz <taz.inside@gmail.com> wrote:
>>>>>
>>>>> Hello, we've got various debian servers, about 15, with different
>>>>> versions. All of them have been attacked today and granted root
>>>>> access.
>>>>> Can anybody help? We can give ssh access to an attacked machine; it seems
>>>>> to be a serious ssh vulnerability.
>>>>>
>>>>> How can I contact openssh mnt?
>>>>>
>>>>> Thank you.
>>>>>
>>>>>
>>>>> --
>>>>> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
>>>>> with a subject of "unsubscribe". Trouble? Contact
>>>>> listmaster@lists.debian.org
>>>>> Archive: http://lists.debian.org/CA+0W4N=At0EsJ+Y3d8DRZW8u+S6Tcr6BCUha+W+U5rL-80v8QA@mail.gmail.com
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Kind regards,
>>>> Kees de Jong
>>>>
>>>>
>>>> The information contained in this message may be confidential and is
>>>> intended exclusively for the addressee(s).
>>>> If you receive this message in error, you are requested not to use its
>>>> contents and to inform the sender immediately by returning the
>>>> message.
>>>> --
>>>> The information contained in this message may be confidential and is
>>>> intended to be exclusively for the addressee(s).
>>>> Should you receive this message unintentionally, please do not use the
>>>> contents herein and notify the sender immediately by return e-mail.
>>>>
>
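The thread turns on what `/proc` can tell you about an unexpected `perl` process: Taz reads its `environ` to find the bound port, the top reply points out that a `.pl` dropped into the web root and run through a URL inherits the web server's context, and Kees notes that intruders commonly start their own daemon. The following triage script is an added example, not code from the thread or from any tool it names. It gathers argv, cwd, environment and listening sockets for every process whose `comm` matches a given name and flags three signs discussed above: the process is listening on a TCP port (a stand-alone daemon), it runs from a writable or web-served directory, and its environment carries CGI variables (RFC 3875 names), which shows it was spawned by a web request. `DROP_DIRS` and the sample `/proc/net/tcp` table are constructed assumptions; adjust the directories to the host in question.

```python
#!/usr/bin/env python3
"""Triage a suspect interpreter process ('perl' by default) on a Linux host
using only what /proc exposes. Added example; not from the thread."""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Assumed drop locations (constructed); set these to the host's real upload/temp paths.
DROP_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/var/www")
# Variables a CGI handler exports to anything it spawns (RFC 3875 names).
CGI_MARKERS = ("GATEWAY_INTERFACE", "SERVER_SOFTWARE", "REQUEST_METHOD", "SCRIPT_FILENAME")

# Constructed sample of /proc/net/tcp: one LISTEN on 0.0.0.0:2222 (inode 12345),
# one LISTEN on 127.0.0.1:22 (inode 6789), one ESTABLISHED row that must be ignored.
SAMPLE_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6789 1 0000000000000000 100 0 0 10 0
   2: 0A000002:9C40 C6336405:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 7001 1 0000000000000000 20 4 30 10 -1
"""


def parse_environ(raw: bytes) -> Dict[str, str]:
    """/proc/<pid>/environ is NUL-separated KEY=VALUE pairs."""
    env: Dict[str, str] = {}
    for item in raw.split(b"\0"):
        if item:
            key, _, value = item.partition(b"=")
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def parse_cmdline(raw: bytes) -> List[str]:
    """/proc/<pid>/cmdline is NUL-separated argv."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def listening_ports_by_inode(net_tcp: str) -> Dict[int, int]:
    """Parse /proc/net/tcp or tcp6: {socket inode: local port} for LISTEN (state 0A) rows."""
    ports: Dict[int, int] = {}
    for line in net_tcp.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue
        ports[int(f[9])] = int(f[1].rsplit(":", 1)[1], 16)   # port is hex after the colon
    return ports


def socket_inodes(fd_targets: Iterable[str]) -> List[int]:
    """readlink() targets under /proc/<pid>/fd look like 'socket:[12345]'."""
    inodes = []
    for target in fd_targets:
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            inodes.append(int(m.group(1)))
    return inodes


@dataclass
class ProcessReport:
    pid: int
    argv: List[str]
    cwd: str
    env: Dict[str, str]
    listen_ports: List[int]
    findings: List[str] = field(default_factory=list)


def assess(pid: int, argv: List[str], cwd: str, env: Dict[str, str],
           fd_targets: Iterable[str], ports_by_inode: Dict[int, int]) -> ProcessReport:
    """Combine the per-process facts and attach the findings a responder cares about."""
    listen = sorted(ports_by_inode[i] for i in socket_inodes(fd_targets) if i in ports_by_inode)
    report = ProcessReport(pid, argv, cwd, env, listen)
    if listen:
        report.findings.append(f"listening on TCP port(s) {listen}")
    script = next((a for a in argv[1:] if not a.startswith("-")), "")   # first non-option arg
    for path in (cwd, script):
        if any(path == d or path.startswith(d + "/") for d in DROP_DIRS):
            report.findings.append(f"runs from writable/web path {path}")
            break
    hits = [k for k in CGI_MARKERS if k in env]
    if hits:
        report.findings.append(f"inherited CGI environment ({', '.join(hits)}): spawned by a web request")
    return report


def scan_live(name: str = "perl", proc: str = "/proc") -> List[ProcessReport]:
    """Run the checks against a real /proc tree (root is needed to read other users' processes)."""
    ports: Dict[int, int] = {}
    for table in ("net/tcp", "net/tcp6"):
        try:
            with open(os.path.join(proc, table)) as fh:
                ports.update(listening_ports_by_inode(fh.read()))
        except OSError:
            pass
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return []
    reports = []
    for pid in pids:
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "comm")) as fh:
                if fh.read().strip() != name:
                    continue
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
            with open(os.path.join(base, "environ"), "rb") as fh:
                env = parse_environ(fh.read())
            cwd = os.readlink(os.path.join(base, "cwd"))
            fd_dir = os.path.join(base, "fd")
            fds = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue                                # process exited, or not readable
        reports.append(assess(int(pid), argv, cwd, env, fds, ports))
    return reports


if __name__ == "__main__":
    for r in scan_live():
        print(f"pid {r.pid}: {' '.join(r.argv)} (cwd {r.cwd})")
        for finding in r.findings:
            print("  !", finding)
```

Run it as root on the suspect host; an empty findings list for a `perl` process means only that none of these three signs is present, not that the process is benign. The per-process environment is printed in full in the report object because, as the thread shows, variables the attacker's script sets (such as the `SSLVL` Taz mentions) are evidence worth preserving before the machine is rebuilt, and the script's parsers are pure functions so they can equally be run against a copied `/proc` snapshot offline.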