[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: need help with openssh attack



I'm wondering based on this if there is anything in /etc/xinetd.d or if there is anything in /etc/ssh/sshd_config that would point you in the right direction. Sounds like something is spawning based on a connection to port 22. (if OpenSSH itself wasn't exploited)

Times like this: I've found that it helps to use the 'find' command and print a list of files modified within the last 'x' days. ('find / -mtime -5' will show last 5 days, obviously change the '5' for shorter windows) That may indicate anything that has been replaced system-wise and also point you in the right direction. I also find that if a system has been exploited, most automated scripts will chattr the files to make them slightly more difficult for someone that doesn't understand that - there may be a way to search for these directly, but I can't remember off hand. It's just another signature of automated rootkits, though.

Good luck!

On Dec 29, 2011, at 11:32 AM, Taz wrote:

Some of them yes, some of them no. Almost every server has the only
nginx installed without PHP or Perl backend with the simple location /
that just serves static files.perl script was launched from ssh. I am
sure. How could you describe then such environ file of the perl PID?
Where it is clearly mentioned that command was launched throgh ssh on
SSH port from a concrete IP that does not belong to me .  -j DROP rule
on 22 port prevented that script to appear again but i`s not a
solution.



Reply to: