Re: need help with openssh attack
Some of them yes, some of them no. Almost every server has only
nginx installed, without a PHP or Perl backend, with a simple location /
that just serves static files. The perl script was launched from ssh. I am
sure. How then could you describe such an environ file of the perl PID,
where it is clearly mentioned that the command was launched through ssh on
the SSH port from a concrete IP that does not belong to me? A -j DROP rule
on port 22 prevented that script from appearing again, but it's not a
solution.
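The environ check described above, as an added example that is not from the thread: a Python script that parses /proc/<pid>/environ the way the poster did, pulls the client IP and ports out of SSH_CONNECTION or SSH_CLIENT, and lists processes that inherited an SSH session from an address outside an allow-list. The sample environ blob and every address in it are constructed for the example.

```python
import os

# Constructed sample of /proc/<pid>/environ content (NUL-separated KEY=VALUE pairs);
# the addresses are from documentation ranges, not real hosts.
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin:/bin\0"
    b"SSH_CLIENT=198.51.100.23 51234 2222\0"
    b"SSH_CONNECTION=198.51.100.23 51234 203.0.113.5 2222\0"
    b"SHLVL=1\0USER=www-data\0"
)

def parse_environ(raw):
    """Split an environ blob into a dict; entries without '=' are skipped."""
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env

def ssh_origin(env):
    """Return (client_ip, client_port, local_sshd_port) if the process inherited an SSH session."""
    conn = env.get("SSH_CONNECTION", "").split()   # "client_ip client_port server_ip server_port"
    if len(conn) == 4:
        return conn[0], int(conn[1]), int(conn[3])
    client = env.get("SSH_CLIENT", "").split()     # "client_ip client_port server_port"
    if len(client) == 3:
        return client[0], int(client[1]), int(client[2])
    return None

def find_ssh_launched(records, allowed_ips):
    """records: iterable of (pid, comm, raw environ). Returns the processes that carry an
    SSH session from a client IP outside allowed_ips, with SHLVL as an extra clue."""
    hits = []
    for pid, comm, raw in records:
        env = parse_environ(raw)
        origin = ssh_origin(env)
        if origin and origin[0] not in allowed_ips:
            hits.append((pid, comm, origin, env.get("SHLVL", "?")))
    return hits

def read_proc():
    """Yield (pid, comm, environ) for each readable process; run as root to see all of them."""
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/comm") as f, open(f"/proc/{name}/environ", "rb") as g:
                    yield int(name), f.read().strip(), g.read()
            except OSError:
                continue  # process exited, or environ not readable from this uid
```

On a live host run `find_ssh_launched(read_proc(), {"<your admin IPs>"})` as root. environ only reflects what the process had at exec time and can be overwritten by the process or set to anything by an attacker-installed sshd, so treat a hit as a lead to correlate with sshd logs and connection tracking, not as proof.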
On Thu, Dec 29, 2011 at 8:19 PM, Todd Wheeler <todd@wedu.com> wrote:
> Any chance you have a web server on these boxes? Anything that allows file upload? A very common attack is to upload a .pl file through a form, and if that form is sending to a path in your web root, that .pl file basically becomes executable via a URL. Once it's run, it can do just about anything your web server process can do, and from there local exploits are possible. This includes running standalone SSH daemons, etc.
>
> I'm with everyone else - if you haven't cut them to the outside world already, you should.
>
>
> On Dec 29, 2011, at 10:56 AM, Taz wrote:
>
>> I use fail2ban, but the fact is there are absolutely no records of
>> connections in auth.log. I am sure ssh is used because after I blocked
>> the ssh port entirely, the "perl" process does not start anymore. Besides, on
>> different machines I use different ports, and in all environ files of
>> the perl process in /proc the right port is written. It should be
>> also mentioned that the SSLVL variable is always 1, while I think it
>> should be 2.
>> On Thu, Dec 29, 2011 at 7:47 PM, Taz <taz.inside@gmail.com> wrote:
>>> Of course, I've double-changed all passwords and regenerated ssh keys.
>>>
>>> On Thu, Dec 29, 2011 at 7:44 PM, Taz <taz.inside@gmail.com> wrote:
>>>> http://security.stackexchange.com/questions/10202/perl-script-rootkit
>>>>
>>>> here it is, all the details. please check out
>>>>
>>>> On Thu, Dec 29, 2011 at 7:31 PM, Kees de Jong <keesdejong@gmail.com> wrote:
>>>>> If you are absolutely sure that they gained root access then there is no
>>>>> other alternative than to kill the internet on those machines.
>>>>> And then you should back up all the data you want to preserve so that you
>>>>> can reinstall those machines safely. There is no telling if they installed
>>>>> another SSH server or other nasty things like rootkits.
>>>>> Most attackers install their own SSH server so that any changes you make to
>>>>> patch your security holes aren't putting them out of business.
>>>>> Unless you have aide installed and made regular checksums of all the files
>>>>> and configs, you have no idea if anything has changed since the attack.
>>>>> You can also try rkhunter and chkrootkit to find any rootkits on your
>>>>> system, but they aren't conclusive.
>>>>>
>>>>> The only way to be sure that you are in the clear is a total new start on
>>>>> all the affected machines.
>>>>>
>>>>>
>>>>> PS: We all got it now, fail2ban is a great tool ;-)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Dec 29, 2011 at 15:04, Taz <taz.inside@gmail.com> wrote:
>>>>>>
>>>>>> Hello, we've got various Debian servers, about 15, with different
>>>>>> versions. All of them have been attacked today, and root access was
>>>>>> granted.
>>>>>> Can anybody help? We can give ssh access to an attacked machine; it seems
>>>>>> to be a serious ssh vulnerability.
>>>>>>
>>>>>> How can I contact the openssh mnt?
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Kind regards,
>>>>> Kees de Jong
>>>>>
>>
>>
>
>