
Re: need help with openssh attack



On 29.12.2011 18:08, Taz wrote:
md5sums of the sshd files seem to be the same compared to a non-infected
system. I do not have any /etc/xinetd.d; sshd_config is the default
one. I will try to run find / -mtime -5 but I guess nothing
interesting will come.


Any another ideas? I still can provide ssh access.

Still can't believe it's a security hole in sshd. Especially since it's dozens of machines with different versions of distros.

You're able to give ssh access to a machine where, after allowing input on port 22, it's a matter of seconds to have this perl script running?

regards
fEnIo

On Thu, Dec 29, 2011 at 8:42 PM, Todd Wheeler<todd@wedu.com>  wrote:
I'm wondering based on this if there is anything in /etc/xinetd.d or if
there is anything in /etc/ssh/sshd_config that would point you in the right
direction. Sounds like something is spawning based on a connection to port
22. (if OpenSSH itself wasn't exploited)

At times like this, I've found that it helps to use the 'find' command and
print a list of files modified within the last 'x' days. ('find / -mtime -5'
will show the last 5 days; obviously change the '5' for shorter windows.) That
may indicate anything that has been replaced system-wise and also point you
in the right direction. I also find that if a system has been exploited,
most automated scripts will chattr the files to make them slightly more
difficult for someone that doesn't understand that - there may be a way to
search for these directly, but I can't remember off hand. It's just another
signature of automated rootkits, though.

Good luck!

On Dec 29, 2011, at 11:32 AM, Taz wrote:

Some of them yes, some of them no. Almost every server has only
nginx installed, without a PHP or Perl backend, with a simple location /
that just serves static files. The perl script was launched from ssh. I am
sure. How else could you describe such an environ file for the perl PID,
where it is clearly mentioned that the command was launched through ssh on
the SSH port from a concrete IP that does not belong to me? A -j DROP rule
on port 22 prevented that script from appearing again, but it's not a
solution.
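The three checks the thread leans on (reading a suspect process's /proc/PID/environ for the SSH origin, listing recently modified files as 'find / -mtime -N' does, and finding files an automated script has made immutable with chattr +i) can be scripted so they are repeatable across the dozens of hosts mentioned. The following is an added example, not code from any of the posters; it assumes the Linux /proc layout (environ is NUL-separated KEY=VALUE pairs), the text format printed by 'lsattr -R' from e2fsprogs, and uses constructed sample input with RFC 5737 documentation addresses.

```python
#!/usr/bin/env python3
"""Triage helpers for the situation in the thread (added example, not from the list posts).

Assumptions: Linux /proc/<pid>/environ (NUL-separated KEY=VALUE), 'lsattr -R'
output as e2fsprogs prints it ("<flags> <path>", directories on their own line
ending in ':'), and constructed sample data below.
"""
import os
import shutil
import tempfile
import time

# Constructed sample of what a perl process started from an SSH session inherits.
SAMPLE_ENVIRON = (
    b"SHELL=/bin/sh\0USER=www\0"
    b"SSH_CONNECTION=198.51.100.7 51234 203.0.113.5 22\0"
    b"PWD=/tmp\0SSH_CLIENT=198.51.100.7 51234 22\0"
)

# Constructed sample in the shape 'lsattr -R' prints; 'i' is the immutable flag.
SAMPLE_LSATTR = """\
/tmp/.x:
----i---------e------- /tmp/.x/sshd_config
--------------e------- /tmp/.x/run.pl
/usr/sbin:
----i---------e------- /usr/sbin/sshd
"""


def parse_environ(raw: bytes) -> dict:
    """Parse /proc/<pid>/environ bytes into a dict (entries without '=' are skipped)."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def ssh_origin(env: dict):
    """Return (client_ip, client_port, server_port) if the process inherited sshd's variables, else None."""
    conn = env.get("SSH_CONNECTION", "").split()   # client_ip client_port server_ip server_port
    if len(conn) == 4:
        return conn[0], int(conn[1]), int(conn[3])
    client = env.get("SSH_CLIENT", "").split()     # client_ip client_port server_port
    if len(client) == 3:
        return client[0], int(client[1]), int(client[2])
    return None


def recently_modified(root: str, days: float, now: float = None) -> list:
    """Approximate 'find ROOT -mtime -DAYS': regular files whose mtime falls inside the window."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow planted symlinks
            except OSError:
                continue
            if st.st_mtime >= cutoff:
                hits.append(path)
    return sorted(hits)


def immutable_from_lsattr(output: str) -> list:
    """Return the paths in 'lsattr -R' output that carry the immutable ('i') flag."""
    found = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.endswith(":") or line.startswith("lsattr:"):
            continue                         # directory header or error line
        flags, sep, path = line.partition(" ")
        if sep and "i" in flags:             # lowercase i = immutable; 'I' is htree-indexed dir
            found.append(path)
    return found


def demo_recent_files(days: float = 5) -> dict:
    """Build a throwaway tree (one fresh file, one 30-day-old file) and run recently_modified on it."""
    root = tempfile.mkdtemp(prefix="triage-")
    try:
        now = time.time()
        fresh = os.path.join(root, "fresh.pl")
        old = os.path.join(root, "etc", "old.conf")
        os.makedirs(os.path.dirname(old))
        for p in (fresh, old):
            with open(p, "w") as fh:
                fh.write("sample\n")
        os.utime(old, (now - 30 * 86400, now - 30 * 86400))
        hits = recently_modified(root, days, now=now)
        return {"hits": [os.path.relpath(h, root) for h in hits]}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    env = parse_environ(SAMPLE_ENVIRON)
    print("SSH origin of sample process:", ssh_origin(env))
    print("Immutable files in sample lsattr output:", immutable_from_lsattr(SAMPLE_LSATTR))
    print("Files modified in the last 5 days (sample tree):", demo_recent_files()["hits"])
```

On a live host, feed parse_environ the bytes of /proc/<pid>/environ and immutable_from_lsattr the text of 'lsattr -R /' (run as root; expect a few harmless error lines it skips). Both the mtime and the immutable checks are signatures, not proof: an attacker with root can reset mtimes or clear the attribute, and md5sums matching a clean host only show the binaries on disk were not replaced, not that nothing is running from memory or from a different path.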
