
Re: need help with openssh attack



On Thu, Dec 29, 2011 at 11:30:27PM +0400, Taz wrote:
> Anybody wants to check it out?
> I can provide ssh access, if u will give me ssh key.

From the sound of things, we're not going to find much.  It's clear that
the attackers have already cleaned up their tracks by editing auth.log,
etc.  The detailed forensics needed here would likely take a fair bit of
time.  Also, because we'd be working on a compromised host, we likely
couldn't even trust our own tools to give us accurate information.
File-system level forensics would be best performed on a block-level
image of the disk itself (e.g. made using something like dd).

One recommendation I've got for future deployments, if you can allocate
the resources for it, is to have a dedicated syslog host.  This host
should not run any services other than syslogd, including ssh.  Any
access would need to be via the console.  You should be careful to give
it a unique root password, and probably don't even bother to create any
non-root accounts on it.  Configure the rest of your hosts to send their
logs to this host.  Having a copy of things like auth.log whose
integrity can be trusted would be most helpful here.

noah
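The dedicated syslog host recommended above, as an added example that is not part of the original thread or written by its author. It assumes rsyslog on both the clients and the log host, a hypothetical log host name `loghost.example.internal`, and constructed auth.log sample lines (not real data). It shows the two config fragments (client forwarding, log host receiver) and the check that makes the remote copy useful after an incident: listing lines that survive on the log host but have been removed from the local auth.log.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes rsyslog and the
# hypothetical log host name loghost.example.internal.

# 1. Client side: forward auth/authpriv (and everything else) to the log host
#    over TCP (@@) while keeping the local files. Intended for
#    /etc/rsyslog.d/90-remote.conf on each client.
client_forwarding_conf() {
    cat <<'EOF'
auth,authpriv.*    @@loghost.example.internal:514
*.*                @@loghost.example.internal:514
EOF
}

# 2. Log host side: accept TCP syslog and keep one auth.log per sending host,
#    so a client cannot overwrite another client's history.
loghost_receiver_conf() {
    cat <<'EOF'
module(load="imtcp")
input(type="imtcp" port="514")
$template PerHostAuth,"/var/log/remote/%HOSTNAME%/auth.log"
auth,authpriv.*    ?PerHostAuth
EOF
}

# 3. Detection: lines present in the trusted remote copy but absent from the
#    local file mean the local log was edited. Prints the missing lines and
#    returns 1 if any were found, 0 if the two copies agree.
find_removed_log_lines() {
    local_log="$1"; remote_log="$2"
    remote_sorted=$(mktemp); local_sorted=$(mktemp)
    sort "$remote_log" > "$remote_sorted"
    sort "$local_log" > "$local_sorted"
    # comm -23: lines only in the first (remote) file
    missing=$(comm -23 "$remote_sorted" "$local_sorted")
    rm -f "$remote_sorted" "$local_sorted"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Runs the check on constructed sample data: the local copy has had every
# line mentioning the suspicious source address removed.
demo_tamper_check() {
    remote=$(mktemp); local_copy=$(mktemp)
    # Constructed sample lines in auth.log style (documentation addresses).
    cat > "$remote" <<'EOF'
Dec 29 22:41:03 web1 sshd[2112]: Accepted publickey for deploy from 192.0.2.10 port 51234 ssh2
Dec 29 23:02:17 web1 sshd[2208]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Dec 29 23:02:41 web1 sshd[2208]: Accepted password for root from 198.51.100.23 port 40022 ssh2
Dec 29 23:05:09 web1 sshd[2208]: pam_unix(sshd:session): session opened for user root by (uid=0)
EOF
    grep -v '198.51.100.23' "$remote" > "$local_copy"
    rc=0
    find_removed_log_lines "$local_copy" "$remote" || rc=$?
    rm -f "$remote" "$local_copy"
    return $rc
}

# Stand-alone run: report whether the sample local log was tampered with.
demo_tamper_check || echo "local auth.log is missing lines that the log host still has"
```

The comparison only works if the log host really is independent of the compromised machine, which is why the recommendation above limits it to syslogd and console access; with those in place, the remote file becomes the reference and the local file the suspect.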
