
Re: need help with openssh attack



Has this issue been resolved?
Can we be sure this doesn't lead back to a potentially vulnerable component of openssh?

Can you provide any further information?
Did you find the point of entry? (compromise)

Greetings,
Patrick

--
Patrick Geschke
Systems Administration

Top Employer 2011!
KiKxxl was named the second-best employer in Germany by TOP JOB.

KiKxxl GmbH
Mindener Strasse 127
49084 Osnabrück

Tel.: 0541 / 3305 0
Fax : 0541 / 3305 100
Mail: pgeschke@kikxxl.de
WWW : http://www.kikxxl.de

Bremen office
Hermann-Köhl-Straße 1a
28199 Bremen

Registered office Osnabrück,
HRB 18841, Amtsgericht Osnabrück
Managing Director Andreas Kremer


-----Original Message-----
From: Noah Meyerhans [mailto:noahm@debian.org]
Sent: Thursday, 29 December 2011 20:46
To: debian-security@lists.debian.org
Subject: Re: need help with openssh attack

On Thu, Dec 29, 2011 at 11:30:27PM +0400, Taz wrote:
> Anybody want's to check it out?
> I can provide ssh access, if u will give me ssh key.

From the sound of things, we're not going to find much.  It's clear that the attackers have already cleaned up their tracks by editing auth.log, etc.  The detailed forensics needed here would likely take a fair bit of time.  Also, because we'd be working on a compromised host, we likely couldn't even trust our own tools to give us accurate information.  File-system level forensics would be best performed on a block-level image of the disk itself (e.g. made using something like dd).

One recommendation I've got for future deployments, if you can allocate the resources for it, is to have a dedicated syslog host.  This host should not run any services other than syslogd, including ssh.  Any access would need to be via the console.  You should be careful to give it a unique root password, and probably don't even bother to create any non-root accounts on it.  Configure the rest of your hosts to send their logs to this host.  Having a copy of things like auth.log whose integrity can be trusted would be most helpful here.

noah
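The forwarding setup Noah recommends, as an added example that is not part of the thread and not Debian's or rsyslog's own shipped configuration. It uses rsyslog's classic directive syntax, which is what Debian's default syslog daemon understood at the time. The hostname loghost.example.net, the client network 10.0.0.0/24, the file names under /etc/rsyslog.d and the directory /var/log/remote are assumptions for illustration:

```conf
# --- On the dedicated loghost: /etc/rsyslog.d/10-loghost.conf (assumed name) ---
# Accept syslog over TCP, only from the known client network, and file each
# sending host's messages separately so one host's log cannot be confused
# with another's. The loghost itself runs nothing else and has no sshd.
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24
$ModLoad imtcp
$InputTCPServerRun 514
$template RemoteAuth,"/var/log/remote/%HOSTNAME%/auth.log"
$template RemoteAll,"/var/log/remote/%HOSTNAME%/syslog"
auth,authpriv.*    ?RemoteAuth
*.*                ?RemoteAll

# --- On every other host: /etc/rsyslog.d/90-forward.conf (assumed name) ---
# Spool on disk while the loghost is unreachable and retry forever, so a
# reboot or a short outage does not silently drop entries. "@@" is TCP; a
# single "@" would be UDP, which is fire-and-forget.
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName fwdq
$ActionQueueMaxDiskSpace 100m
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
*.* @@loghost.example.net:514
```

Two caveats a deployment should take into account. Plain TCP syslog is neither encrypted nor authenticated, so anyone on the network path can read or inject messages; restricting 514/tcp on the loghost's firewall to the client addresses is the minimum, and rsyslog can carry the stream over TLS (the gtls network stream driver, packaged on Debian as rsyslog-gnutls) if the network is not trusted. And an attacker who gains root on a client can stop the forwarding from that point on; what the loghost preserves is everything sent before that, which in the situation described above is exactly the login that was later scrubbed from the local auth.log, and the moment a host goes quiet is itself worth alerting on.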


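Once a trusted copy exists, the obvious first check after a suspected compromise is to compare it with the host's own auth.log: anything on the loghost that is absent locally was deleted on the host. Below is an added example of that comparison, not code from the thread or from Debian, with a constructed pair of auth.log excerpts embedded for the demonstration; the host name web1, the addresses and the file names are assumptions:

```sh
#!/bin/sh
# Added example, not code from the thread or from Debian: given a host's own
# auth.log and the copy that a dedicated loghost received from it, list the
# lines that are present on the loghost but gone from the local file. An
# attacker who edits the local auth.log cannot retract lines already sent,
# so these are the entries they tried to hide. File names are assumptions.

# missing_on_local LOCAL REMOTE
# Each line of LOCAL is used as a fixed-string (-F), whole-line (-x) pattern;
# -v prints the lines of REMOTE that match none of them, in REMOTE's order.
# grep exits 1 when nothing is selected (no tampering), which is not an error.
missing_on_local() {
    grep -v -x -F -f "$1" "$2" || [ $? -eq 1 ]
}

# count_missing LOCAL REMOTE -> number of lines missing from LOCAL
count_missing() {
    missing_on_local "$1" "$2" | wc -l | tr -d ' '
}

# write_samples DIR: constructed auth.log excerpts for the demonstration.
# The "remote" copy is what the loghost kept; the "local" copy has had the
# root login from 198.51.100.23 removed, the way the thread describes.
write_samples() {
    cat > "$1/auth.log.remote" <<'EOF'
Dec 29 19:02:11 web1 sshd[2011]: Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2
Dec 29 19:40:03 web1 sshd[2140]: Failed password for root from 198.51.100.23 port 41002 ssh2
Dec 29 19:40:05 web1 sshd[2140]: Failed password for root from 198.51.100.23 port 41002 ssh2
Dec 29 19:40:09 web1 sshd[2140]: Accepted password for root from 198.51.100.23 port 41002 ssh2
Dec 29 19:41:30 web1 sshd[2140]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 29 20:15:44 web1 sshd[2300]: Accepted publickey for deploy from 10.0.0.5 port 50410 ssh2
EOF
    cat > "$1/auth.log.local" <<'EOF'
Dec 29 19:02:11 web1 sshd[2011]: Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2
Dec 29 20:15:44 web1 sshd[2300]: Accepted publickey for deploy from 10.0.0.5 port 50410 ssh2
EOF
}

# Stand-alone run: build the samples in a scratch directory and report.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "Lines on the loghost that are missing from the local auth.log:"
    missing_on_local "$dir/auth.log.local" "$dir/auth.log.remote"
    rm -rf "$dir"
}

demo
```

Run it against real files as `missing_on_local /var/log/auth.log /var/log/remote/web1/auth.log` on the loghost after copying the host's file over; do the comparison on the loghost or on a clean analysis machine, not on the compromised host, for the reason Noah gives about not trusting its tools. The check treats the local file as a set of lines, so a line that occurred twice on the loghost but was trimmed to one copy locally will not be flagged, and a rewritten rather than deleted line shows up as the original text only; a line-count and timestamp-gap comparison alongside it catches those cases.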