hacking attempt

Philip Hands phil at hands.com
Sat May 7 19:03:29 EST 2011


On Sat, 7 May 2011 08:18:49 +1000, Darren Tucker <dtucker at zip.com.au> wrote:
> On Sat, May 7, 2011 at 7:55 AM, Scott Neugroschl <scott_n at xypro.com> wrote:
> > Do you normally run your sshd on 55707?
> 
> That log message is of the source port of the connection not the listening port.
> 
> To the OP: I agree with the previous posters that there's probably
> another sshd running on your machine.  You can look for listening
> ports (eg "lsof | grep LISTEN") but it certainly looks like the
> machine is compromised so the only safe action is to determine how
> then reinstall the system from trusted media (fixing the problem,
> obviously).

If you want to get a decent idea of what happened, you could try booting
From a matching version of Debian Live CD, and then mounting the disk(s),
read-only, and doing recursive diffs to see what's different.

debsums can be helpful, as can cruft

You'll probably find that there's a /var/tmp/.foo directory, or
some such that has your rogue ssh in it.

The reason to boot from a known good CD is that if they've done a proper
job (which I doubt, given that they didn't persuade their sshd to not
log the fact that they were hacking in -- Doh!) then they'll have
installed new versions of all the utilities that you'd use to find that
directory or check the contents of the files.

As mentioned, lsof (if it's the real one and the kernel hasn't been
tampered with) will show you the extra ssh, including the file it was
loaded from, which may make things a bit clearer.

Have a look for anything odd in all .bash_history files (or similar for
whatever shells you use).  Script kiddies tend to forget about this.

find can be handy too:

  find / -mtime -10

will show you all the things touched in the last 10 days, for example,
assuming they've not put effort into hiding their tracks.

Cheers, Phil.
-- 
|)|  Philip Hands [+44 (0)20 8530 9560]    http://www.hands.com/
|-|  HANDS.COM Ltd.                    http://www.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20110507/1e3c13a0/attachment.bin>


More information about the openssh-unix-dev mailing list