Rootkit infections: AARRGH!
Brian
gnhlug at karas.net
Mon May 9 09:07:01 EDT 2005
A couple of things come to mind, not as resolutions, but as best practices...
1. NEVER allow root access via SSH. You should have to log in as a user, and
then su - to root, or better yet set up a sudoers file.
2. ONLY allow ssh connections from trusted IPs, not the whole world.
Those 2 things alone will cut your headache factor down by about 80%.
If the box has a CD-ROM, I'd suggest mounting a CD with chkrootkit there, as
well as copies of ls, lsof, top (etc.). That way you have a nice read-only
copy of things that can't be altered. This makes it easier to remotely
recover from (and/or detect) such an attack.
> -----Original Message-----
> From: gnhlug-discuss-admin at mail.gnhlug.org
> [mailto:gnhlug-discuss-admin at mail.gnhlug.org] On Behalf Of Fred
> Sent: Monday, May 09, 2005 8:51 AM
> To: NHLUG (gnhlug-discuss at mail.gnhlug.org)
> Subject: Rootkit infections: AARRGH!
>
> I'm about ready to pull my hair out.
> This is the 2nd time I've had to deal with a rootkit
> infection, eating up my precious time and resources away from
> being productive.
>
> I've installed chkrootkit on the suspect server and found
> that a number of the executables have been infected. I got
> suspicious when the server mysteriously crashed. Sure enough,
> it's infected. And it's an FC3 system to boot. The last
> system to be infected was a RH9 box.
>
>
> What I'd like to know is how my systems are being cracked.
> What is the port of entry(!)? How are my systems broken into?
> What's the latest news on this?
>
> I am suspicious that they are somehow breaking in through ssh
> -- my logs show lots of suspicious sshd authentication
> failures. But my root password is pretty sound, a near random
> mixture of numbers and alpha characters. They must be
> breaking in through another account with a weaker password.
> But I'm not sure of this.
>
> I have taken countermeasures. Firstly, I have changed the ssh
> port number. Not the most secure approach, granted, but at
> least their automated attacks will be foiled somewhat, since
> they'll have to do more work at hitting all of my ports --
> and will probably not bother and move on to the next server.
>
> Secondly, on the infected machines, I use forced RPM installs
> to overwrite everything, then follow up with a run from
> chkrootkit. This seems to work, eliminating the need for me
> to burn down the box and restore everything cleanly. Again,
> not a perfect solution, but seems to work for now.
>
> Thirdly, I have set up chkrootkit to be run daily as a cron
> job, with the results emailed to me.
>
> Well, that's it. Any suggestions will be greatly appreciated.
>
> -Fred
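The two practices in the reply above (no root logins over SSH, SSH only from trusted hosts) and the read-only CD of clean tools, as an added shell example that is not code from the original thread or from either poster. It audits an sshd_config the way sshd reads it (first occurrence of a keyword wins) and compares live binaries against trusted read-only copies. Every path, user name and address below is a constructed placeholder; the CD mount point and the admin user are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits sshd_config for the two
# practices above and checks live binaries against a trusted read-only copy.
# All file names, users and addresses are constructed placeholders.

# Print the value of the first non-comment occurrence of a keyword.
# sshd honours the FIRST occurrence, so a later "PermitRootLogin no" does not
# override an earlier "PermitRootLogin yes"; audit the line sshd will use.
first_value() {
    awk -v kw="$2" 'tolower($1) == tolower(kw) { print $2; exit }' "$1"
}

# Succeed only when root logins are off and at least one AllowUsers entry is
# pinned to a host (user@host pattern), so logins come from trusted addresses.
check_sshd_config() {
    cfg="$1"
    root_login=$(first_value "$cfg" PermitRootLogin)
    if [ "$root_login" != "no" ]; then
        echo "FAIL $cfg: PermitRootLogin is '${root_login:-unset}', want 'no'"
        return 1
    fi
    if ! awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) if ($i ~ /@/) ok = 1 }
              END { exit (ok ? 0 : 1) }' "$cfg"; then
        echo "FAIL $cfg: no AllowUsers entry of the form user@host"
        return 1
    fi
    echo "OK   $cfg: root login disabled, users pinned to trusted hosts"
}

# Constructed hardened fragment (assumed admin user and trusted address patterns).
write_hardened_config() {
    cat > "$1" <<'EOF'
# Practice 1: log in as a user, then su - or sudo; never root directly.
PermitRootLogin no
# Practice 2: only the named admin, and only from two trusted addresses.
AllowUsers admin@192.0.2.* admin@198.51.100.7
PasswordAuthentication no
EOF
}

# Constructed weak fragment: a stock install that lets the whole world try root.
write_weak_config() {
    cat > "$1" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Compare live binaries against trusted read-only copies (e.g. a mounted CD).
# Run it with PATH pointing at the CD's own cmp/basename/awk so a trojaned
# /bin cannot lie to you. Returns 1 if any file differs or is missing.
verify_against_trusted() {
    trusted="$1" live="$2" bad=0
    for ref in "$trusted"/*; do
        [ -e "$ref" ] || continue
        name=$(basename "$ref")
        if ! cmp -s "$ref" "$live/$name"; then
            echo "ALTERED or missing: $live/$name"
            bad=1
        fi
    done
    return "$bad"
}

# Stand-alone demonstration on constructed files in a temporary directory.
demo() {
    work=$(mktemp -d)
    write_hardened_config "$work/sshd_config.hardened"
    write_weak_config "$work/sshd_config.weak"
    check_sshd_config "$work/sshd_config.hardened"
    check_sshd_config "$work/sshd_config.weak"
    mkdir "$work/cdrom" "$work/bin"
    printf 'clean ls binary\n' > "$work/cdrom/ls"; cp "$work/cdrom/ls" "$work/bin/ls"
    printf 'clean ps binary\n' > "$work/cdrom/ps"; printf 'altered ps\n' > "$work/bin/ps"
    verify_against_trusted "$work/cdrom" "$work/bin"
    rm -rf "$work"
}
demo
```

On a real box the verify step would be `PATH=/mnt/cdrom/bin:$PATH verify_against_trusted /mnt/cdrom/bin /bin` (mount point assumed), so that every tool doing the comparison comes from the read-only copy rather than from the possibly trojaned system.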