Rootkit infections: AARRGH!

Neil Joseph Schelly neil at jenandneil.com
Mon May 9 09:17:01 EDT 2005


I think you may be disappointed with some of my answer and that is that you'll 
never know for sure how someone gets in.  My experiences with this have been 
that reinstalling is almost always the best fix in cases like this though, 
and obviously, it takes away the opportunity for a deep investigation when 
you require that server to be online again fast.

As for SSH being the point of entry, I doubt that.  I get those same entries 
for failed logins from my own boxes, but I get the impression that they are 
actually trying out buffer overflow attacks on OpenSSL.  I can't imagine a 
worm that is trying 2 or 3 passwords each on non-privileged accounts that 
usually don't even have passwords (or have a need for a password) is going to 
spread much - that's a worm that is really intended to die off quickly.  More 
likely, it is trying to exploit one of the insecurities found in OpenSSL over 
the last few years, looking for an unpatched box.

That said, I'm assuming FC3 is up to date on those sorts of things, or at 
least that you're keeping up to date on them.  The best way to find out what 
the method of entry is, then, is to try breaking in yourself.  Run all the 
SATAN/SAINT/Nessus/etc types of tools you can get your hands on and see if 
any of the exploits really work.  Even if the exploit only gets access to an 
unprivileged account, local access with one of those may lead to a local 
exploit that hasn't gotten as much attention as a remote exploit.  If that 
doesn't lead anywhere, start visiting IRC channels, newsgroups, etc where 
discussion about hacking/cracking is happening.  Try to find out the new 
tricks and exploits in the wild or that people are working on or anything 
helpful.

Again, you probably won't find it, especially not to be sure. While the 
evidence of a rootkit is easy to identify, the evidence of a breakin is 
usually non-existent.

HTH
-N

On Monday 09 May 2005 08:50 am, Fred wrote:
> I'm about ready to pull my hair out.
> This is the 2nd time I've had to deal with a rootkit infection, eating
> up my precious time and resources away from being productive.
>
> I've installed chkrootkit on the suspect server and found that a number
> of the executables have been infected. I got suspicious when the server
> mysteriously crashed. Sure enough, it's infected. And it's an FC3 system
> to boot. The last system to be infected was a RH9 box.
>
>
> What I'd like to know is how my systems are being cracked. What is the
> port of entry(!), how are my systems broken into? What's the latest news
> on this?
>
> I am suspicious that they are somehow breaking in through ssh -- my logs
> show lots of suspicious sshd authentication failures. But my root
> password is pretty sound, a near random mixture of numbers and alpha
> characters. They must be breaking in through another account with a
> weaker password. But I'm not sure of this.
>
> I have taken countermeasures. Firstly, I have changed the ssh port
> number. Not the most secure approach, granted, but at least their
> automated attacks will be foiled somewhat, since they'll have to do more
> work at hitting all of my ports -- and will probably not bother and move
> on to the next server.
>
> Secondly, on the infected machines, I use forced RPM installs to
> overwrite everything, then follow up with a run from chkrootkit. This
> seems to work, eliminating the need for me to burn down the box and
> restore everything cleanly. Again, not a perfect solution, but seems to
> work for now.
>
> Thirdly, I have set up chkrootkit to be run daily as a cron job, with
> the results emailed to me.
>
> Well, that's it. Any suggestions will be greatly appreciated.
>
> -Fred
>
>
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
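Fred's second countermeasure (force-reinstall the RPMs, then re-run chkrootkit) and his daily cron report both hinge on one question: which packaged files on the box no longer match what the package database says they should be? The script below is an added example written for this thread, not code from either poster. It triages `rpm -Va` output to list files that are missing or whose size or digest differ, skipping config files that are expected to change, so that the result can be fed to `rpm -qf` and a forced reinstall, or counted for a cron mail. The sample `rpm -Va` lines are constructed for the example (`SAMPLE_RPM_VA`), and the function names `suspect_binaries` and `suspect_count` are this example's own. Keep Neil's caveat in mind: `rpm -Va` runs through the same `rpm` binary and kernel the intruder may have replaced, so a clean result is weak evidence and a dirty result is a reason to rebuild from known-good media, not a substitute for doing so.

```shell
#!/bin/sh
# Added example for the gnhlug thread, not code from the posters.
# Triage `rpm -Va` output: find packaged files whose size or digest no
# longer match the RPM database, i.e. the candidates for a forced reinstall.
#
# Constructed sample of `rpm -Va` output (made up for this example, not
# taken from anyone's server). One line per mismatching file:
#   <flag chars>  [attr] <path>     or     missing  [attr] <path>
# Flags: S size, M mode, 5 digest, D device, L link, U user, G group, T mtime.
# attr is "c" (config), "d" (doc) or "g" (ghost) when present.
SAMPLE_RPM_VA='S.5....T    /bin/ls
S.5....T    /bin/ps
.......T    /usr/bin/top
S.5....T  c /etc/ssh/sshd_config
.M......    /var/log
missing     /sbin/ifconfig'

# Read rpm -Va lines on stdin; print one path per line for files that are
# missing, or whose size (S) or digest (5) differ from the package database.
# Config (c), documentation (d) and ghost (g) files are skipped because they
# are expected to change. A changed mtime alone (T) is not reported: it is
# noisy and does not by itself mean the file was replaced.
suspect_binaries() {
  awk '
    $1 == "missing" { print $NF; next }
    substr($1, 1, 1) == "S" || substr($1, 3, 1) == "5" {
      if (NF == 3 && ($2 == "c" || $2 == "d" || $2 == "g")) next
      print $NF
    }'
}

# Number of suspect files: the one-line summary a daily cron job would mail.
# A non-zero count is the signal to look closer, not proof of a rootkit.
suspect_count() {
  suspect_binaries | wc -l | tr -d ' '
}

# On a real Fedora host the pipeline would be:
#   rpm -Va | suspect_binaries | xargs rpm -qf | sort -u
# to map paths to packages, then reinstall those packages from known-good
# media with: rpm -Uvh --replacepkgs --replacefiles <package>.rpm
# Here we run it over the constructed sample instead.
printf '%s\n' "$SAMPLE_RPM_VA" | suspect_binaries
```

Run on the sample it prints `/bin/ls`, `/bin/ps` and `/sbin/ifconfig` and leaves `sshd_config` (config) and `/var/log` (mode only) alone. The point of separating the parse from the reinstall is that the list is auditable before anything is overwritten, which is exactly what a "forced RPM install of everything" loses.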
