Rootkit infections: AARRGH!
Bill Mullen
moon at lunarhub.com
Mon May 9 12:56:00 EDT 2005
On Mon, 2005-05-09 at 08:50, Fred wrote:
> What I'd like to know is how my systems are being cracked. What is the
> port of entry(!), how are my systems broken into. What's the latest news
> on this.
If you're running AWStats on the server, make sure that it's up to date;
there is a vulnerability in versions prior to 6.4, when used in CGI mode
(I've been bitten by this one recently).
http://awstats.sourceforge.net
Besides chkrootkit, I always run rkhunter - I like that it is easily
upgradeable by running "rkhunter --update", which downloads the latest
rootkit signatures, a la ClamAV and the like. It never hurts to get a
second opinion, after all ... ;-)
http://www.rootkit.nl/projects/rootkit_hunter.html
> I am suspicious that they are somehow breaking in through ssh -- my logs
> show lots of suspicious sshd authentication failures.
I get a ton of those as well; ISTR hearing this phenomenon attributed to
unpatched RH6 systems being vulnerable to some worm or other that is the
generator of these attacks, and that runs through a set list of username
and password combinations. I just add each IP address to /etc/hosts.deny
once it turns up in the syslog, and then I never hear from them again.
Many of the recent attempts of this type are originating from SE Asian
nations, it appears; if any list member knows of a good list of the IP
address blocks that are allocated to these regions, I'd love to see it
(or a link to it), as using that in hosts.deny would be a considerably
more efficient way to block these IPs, I'd expect.
--
Bill Mullen
RLU #270075
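The log-scanning-then-hosts.deny routine Bill describes, as an added example that is not part of the original post: it counts sshd failed-password lines per source address over a constructed sample syslog excerpt and emits hosts.deny entries for sources at or above a threshold. The threshold value, the sample addresses and the log line layout are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the style of OpenSSH auth failures
# (hypothetical hosts and RFC 5737 documentation addresses; not a real log).
SAMPLE_LOG = """\
May  9 03:12:01 web sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
May  9 03:12:03 web sshd[2213]: Failed password for invalid user test from 192.0.2.10 port 4023 ssh2
May  9 03:12:05 web sshd[2215]: Failed password for root from 192.0.2.10 port 4024 ssh2
May  9 03:14:40 web sshd[2301]: Failed password for bill from 198.51.100.7 port 51020 ssh2
May  9 03:14:45 web sshd[2301]: Accepted password for bill from 198.51.100.7 port 51020 ssh2
May  9 03:20:11 web sshd[2410]: Illegal user oracle from 203.0.113.5
May  9 03:20:12 web sshd[2410]: Failed password for invalid user oracle from 203.0.113.5 port 3344 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Failed password for X from IP".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def count_failures(log_text):
    """Return a Counter mapping source IP -> number of failed sshd password attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def hosts_deny_entries(log_text, threshold=3, existing=()):
    """Build 'sshd: <ip>' lines for sources with >= threshold failures.

    IPs already present in `existing` (e.g. parsed from the current
    /etc/hosts.deny) are skipped so repeated runs do not duplicate entries.
    """
    counts = count_failures(log_text)
    known = set(existing)
    return ["sshd: %s" % ip
            for ip, n in sorted(counts.items())
            if n >= threshold and ip not in known]

if __name__ == "__main__":
    for entry in hosts_deny_entries(SAMPLE_LOG):
        print(entry)
```

A low threshold will also catch a legitimate user fumbling a password (198.51.100.7 above), so check the count before appending to /etc/hosts.deny; the file is only consulted by an sshd built with TCP wrappers support.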