The FreeBSD Diary

The FreeBSD Diary (TM) Remember
I remember
[ HOME | TOPICS | INDEX | WEB RESOURCES | BOOKS | CONTRIBUTE | SEARCH | FEEDBACK | FAQ | FORUMS ]

FreeBSD Support
 New Topic  |  Go to Top  |  Go to Topic  |  Search  |  Log In   Newer Topic  |  Older Topic 
 sshd hacked?
Author: fischb22 
Date:   21-09-08 05:08

recently i got a call from the datacenter where my server is located

aparently i am spamming the hell out of everyone, i've since then closed the box down via firewall rules, for investigation

i have found that whenever i log in via SSH an email is created with the username and password of what i logged in with.

i think i have found some discrepancies with sshd

-rwxr-xr-x 1 root wheel 679755 Jan 9 2008 sshd
-r-xr-xr-x 1 root wheel 168488 Jan 9 2008 sshd0


this seems odd to me, all the other files in this directory are dated may 2006

i deleted the source tree, and am doing a csvup right now, going to reinstall sshd when that is done.

was not sure if anyone else found this, or has come accross it.


excpert from /var/log/maillog:

Sep 21 00:43:19 wacko sendmail[6831]: m8L4hIsj006831: to=mosul.cracila@gmail.com, ctladdr=adm
in (1001/0), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30094, relay=[127.0.0.1] [127
.0.0.1], dsn=2.0.0, stat=Sent (m8L4hIcA006834 Message accepted for delivery)

Reply To This Message
 
 Re: sshd hacked?
Author: Dan 
Date:   22-09-08 04:15

What version of FreeBSD where you using?

Be sure to install portaudit.

Do you know how they got in?

--
Webmaster

Reply To This Message
 
 Re: sshd hacked?
Author: fischb22 
Date:   22-09-08 15:48

FreeBSD v6.1

i have a suspicion(that i cannot prove) that someone at the DataCenter did it.

I say that because i use 16 char alpha/numeric passwords, and am VERY careful about logging in.

i'll give portaudit a shot

Reply To This Message
 
 Re: sshd hacked?
Author: Dan 
Date:   22-09-08 15:50

Umm, attacks are usually remote. Not from the datacenter staff. I would see what vulnerable ports you have installed. I suspect you have not kept up with security releases and someone has exploited one.

--
Webmaster

Reply To This Message
 
 Re: sshd hacked?
Author: olyander 
Date:   22-09-08 20:39

I would have loved to see what was in sshd0, among other files on your system. did you "rm" that directory completely? if your running inetd, shut that off and if you do need it, comment out # all the 9000 plus lines that are open on there.

research various ssh attacks on various hack sites, and see what you can find regarding dan's comment, what ports are installed, and to really get things done, work with nessus to see what exploits are known on your server from here on out, otherwise, you just might "owned" again.

There are lots of monitor progs out there; monit, fam, so forth in /usr/ports that will email you quickly when something is touched, chown'd, etc... on critical files and entire directories.

Unfortunately, there are ways to stop email from "getting out" to you, as these types of services are halted before the crack gets to work.

Let us know what you find out?

Sorry to hear bout that...

... And Dan, how about a Security Forum? :) Justa thought...


Oly Ander



Reply To This Message
 
 Re: sshd hacked?
Author: Dan 
Date:   22-09-08 20:53

olyander wrote:


> ... And Dan, how about a Security Forum? :) Justa thought...

When the number of security posts warrant it, sure...

--
Webmaster

Reply To This Message
 
 Re: sshd hacked?
Author: fischb22 
Date:   23-09-08 02:37

i dont have the code for the sshd, but i did keep copies of the binaries

if anyone wants them, i can host them.

i'm no good at reverse engineering software, but help yourself, id be interested to see what comes of it


and yes, i deleted the ENTIRE source tree, and did a build/install world, after a CSVUP

i've been watching my maillog & security logs like a hawk since the installworld.

Reply To This Message
 Forum List  |  Threaded View   Newer Topic  |  Older Topic 


 Forum List  |  Need a Login? Register Here 
 User Login
 User Name:
 Password:
 Remember my login:
   
 Forgot Your Password?
Enter your email address or user name below and a new password will be sent to the email address associated with your profile.
How to get the most out of the forum

phorum.org