Author: fischb22
Date: 21-09-08 05:08
Recently I got a call from the datacenter where my server is located.
Apparently I am spamming the hell out of everyone; I've since then closed the box down via firewall rules, for investigation.
I have found that whenever I log in via SSH an email is created with the username and password of what I logged in with.
I think I have found some discrepancies with sshd:
-rwxr-xr-x 1 root wheel 679755 Jan 9 2008 sshd
-r-xr-xr-x 1 root wheel 168488 Jan 9 2008 sshd0
This seems odd to me; all the other files in this directory are dated May 2006.
I deleted the source tree, and am doing a cvsup right now, going to reinstall sshd when that is done.
Was not sure if anyone else found this, or has come across it.
Excerpt from /var/log/maillog:
Sep 21 00:43:19 wacko sendmail[6831]: m8L4hIsj006831: to=mosul.cracila@gmail.com, ctladdr=admin (1001/0), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30094, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (m8L4hIcA006834 Message accepted for delivery)
Author: Dan
Date: 22-09-08 04:15
What version of FreeBSD were you using?
Be sure to install portaudit.
Do you know how they got in?
--
Webmaster
Author: fischb22
Date: 22-09-08 15:48
FreeBSD v6.1
I have a suspicion (that I cannot prove) that someone at the DataCenter did it.
I say that because I use 16 char alpha/numeric passwords, and am VERY careful about logging in.
I'll give portaudit a shot.
Author: Dan
Date: 22-09-08 15:50
Umm, attacks are usually remote. Not from the datacenter staff. I would see what vulnerable ports you have installed. I suspect you have not kept up with security releases and someone has exploited one.
--
Webmaster
Author: olyander
Date: 22-09-08 20:39
I would have loved to see what was in sshd0, among other files on your system. Did you "rm" that directory completely? If you're running inetd, shut that off, and if you do need it, comment out (#) all the 9000 plus lines that are open on there.
Research various ssh attacks on various hack sites, and see what you can find regarding Dan's comment, what ports are installed, and to really get things done, work with nessus to see what exploits are known on your server from here on out; otherwise, you just might get "owned" again.
There are lots of monitor progs out there: monit, fam, and so forth in /usr/ports that will email you quickly when something is touched, chown'd, etc. on critical files and entire directories.
Unfortunately, there are ways to stop email from "getting out" to you, as these types of services are halted before the crack gets to work.
Let us know what you find out?
Sorry to hear 'bout that...
... And Dan, how about a Security Forum? :) Just a thought...
Oly Ander
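The two observations above, a replaced sshd next to a stray sshd0 in the original post and the file-monitoring suggestion in this reply, both come down to the same defensive check: compare the binaries on disk against a record taken when the tree was trusted. Timestamps alone are weak evidence, since an attacker can set any mtime with touch; a hash manifest is not so easily faked. The script below is an added example, not code from the thread or from monit/fam. It assumes /usr/sbin and a manifest path on removable media are the directory and file you choose, and that either GNU sha256sum or FreeBSD's sha256 is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a tiny integrity baseline for a
# directory of system binaries such as /usr/sbin. Record hashes from a tree
# you trust (e.g. right after installworld), keep the manifest OFF the host,
# and re-run the check from a clean boot or a second machine. It flags
# replaced binaries (like the trojaned sshd) and stray extras (like sshd0).
# Assumes sha256sum (GNU) or sha256 (FreeBSD) is available.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# List regular files under $1 as ./relative paths, sorted for stable diffs.
list_files() {
    (cd "$1" && find . -type f | sort)
}

# make_baseline DIR MANIFEST: write one "hash<TAB>./path" line per file.
make_baseline() {
    dir=$1; manifest=$2
    : > "$manifest"
    list_files "$dir" | while IFS= read -r rel; do
        printf '%s\t%s\n' "$(hash_file "$dir/$rel")" "$rel" >> "$manifest"
    done
}

# check_baseline DIR MANIFEST: print CHANGED/REMOVED/ADDED lines.
# Returns 0 when the tree matches the manifest, 1 otherwise.
check_baseline() {
    dir=$1; manifest=$2
    tab=$(printf '\t')
    report=$(
        # 1. every recorded file must still exist with the recorded hash
        while IFS="$tab" read -r want rel; do
            if [ ! -f "$dir/$rel" ]; then
                echo "REMOVED $rel"
            elif [ "$(hash_file "$dir/$rel")" != "$want" ]; then
                echo "CHANGED $rel"
            fi
        done < "$manifest"
        # 2. anything on disk that the manifest never saw is new (e.g. sshd0)
        list_files "$dir" | while IFS= read -r rel; do
            cut -f2 "$manifest" | grep -Fqx "$rel" || echo "ADDED $rel"
        done
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Usage (paths are placeholders):
#   make_baseline /usr/sbin /mnt/usb/sbin.manifest    # once, from a trusted tree
#   check_baseline /usr/sbin /mnt/usb/sbin.manifest   # later, from a clean boot
```

The manifest is only as good as the tree it was taken from, so take it right after the installworld from fresh sources, not from the box as it was found. Because a compromised host can suppress its own alerts, the check is most trustworthy when the manifest lives elsewhere and the comparison runs against the disk from a clean boot; the tools in /usr/ports can do the same thing on a schedule, but the principle is identical.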
Author: Dan
Date: 22-09-08 20:53
olyander wrote:
> ... And Dan, how about a Security Forum? :) Just a thought...
When the number of security posts warrant it, sure...
--
Webmaster
Author: fischb22
Date: 23-09-08 02:37
I don't have the code for the sshd, but I did keep copies of the binaries.
If anyone wants them, I can host them.
I'm no good at reverse engineering software, but help yourself; I'd be interested to see what comes of it.
And yes, I deleted the ENTIRE source tree, and did a build/install world, after a CVSUP.
I've been watching my maillog & security logs like a hawk since the installworld.