My wife's office server was compromised today. It appears they ssh'ed in through account pcguest which was set up for Samba. (I don't remember setting up that account, but maybe I did.) At any rate, I found a bazillion "ftp_scanner" processes running. A killall finished them off quickly, I nuked the pcguest account, and switched ssh to a different port (which I normally do anyway).

I used 'find' to locate ftp_scanner, which was running in a folder under /var/tmp. It seems that before I could nuke the directory, it nuked itself!

Because it was running from /var/tmp, and because 'find' and 'ps' were not compromised (in that they did not hide the ftp_scanner processes or files), I'm thinking the attacker really didn't get any further than eating some bandwidth.

I suppose I have no choice but to re-install, but I thought I'd get some feedback first. (Something other than, "Way to go, moron.") In the meantime, I'm pulling the plug.

Miark
On Tue, 9 Sep 2008, Miark wrote:

> My wife's office server was compromised today. It appears
> they ssh'ed in through

ehh? exposed to the public internet? oh my ;)

> account pcguest which was set up for Samba. (I don't
> remember setting up that account, but maybe I did.)

ssh will of course honor 'wrappers'; samba can and should be set to respond only on local networks; iptables can block outbound packets just as well as inbound ones ;)

> I used 'find' to locate ftp_scanner, which was running in a
> folder under /var/tmp. It seems that before I could nuke the
> directory, it nuked itself!

Some root kits take matters a bit further and wipe out the partition table, MBR, and more, so that even a reboot will fail.

> Because it was running from /var/tmp, and because 'find' and
> 'ps' were not compromised (in that they did not hide the
> ftp_scanner processes or files), I'm thinking the attacker
> really didn't get any further than eating some bandwidth.

or that they left a 'present' behind, in hopes you don't wipe and reinstall, and attempt to 'repair' a machine in an unknowable state. ;)

> I suppose I have no choice but to re-install, but I thought I'd
> get some feedback first. (Something other than, "Way to
> go, moron.") In the meantime, I'm pulling the plug.

A hard lesson to learn -- I bet you'll remember it.

-- Russ herrold
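The three controls Russ mentions (tcp wrappers in front of sshd, Samba answering only on the LAN, and not giving Samba guests a Unix login) as a configuration fragment. This is an added example, not a config from the thread; the 192.168.1.0/24 network and the eth0 interface name are placeholders.

```ini
# /etc/samba/smb.conf
#
# Weak form: with no "interfaces"/"hosts allow" lines smbd answers on
# every address the box has, including a public one.
#   [global]
#   workgroup = OFFICE
#
# Hardened form: listen and answer only on the office LAN, and map
# unknown users to the unprivileged guest account instead of a real
# Unix user such as pcguest.
[global]
    workgroup = OFFICE
    interfaces = lo eth0 192.168.1.0/24
    bind interfaces only = yes
    hosts allow = 127.0.0.1 192.168.1.0/24
    hosts deny = 0.0.0.0/0
    map to guest = Bad User
    guest account = nobody

# /etc/hosts.allow  (the CentOS 4/5 sshd is linked against libwrap,
# so these rules apply before any password prompt)
sshd: 127.0.0.1 192.168.1.0/255.255.255.0

# /etc/hosts.deny
sshd: ALL
```

Check the Samba side with `testparm -s` and the wrapper rules with `tcpdmatch sshd <address>` before trusting them.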
Yeah, pull the network plug first. Then boot up with a Knoppix CD to back up your data and/or image the disk, then reload. I'm sure you could do a full audit of the system but reloading is likely much quicker.

A word to the wise on the account pcguest: if it was one you created, set the shell to something like /sbin/nologin. That can help to prevent unauthorized ssh access if you happen to leave a password blank.

I'll leave the additional suggestions and heckles to others on the list.
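A quick check for the exact condition the reply warns about (a Samba helper account that still has a real login shell and an empty password). This is an added example, not something posted in the thread; the passwd and shadow lines in it are constructed samples, and the script can be pointed at /etc/passwd and /etc/shadow on a live box instead.

```shell
#!/bin/sh
# Added example, not from the thread: list accounts that could log in over
# ssh the way "pcguest" did, i.e. a real login shell combined with an empty
# password field.  Takes passwd- and shadow-format files as arguments.

risky_accounts() {
    passwd_file=$1
    shadow_file=$2
    awk -F: '
        # first file (shadow): remember the password field per user
        NR == FNR { hash[$1] = $2; next }
        # second file (passwd): field 7 is the login shell
        {
            shell = $7
            # nologin/false cannot be used for an interactive ssh session
            if (shell ~ /(nologin|\/bin\/false)$/) next
            if (!($1 in hash)) { print $1 ": no shadow entry, shell " shell; next }
            h = hash[$1]
            if (h == "")            print $1 ": EMPTY password, shell " shell
            else if (h ~ /^[!*]/)   next      # locked account, cannot log in
            else                    print $1 ": password set, shell " shell
        }
    ' "$shadow_file" "$passwd_file"
}

# Constructed sample data (not from the compromised machine): pcguest has a
# login shell and an empty password, smbsvc is a properly locked-down
# service account, alice is locked with "!!".
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
pcguest:x:501:501:Samba guest:/home/pcguest:/bin/bash
smbsvc:x:502:502:Samba service:/var/lib/samba:/sbin/nologin
alice:x:503:503::/home/alice:/bin/bash'
SHADOW_SAMPLE='root:$1$saltsalt$notarealhashxxxxxxxxxx:14000:0:99999:7:::
pcguest::14000:0:99999:7:::
smbsvc::14000:0:99999:7:::
alice:!!:14000:0:99999:7:::'

# Run the check against the samples above.
demo() {
    p=$(mktemp) && s=$(mktemp) || return 1
    printf '%s\n' "$PASSWD_SAMPLE" > "$p"
    printf '%s\n' "$SHADOW_SAMPLE" > "$s"
    risky_accounts "$p" "$s"
    rm -f "$p" "$s"
}

demo
```

On the samples only root (password set) and pcguest (empty password) are reported; smbsvc is skipped for its nologin shell and alice for being locked.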
--- On Wed, 10/9/08, Miark <mlist2 at gardnerbusiness.com> wrote:

> From: Miark <mlist2 at gardnerbusiness.com>
> Subject: [CentOS] Compromised
> To: centos at centos.org
> Date: Wednesday, 10 September, 2008, 3:24 AM

See http://mirror.centos.org/centos-4/4.6/docs/html/rhel-sg-en-4/ch-exploits.html

Hackers use scanners that use accounts like "test", pcguest etc. A while back I set up a system on VMWare with a blank password for the "test" account. Unfortunately they did not fall for it.

In the meantime, secure your server.