• CentOS 5 hacked

    From dmitry.leonenko@110:300/1.98 to All on Wed Aug 31 16:06:39 2011
    Hello
    It looks like there is a vulnerability in openssh. Version is
    72.el5_6.3 which is the one for CentOS release 5.6 (Final).
    I've found a Perl process that was sending spam (I've also got the source
    code from /proc/<pid>/fd/3). What happened then is that I found strange
    records in audit.log:

    type=USER_LOGIN msg=audit(1314645691.505:290419): user pid=24699 uid=0
    auid=0 msg='uid=0: exe="/usr/sbin/sshd" (hostname=64.71.139.62, addr=64.71.139.62, terminal=/dev/pts/0 res=success)'
    type=ANOM_ABEND msg=audit(1314645695.184:290420): auid=0 uid=0 gid=0
    ses=1152 pid=24699 comm="sshd" sig=6

    And a few records with the same sig=6 and auid=0 on later days. I use auid
    500 and sudo to get root if needed, and these are hack attempts indeed.
    Also there are no PAM records along with these lines.
    Server kernel is:
    Linux vz 2.6.18-194.26.1.el5.028stab081.1 #1 SMP Thu Dec 23 20:17:23
    EEST 2010 x86_64 x86_64 x86_64 GNU/Linux

    I'll re-setup server anyway but I want to get some more info from this
    hack. Any ideas?

    --- FIDOGATE 4.4.10
    * Origin: FTN Gate on kofobbs.net (110:300/1.98)
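Taking the two records quoted above as the pattern to hunt for, here is an added example (not from the post or from any auditd tool) that parses raw auditd lines and flags sshd logins matching it: a session opened with auid=0, no PAM authentication records for the same sshd pid, and an ANOM_ABEND for that pid a few seconds later. The sample log is constructed: the attacker records are the ones from the post, while the legitimate uid 500 session, its address 192.0.2.10 and the exact PAM record layout are made up for illustration. It also assumes, as an assumption rather than a documented fact, that the PAM records and the USER_LOGIN record of one session carry the same sshd pid.

```python
import re
from collections import defaultdict

# Constructed sample: a normal login for uid 500 with its PAM trail (made up,
# address 192.0.2.10), followed by the two records quoted in the post.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1314645600.101:290400): user pid=24610 uid=0 auid=4294967295 msg='PAM: authentication acct="dmitry" : exe="/usr/sbin/sshd" (hostname=192.0.2.10, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_ACCT msg=audit(1314645600.102:290401): user pid=24610 uid=0 auid=4294967295 msg='PAM: accounting acct="dmitry" : exe="/usr/sbin/sshd" (hostname=192.0.2.10, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1314645600.900:290402): user pid=24610 uid=0 auid=500 msg='uid=500: exe="/usr/sbin/sshd" (hostname=192.0.2.10, addr=192.0.2.10, terminal=/dev/pts/1 res=success)'
type=USER_LOGIN msg=audit(1314645691.505:290419): user pid=24699 uid=0 auid=0 msg='uid=0: exe="/usr/sbin/sshd" (hostname=64.71.139.62, addr=64.71.139.62, terminal=/dev/pts/0 res=success)'
type=ANOM_ABEND msg=audit(1314645695.184:290420): auid=0 uid=0 gid=0 ses=1152 pid=24699 comm="sshd" sig=6
"""

AUDIT_RE = re.compile(
    r"^type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Record types sshd's PAM stack emits before a session is granted.
PAM_TYPES = {"USER_AUTH", "USER_ACCT", "CRED_ACQ", "USER_START"}


def parse_record(line):
    """Turn one auditd line into a flat dict; return None for unparseable lines.

    The nested msg='...' payload uses the same key=value syntax as the outer
    record, so it is flattened into the same dict (first occurrence of a key wins).
    """
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    payload = m.group("rest").replace("msg='", " ")
    for ch in "'()":
        payload = payload.replace(ch, " ")
    for key, val in KV_RE.findall(payload):
        rec.setdefault(key, val.strip('"').rstrip(",:"))
    return rec


def find_suspicious_ssh_logins(lines, window_s=30.0):
    """Report successful sshd USER_LOGIN records that look like the post's.

    Reasons checked (any one is enough to report, all matching ones are listed):
      * auid=0: the session was opened directly as root;
      * no PAM records for that sshd pid (assumption: PAM and USER_LOGIN
        records of one session share the sshd child's pid);
      * an ANOM_ABEND for the same pid within window_s seconds of the login.
    """
    records = sorted((r for r in map(parse_record, lines) if r),
                     key=lambda r: (r["ts"], r["serial"]))
    pam_by_pid = defaultdict(set)
    for r in records:
        if r["type"] in PAM_TYPES:
            pam_by_pid[r.get("pid")].add(r["type"])

    findings = []
    for i, r in enumerate(records):
        if r["type"] != "USER_LOGIN" or r.get("exe") != "/usr/sbin/sshd" or r.get("res") != "success":
            continue
        pid = r.get("pid")
        reasons = []
        if r.get("auid") == "0":
            reasons.append("session opened directly as root (auid=0)")
        if not pam_by_pid.get(pid):
            reasons.append("no PAM USER_AUTH/USER_ACCT records for sshd pid %s" % pid)
        for later in records[i + 1:]:
            if later["ts"] - r["ts"] > window_s:
                break
            if later["type"] == "ANOM_ABEND" and later.get("pid") == pid:
                reasons.append("sshd pid %s aborted with signal %s %.1fs after login"
                               % (pid, later.get("sig"), later["ts"] - r["ts"]))
                break
        if reasons:
            findings.append({"serial": r["serial"], "pid": pid, "addr": r.get("addr"),
                             "auid": r.get("auid"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_ssh_logins(SAMPLE_AUDIT_LOG.splitlines()):
        print("audit serial %(serial)s: sshd pid %(pid)s from %(addr)s (auid=%(auid)s)" % f)
        for reason in f["reasons"]:
            print("  - " + reason)
```

On a live box the same function can be fed the output of `ausearch --raw -m USER_AUTH,USER_ACCT,USER_LOGIN,ANOM_ABEND` instead of the embedded sample. A hit on all three reasons is what the post shows; a root login that does carry PAM records and no abort is merely an administrator who allowed root over ssh, which is why each reason is listed separately rather than collapsed into one verdict.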
  • From dmitry.leonenko@110:300/1.98 to Aragorn on Fri Sep 2 09:24:49 2011
    On Sep 1, 12:09 am, Aragorn <stry...@telenet.be.invalid> wrote:
    On Wednesday 31 August 2011 16:06 in comp.os.linux.security,
    dmitry.leonenko enlightened humanity with the following words...:

    Hello
    It looks like that there is a vulnerability in openssh.

    Not necessarily. But there are always ways to try and break into a
    system that doesn't have any security holes. You always have to have a
    way to legitimately log into your system, and there are ways to exploit
    those, e.g. via dictionary attacks or brute force attacks.

    These things can fire off login attempts multiple times per second until
    they get the proper login name and password combination. See below for
    advice on that.

    This system was using fail2ban, so no, it wasn't brute force. Look
    closely at the audit message. It is quite different from a usual login
    attempt. Also chkrootkit showed nothing. Installing a newer version of
    openssh-server solved the problem partially. New login attempts were
    unsuccessful from the attacker IP. But I've reinstalled the system anyway.
    You can never be 100% sure that there is no backdoor somewhere on the
    system. Now CentOS 6 + SELinux. Quite happy with it.

    --- FIDOGATE 4.4.10
    * Origin: FTN Gate on kofobbs.net (110:300/1.98)
  • From Aragorn@110:300/1.98 to All on Wed Aug 31 23:09:06 2011
    On Wednesday 31 August 2011 16:06 in comp.os.linux.security,
    dmitry.leonenko enlightened humanity with the following words...:

    Hello
    It looks like that there is a vulnerability in openssh.

    Not necessarily. But there are always ways to try and break into a
    system that doesn't have any security holes. You always have to have a
    way to legitimately log into your system, and there are ways to exploit
    those, e.g. via dictionary attacks or brute force attacks.

    These things can fire off login attempts multiple times per second until
    they get the proper login name and password combination. See below for
    advice on that.


    If your machine is/was sending out spam, then you probably do have an intrusion on your hands, and then most likely the perpetrator will have installed a rootkit on your machine. Remember, a rootkit is not there
    to give someone unauthorized access to your machine; it is there to
    _hide_ the fact that he already _has_ access, by replacing some
    executables - e.g. "/bin/ls", "/bin/ps", "/sbin/lsmod" et al - by
    executables that perform the same function but do not show you all there
    is to see.

    You will eventually indeed need to reformat your partitions and
    reinstall the operating system, but I would advise you to first use
    chkrootkit or rkhunter - they should be in the CentOS repos if you don't
    have them installed - to give you a clearer view on what is going on.

    Finally, when you're reinstalling your machine, do _not_ allow root
    logins over ssh, and do _not_ use sudo in its default configuration. Set
    up sudo so that it either requires the root password instead of the
    user's own password, or to only allow certain tasks to be carried out
    via the sudo command, but not all root commands. Use "/bin/su" for root
    jobs, and make sure that PAM is set up to only allow the use of
    "/bin/su" to users in the wheel group. It is harder for the blackhat to
    guess two distinct passwords than to have to guess only one and then
    with that one account and sudo, obtain root privileges.

    You may also want to install an intrusion detection package like prelude
    or snort - they should be in the CentOS repositories, but if you can't
    find them, here's where you can get prelude.

    http://tinyurl.com/3boj64g

    I would also advise installing an automatic firewall via the combination
    of Brute Force Defender and Advanced Policy Firewall. As it just so
    happens to be, someone inquired about APF only a few days ago in another group. Let me see whether I can dig up the URL to the source code...
    Ah, here it is...:

    http://www.rfxn.com/projects/advanced-policy-firewall/

    Anyone trying to break in via ssh will get three attempts at a login,
    and if the third attempt fails, the IP address will automatically be
    added to the firewall (via iptables) and you will receive an e-mail from
    root with the information of the break-in attempt.

    Hope this was useful. ;-)

    --
    Aragorn
    (registered GNU/Linux user #223157)

    --- FIDOGATE 4.4.10
    * Origin: FTN Gate on kofobbs.net (110:300/1.98)
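The reinstall advice in Aragorn's post (no root login over ssh, sudo either asking for the root password or limited to named commands, su restricted to the wheel group through PAM) can be checked mechanically. What follows is an added example, not part of the thread and not a CentOS tool: it audits constructed fragments of sshd_config, sudoers and /etc/pam.d/su, a weak version beside a hardened one, and reports what still needs fixing. The file contents and the user name are made up. The PasswordAuthentication check goes slightly beyond the post: key-only login removes the dictionary-attack surface Aragorn describes, so it is included as a related hardening step.

```python
import re

# Constructed samples (not the poster's configuration): a weak and a hardened
# version of each of the three files Aragorn's advice touches.
SSHD_WEAK = """\
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
"""
SSHD_HARDENED = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""
SUDOERS_WEAK = """\
Defaults    requiretty
root    ALL=(ALL)       ALL
dmitry  ALL=(ALL)       ALL
"""
SUDOERS_HARDENED = """\
Defaults    requiretty
Defaults    rootpw
Cmnd_Alias  SERVICES = /sbin/service httpd restart, /sbin/service postfix restart
root    ALL=(ALL)       ALL
dmitry  ALL=(root)      SERVICES
"""
PAM_SU_WEAK = """\
auth        sufficient  pam_rootok.so
#auth       required    pam_wheel.so use_uid
auth        include     system-auth
"""
PAM_SU_HARDENED = """\
auth        sufficient  pam_rootok.so
auth        required    pam_wheel.so use_uid
auth        include     system-auth
"""

SUDO_DIRECTIVES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
# user/group  hosts = (runas) commands   (the runas part is optional)
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def _active_lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def audit_sshd_config(text):
    settings = {}
    for line in _active_lines(text):
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())  # sshd keeps the first value
    findings = []
    # OpenSSH of the CentOS 5 era defaults PermitRootLogin to yes, so an absent
    # or commented keyword is as bad as an explicit 'yes'. Match blocks are ignored.
    if settings.get("permitrootlogin", "yes").lower() != "no":
        findings.append("sshd_config: PermitRootLogin is not 'no' (effective value: %s)"
                        % settings.get("permitrootlogin", "yes (default)"))
    if settings.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("sshd_config: PasswordAuthentication yes leaves accounts open to dictionary attacks")
    return findings


def audit_sudoers(text):
    lines = list(_active_lines(text))
    # 'Defaults rootpw' (or targetpw/runaspw) makes sudo ask for a password other
    # than the invoking user's own; a leading '!' would negate it.
    rootpw = any(l.startswith("Defaults") and re.search(r"(?<![!\w])(rootpw|targetpw|runaspw)\b", l)
                 for l in lines)
    findings = []
    for line in lines:
        if line.startswith(SUDO_DIRECTIVES):
            continue
        m = SPEC_RE.match(line)
        if not m or m.group("who") == "root":
            continue
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        nopasswd = any(c.upper().startswith("NOPASSWD:") for c in cmds)
        names = [re.sub(r"^(?:\w+:\s*)+", "", c) for c in cmds]  # drop NOPASSWD:/SETENV: tags
        if "ALL" in names:
            if nopasswd:
                findings.append("sudoers: '%s' may run any command with no password at all" % m.group("who"))
            elif not rootpw:
                findings.append("sudoers: '%s' may run any command with only their own password "
                                "(no 'Defaults rootpw' and no command restriction)" % m.group("who"))
    return findings


def audit_pam_su(text):
    for line in _active_lines(text):
        fields = line.split()
        if (len(fields) >= 3 and fields[0] == "auth" and fields[1] in ("required", "requisite")
                and fields[2].endswith("pam_wheel.so") and "trust" not in fields[3:]):
            return []
    return ["pam.d/su: no active 'auth required pam_wheel.so' line; any local user may try the root password via su"]


def audit_all(sshd_config, sudoers, pam_su):
    return audit_sshd_config(sshd_config) + audit_sudoers(sudoers) + audit_pam_su(pam_su)


if __name__ == "__main__":
    for label, files in (("weak", (SSHD_WEAK, SUDOERS_WEAK, PAM_SU_WEAK)),
                         ("hardened", (SSHD_HARDENED, SUDOERS_HARDENED, PAM_SU_HARDENED))):
        print("== %s ==" % label)
        for finding in audit_all(*files) or ["no findings"]:
            print("  " + finding)
```

The hardened sudoers shows both forms Aragorn describes at once: `Defaults rootpw` so that the second password is the root one, and a `Cmnd_Alias` so that the account can only restart the two services rather than run everything. The checker treats an unrestricted `ALL` as acceptable only when one of those is in place, and flags `NOPASSWD: ALL` regardless.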
  • From Keith Keller@110:300/1.98 to Aragorn on Thu Sep 1 00:52:52 2011
    On 2011-08-31, Aragorn <stryder@telenet.be.invalid> wrote:

    You will eventually indeed need to reformat your partitions and
    reinstall the operating system, but I would advise you to first use chkrootkit or rkhunter - they should be in the CentOS repos if you don't have them installed - to give you a clearer view on what is going on.

    AFAICT these are in repoforge (formerly rpmforge), not in base CentOS.

    Anyone trying to break in via ssh will get three attempts at a login,
    and if the third attempt fails, the IP address will automatically be
    added to the firewall (via iptables) and you will receive an e-mail from root with the information of the break-in attempt.

    Denyhosts can do this at the hosts.deny level as well (not at the
    iptables level, AFAIK).

    --keith

    --
    kkeller-usenet@wombat.san-francisco.ca.us
    (try just my userid to email me) AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
    see X- headers for PGP signature information


    --- FIDOGATE 4.4.10
    * Origin: FTN Gate on kofobbs.net (110:300/1.98)