On 12/11/05, Craig White <craigwhite@xxxxxxxxxxx> wrote:
> > What's the general removal procedure for this, and better yet, how did
> > they get in?
> ----
> it would seem that ssh, root allowed to login via password would be the
> magic combination of bad judgement...it's been so thoroughly discussed
> on this list as of late.

About three months ago I reported a box I admin'ed was accessed through DDoS on the ssh access port -- the sshd was hit 90,000 times an hour and the attacker gained access. They didn't get to do much as the box had no compiler, no Perl, and was locked up by SELinux. I made the report to both openssh and to the RedHat ssh developers. I was running FC4 with the then current patches up-to-date.

Anyhow... After they (the attacker, who arrived via S.America) spent a few minutes trying to install an eBay spammer and a sendmail backdoor -- both attempts failed -- they deleted some files and gave up. This attack, access, and discovery all happened in less than a 5-hour period. The attacker either was a novice or didn't care to cover their tracks.

Now, before you say that ssh allowed root access - I can assure you that root was not allowed to access the system -- not via ssh; only via the local console.

Since that attack I have reformatted the drives and tossed out all the data and installed clean backups. I have also limited - via cron -- when ssh is available for remote use; hopefully that will reduce the window of opportunity.

I would say there is an ssh brute force hack floating around that has not been documented yet; as such it is in all server admins' best interests to remain vigilant.

-- 
WC -Sx- Jones | http://ccsh.us/ | Open Source Consulting
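The thread describes two things an admin can actually check for: the volume of failed sshd password attempts from one source (the "hit 90,000 times an hour" pattern) and the sshd_config combination Craig's reply names (root login allowed, password authentication on). The following is an added example, not code from the thread or from any of its posters. It parses constructed syslog-style sshd lines (the addresses and usernames are made up), flags sources with many failed password attempts and any password login accepted after a run of failures from the same source, and audits an sshd_config excerpt using OpenSSH's first-match-wins rule for repeated keywords. The threshold values are assumptions chosen for the sample data.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines in syslog auth format; not taken from the original post.
SAMPLE_AUTH_LOG = """\
Dec 11 03:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40101 ssh2
Dec 11 03:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 40102 ssh2
Dec 11 03:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 40103 ssh2
Dec 11 03:00:04 host sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 40104 ssh2
Dec 11 03:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 40105 ssh2
Dec 11 03:00:06 host sshd[1206]: Accepted password for root from 203.0.113.7 port 40106 ssh2
Dec 11 03:10:00 host sshd[1300]: Failed password for wcjones from 198.51.100.5 port 50000 ssh2
Dec 11 03:10:09 host sshd[1301]: Accepted publickey for wcjones from 198.51.100.5 port 50001 ssh2
"""

# Constructed sshd_config excerpts: the weak combination the thread warns about, and a hardened one.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict (result, method, user, src) per recognised sshd auth line, in file order."""
    return [m.groupdict() for m in (LINE_RE.search(l) for l in text.splitlines()) if m]


def brute_force_sources(events, threshold=5):
    """Map source address -> failed password count, for sources at or above the threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed" and e["method"] == "password":
            counts[e["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def successes_after_failures(events, min_failures=3):
    """List (src, user) for password logins accepted after min_failures failures from the same source.

    This is the sequence the post describes: a flood of failed attempts followed by access."""
    failures = defaultdict(int)
    hits = []
    for e in events:
        if e["method"] != "password":
            continue  # key-based logins are not part of a password guessing pattern
        if e["result"] == "Failed":
            failures[e["src"]] += 1
        elif failures[e["src"]] >= min_failures:
            hits.append((e["src"], e["user"]))
    return hits


def audit_sshd_config(text):
    """Flag settings that permit root password login over ssh.

    sshd uses the first value it sees for a keyword, so later duplicates are ignored.
    Keywords left unset are treated as 'yes', which was the OpenSSH default for both
    keywords in the FC4 era (newer releases default PermitRootLogin to prohibit-password)."""
    explicit = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] not in explicit:
            explicit[parts[0]] = parts[1].strip().lower()
    root = explicit.get("PermitRootLogin", "yes")
    passwd = explicit.get("PasswordAuthentication", "yes")
    findings = []
    if root not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows root password login over ssh")
    if passwd == "yes":
        findings.append("PasswordAuthentication is enabled, so password guessing is possible")
    return findings


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    print("brute force sources:", brute_force_sources(events))
    print("password success after failures:", successes_after_failures(events))
    print("weak config:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

Run against a real `/var/log/secure` the same parser applies unchanged; the two thresholds are the knobs to tune, and the config audit is what to run before relying on a cron window alone to shrink exposure.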