Re: [Hampshire] ssh permission denied?

Author: Andy Random
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] ssh permission denied?

Thanks guys,

It does indeed look like the server has been compromised :(

I agree with Adam that it seems pretty odd that they would mess with the
permissions on ssh so that only root can use it; without that it would have
taken me longer to notice the problem...

The "immutable" flag is set on ssh and I certainly didn't do that.

Picking through auth.log I find a number of suspect activities

Jan 10 14:04:46 weylandyutani sshd[15443]: Server listening on :: port 443.
Jan 10 14:04:46 weylandyutani sshd[15443]: error: Bind to port 443 on 0.0.0.0 failed: Address already in use.

Then shortly after that I see the first of these

Jan 10 14:20:10 weylandyutani sshd[5310]: error: Bad prime description in line 185
Jan 10 14:20:10 weylandyutani sshd[5310]: error: Bad prime description in line 186
Jan 10 14:20:10 weylandyutani sshd[5310]: error: Bad prime description in line 187
Jan 10 14:20:10 weylandyutani sshd[5310]: error: Bad prime description in line 188
Jan 10 14:20:10 weylandyutani sshd[5310]: error: Bad prime description in line 189
Jan 10 14:20:10 weylandyutani sshd[5310]: error: Bad prime description in line 190

That sequence then re-occurs occasionally through the rest of the log.

Then on the 15th we have this:

Jan 15 16:09:20 weylandyutani useradd[16214]: new user: name=sysconf, UID=0, GID=0, home=/home/sysconf, shell=/bin/sh
Jan 15 16:09:29 weylandyutani passwd[16238]: pam_unix(passwd:chauthtok): password changed for sysconf
Jan 15 16:09:58 weylandyutani sshd[16341]: error: Bad prime description in line 185
Jan 15 16:09:58 weylandyutani sshd[16341]: error: Bad prime description in line 186
Jan 15 16:09:58 weylandyutani sshd[16341]: error: Bad prime description in line 187
Jan 15 16:09:58 weylandyutani sshd[16341]: error: Bad prime description in line 188
Jan 15 16:09:58 weylandyutani sshd[16341]: error: Bad prime description in line 189
Jan 15 16:09:58 weylandyutani sshd[16341]: error: Bad prime description in line 190
Jan 15 16:10:03 weylandyutani sshd[16341]: Accepted password for sysconf from ::ffff:87.219.62.79 port 49985 ssh2

There are no further logins by "sysconf" reported, but obviously once they
were in all bets are off.

So what now? Last I heard there really wasn't a good way to "fix" a system
once it was compromised.

I can re-install and re-configure the server, but I'd really like to know
what was exploited to get in originally so I can make sure it doesn't
happen again.

Any suggestions on where to look for that?

Andy
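The indicators Andy pulled out of auth.log by hand (an sshd listening on a port it has no business on, repeated "Bad prime description" errors, a useradd with UID=0 followed by a password login for that account) are the kind of thing worth scripting so the whole log, and the logs from other boxes, can be swept the same way. The script below is an added example and is not Andy's or anyone else's on the list. The sshd, useradd and passwd lines in SAMPLE_AUTH_LOG are copied from the post; the CRON line and the login for "andy" from 192.0.2.10 are constructed here to show benign noise being ignored or down-ranked. The regexes and severity labels are this example's own choices. Tying "Bad prime description" to the moduli file rests on OpenSSH emitting that error while parsing /etc/ssh/moduli; whether the file was actually edited on this server is not something the log alone proves, hence the "compare with the package copy" wording.

```python
"""Sweep an auth.log excerpt for the indicators visible in the post.

Added example, not code from the original post. The sshd, useradd and passwd
lines below are copied from the post; the CRON line and the 'andy' login from
192.0.2.10 are constructed to show how benign entries are handled.
"""
import re
from typing import Dict, List, Optional, Set

SAMPLE_AUTH_LOG = """\
Jan 10 14:04:46 weylandyutani sshd[15443]: Server listening on :: port 443.
Jan 10 14:04:46 weylandyutani sshd[15443]: error: Bind to port 443 on 0.0.0.0 failed: Address already in use.
Jan 10 14:20:10 weylandyutani sshd[5310]: error: Bad prime description in line 185
Jan 12 09:00:01 weylandyutani CRON[2001]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 13 18:30:12 weylandyutani sshd[9001]: Accepted password for andy from 192.0.2.10 port 51522 ssh2
Jan 15 16:09:20 weylandyutani useradd[16214]: new user: name=sysconf, UID=0, GID=0, home=/home/sysconf, shell=/bin/sh
Jan 15 16:09:29 weylandyutani passwd[16238]: pam_unix(passwd:chauthtok): password changed for sysconf
Jan 15 16:09:58 weylandyutani sshd[16341]: error: Bad prime description in line 185
Jan 15 16:09:58 weylandyutani sshd[16341]: error: Bad prime description in line 186
Jan 15 16:10:03 weylandyutani sshd[16341]: Accepted password for sysconf from ::ffff:87.219.62.79 port 49985 ssh2
"""

# Generic syslog shape: "Mon dd HH:MM:SS host process[pid]: message" (pid optional)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
NEW_USER_RE = re.compile(r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+)")
PASSWD_RE = re.compile(r"password changed for (?P<user>\S+)")
LISTEN_RE = re.compile(r"Server listening on \S+ port (?P<port>\d+)\.")
BAD_PRIME_RE = re.compile(r"Bad prime description in line (?P<line>\d+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into fields; None for lines that do not fit the shape."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def _finding(severity: str, rec: Dict[str, str], detail: str) -> Dict[str, str]:
    return {"severity": severity, "ts": rec["ts"], "proc": rec["proc"], "pid": rec["pid"], "detail": detail}


def triage(log_text: str, expected_ssh_ports: Set[int] = frozenset({22})) -> List[Dict[str, str]]:
    """Walk the log in order and return findings; a login by an account this same
    log shows being created with UID 0 is ranked above an ordinary password login."""
    findings: List[Dict[str, str]] = []
    uid0_accounts = set()    # non-root accounts created with UID 0, as seen via useradd
    bad_prime_pids = set()   # report the moduli errors once per sshd process, not per line
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        proc, msg = rec["proc"], rec["msg"]
        if proc == "useradd":
            m = NEW_USER_RE.search(msg)
            if m and int(m.group("uid")) == 0:
                uid0_accounts.add(m.group("name"))
                findings.append(_finding("HIGH", rec, f"account '{m.group('name')}' created with UID 0 (a second root)"))
        elif proc == "passwd":
            m = PASSWD_RE.search(msg)
            if m and m.group("user") in uid0_accounts:
                findings.append(_finding("HIGH", rec, f"password set on UID-0 account '{m.group('user')}'"))
        elif proc == "sshd":
            m = LISTEN_RE.search(msg)
            if m and int(m.group("port")) not in expected_ssh_ports:
                findings.append(_finding("HIGH", rec, f"sshd listening on unexpected port {m.group('port')}"))
            m = BAD_PRIME_RE.search(msg)
            if m and rec["pid"] not in bad_prime_pids:
                bad_prime_pids.add(rec["pid"])
                findings.append(_finding("MEDIUM", rec,
                                         f"sshd rejecting moduli entries from line {m.group('line')}; "
                                         "compare /etc/ssh/moduli with the package copy"))
            m = ACCEPTED_RE.search(msg)
            if m:
                user, ip, method = m.group("user"), m.group("ip"), m.group("method")
                if user in uid0_accounts:
                    findings.append(_finding("HIGH", rec, f"{method} login as UID-0 account '{user}' from {ip}"))
                elif method == "password":
                    findings.append(_finding("LOW", rec, f"password login for '{user}' from {ip}"))
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def first_at_or_above(findings: List[Dict[str, str]], severity: str = "HIGH") -> Optional[str]:
    """Timestamp of the earliest finding at or above `severity` (log order, no year in syslog).
    The initial entry has to be somewhere before this point, so that is where to dig."""
    floor = SEVERITY_RANK[severity]
    for f in findings:
        if SEVERITY_RANK[f["severity"]] >= floor:
            return f["ts"]
    return None


if __name__ == "__main__":
    results = triage(SAMPLE_AUTH_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['ts']}  {f['proc']}[{f['pid']}]: {f['detail']}")
    print("summary:", summarize(results))
    print("earliest HIGH finding:", first_at_or_above(results))
```

On the sample the earliest HIGH finding is the Jan 10 14:04:46 sshd on port 443, which puts the initial break-in somewhere before that; auth.log on its own will not show how they got in, but it does bound the window in which to read the web and application logs, and everything in the log after the "Accepted password for sysconf" line should be treated as attacker activity. Run it against the real file with `triage(open("/var/log/auth.log").read())` on a copy taken off the box, not on the compromised host's own tools.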