Re: [Hampshire] ssh permission denied?

Author: James Courtier-Dutton
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] ssh permission denied?
On 26 January 2011 00:44, Andy Random <andy.random@???> wrote:
>
> Thanks guys,
>
> It does indeed look like the server has been compromised :(
>
> I agree with Adam that it seems pretty odd that they would mess with the
> permissions on ssh so only root can use it, without that it would have taken
> me longer to notice the problem...
>
> The "immutable" flag is set on ssh and I certainly didn't do that.
>
> Picking through auth.log I find a number of suspect activities
>
> Jan 10 14:04:46 weylandyutani sshd[15443]: Server listening on :: port 443.
> Jan 10 14:04:46 weylandyutani sshd[15443]: error: Bind to port 443 on
> 0.0.0.0 failed: Address already in use.
>
> Then shortly after that I see the first of these
>
> Jan 10 14:20:10 weylandyutani sshd[5310]: error: Bad prime description in
> line 185
> Jan 10 14:20:10 weylandyutani sshd[5310]: error: Bad prime description in
> line 186
> Jan 10 14:20:10 weylandyutani sshd[5310]: error: Bad prime description in
> line 187
> Jan 10 14:20:10 weylandyutani sshd[5310]: error: Bad prime description in
> line 188
> Jan 10 14:20:10 weylandyutani sshd[5310]: error: Bad prime description in
> line 189
> Jan 10 14:20:10 weylandyutani sshd[5310]: error: Bad prime description in
> line 190
>
> That sequence then re-occurs occasionally through the rest of the log.
>
> Then on the 15th we have this:
>
> Jan 15 16:09:20 weylandyutani useradd[16214]: new user: name=sysconf, UID=0,
> GID=0, home=/home/sysconf, shell=/bin/sh
> Jan 15 16:09:29 weylandyutani passwd[16238]: pam_unix(passwd:chauthtok):
> password changed for sysconf
> Jan 15 16:09:58 weylandyutani sshd[16341]: error: Bad prime description in
> line 185
> Jan 15 16:09:58 weylandyutani sshd[16341]: error: Bad prime description in
> line 186
> Jan 15 16:09:58 weylandyutani sshd[16341]: error: Bad prime description in
> line 187
> Jan 15 16:09:58 weylandyutani sshd[16341]: error: Bad prime description in
> line 188
> Jan 15 16:09:58 weylandyutani sshd[16341]: error: Bad prime description in
> line 189
> Jan 15 16:09:58 weylandyutani sshd[16341]: error: Bad prime description in
> line 190
> Jan 15 16:10:03 weylandyutani sshd[16341]: Accepted password for sysconf
> from ::ffff:87.219.62.79 port 49985 ssh2
>
> There are no further logins by "sysconf" reported, but obviously once they
> were in all bets are off.
>
> So what now, last I heard there really wasn't a good way to "fix" a system
> once it was compromised.
>
> I can re-install and re-configure the server, but I'd really like to know
> what was exploited to get in originally so I can make sure it doesn't happen
> again.
>
> Any suggestions on where to look for that?
>
>  Andy
>


It depends what your priorities are.
I would suspend to disk if possible. This will get it to save the RAM
and CPU state. If not possible, power off.
Then, reboot with a LiveCD and take a full HD image, sha256sum it and
save it for later analysis.

Then you can wipe the system and start from scratch.
I would first write zeros to all sectors on the HD including the
partition sector.
I would update the BIOS to a known good version.
Reinstall from CD etc.

You can then make another copy of the exploited HD image, and do
forensics on the copy.
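A defender's triage pass over the kind of auth.log entries quoted above, added here as an example and not part of the thread: it flags sshd listening on an unexpected port, a new account created with UID 0, and any login by such an account. The sample lines are constructed (the thread's mail-wrapped entries re-joined, plus one benign login); treating port 22 as the only expected sshd port is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the auth.log excerpt in the thread, not the real file.
SAMPLE_AUTH_LOG = """\
Jan 10 14:04:46 weylandyutani sshd[15443]: Server listening on :: port 443.
Jan 10 14:04:46 weylandyutani sshd[15443]: error: Bind to port 443 on 0.0.0.0 failed: Address already in use.
Jan 15 16:09:20 weylandyutani useradd[16214]: new user: name=sysconf, UID=0, GID=0, home=/home/sysconf, shell=/bin/sh
Jan 15 16:09:29 weylandyutani passwd[16238]: pam_unix(passwd:chauthtok): password changed for sysconf
Jan 15 16:10:03 weylandyutani sshd[16341]: Accepted password for sysconf from ::ffff:87.219.62.79 port 49985 ssh2
Jan 16 09:00:00 weylandyutani sshd[17000]: Accepted publickey for andy from 192.0.2.10 port 51000 ssh2
"""

LISTEN_RE = re.compile(r"sshd\[\d+\]: Server listening on \S+ port (\d+)\.")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(\S+), UID=(\d+), GID=(\d+)")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")

EXPECTED_SSH_PORTS = {22}  # assumption: sshd should only ever bind here


def find_indicators(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line: sshd on an unexpected port,
    a non-root account created with UID 0, and logins by such accounts."""
    findings: List[Dict[str, str]] = []
    uid0_accounts = {"root"}  # the only legitimate UID-0 account
    for line in log_text.splitlines():
        m = LISTEN_RE.search(line)
        if m and int(m.group(1)) not in EXPECTED_SSH_PORTS:
            findings.append({"kind": "sshd_unexpected_port", "port": m.group(1), "line": line})
            continue
        m = USERADD_RE.search(line)
        if m and m.group(2) == "0" and m.group(1) != "root":
            uid0_accounts.add(m.group(1))  # remember it so later logins are flagged too
            findings.append({"kind": "uid0_account_created", "user": m.group(1), "line": line})
            continue
        m = ACCEPT_RE.search(line)
        if m and m.group(2) in uid0_accounts and m.group(2) != "root":
            findings.append({"kind": "login_by_uid0_account", "user": m.group(2),
                             "source": m.group(3), "line": line})
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_AUTH_LOG):
        print(f["kind"], f.get("user") or f.get("port"), f.get("source", ""))
```

Run it against a copy of auth.log taken from the disk image rather than the live system, so the evidence you are reading is the same evidence you preserved.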