Hi guys, My apologies for replying a little late ...
It was an absolute struggle getting things to work just so that I can give more information about the intrusion. I narrowed it down to cron ... What would happen is this ... After a boot the network would work fine but would start degrading at different times ... sometimes after 5 minutes, sometimes after a longer period of time ... So what I did was to disable all startup scripts/servers/services and then enable only one at a time ... then I would reboot and wait and keep an eye on "/boot" (I deleted all randomly generated files, so I could see if a file was added or not, and it was also the only way I knew for certain whether the culprit was active or not, hence that is how I could time it) ... All went well until I enabled cron ... I checked all cron jobs and they all "look" normal ... here is an "ls" of my cron directories ...

###################################################################################################
/etc/cron.d/
anacron  atop  mrtg  php5

/etc/cron.daily/
anacron  atop  mrtg  php5

/etc/cron.hourly/
cron.sh  sarg

/etc/cron.monthly
0anacron  sarg

/etc/cron.weekly
0anacron  apt-xapian-index  man-db  sarg
###################################################################################################

For those of you who asked ... here is

###################################################################################################
file -k bxerzoalfk: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
###################################################################################################

and

###################################################################################################
grep -ir
Binary file kvvcqvddix matches
Binary file aknaykocbs matches
Binary file bxerzoalfk matches
Binary file isrgzlchmx matches
Binary file ryrfvxjggh matches
Binary file wevzubbsgn matches
grub/grub.cfg:# from /etc/grub.d and settings from /etc/default/grub
grub/grub.cfg:### BEGIN /etc/grub.d/00_header ###
grub/grub.cfg:### END /etc/grub.d/00_header ###
grub/grub.cfg:### BEGIN /etc/grub.d/05_debian_theme ###
grub/grub.cfg:### END /etc/grub.d/05_debian_theme ###
grub/grub.cfg:### BEGIN /etc/grub.d/10_linux ###
grub/grub.cfg:### END /etc/grub.d/10_linux ###
grub/grub.cfg:### BEGIN /etc/grub.d/20_linux_xen ###
grub/grub.cfg:### END /etc/grub.d/20_linux_xen ###
grub/grub.cfg:### BEGIN /etc/grub.d/30_os-prober ###
grub/grub.cfg:### END /etc/grub.d/30_os-prober ###
grub/grub.cfg:### BEGIN /etc/grub.d/40_custom ###
grub/grub.cfg:### END /etc/grub.d/40_custom ###
grub/grub.cfg:### BEGIN /etc/grub.d/41_custom ###
grub/grub.cfg:### END /etc/grub.d/41_custom ###
Binary file esijfkmwnd matches
Binary file cwpgfmvkrk matches
Binary file gyimenpwnt matches
Binary file fndswijgdk matches
Binary file rfjmdtlsoj matches
Binary file zfmpizunja matches
Binary file zkdjlvhuui matches
Binary file hutaslspbf matches
Binary file dkseypedtx matches
Binary file hjmmvaxfzq matches
Binary file izytxsbskq matches
Binary file czhlgmsgzh matches
Binary file ttqssdikcn matches
Binary file xjeemjyuly matches
###################################################################################################

Since I killed cron at bootup everything seems fine ... network is back to normal ... However, as soon as my network was up and running I got attacked ... here is an excerpt of one of the fail2ban mails ...

###################################################################################################
The IP 204.12.241.227 has just been banned by Fail2Ban after 3 attempts against ssh.

Jan 8 04:23:15 fever sshd[17406]: Connection from 204.12.241.227 port 38090 on 10.0.0.5 port 22
Jan 8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 204.12.241.227
Jan 8 04:23:17 fever sshd[17406]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227
Jan 8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan from 204.12.241.227 port 38090 ssh2
Jan 8 04:23:20 fever sshd[17406]: Received disconnect from 204.12.241.227: 11: Bye Bye [preauth]
Jan 8 04:23:20 fever sshd[17408]: Connection from 204.12.241.227 port 39800 on 10.0.0.5 port 22
Jan 8 04:23:22 fever sshd[17408]: Invalid user dff from 204.12.241.227
Jan 8 04:23:23 fever sshd[17408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227
Jan 8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 204.12.241.227 port 39800 ssh2
###################################################################################################

What is interesting to me is the user in the above excerpt, "zhangyan" ... Using a username that is unfamiliar to the western world tells me that whatever is on my system had to respond to this username, otherwise why would this guy use a username that only he is familiar with ... Other usernames that were used: 3D, ssht and ftfl ... Also, attempts were made from China, Hong Kong, Belgium and Canada ... Anyway, I have decided to get new hardware and do a clean install of everything ... as many of you have suggested ...

However, as I fly a lot internationally, is there a way I can temporarily block these countries' IPs for a few days at most, until I have enough time on hand to do a fresh install? Currently my iptables looks like this ...

###################################################################################################
*nat
:PREROUTING ACCEPT [73562:7321518]
:INPUT ACCEPT [26916:2177387]
:OUTPUT ACCEPT [80090:6554227]
:POSTROUTING ACCEPT [0:0]
#For squid to reroute HTTP trafic to port 80
-A PREROUTING -s 10.0.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.5:3128
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [5927:1484640]
:FORWARD ACCEPT [1571:107578]
:OUTPUT ACCEPT [4983:1212852]
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -i eth1 -o wlan0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 122.0.0.0/8 -j DROP
-A INPUT -p tcp -s 61.0.0.0/8 -j DROP
-A INPUT -p tcp -s 117.0.0.0/8 -j DROP
-A INPUT -p tcp -s 103.0.0.0/8 -j DROP
-A INPUT -p tcp -s 82.0.0.0/8 -j DROP
-A INPUT -p tcp -s 204.0.0.0/8 -j DROP
-A INPUT -p tcp -s 218.0.0.0/8 -j DROP
COMMIT
###################################################################################################

As you can see ... I am already DROPping some of these IPs ... I just need something to block an ENTIRE country ... Thank you ... and thanks to everyone replying ... I appreciate it ...

Danny

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150108205345.GA4732@fever.havannah.local
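The following Python script is an added illustration of the two mechanisms in the mail above: the fail2ban-style "ban after N failed attempts inside a time window" decision over sshd log lines, and a check of the offending addresses against the `-s ... -j DROP` rules in the iptables-save dump. It is not fail2ban's code and not the author's or Debian's. The "Failed password" lines for zhangyan and dff from 204.12.241.227 and the filter-table rules are taken from the mail; every other log line, the year 2015 used for the syslog timestamps, the username `danny`, and the maxretry=3 / findtime=10 min values are constructed assumptions. The DROP check also simplifies by ignoring the `-p tcp` match and rule ordering.

```python
"""Fail2ban-style sshd brute-force detection plus a check against iptables DROP rules.
Added example; not fail2ban's, the mail author's or Debian's code."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2015  # syslog lines carry no year; assumed from the mail's date

# Only "Failed password" lines count as an attempt (a simplification; the real
# fail2ban sshd filter matches more message variants).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample input: the zhangyan/dff lines are quoted from the mail,
# the rest (218.5.6.7 spread over hours, a third attempt as "ssht", one accepted
# login from the LAN) are made up to exercise the window logic.
SAMPLE_LOG = """\
Jan  8 01:00:05 fever sshd[17001]: Failed password for root from 218.5.6.7 port 4000 ssh2
Jan  8 02:30:05 fever sshd[17002]: Failed password for root from 218.5.6.7 port 4001 ssh2
Jan  8 04:00:05 fever sshd[17003]: Failed password for root from 218.5.6.7 port 4002 ssh2
Jan  8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 204.12.241.227
Jan  8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan from 204.12.241.227 port 38090 ssh2
Jan  8 04:23:22 fever sshd[17408]: Invalid user dff from 204.12.241.227
Jan  8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 204.12.241.227 port 39800 ssh2
Jan  8 04:23:29 fever sshd[17410]: Failed password for invalid user ssht from 204.12.241.227 port 40112 ssh2
Jan  8 04:25:01 fever sshd[17412]: Accepted password for danny from 10.0.0.23 port 51000 ssh2
"""


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")


def find_bans(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: {"attempts": total, "users": [...]}} for every source with at
    least `maxretry` failures inside some `findtime` window (fail2ban semantics;
    the threshold values are assumptions)."""
    stamps, users = defaultdict(list), defaultdict(set)
    for ts, ip, user in parse_failures(lines):
        stamps[ip].append(ts)
        users[ip].add(user)
    bans = {}
    for ip, times in stamps.items():
        times.sort()
        for start in times:  # sliding window anchored at each attempt
            in_window = [t for t in times if start <= t <= start + findtime]
            if len(in_window) >= maxretry:
                bans[ip] = {"attempts": len(times), "users": sorted(users[ip])}
                break
    return bans


# Filter table copied from the mail's iptables-save output.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [5927:1484640]
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 122.0.0.0/8 -j DROP
-A INPUT -p tcp -s 61.0.0.0/8 -j DROP
-A INPUT -p tcp -s 117.0.0.0/8 -j DROP
-A INPUT -p tcp -s 103.0.0.0/8 -j DROP
-A INPUT -p tcp -s 82.0.0.0/8 -j DROP
-A INPUT -p tcp -s 204.0.0.0/8 -j DROP
-A INPUT -p tcp -s 218.0.0.0/8 -j DROP
COMMIT
"""
DROP_RE = re.compile(r"^-A INPUT\b.*\s-s\s+(?P<net>\S+).*\s-j\s+DROP\s*$")


def parse_drop_networks(ruleset):
    """Collect the source networks of INPUT ... -s <net> ... -j DROP rules."""
    return [ipaddress.ip_network(m.group("net"), strict=False)
            for m in map(DROP_RE.match, ruleset.splitlines()) if m]


def is_dropped(ip, networks):
    """True if `ip` falls inside any DROP'd network (ignores -p tcp and rule order)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets = parse_drop_networks(IPTABLES_SAVE)
    for ip, info in find_bans(SAMPLE_LOG.splitlines()).items():
        state = "already inside" if is_dropped(ip, nets) else "NOT inside"
        print(f"{ip}: {info['attempts']} failures as {info['users']}, {state} a DROP'd /8")
```

Running it bans only 204.12.241.227 (three failures within nine seconds); 218.5.6.7 has the same total but spread over hours, so no ten-minute window reaches the threshold. The second half makes the coarseness of the existing rules visible: a `/8` DROP matches every address in that /8, not only the one that attacked, which is the trade-off behind the question of blocking whole countries.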