Eduardo Bach wrote:
Hello Troy,

Sorry, the last answer was a draft sent in error. Now it is correct.

Thank you for responding so promptly. Here below are the answers to your
questions:

Troy Dawson wrote:
Eduardo Bach wrote:
Hello to all,

One of our servers was invaded. We just started the investigations,
but the main clue, plus some strange files copied and deleted, is
that the sshd binary has changed. Its original size was ~313KB and moved
to 1.18Mb. Its version was 3.9p1-11.e4_7. As we are at the beginning of
the investigations, I wonder if anyone had a similar problem, or has any
clue on how the intruder may have entered?
Thanks in advance.

Eduardo Bach
Hi,
I'm not the best investigator of break-ins, so I am probably not going
to have an answer, but with the information you gave us, it could be
anything. It could be anything from someone getting a password from
somewhere to apache running as root.

So here are a couple of questions that might help get started.

What version of linux was it running? If not linux, what OS was it
running?

Scientific Linux 4.6.

What services did it have?  Was it a web server, a database server, a
desktop?

How many users had access to the machine?  Was it a server with only
one user, or a general login machine?

How could people login?  ssh only?  telnet? rsh?

Did your average person have physical access to the machine?

This server had only one service: sshd, and had no firewall. This was a
general login machine for just a few users (<20). When I wrote my
first email, I suspected a bug in ssh, but looking on the internet I
did not find any report for this version. Now I am considering the
possibility that the hacker found the password of one of the users with
brute force, and exploited some bug from there, inside the system.
Finding which bug was exploited after the password was obtained is
not as important to me now as making sure that this was how he/she was
able to enter.

Answers to those questions help track things down.
Another thing most people do is take a snapshot of the disk, so your
investigation doesn't mess up the evidence.
Troy
A backup server has been stood up, so we have the time we need to identify what
happened.
Thanks again for your help.

Eduardo Bach



It's also a good idea to change the ssh port to something other than the default; this will stop the "ssh-brute-force-crack" that has been plaguing the internet for as long as I can remember.
See http://openssh.org/manual.html for specific instructions.

Regards,

Bruce Prewit
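A small POSIX sh triage helper, added here as an example and not code from Eduardo, Troy, Bruce, or the Scientific Linux project. It covers the two things the thread discusses: Eduardo's suspicion that a password was guessed by brute force and then used to log in (checked by counting failed password attempts per source address in /var/log/secure-style sshd lines and flagging successful logins from the same source), and Bruce's suggestion to move sshd off the default port (checked by auditing an sshd_config fragment, with a weak configuration beside a hardened one). The log lines and both config fragments are constructed sample data, not anything from the compromised server; the log format assumed is the syslog "Failed password for ... from <ip>" line that sshd writes, and an absent config directive is treated as the weak default (an assumption, since defaults vary by version).

```shell
#!/bin/sh
# Added example (not from any poster on this thread). Constructed sample of
# /var/log/secure lines in the format sshd logs to syslog.
SAMPLE_LOG='Mar  3 02:11:04 host sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 02:11:06 host sshd[2313]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 02:11:09 host sshd[2315]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 02:11:12 host sshd[2317]: Failed password for invalid user test from 203.0.113.7 port 51261 ssh2
Mar  3 02:11:15 host sshd[2319]: Failed password for root from 203.0.113.7 port 51270 ssh2
Mar  3 02:11:40 host sshd[2325]: Accepted password for jdoe from 203.0.113.7 port 51290 ssh2
Mar  3 09:30:01 host sshd[4001]: Failed password for jdoe from 198.51.100.12 port 40000 ssh2
Mar  3 09:30:20 host sshd[4003]: Accepted publickey for jdoe from 198.51.100.12 port 40002 ssh2'

# Read sshd log lines on stdin; print "count ip" for every source address
# with at least $1 (default 5) failed password attempts, highest count first.
failed_by_source() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }' |
    sort -rn
}

# Read sshd log lines on stdin; print "ip user" for every accepted login whose
# source address had at least $1 (default 3) earlier failed password attempts.
# This is the pattern behind a guessed password: a burst of failures, then an
# "Accepted" line from the same address. A single typo from a regular user
# (198.51.100.12 above) stays below the threshold and is not reported.
success_after_failures() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (n[ip] >= t) printf "%s %s\n", ip, user
        }'
}

# Constructed sshd_config fragments: the weak settings and their hardened form.
WEAK_CONFIG='#Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6'

HARDENED_CONFIG='Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3'

# Read sshd_config text on stdin; print one line per weak setting found.
# Prints nothing when every checked directive is hardened. Directive names
# are matched case-insensitively; a missing directive is treated as the weak
# default (assumption: defaults differ between OpenSSH versions).
audit_sshd_config() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        { seen[tolower($1)] = tolower($2) }
        END {
            if (!("port" in seen) || seen["port"] == "22")
                print "Port: default 22 in effect; set a non-default port"
            if (!("permitrootlogin" in seen) || seen["permitrootlogin"] == "yes")
                print "PermitRootLogin: yes in effect; set to no"
            if (!("passwordauthentication" in seen) || seen["passwordauthentication"] == "yes")
                print "PasswordAuthentication: yes in effect; set to no and use keys"
            if (!("maxauthtries" in seen) || seen["maxauthtries"] + 0 > 3)
                print "MaxAuthTries: above 3; lower it"
        }'
}

# Stand-alone usage against the constructed samples; on a real host feed the
# functions with /var/log/secure and /etc/ssh/sshd_config instead.
printf '%s\n' "$SAMPLE_LOG" | failed_by_source 5
printf '%s\n' "$SAMPLE_LOG" | success_after_failures 3
printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config
```

The two log functions are deliberately separate: the first gives the list of noisy sources for blocking or reporting, the second narrows it to the one case that matters for Eduardo's question (which account was actually entered, and from where). The config audit flags the default port because that is what Bruce's suggestion addresses; disabling password authentication in favour of keys is the change that removes the guessed-password path entirely, whichever port sshd listens on.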
