I just went ahead and shut that machine down.
Even after shell was disabled for users (well, the one left on by
mistake) something was still going on.
------ Original Message ------
From: "Michael Stauber" <mstau...@blueonyx.it>
To: blueonyx@mail.blueonyx.it
Sent: 7/20/2019 13:24:22
Subject: [BlueOnyx:23007] Re: SSH outbound attacks
Hi Don,
Somehow I've got outbound SSH attacks happening from one of my servers.
No idea how it's happening, etc. Where does one even begin to
troubleshoot this?
(Of course first I have to figure out why I can't log in via GUI, but
can via console.)
If you have SSH access, login, gain root access and use the following
commands to change the passwords for "root" and "admin":
passwd
passwd admin
Also check /root/.ssh/authorized_keys and ~admin/.ssh/authorized_keys
for any SSH keys that you don't know where they're from and delete all
unknown lines.
Next check /etc/passwd to see which users have shell access. This set of
commands will show you who has anything that approaches a regular shell:
cat /etc/passwd|grep -v badsh|grep -v nologin|grep -v false
This will also list these three, but they are fine as is:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
If you see a Vsite user that has shell and should have shell, turn off
their shell access via the GUI and confirm by looking into /etc/passwd
to make sure it's turned off.
Next step would be to find out how that attacker got in and what
privileges he has gained. Did he get "root" access? Or just lesser
privileged shell access of a regular user or siteAdmin?
Once you've identified the processes and the user who owns them, you can
suspend that account and check whatever files he brought aboard.
If you need any help with this, please create a support ticket or
contact me offlist and I'll see what I can do. Although I'm a bit
pressed for time today as we're expecting visitors.
--
With best regards
Michael Stauber
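The three checks Michael lists (who still has a real shell, which keys sit in the root/admin authorized_keys files, and whether the intruder reached root) can be scripted so they are easy to re-run while cleaning up. The script below is an added example written for this thread, not BlueOnyx code or anything Michael posted. It runs offline against constructed sample data embedded in the script; on a real box you would feed it /etc/passwd and the two authorized_keys files instead, as the comments note.

```shell
#!/bin/sh
# Added triage helper (not from the BlueOnyx thread). Each function reads a
# file on stdin, so on a live system you would pipe /etc/passwd,
# /root/.ssh/authorized_keys and ~admin/.ssh/authorized_keys into them.

# Constructed sample /etc/passwd for an offline run. "toor" is a made-up
# second UID-0 account so the root-check below has something to flag.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
admin:x:500:500:Server Administrator:/home/admin:/bin/bash
site1user:x:1001:1001::/home/sites/site1/users/site1user:/bin/bash
site2user:x:1002:1002::/home/sites/site2/users/site2user:/bin/badsh
www:x:48:48:Apache:/var/www:/bin/false
toor:x:0:0::/root:/bin/bash
EOF
)

# Constructed sample authorized_keys; key material is placeholder text.
SAMPLE_KEYS=$(cat <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataConstructed admin@laptop
# old backup host, restricted by source address
from="10.0.0.5" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyDataConstructed backup@nas
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyDataConstructed
EOF
)

# shell_accounts: "user:shell" for every account whose login shell is not a
# deny-shell. Same idea as the grep -v chain in the message (badsh, nologin,
# false), plus it drops the sync/shutdown/halt trio the message says are fine.
shell_accounts() {
    awk -F: '
        $7 !~ /(badsh|nologin|false)$/ &&
        $1 != "sync" && $1 != "shutdown" && $1 != "halt" {
            print $1 ":" $7
        }'
}

# uid0_accounts: any account other than root that carries UID 0. A hit here
# answers the "did he get root access?" question the hard way.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# list_keys: one line per key: type, comment (or "(no comment)") and whether
# the entry carries a leading options field such as from= or command=.
# Keys without a recognisable comment are the ones to question first.
list_keys() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+)$/) break
            if (i > NF) { print "UNPARSED", $0; next }
            comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
            opts = (i > 1) ? "options=" $1 : "options=none"
            print $i, comment, opts
        }'
}

# Stand-alone run over the constructed samples.
echo "== accounts with a real shell =="
printf '%s\n' "$SAMPLE_PASSWD" | shell_accounts
echo "== extra UID 0 accounts =="
printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
echo "== keys in authorized_keys =="
printf '%s\n' "$SAMPLE_KEYS" | list_keys
```

Run it with `sh triage.sh`; on a live system replace the three `printf ... |` lines with `shell_accounts < /etc/passwd`, `uid0_accounts < /etc/passwd` and `list_keys < /root/.ssh/authorized_keys` (and again for ~admin). Anything in the first list beyond root and admin, anything at all in the second, and any key in the third you cannot name an owner for is what to remove before rotating the passwords.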
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx