Re: SSH Attempts: Link to RedHat?

[John Oliver <john.oliver () hosting com>]

Gregg Sperling wrote:
> Early yesterday, I received a single connection attempt on three of my
> Linux-based direct connected Internet servers:
>
> Dec 16 01:56:08 srvr001 sshd2[42]: connection from "24.5.243.0"  (ip
> address blocked to protect user)
> Dec 16 01:56:09 srvr001 sshd2[6969]: Local disconnected: Connection closed
> by remote host.
> Dec 16 01:56:09 srvr001 sshd2[6969]: connection lost: 'Connection closed by
> remote host.'
> Dec 16 01:56:40 srvr002 sshd2[41]: connection from "24.5.243.0" (ip address
> blocked to protect user)
> Dec 16 01:56:41 srvr002 sshd2[10007]: Local disconnected: Connection closed
> by remote host.
> Dec 16 01:56:41 srvr002 sshd2[10007]: connection lost: 'Connection closed
> by remote host.'
> Dec 16 02:02:41 srvr003 sshd2[44]: connection from "24.5.243.0" (ip address
> blocked to protect user)
> Dec 16 02:02:42 srvr003 sshd2[13440]: Local disconnected: Connection closed
> by remote host.
> Dec 16 02:02:42 srvr003 sshd2[13440]: connection lost: 'Connection closed
> by remote host.'
>
> I ran some diagnostic tests on the IP address listed, and found it to be a
> RedHat based Linux system with several ports open,
> including HTTP, Telnet, FTP, X11, and "others."
>
> I connected to the website connected to this server, and found somebody's
> personal webpage.  I found their email address, and sent the
> owner an email.
>
> Surprisingly, I have had several pleasant exchanges with the individual who
> runs the server.  He has offered to allow me access
> into his server with root access.  I'd like to find out what breach, if
> any, caused this connection attempt.

This sounds like someone who ought to be using a free website and POP
account.  If they have, indded, been r00ted, you'll never be able to
tell by logging in... any useful tools will be Trojaned to hide the
intruders' stuff.  His only option would be to a) take the machine
off-line, mount the disk read-only under a known-good OS (like a freshly
installed box), and start poring through logs and directories looking
for evidence.  But if he's offering a complete stranger root access to
his box, he probably knows how to turn it on and that's about it.  So b)
reinstall the box from scratch, apply all patches, disable all unneeded
services, secure everything else, *then* connect it to a public
network.  But then, he'll just fall victim to the next root exploit that
comes along unless he learns an awful lot more about computer security,
keeps up on his patches, etc.

I would tell him to pull the Ethernet out Right Now, and then start to
worry about what to do and how to do it.  That'll prevent the inevitable
future abuse.  It's totally irresponsible to leave a machine that's
almost certainly been compromised connected to a public network.

-- 
John Oliver
System Administrator
hosting.com, an Allegiance Telecom company
mailto:john.oliver () hosting com
(858) 637-3600
http://www.hosting.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com