On Fri, 11 Feb 2005 20:37:22 -0800, Jeffrey Goldberg
<jeffrey@goldmark.org> wrote:
On Feb 6, 2005, at 7:09 AM, Bernie Cosell wrote:
We're now getting hammered with the third round of ssh probes in the
last
four days [one from CA, one from Brazil and one from Virginia]. I was
wondering: is there some virus or the like floating around now that
leaves an ssh-hammering zombie in its wake? Or is it just coincidental
that we have gotten three floods?
I fear that some hosts I'm responsible for are (they almost certainly
were) such zombies. chkrootkit didn't turn up anything. Is there
something (in addition to anomolous ssh traffic) that I should be
looking for.
You probably did this, but as a general reminder for someone who finds
this thread when searching...
The first thing is to make sure you have the latest chkrootkit and
that you do the checks from booting at cdrom. It is always a good idea
to make sure that you do forensics from a known good state.
The second issue is that none of the ssh scanning require root
priveledges. Any user on the machine could have been used for this. To
track this down, using a netstat -nap to see open ports for IRC
servers, look through at and cron jobs (and put a at.allow/cron.allow
with a limited set to figure out who is trying to run crons or at
without your knowledge.) Also look for the usual suspect directories
(... .<space>) and executables that arent in root only writable
directories. Clear out all the passwords and confirm that the setuid
executables and items with port access have proper checksums.
[On a RPM system (SuSE, Red Hat, Fedora, etc) you can use the
following script to track down items that have either bad RPM
checksums or are not in the RPM database. I did not write this script.
A mirror admin wrote it a while back.. and I lost the attribution.
Whoever it was thankyou.
#
# rogue.awk - Find files that are not accounted for
#
# awk -f rogue.awk
#
# Rogue is called from a cron job on an hourly basis.
# It parses files in the filesystem and checks to see
# that they belong to an rpm. Then it prints the
# output of rpm -Va to verify those files that do
# belong to an rpm.
#
BEGIN {
# Required commands
cmd1="/bin/rpm -qal";
cmd2="find / -path '/proc' -prune -o -path '/home' -prune -o -path '/var/log'
-prune -o -print";
# All rpms in rpm db
while ( cmd1 | getline ) {
rpmfiles[$0] = 1;
}
close(cmd1);
# All files on system not in an rpm
while ( cmd2 | getline ) {
if (!($0 in rpmfiles)) {
orphans[$0] = 1;
}
}
close(cmd2);
delete rpmfiles;
exit 0; # hit 'END' right now
}
END {
for (file in orphans) {
print "R:orphaned",file | "sort"
}
while ("rpm -Va --noghost" | getline) {
print "R:" $0 | "sort"
}
}
----
The truly paranoid would use this against known packages burnt from
the master site with Vp or something so that they know exactly what
they have.
Hope this helps.
You'll be glad to know that I've been trying to carefully monitor
outgoing ssh traffic so as not to a (further) nuisance to the rest of
the net.
With apologies,
-j
--
Jeffrey Goldberg http://www.goldmark.org/jeff/
--
Stephen J Smoogen.
CSIRT/Linux System Administrator
