Re: Remotely replaced sshd_config, CentOS 5.3/SSH 4.3p2-36el5_4.2



68.50.70.187 is the attackers' IP.

Leif Nixon wrote:
> Adam Hubscher <offbeatadam@xxxxxxxxx> writes:
>
>> These servers run cPanel and have been updated to the following
>> specs:
>>
>> 2.6.18-164.el5PAE #1 SMP Thu Sep 3 04:10:44 EDT 2009 i686 i686 i386
>> GNU/Linux
>
> This seems vulnerable to CVE-2009-3547 and CVE-2009-2695. If SELinux is
> enabled, you can trivially get root on these machines if you can run
> commands as a logged in user.
>
> I would start by looking very hard at all successful ssh logins the
> hours before the known intrusion. It is very possible that some of them
> are performed using stolen ssh keys.
>
>> I have logs from these servers, if you need other information to
>> possibly help track this down that is possible. I'm having a hard time
>> finding the vector for this attack though...
>
> If you could share the IP number of the attacking host, that could be
> useful. Does /root/.bash_history contain anything interesting? Is there
> anything suspicious in /dev/shm? (There won't be, if the machine has
> been rebooted after the intrusion.)

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
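
The login review suggested in the quoted reply, as an added example that is not part of the original thread: it lists successful sshd logins in the hours before a known intrusion time and marks those from a user/IP pair not seen earlier, plus any from a watched address. The log lines, the hostname `web1`, the intrusion time and the documentation-range IPs are constructed; the watched IP is the one named in the message above.

```python
import re
from datetime import datetime, timedelta

# Success line as sshd writes it to /var/log/secure (syslog format, no year).
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")

def logins_before(lines, intrusion, hours, year, watch_ips=()):
    """Successful ssh logins in the `hours` leading up to `intrusion`.

    Lines must be in log order. A login is marked new_source when that
    user/IP pair has no successful login before the window starts.
    """
    start = intrusion - timedelta(hours=hours)
    known, hits = set(), []
    for line in lines:
        m = ACCEPTED.match(line)
        if not m:
            continue  # failed attempts, other daemons
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        pair = (m["user"], m["ip"])
        if ts < start:
            known.add(pair)
        elif ts <= intrusion:
            hits.append({"time": ts, "user": m["user"], "ip": m["ip"],
                         "method": m["method"],
                         "new_source": pair not in known,
                         "watched": m["ip"] in watch_ips})
    return hits

# Constructed sample input, not taken from the affected servers.
SAMPLE = """\
Nov  6 18:02:11 web1 sshd[3900]: Accepted publickey for deploy from 198.51.100.7 port 39944 ssh2
Nov  7 01:12:03 web1 sshd[4121]: Accepted password for root from 192.0.2.10 port 51122 ssh2
Nov  7 09:40:17 web1 sshd[5010]: Failed password for root from 198.51.100.7 port 40022 ssh2
Nov  7 10:05:44 web1 sshd[5033]: Accepted publickey for deploy from 198.51.100.7 port 40031 ssh2
Nov  7 11:31:09 web1 sshd[5102]: Accepted password for root from 68.50.70.187 port 33811 ssh2
Nov  7 12:30:00 web1 sshd[5200]: Accepted password for root from 192.0.2.10 port 51200 ssh2
"""

if __name__ == "__main__":
    intrusion = datetime(2009, 11, 7, 12, 0, 0)  # assumed intrusion time
    for h in logins_before(SAMPLE.splitlines(), intrusion, 3, 2009, {"68.50.70.187"}):
        print(h["time"], h["user"], h["ip"], h["method"],
              "NEW" if h["new_source"] else "", "WATCHED" if h["watched"] else "")
```

A publickey login from an address the account has never used before is the pattern to check against the key owner, since a stolen key authenticates exactly like a legitimate one.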


