Re: CentOS 5 hacked

On Wednesday 31 August 2011 16:06 in,
dmitry.leonenko enlightened humanity with the following words...:

> It looks like there is a vulnerability in openssh.

Not necessarily. But there are always ways to try and break into a
system that doesn't have any security holes. You always have to have a
way to legitimately log into your system, and there are ways to exploit
those, e.g. via dictionary attacks or brute force attacks.

These things can fire off login attempts multiple times per second until
they get the proper login name and password combination. See below for
advice on that.

> Version is 72.el5_6.3 which is the one for CentOS release 5.6 (Final).
> I've found a Perl process that was sending Spam (I've also got the source
> code from /proc/<pid>/fd/3). What happened then is that I found strange
> records in audit.log:
>
> type=USER_LOGIN msg=audit(1314645691.505:290419): user pid=24699 uid=0
> auid=0 msg='uid=0: exe="/usr/sbin/sshd" (hostname=,
> addr=, terminal=/dev/pts/0 res=success)'
> type=ANOM_ABEND msg=audit(1314645695.184:290420): auid=0 uid=0 gid=0
> ses=1152 pid=24699 comm="sshd" sig=6
>
> And a few records with the same sig=6 and auid=0 on later days. I use auid
> 500 and sudo to get root if needed and these are hack attempts indeed.
> Also there are no PAM records along with these lines.
> Server kernel is:
> Linux vz 2.6.18-194.26.1.el5.028stab081.1 #1 SMP Thu Dec 23 20:17:23
> EEST 2010 x86_64 x86_64 x86_64 GNU/Linux
>
> I'll re-setup server anyway but I want to get some more info from this
> hack. Any ideas?

If your machine is/was sending out spam, then you probably do have an
intrusion on your hands, and then most likely the perpetrator will have
installed a rootkit on your machine. Remember, a rootkit is not there
to give someone unauthorized access to your machine; it is there to
_hide_ the fact that he already _has_ access, by replacing some
executables - e.g. "/bin/ls", "/bin/ps", "/sbin/lsmod" et al - by
executables that perform the same function but do not show you all there
is to see.

You will eventually indeed need to reformat your partitions and
reinstall the operating system, but I would advise you to first use
chkrootkit or rkhunter - they should be in the CentOS repos if you don't
have them installed - to give you a clearer view on what is going on.

Finally, when you're reinstalling your machine, do _not_ allow root
logins over ssh, and do _not_ use sudo in its default configuration. Set
up sudo so that it either requires the root password instead of the
user's own password, or to only allow certain tasks to be carried out
via the sudo command, but not all root commands. Use "/bin/su" for root
jobs, and make sure that PAM is set up to only allow the use of
"/bin/su" to users in the wheel group. It is harder for the blackhat to
guess two distinct passwords than to have to guess only one and then
with that one account and sudo, obtain root privileges.

You may also want to install an intrusion detection package like prelude
or snort - they should be in the CentOS repositories, but if you can't
find them, here's where you can get prelude.

I would also advise installing an automatic firewall via the combination
of Brute Force Defender and Advanced Policy Firewall. As it just so
happens to be, someone inquired about APF only a few days ago in another
group. Let me see whether I can dig up the URL to the source code...
Ah, here it is...:

Anyone trying to break in via ssh will get three attempts at a login,
and if the third attempt fails, the IP address will automatically be
added to the firewall (via iptables) and you will receive an e-mail from
root with the information of the break-in attempt.

Hope this was useful. ;-)

(registered GNU/Linux user #223157)
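
The audit.log check described in the quoted post (sshd logins recorded with auid=0 on a host whose administrator logs in as auid 500, followed by an sshd abort with sig=6), as an added example that is not part of the original thread. The sample records are constructed in audit.log's one-record-per-line layout with placeholder addresses; the function names, the `expected_auids` parameter and the 60-second window are assumptions.

```python
import re

# Constructed sample records (one per line, as auditd writes them). The
# addresses are documentation placeholders, not values from the thread.
SAMPLE = """\
type=USER_LOGIN msg=audit(1314645691.505:290419): user pid=24699 uid=0 auid=0 msg='uid=0: exe="/usr/sbin/sshd" (hostname=?, addr=192.0.2.10, terminal=/dev/pts/0 res=success)'
type=ANOM_ABEND msg=audit(1314645695.184:290420): auid=0 uid=0 gid=0 ses=1152 pid=24699 comm="sshd" sig=6
type=USER_LOGIN msg=audit(1314650000.100:290500): user pid=25001 uid=0 auid=500 msg='uid=500: exe="/usr/sbin/sshd" (hostname=?, addr=192.0.2.20, terminal=/dev/pts/1 res=success)'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r"""(\w+)=("[^"]*"|[^\s,)']+)""")


def parse(line):
    """Split one audit record into a dict; the first occurrence of a key wins."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, value in FIELD.findall(m.group(4)):
        rec.setdefault(key, value.strip('"'))
    return rec


def find_suspicious(lines, expected_auids=("500",), window=60.0):
    """Flag successful sshd logins whose auid is not an expected admin auid,
    and attach any sshd abort (ANOM_ABEND) from the same pid within `window`."""
    recs = [r for r in map(parse, lines) if r]
    findings = []
    for r in recs:
        if not (r["type"] == "USER_LOGIN" and r.get("exe", "").endswith("/sshd")
                and r.get("res") == "success"
                and r.get("auid") not in expected_auids):
            continue
        crash = next((c for c in recs
                      if c["type"] == "ANOM_ABEND" and c.get("comm") == "sshd"
                      and c.get("pid") == r.get("pid")
                      and 0 <= c["time"] - r["time"] <= window), None)
        findings.append({"serial": r["serial"], "pid": r.get("pid"),
                         "auid": r.get("auid"), "addr": r.get("addr"),
                         "abort_sig": crash.get("sig") if crash else None})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE.splitlines()):
        print(finding)
```

On a real host the lines would come from /var/log/audit/audit.log, and `expected_auids` would list the auids of the accounts that are supposed to log in over ssh.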
