1. How can something like this happen?
Brute-force scripted attack against SSH.
2. How can I prevent it from happening again?
If you have to have SSH remote login enabled, then set the admin passwords to
something very long and secure. Consider other remote support methods: Apple
Remote Desktop, Webmin with SSL.
3. Should I worry about the box being compromised in some other way?
The 'master' files in Postfix have probably been modified, and the spam bot
may still be working because it may be restarted by watchdog.
What could I have missed?
A phishing website installed in web sharing or elsewhere on the system?
sshd replaced with a version that allows the attacker to get in again?
SSH connection logs showing the IP addresses and domains of the attackers.
Assume nothing is clean, back up the data and reformat, then check the data
before using it. You will be looking for files that are not yours, like
other Perl, PHP, and Java scripts and images from eBay or a bank etc.
Sorry Ted.
stevan
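The reply above points at the SSH logs as the place to find the attackers' IP addresses and at password brute-forcing as the way in. The script below is an added example (not code from the original thread) that turns those two points into a check: it parses sshd "Failed password" / "Accepted password" lines in the syslog format of that era, counts failures per source address, and flags any successful login that came from an address which had already been hammering the server. The log lines are constructed samples using documentation addresses; the threshold of 5 failures is an assumption you would tune for your own site.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the syslog format sshd wrote on Mac OS X Server 10.3.
# Hosts and addresses are RFC 5737 documentation values, not taken from the thread.
SAMPLE_LOG = """\
Aug 31 03:12:01 xserve sshd[4021]: Failed password for illegal user test from 203.0.113.5 port 41234 ssh2
Aug 31 03:12:03 xserve sshd[4023]: Failed password for illegal user guest from 203.0.113.5 port 41240 ssh2
Aug 31 03:12:05 xserve sshd[4025]: Failed password for illegal user oracle from 203.0.113.5 port 41251 ssh2
Aug 31 03:12:07 xserve sshd[4027]: Failed password for admin from 203.0.113.5 port 41260 ssh2
Aug 31 03:12:09 xserve sshd[4029]: Failed password for admin from 203.0.113.5 port 41266 ssh2
Aug 31 03:12:11 xserve sshd[4031]: Failed password for admin from 203.0.113.5 port 41270 ssh2
Aug 31 03:12:13 xserve sshd[4033]: Accepted password for admin from 203.0.113.5 port 41275 ssh2
Aug 31 08:45:10 xserve sshd[4102]: Failed password for root from 198.51.100.77 port 50122 ssh2
Aug 31 09:30:44 xserve sshd[4150]: Accepted password for ted from 192.0.2.10 port 55012 ssh2
"""

# Older OpenSSH says "illegal user", newer releases say "invalid user"; accept both.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?(\S+) from (\S+) port"
)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def analyze(log_text, threshold=5):
    """Summarise sshd authentication lines.

    Returns failure counts per source IP, the usernames each IP tried,
    the IPs at or above the brute-force threshold, and any accepted login
    that came from one of those IPs (the event that actually needs a response).
    """
    failures_by_ip = Counter()
    users_by_ip = defaultdict(set)
    accepted = []  # (ip, user, auth method)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures_by_ip[ip] += 1
            users_by_ip[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((ip, user, method))

    brute_force_ips = {ip for ip, n in failures_by_ip.items() if n >= threshold}
    suspicious_logins = [(ip, user) for ip, user, _ in accepted if ip in brute_force_ips]
    return {
        "failures_by_ip": dict(failures_by_ip),
        "users_by_ip": {ip: sorted(users) for ip, users in users_by_ip.items()},
        "brute_force_ips": sorted(brute_force_ips),
        "suspicious_logins": suspicious_logins,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in sorted(report["failures_by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:>16}  {n:3d} failures  users tried: {', '.join(report['users_by_ip'][ip])}")
    for ip, user in report["suspicious_logins"]:
        print(f"ALERT: successful login as {user!r} from brute-forcing host {ip}")
```

On a real box you would feed it the secure/system log (on 10.3 the sshd lines land in /var/log/system.log) instead of the embedded sample; the "suspicious_logins" list is what tells you whether the guessing actually succeeded and which account's password to treat as burned.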
On 8/31/05 9:45 AM, "Ted Dively" <email@hidden> wrote:
> Hi all. After a two-month absence, I'm back, and I've got a problem.
>
> I recently discovered a copy of PsyBNC, an IRC client, installed in
> /private/var/tmp/ on a client's Xserve running MOSXS v.10.3.9 on a
> public IP address. Simultaneously, I noticed that a file named "pula"
> had been created in /tmp, the beginning text of which is the following:
>
> #!/usr/bin/perl
> #
> # ShellBOT - FBI TEAM Corporation
> #
> # 0ldW0lf - email@hidden
> # - www.security.cnc.net
> #
> #
> #
> ################ CONFIGURATION
> #################################################################
> my $processo = '/usr/local/apache/bin/httpd -DSSL';
> # Process name that will show up in ps #
> #----------------------------------------------
> ################################################
> my $linas_max='8'; # Avoids flooding :) after X lines #
> #----------------------------------------------
> ################################################
> my $sleep='4'; # it sleeps for X seconds #
> ##################### IRC
> #####################################################################
> my @adms=("bujuzip"); # Administrator's nick #
>
> I have the full text of the file to share with anyone who wants it.
>
> The end result was that this jackass was able to relay spam from the
> server for a couple of hours before I discovered him. I immediately
> took the machine off the network, removed all suspect files, and
> reset all passwords, including admins, non-admins, and root. Since
> reconnecting the box to the network and rebooting it, I've seen no
> more problems. As usual, the logs are filled with the harmless
> attempts of jerks trying to log in to the server by brute-forcing
> passwords and users, but that's it. My questions are:
>
> 1. How can something like this happen?
> 2. How can I prevent it from happening again?
> 3. Should I worry about the box being compromised in some other way?
> What could I have missed?
>
> I've been keeping up with all security patches, and the machine is
> running a bone stock Apple implementation, except for a customized
> Postfix main.cf/master.cf setup for spam and virus filtering with
> SpamAssassin v.3.0.2 (running on Perl v.5.8.1), and ClamAV v.0.83 (on
> my list of things to upgrade).
>
> TIA for your insights and suggestions.
>
> Ted Dively
> --
> Group D Communications
> Technology Consulting -- IT, Databases, Software, Websites, Hosting
> www.groupd.com
> PH 415.701.8331
> FX 415.701.8332
> P.O. Box 170697
> San Francisco, CA 94117-0697
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Macos-x-server mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
Stevan
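Ted's third question ("what could I have missed?") and Stevan's answer (modified Postfix master files, a replaced sshd, stray scripts in /tmp) both come down to not knowing what the filesystem looked like before the break-in. The script below is an added example, not code from either poster, of the minimal baseline-and-compare check that answers that: hash every file under a set of watched directories, store the result, and later diff a fresh snapshot against it to list modified, missing and newly added files. The directory list and the file names in the demo are hypothetical and built in a temporary tree so the example runs without touching a real system.

```python
import hashlib
import os
import tempfile

# Hypothetical watch-list, relative to the filesystem root. On a real box this
# would include the Postfix config, the sshd binary and config, and the tmp dirs.
WATCHED_DIRS = ["etc/postfix", "usr/sbin", "private/var/tmp"]


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, subdirs):
    """Map every file under the watched subdirs (relative to root) to its hash."""
    baseline = {}
    for sub in subdirs:
        top = os.path.join(root, sub)
        for dirpath, _, files in os.walk(top):
            for name in files:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def compare(baseline, current):
    """Report files whose hash changed, files that vanished, and files that appeared."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Build a throwaway tree, take a baseline, simulate tampering, and diff it.

    The 'tampering' is constructed: an extra line appended to master.cf and a
    new file dropped into the tmp directory, mirroring the symptoms in the thread.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc", "postfix"))
        os.makedirs(os.path.join(root, "usr", "sbin"))
        os.makedirs(os.path.join(root, "private", "var", "tmp"))
        with open(os.path.join(root, "etc", "postfix", "master.cf"), "w") as f:
            f.write("smtp      inet  n       -       n       -       -       smtpd\n")
        with open(os.path.join(root, "usr", "sbin", "sshd"), "wb") as f:
            f.write(b"\x7fELF placeholder for the sshd binary (constructed)\n")

        before = snapshot(root, WATCHED_DIRS)

        # Simulated post-compromise changes (constructed, not real malware).
        with open(os.path.join(root, "etc", "postfix", "master.cf"), "a") as f:
            f.write("# unexpected extra service line\n")
        with open(os.path.join(root, "private", "var", "tmp", "irc-bot.pl"), "w") as f:
            f.write("#!/usr/bin/perl\n# constructed stand-in for an unexpected script\n")

        after = snapshot(root, WATCHED_DIRS)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>9}: {paths}")
```

The baseline only means something if it is taken from a known-good install and stored off the box (a rebuilt machine is the cleanest place to take it, which is also what Stevan recommends); a hash list kept on the compromised host can be edited along with everything else.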