[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: severity of break-in?

Subject: Re: severity of break-in?
From: Dan Shoop <email@hidden>
Date: Wed, 31 Aug 2005 15:32:28 -0400
Delivered-to: email@hidden
Delivered-to: email@hidden

At 10:16 AM -0700 8/31/05, Reese, Stevan wrote:

1. How can something like this happen?
Brute force scripted attack against ssh.


More likely it's an user mode worm.

And an ssh compromise might show up in the logs if the worm didn't have root permissions (unlikely).

2. How can I prevent it from happening again?
If you have to have ssh remote login enabled then set the admin passwords to
something very long and secure. Consider other remote support methods. Apple
Remote Desktop, Webmin with ssl.

3. Should I worry about the box being compromised in some other way?
The 'master' files in postfix have probably been modified and the spam bot
may still be working because it may be restarted by watchdog.

It may have /used/ postfix as the relay, but unless the postfix users or root were compromised (unlikely) then the postfix files should be fine.

Of course you should be restoring from a known uncompromised backup.

But it's a wild guess that any postfix files are modified, and not likely. All a worm needs is a running MTA that accepts relays from localhost. Or it can just bring alone it's own MTA for outbound SMTP.

What could I have missed?
A phishing website installed in web sharing or elsewhere on the system?
Sshd replaced with a version that allows the attacker to get in again?
ssh connection logs showing the ip address and domains of the attackers.
Assume nothing is clean, backup the data and reformat, then check the data
before using it. You will be looking for files that are not yours, like
other perl, php, and java scripts and images from ebay or a bank etc.

Most likely the reboot will clear out user mode worms, since they don't actually compromise the system, just the user. The worm would have needed to compromise teh system itself to write any startup files. Though many bad applications wonk permissions on /Library/StartupItems. All user files should be scrutinized so that they don't have any login startup items that will restart it.

--

-dhan

------------------------------------------------------------------------
Dan Shoop                                                   AIM: iWiring
Systems & Networks Architect                     http://www.iwiring.net/
email@hidden                                 http://www.ustsvs.com/

pgp key fingerprint: FAC0 9434 B5A5 24A8 D0AF  12B1 7840 3BE7 3736 DE0B

iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden

This email sent to email@hidden

Follow-Ups:
- Re: severity of break-in?
  - From: Ted Dively <email@hidden>

References:
	>Re: severity of break-in? (From: "Reese, Stevan" <email@hidden>)

Prev by Date: Re: severity of break-in?
Next by Date: Re: Removing the ability to change passwords
Previous by thread: Re: severity of break-in?
Next by thread: Re: severity of break-in?
Index(es):
- Date
- Thread

Home