SSH gone mad

Dan Bolser

Jun 29, 2011, 6:25:30 PM
to BiO.CC server interface, jong...@yahoo.com
The 'rogue' SSH processes are hurting bio.cc again:

13283 root 25 0 64688 1328 1316 R 100.0 0.0 35536:14 sshd
12475 root 25 0 64688 1332 1316 R 99.7 0.0 35129:12 sshd
1285 root 25 0 64688 1332 1316 R 93.1 0.0 38299:34 sshd
6036 root 25 0 64688 1328 1316 R 89.1 0.0 35508:37 sshd
22388 root 25 0 64688 1332 1316 R 87.4 0.0 35109:21 sshd
22311 root 25 0 64688 1328 1316 R 61.9 0.0 35156:21 sshd
22306 root 25 0 64688 1332 1316 R 58.6 0.0 35087:46 sshd
13293 root 25 0 64688 1328 1316 R 50.3 0.0 38792:04 sshd
22310 root 25 0 65580 1332 1316 R 50.3 0.0 35057:31 sshd
22188 root 25 0 64688 1332 1316 R 50.0 0.0 35020:33 sshd

I can't kill them because I'm no longer a sudoer.

Dan Bolser

Jun 29, 2011, 6:30:23 PM
to BiO.CC server interface
Are these actually active password cracking attempts or a rootkit attack?

Seems the maillog is bulging ...

Dan Bolser

Jun 29, 2011, 7:30:41 PM
to BiO.CC server interface, jong...@yahoo.com
On 29 June 2011 23:25, Dan Bolser <dan.b...@gmail.com> wrote:
> The 'rogue' SSH processes are hurting bio.cc again:

> I can't kill them because I'm no longer a sudoer.


Sungsam just put me in the sudoers file. Thank you!

Dan Bolser

Jun 29, 2011, 7:58:51 PM
to BiO.CC server interface
Sungsam killed the sendmail procs...

Here are some recent things from ##linux on irc://irc.freenode.net...

19:35 < dbolser> well.... its sending out spam by the 10k
19:35 < repz> dbolser: /var/spool/mqueue and /var/spool/clientmqueue are the dirs you should have a look at.
19:36 < repz> dbolser: Oh, then do stop it.
19:36 < dbolser> repz: sendmail procs have been killed
19:36 < koollman> dbolser: the http server is probably not the part sending the spam. more likely some php script handling (badly) a form, or something similar
19:36 < the_file> do they keep spawning?
19:36 < dbolser> no, we killed a bunch of 100% sshd procs
19:37 < the_file> dbolser: I don't wana, but I suggest you read over a lot of logs
19:37 < the_file> dbolser: especially the ftp, ssh logs
19:37 < the_file> I think somebody uploaded a php shell to ur system
19:38 < dbolser> ll /var/spool/mqueue/q1 | wc -l # 484483
19:39 < dbolser> ll /var/spool/mqueue/q2 | wc -l # 487252
19:39 < dbolser> and so on
19:39 < dbolser> repz: should I trash them all? q 1 to 10?
19:40 < dbolser> koollman: right
19:40 < repz> dbolser: Well, I would move them to some safe directory for later analysis. And, please, do not forget the client queue.
19:40 < dbolser> repz: just two files in there
19:41 < koollman> dbolser: put up some simple firewall rules. first thing I would suggest is to allow your ip, drop anything else. then insert rules for useful services
19:41 < the_file> dbolser: I think you got a rootkit, I would check the access control lists and how they were changed
19:42 < repz> dbolser: Yes, this means, that the sendmail server has accepted all that spam. For the future, I would recomment, you set up clamav and spamassassin, directly hooked to sendmail. Via milter api or so. And set up obligatory smtp-auth.
19:42 < repz> recommend

For some reason, I moved the /var/spool/mqueue/q* to /tmp/

Also,

[dmb@mail ~]$ du -ch /var/log/maillog*
667M /var/log/maillog
1.3G /var/log/maillog.1
1.1G /var/log/maillog.2
1.3G /var/log/maillog.3
1.5G /var/log/maillog.4
5.8G total

Jong Bhak

Jun 30, 2011, 5:16:50 AM
to Dan Bolser, BiO.CC server interface, chosuan 조수안 (Head of the Computing Department)
Hi,

It could be cracking passwds. I have not thought about that.
I will ask Suan to find any malignant codes.

Jong

From: Dan Bolser <dan.b...@gmail.com>
To: BiO.CC server interface <biocc-serve...@googlegroups.com>
Sent: Thursday, June 30, 2011 7:30 AM
Subject: [bio.cc] Re: SSH gone mad

Pierre-Yves Chibon

Jun 30, 2011, 5:28:32 AM
to biocc-serve...@googlegroups.com
On Thu, 2011-06-30 at 00:58 +0100, Dan Bolser wrote:
> 19:41 < koollman> dbolser: put up some simple firewall rules.
> first thing I would suggest is to allow your
> ip, drop anything else. then insert rules for
> useful services

This is a nice document that helps with securing ssh.
http://fedoraunity.org/solved/post-install-solutions/securing-ssh

Having denyhosts/fail2ban running will also help.

Finally, if the machine is corrupted, re-installation would for sure be
the best thing to do (saving the data but not the files, in case there is
a backdoor/rk/something in the files).

My 2cts,
Pierre
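The triage steps discussed in the IRC log above (spot the runaway sshd processes, preserve the mail queue for analysis instead of deleting it or parking it in /tmp, and check the ssh logs for the password-guessing pattern Dan asked about earlier in the thread) as a small set of POSIX shell helpers. This is an added example, not a script from the bio.cc admins; the process snapshot and log lines it ships with are constructed, and queue paths are assumed to follow the /var/spool/mqueue/qN layout shown in the thread.

```shell
#!/bin/sh
# Triage helpers for the symptoms in this thread: sshd pinned at high CPU,
# a sendmail queue full of outbound spam, and suspected password guessing.
# Every helper reads text, so it works on a live host or on captured output.

# PIDs of processes named sshd using more than $1 percent CPU (default 50).
# Expects `ps -eo pid,user,pcpu,time,comm` style lines on stdin.
flag_hot_sshd() {
    awk -v t="${1:-50}" '$5 == "sshd" && ($3 + 0) > t { print $1 }'
}

# Rank source IPs by failed-password count in sshd log lines on stdin (e.g.
# `grep sshd /var/log/secure`); a few IPs with thousands of failures each
# is the password-guessing pattern suspected in the thread.
top_failed_ips() {
    grep 'sshd\[[0-9]*\]: Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Number of queued messages in one sendmail queue directory (one qf* control
# file per message), e.g. count_queue /var/spool/mqueue/q1.
count_queue() {
    find "$1" -maxdepth 1 -name 'qf*' | wc -l | tr -d ' '
}

# Keep a queue directory for analysis: move it under a root-only quarantine
# directory, timestamped so repeated runs do not collide or overwrite.
quarantine_queue() {
    mkdir -p "$2" && chmod 700 "$2" || return 1
    mv "$1" "$2/$(basename "$1").$(date +%Y%m%d%H%M%S)"
}

# Constructed sample inputs (not real bio.cc data) for trying the helpers.
sample_ps_snapshot() {
    cat <<'EOF'
PID USER %CPU TIME COMMAND
13283 root 100.0 24-16:16:14 sshd
12475 root 99.7 24-09:29:12 sshd
2201 dmb 0.3 00:00:02 sshd
1911 root 0.0 00:00:00 sendmail
EOF
}
sample_auth_log() {
    cat <<'EOF'
Jun 29 18:01:02 mail sshd[4410]: Failed password for invalid user admin from 192.0.2.10 port 4123 ssh2
Jun 29 18:01:03 mail sshd[4412]: Failed password for root from 192.0.2.10 port 4124 ssh2
Jun 29 18:01:05 mail sshd[4415]: Failed password for invalid user test from 192.0.2.10 port 4130 ssh2
Jun 29 18:02:11 mail sshd[4420]: Failed password for dmb from 198.51.100.7 port 50211 ssh2
EOF
}
```

Run `sample_ps_snapshot | flag_hot_sshd` to see the two pinned PIDs, or feed it real `ps` output; on a live host the quarantine directory should live on a root-only filesystem rather than /tmp.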
