RE: SSH Attempts: Link to RedHat?

From: Montz, James C. (James Tower) (JCMontzat_private)
Date: Tue Dec 18 2001 - 07:29:04 PST


    Take a look at
    
    /var/log/messages
    /var/log/secure
    /root/.bash_history
    
    Keep an eye out for any gaps in log times, or statements that syslogd has
    been restarted (other than at 4:00am)
    Check the /etc/passwd file for any other user accounts with UID/GID:0
    
    Good Luck,
    
    ________________________
    James C. Montz  RHCE
    Hosting Services Engineer
    James Tower
    http://www.jamestower.com
    
    
    -----Original Message-----
    From: Gregg Sperling [mailto:gs-listat_private]
    Sent: Monday, December 17, 2001 5:50 PM
    To: incidentsat_private
    Subject: SSH Attempts: Link to RedHat?
    
    
    Early yesterday, I received a single connection attempt on three of my 
    Linux-based direct connected Internet servers:
    
    Dec 16 01:56:08 srvr001 sshd2[42]: connection from "24.5.243.0"  (ip 
    address blocked to protect user)
    Dec 16 01:56:09 srvr001 sshd2[6969]: Local disconnected: Connection closed 
    by remote host.
    Dec 16 01:56:09 srvr001 sshd2[6969]: connection lost: 'Connection closed by 
    remote host.'
    Dec 16 01:56:40 srvr002 sshd2[41]: connection from "24.5.243.0" (ip address 
    blocked to protect user)
    Dec 16 01:56:41 srvr002 sshd2[10007]: Local disconnected: Connection closed 
    by remote host.
    Dec 16 01:56:41 srvr002 sshd2[10007]: connection lost: 'Connection closed 
    by remote host.'
    Dec 16 02:02:41 srvr003 sshd2[44]: connection from "24.5.243.0" (ip address 
    blocked to protect user)
    Dec 16 02:02:42 srvr003 sshd2[13440]: Local disconnected: Connection closed 
    by remote host.
    Dec 16 02:02:42 srvr003 sshd2[13440]: connection lost: 'Connection closed 
    by remote host.'
    
    I ran some diagnostic tests on the IP address listed, and found it to be a 
    RedHat based Linux system with several ports open,
    including HTTP, Telnet, FTP, X11, and "others."
    
    I connected to the website connected to this server, and found somebody's 
    personal webpage.  I found their email address, and sent the
    owner an email.
    
    Surprisingly, I have had several pleasant exchanges with the individual who 
    runs the server.  He has offered to allow me access
    into his server with root access.  I'd like to find out what breach, if 
    any, caused this connection attempt.
    
    Besides checking the standard /var/log/messages log, are there any 
    suggestions as to where I should check for possible breaches
    in this individual's system?
    
    Hints?  Suggestions?  Ideas?
    
    Thanks in advance for your time,
    Gregg Sperling
    gsperling -at- glsrms -dot- com
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
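As an added example that is not part of this thread, the three checks in the reply above written as shell functions that take file paths, so they can be run against copies of /etc/passwd and /var/log/messages taken from the suspect host; the sample passwd and log lines are constructed, not real data.

```shell
#!/bin/sh
# Added example, not code from the original thread: the reply's three checks
# as shell functions taking file paths, so they can run on copies of
# /etc/passwd and /var/log/messages pulled from the suspect host.

# Accounts other than root with UID 0 or GID 0. Prints "name uid gid".
# Old Red Hat ships sync/shutdown/halt/operator with GID 0, so judge GID hits.
find_uid0_accounts() {
    awk -F: '$1 != "root" && ($3 == 0 || $4 == 0) { print $1, $3, $4 }' "$1"
}

# syslogd restart lines outside the 04:00 hour, where logrotate normally runs.
find_odd_syslog_restarts() {
    awk '/syslogd.*restart/ && substr($3, 1, 2) != "04"' "$1"
}

# Consecutive entries more than $2 seconds apart: a gap can mean logging was
# stopped or lines were removed. Assumes all entries fall in one year.
find_log_gaps() {
    awk -v max="$2" '
    BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m)
            for (i = 1; i <= n; i++) mon[m[i]] = i }
    { split($3, t, ":")
      now = (mon[$1] * 31 + $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
      if (NR > 1 && now - prev > max)
          printf "gap of %d s before: %s\n", now - prev, $0
      prev = now }' "$1"
}

# Constructed sample files (not real data) so the script runs offline.
make_sample_data() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'bob:x:500:500::/home/bob:/bin/bash' \
        'toor:x:0:0::/:/bin/bash' > "$1/passwd"
    printf '%s\n' 'Dec 16 01:56:08 srvr001 sshd2[42]: connection from "24.5.243.0"' \
        'Dec 16 01:56:09 srvr001 sshd2[6969]: connection lost' \
        'Dec 16 04:02:01 srvr001 syslogd 1.4.1: restart.' \
        'Dec 16 13:20:00 srvr001 syslogd 1.4.1: restart.' \
        'Dec 16 13:20:05 srvr001 sshd2[77]: connection from "10.0.0.5"' > "$1/messages"
}
demo() {
    d=$(mktemp -d)
    make_sample_data "$d"
    echo "extra UID/GID 0 accounts:";       find_uid0_accounts "$d/passwd"
    echo "syslogd restarts outside 04:xx:"; find_odd_syslog_restarts "$d/messages"
    echo "gaps longer than 4 hours:";       find_log_gaps "$d/messages" 14400
    rm -rf "$d"
}
demo
```

Point the functions at the real files (or copies) once you have the root access offered; the 04:00 filter and the 4-hour gap threshold are starting points to adjust for the host's own cron schedule.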



    This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 09:45:03 PST