  1. #1
    Join Date
    Jan 2006
    San Antonio, TX

    Remotely replaced sshd_config, CentOS 5.3/SSH 4.3p2-36el5_4.2

    Hello Everyone,

    Fighting a bit of a nasty morning... anyone seen this before?

    We have a number of servers that have password authentication disabled as well as shell access disabled for all users except those who have keys. These servers run cPanel and have been updated to the following specs:

    2.6.18-164.el5PAE #1 SMP Thu Sep 3 04:10:44 EDT 2009 i686 i686 i386 GNU/Linux

    Early (around midnight-1am CST) this morning we had a widespread attack via an unknown vector. In the attack, the only thing that I can find is the following (IP blacked out, although it is the attackers' address):

    Nov 12 04:31:22 sharedserver/sharedserver sshd[16083]: Received disconnect from 11: No supported authentication methods available
    Nov 12 04:32:14 sharedserver/sharedserver sshd[11265]: Received signal 15; terminating.
    Nov 12 04:32:14 sharedserver/sharedserver sshd[16570]: Server listening on :: port 2.
    Nov 12 04:32:14 sharedserver/sharedserver sshd[16570]: error: Bind to port 2 on failed: Address already in use.
    Nov 12 04:32:27 sharedserver/sharedserver sshd[16611]: Accepted password for root from port 3630 ssh2
    Nov 12 04:32:27 sharedserver/sharedserver sshd[16611]: pam_unix(sshd:session): session opened for user root by (uid=0)

    The concerning part is that it obviously appears that there is someone reloading SSHD, but there is no successful login (at all) via shell prior to this.

    This time corresponds with a modified sshd_config that then allows password authentication, whereby the user then logs in as root and has a good time, so to speak.

    I know that the following vulnerability is out in the wild:

    However, since the user never actually logged into the server from what I can see, I'm still searching for the real way that this occurred.

    I have logs from these servers; if you need other information to help track this down, that is possible. I'm having a hard time finding the vector for this attack though...

    Any assistance would be greatly appreciated.
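    An added detection example, not code from the thread: a small Python check that runs over log lines constructed to follow the sequence quoted above (hostname, PIDs and the 198.51.100.7 source address are placeholders) and flags an sshd SIGTERM followed shortly by a password login, which a host with PasswordAuthentication disabled should never produce; it also reads the effective policy out of sshd_config text so the two can be compared.

```python
import re
from datetime import datetime

# Constructed sample patterned on the log in post #1; host, PIDs and
# 198.51.100.7 are placeholders, not values from the thread.
SAMPLE_LOG = """\
Nov 12 04:31:22 host sshd[16083]: Received disconnect from 198.51.100.7: 11: No supported authentication methods available
Nov 12 04:32:14 host sshd[11265]: Received signal 15; terminating.
Nov 12 04:32:14 host sshd[16570]: Server listening on :: port 22.
Nov 12 04:32:27 host sshd[16611]: Accepted password for root from 198.51.100.7 port 3630 ssh2
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
ACCEPT_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")

def parse_sshd_lines(log, year=2009):
    """Yield (timestamp, message) for sshd lines; syslog omits the year, so supply it."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def restart_then_password_login(log, window_s=120, year=2009):
    """Flag an sshd shutdown (SIGTERM, as seen after a config edit and restart)
    followed within window_s seconds by a *password* login."""
    alerts, last_stop = [], None
    for ts, msg in parse_sshd_lines(log, year):
        if msg.startswith("Received signal 15; terminating"):
            last_stop = ts
            continue
        m = ACCEPT_RE.search(msg)
        if m and m.group(1) == "password" and last_stop is not None:
            gap = (ts - last_stop).total_seconds()
            if 0 <= gap <= window_s:
                alerts.append({"user": m.group(2), "src": m.group(3), "gap_s": gap})
    return alerts

def sshd_config_policy(text):
    """Effective PasswordAuthentication / PermitRootLogin from sshd_config text.
    sshd honours the first occurrence of a directive, so later duplicates are ignored."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ("passwordauthentication", "permitrootlogin"):
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return seen
```

Running this on a central syslog copy rather than the host's own /var/log/secure matters, since the local file can be edited by whoever holds root.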

  3. #3
    Join Date
    Feb 2006
    Buffalo NY
    You can easily modify these logs (secure, wtmp, utmp, etc.), so I would take them with a grain of salt unless you set up a central syslog server somewhere.

    Unfortunately, unless you set up an IDS a while ago, the only real way to be sure you're clean is to simply reinstall / replace all the common binaries and libraries (/bin, etc.).

    Try running chkrootkit / rkhunter to see if it finds anything odd, check all listening ports, check for daemons running that you can't identify and see what they're doing. Check the crons, all authorized_keys, etc.

    It's a tedious process. In the future, after you install / configure a system, set up an IDS like Tripwire to make some sort of database of the baseline core files; this makes it infinitely easier to find out if a system was compromised, and where.
    Cody R.
    Hawk Host Inc. Proudly Serving websites since 2004.

  4. #4
    Join Date
    Nov 2003
    Marylebone, London, UK
    Regardless of what files are changed, you can limit ssh to a set of IP addresses. Using PF I allow:
    1) anything from the cluster of IP addresses I list in a file (just all my server IPs)
    2) anything from my ISP (no fixed IP at home, so it is allocated dynamically)
    At least then their ssh attempt would probably get no further than my firewall.
