[mythtv-users] ssh attack
George Nassas
gnassas at mac.com
Fri Dec 30 00:08:41 EST 2005
On 29-Dec-05, at 8:19 PM, Darren Hart wrote:
> mythtv:mythtv
>
> Like I said, I'm sure no one else but me thought that was a good idea
> :-) Once in they must have found some app to exploit and get root,
> then it starts scanning addresses - to propagate I guess. There are
> some indications that cupsys may have been the culprit there. Anyway,
> just a heads up, it manifests itself with several sshf processes
> running (78 in my case) and lots of failed login attempts in
> /var/log/auth.log*
My system got hit on the 24th also because of ssh forwarding with
easy-to-guess passwords. I know better and I even lecture clients about this
all the time. Sheesh.
Besides the things you listed the attacker prepends an executable to
various binaries in /bin and /sbin. It's easy to tell which because
they have the date of the first break-in. The prepended code checks if
you've done anything to clean out the attack and if so it reinfects you
and then execs the regular command. One of my tainted executables was
ls so every time I'd fix up something I'd ls to check the dates and
thereby undo all my work. At that point I booted knoppix so I could
work in a clean environment and after copying bin and sbin binaries
from a safe system and changing passwords I was back in business.
The only other thing I noticed was the fellow was opening an irc
connection to an IP in Honduras. I assume that was to relay the results
of all the propagation scans he was running on my box.
At the time I was somewhat pissed to be virus cleaning on Christmas eve
but in retrospect it was something of a gift to have my eyes opened by
someone who didn't have the wherewithal to mount a stronger assault
once he got root access. Feliz Navidad wherever you are, Mr. ssh
attacker.
- George
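Both posts describe doing the triage by hand: counting the failed logins in auth.log, and checking /bin and /sbin for binaries stamped with the break-in date while working from a clean boot instead of the trojaned ls. The script below is an added example, not code from either poster or from the MythTV project. It parses constructed auth.log-style lines (the hostnames and addresses are made up, from the documentation ranges) and compares a suspect filesystem, mounted from a clean environment, against a sha256sum manifest taken on a trusted system, flagging anything whose hash differs or whose mtime is at or after the break-in time. The `demo()` function builds a small throwaway tree with one "infected" ls to show the output; the manifest format and the `SAMPLE_AUTH_LOG` lines are assumptions for the example.

```python
"""Offline triage after an ssh brute-force compromise (added example).

Run this from a clean boot (live CD, rescue image) with the suspect root
mounted read-only, never on the compromised host: its own ls/sha256sum
may be the prepended-stub binaries the post describes.
"""
import hashlib
import os
import re
import tempfile
import time
from collections import Counter

# OpenSSH's failed-password line, with or without "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample lines in auth.log style (hosts/addresses are made up).
SAMPLE_AUTH_LOG = [
    "Dec 24 03:11:02 myth sshd[4412]: Failed password for mythtv from 203.0.113.7 port 51234 ssh2",
    "Dec 24 03:11:05 myth sshd[4414]: Failed password for mythtv from 203.0.113.7 port 51240 ssh2",
    "Dec 24 03:11:09 myth sshd[4416]: Failed password for invalid user admin from 198.51.100.9 port 40123 ssh2",
    "Dec 24 03:11:12 myth sshd[4418]: Failed password for mythtv from 203.0.113.7 port 51251 ssh2",
    "Dec 24 03:11:15 myth sshd[4420]: Failed password for mythtv from 203.0.113.7 port 51262 ssh2",
    "Dec 24 03:11:19 myth sshd[4422]: Accepted password for mythtv from 203.0.113.7 port 51270 ssh2",
]


def failed_logins(lines, threshold=5):
    """Map (source, user) -> failed-login count, keeping only sources at/above threshold."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group("src"), m.group("user"))] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(text):
    """Parse `sha256sum` output ("<hex>  <relative path>") taken on a trusted system."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            digest, _, path = line.partition("  ")
            manifest[path] = digest
    return manifest


def verify_tree(mount, manifest, breakin_epoch):
    """Return {path: reason} for manifest entries that are missing, differ in
    content, or were modified at/after the break-in time under `mount`."""
    findings = {}
    for rel, good_digest in manifest.items():
        full = os.path.join(mount, rel)
        if not os.path.isfile(full):
            findings[rel] = "missing"
            continue
        reasons = []
        if sha256_file(full) != good_digest:
            reasons.append("hash mismatch")
        if os.stat(full).st_mtime >= breakin_epoch:
            reasons.append("mtime after break-in")
        if reasons:
            findings[rel] = ", ".join(reasons)
    return findings


def demo():
    """Constructed suspect tree: three clean binaries backdated before the
    break-in, then ls overwritten with a prepended stub (mtime becomes now).
    The trusted manifest also lists bin/id, which the suspect tree lacks."""
    clean = b"#!/bin/sh\necho clean\n"
    breakin = time.time() - 3600  # pretend the break-in happened an hour ago
    root = tempfile.mkdtemp(prefix="suspect-")
    os.makedirs(os.path.join(root, "bin"))
    for name in ("ls", "ps", "netstat"):
        path = os.path.join(root, "bin", name)
        with open(path, "wb") as f:
            f.write(clean)
        os.utime(path, (breakin - 86400, breakin - 86400))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:  # the "infection"
        f.write(b"#!/bin/sh\n# reinfect-then-exec stub\n" + clean)
    good = hashlib.sha256(clean).hexdigest()
    manifest = load_manifest("\n".join(f"{good}  bin/{n}" for n in ("ls", "ps", "netstat", "id")))
    return failed_logins(SAMPLE_AUTH_LOG, threshold=3), verify_tree(root, manifest, breakin)


if __name__ == "__main__":
    brute, findings = demo()
    print("brute-force sources:", brute)
    print("tampered files:", findings)
```

On a real system the manifest comes from `sha256sum` run on a trusted box with the same distribution and package versions, and `mount` is the read-only mount of the suspect disk from the rescue environment. The mtime check is a cheap first pass; the hash comparison is what you trust, since an attacker can reset timestamps.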