[mythtv-users] ssh attack

[George Nassas]

On 29-Dec-05, at 8:19 PM, Darren Hart wrote:

> mythtv:mythtv
>
> Likle I said, I'm sure noone else but me thought that was a good idea 
> :-)  Once in they must ahve found some app to exploit and get root, 
> then it starts scanning addresses - to propogate I guess.  There are 
> some indications that cupsys may have been the culprit there.  Anyway, 
> just a heads up, it manifests itself with several sshf processes 
> running (78 in my case) and lots of failed login attempts in 
> /var/log/auth.log*

My system got hit on the 24th also because of ssh forwarding with easy 
to guess passwords. I know better and I even lecture clients about this 
all the time. Sheesh.

Besides the things you listed the attacker prepends an executable to 
various binaries in /bin and /sbin. It's easy to tell which because 
they have the date of the first break in. The prepended code checks if 
you've done anything to clean out the attack and if so it reinfects you 
and then execs the regular command. One of my tainted executables was 
ls so every time I'd fix up something I'd ls to check the dates and 
thereby undo all my work. At that point I booted knoppix so I could 
work in a clean environment and after copying bin and sbin binaries 
from a safe system and changing passwords I was back in business.

The only other thing I noticed was the fellow was opening an irc 
connection to an IP in Honduras. I assume that was to relay the results 
of all the propagation scans he was running on my box.

At the time I was somewhat pissed to be virus cleaning on Christmas eve 
but in retrospect it was something of a gift to have my eyes opened by 
someone who didn't have the wherewithal to mount a stronger assault 
once he got root access. Feliz Navidad wherever you are mr. ssh 
attacker.

- George