[NTLUG:Discuss] OpenSSH - Newbie Question #2

brian@pongonova.net brian at pongonova.net
Wed Jul 5 23:25:34 CDT 2006


On Wed, Jul 05, 2006 at 11:18:55PM -0500, Terry Henderson wrote:
> Give us a couple details about your two breakin events if you don't mind.
> Did they ssh in as root?

No, access was initially gained via an old dormant test account I
forgot to remove after installing qmail called "mailtest."

Nothing happened for about a month, then access was gained again
through the mailtest user account.  Root access was gained by
executing a file called "brk" from ~mailtest, and a port scanner was
installed (pscan2), but it looked like they had trouble getting it to
run behind the firewall (a good reason to have outbound firewall rules
as well!).  This is the point at which I discovered a newly-installed
rootkit (t0rn or shv4, don't remember which) in the /tmp directory.
They were actually connected to the machine at the time:

tcp        0      0 192.168.0.3:22          82.77.199.54:1128 ESTABLISHED

BTW, I discovered this crack while trying to figure out why imapd
wasn't working (the morons installing the rootkit killed imapd for
some reason).  A quick check of messages told me all I needed to know:

May  7 16:11:28 turquoise sshd[12249]: 
Accepted password for mailtest from 82.77.199.54 port 1134

Looking back through the logs, I discovered the initial access:

Apr 12 08:31:31 turquoise sshd[13755]: Failed password for postgres
from 69.38.0.10 port 48530 ssh2
Apr 12 08:31:33 turquoise sshd[13757]: Accepted password for mailtest
from 69.38.0.10 port 48629 ssh2
...

I still remember how pissed off I was when I sat there staring at
those lines of text.  I immediately knew I'd been cracked, and the
first thing I did was pull the network cable.  At the time, I had no
idea who "mailtest" was, and it took quite a while for me to figure
out what had happened:  I set up "mailtest" with the same password to
facilitate testing of qmail, and then simply forgot to remove the
account.

Lesson learned... I kept all the logs as a reminder to me of how easy it is
to become complacent.

  --Brian
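The two log excerpts above show exactly the pattern worth alerting on: a failed password from a source address followed seconds later by an accepted password for an account nobody remembers creating. As an added example (not part of Brian's post), here is a small Python detector that parses sshd lines in that syslog format and flags accepted logins for accounts outside an expected allowlist, or accepted logins preceded within a few minutes by failures from the same source. The sample lines are constructed from the excerpts quoted in the post, the year is an assumption (syslog timestamps carry none), and the allowlist is a placeholder.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the sshd/syslog format quoted in the post.
SAMPLE_LOG = """\
Apr 12 08:31:31 turquoise sshd[13755]: Failed password for postgres from 69.38.0.10 port 48530 ssh2
Apr 12 08:31:33 turquoise sshd[13757]: Accepted password for mailtest from 69.38.0.10 port 48629 ssh2
Apr 13 09:02:10 turquoise sshd[14001]: Accepted publickey for brian from 192.168.0.5 port 50122 ssh2
May  7 16:11:28 turquoise sshd[12249]: Accepted password for mailtest from 82.77.199.54 port 1134 ssh2
"""

# "invalid user" is the wording sshd uses for accounts that do not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text, year=2006):
    """Return (time, result, method, user, src) tuples for each sshd auth line.
    The year is assumed because syslog timestamps do not include one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["result"], m["method"], m["user"], m["src"]))
    return events


def find_suspicious_logins(events, allowed_users, window=timedelta(minutes=5)):
    """Alert on accepted logins by accounts not in the allowlist, and on any
    accepted login preceded within `window` by failures from the same source
    (the guess-then-succeed pattern in the April 12 excerpt)."""
    alerts = []
    for i, (ts, result, method, user, src) in enumerate(events):
        if result != "Accepted":
            continue
        if user not in allowed_users:
            alerts.append(("unexpected-account", user, src, ts))
        recent_failures = [e for e in events[:i]
                           if e[1] == "Failed" and e[4] == src and ts - e[0] <= window]
        if recent_failures:
            alerts.append(("failures-then-success", user, src, ts))
    return alerts
```

Running it over real /var/log/messages or auth.log output would have surfaced the April 12 "mailtest" login the day it happened rather than a month later; the allowlist check is also the quickest way to rediscover dormant test accounts like the one described above.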


