Re: Possible attack?

Anon E. Muss wrote:
> On Fri, 19 Sep 2008 17:17:13 +0000 (UTC), Sylvain Robitaille
> <syl@alcor.concordia.ca> wrote:
>
>>Anon E Muss wrote:
>>
>>> Below is most of output of netstat. Can someone let me know what is
>>> going on here?
>
> [...]
>
>>Your machine is port-scanning what appears to be 218.0.0.0/11 for ssh
>>servers. You need to make it stop that. If you blocked 201/8
>>yesterday, and 218/8 today, you might want to try to find what data it
>>gathered in the meantime for 202/8 to 217/8. More seriously, you need
>>to identify the process that is performing the scan, and stop it.
>>Then you need to figure out how it got there and deal with that.
>>
>>> ... any suggestions??
>>
>>Look for a probable compromise by similar means. Judging by the
>>client-side ports (on your system) used in the scan, I don't think
>>that a privileged account was compromised (and therefore your system
>>itself is probably not compromised, unless the compromised account was
>>able to use local privilege escalation). Another frequent source of account
>>compromise seems to be some web-based services.
>
> One of my users had a stupid password and had his account compromised.
> Upon reviewing the logs, it looks like this was going on for about 4
> days:
>
> $ cat .bash_history
>
<snip>
You should block outgoing requests to port 22, and only allow trusted
destinations, so your server can't be the source of an attack again.
Do the same for other similar ports/services. Also, consider applying
some rate-limit policies for the ones you do trust as destinations.
Additionally, you should report the sites in question the files were
downloaded from and add some mod_security rules (if you use Apache) for
POST/GET requests for those file names, and block outgoing access to
those servers as well. Finally, you should be sure you don't allow any
users to bind services to ports above 1024 without verifying they are
okay (if you allow that at all).
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!
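Two of the controls in the reply above, egress filtering for outbound SSH with a trusted-destination allowlist and rate limit, and a check for users running listeners on ports above 1024, as an added example script. This is not Tim Greer's code or anything from the thread; it assumes Linux iptables with the conntrack and limit match modules, and the column layout of net-tools `netstat -tlnpe`. The destination addresses and the sample netstat lines are constructed for illustration (TEST-NET ranges, invented PIDs). By default the rule generator only prints the iptables commands so the policy can be reviewed; set `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Added example, not from the original post.
#  egress_allowlist: build iptables rules so new outbound connections to one
#    port may reach only trusted destinations (rate-limited); everything else
#    to that port is logged and rejected.  Prints commands unless IPT is set.
#  audit_high_ports: read `netstat -tlnpe` on stdin and list TCP listeners
#    above port 1024 that are not owned by root (uid 0).

# Usage: egress_allowlist PORT CHAIN "dst1 dst2/24 ..." [RATE] [BURST]
egress_allowlist() {
  port=$1; chain=$2; allow=$3; rate=${4:-5/min}; burst=${5:-10}
  ipt=${IPT:-echo iptables}          # dry run by default; IPT=iptables to apply
  # A chain per port lets the policy be flushed and rebuilt without touching
  # the rest of OUTPUT.
  $ipt -N "$chain" 2>/dev/null || true
  $ipt -F "$chain"
  for dst in $allow; do
    # New connections to each trusted destination are accepted, but only at
    # $rate: without a limit a hijacked account can still scan a trusted /24.
    $ipt -A "$chain" -d "$dst" -m conntrack --ctstate NEW \
      -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
  done
  # Log (rate-limited) then reject the rest, so the next scan shows up in
  # the local kernel log instead of on someone else's firewall.
  $ipt -A "$chain" -m limit --limit 1/sec -j LOG --log-prefix "EGRESS-$port-DROP: "
  $ipt -A "$chain" -j REJECT --reject-with tcp-reset
  # Only NEW outbound flows to the port are diverted; established ones pass.
  $ipt -I OUTPUT 1 -p tcp --dport "$port" -m conntrack --ctstate NEW -j "$chain"
}

# Usage: netstat -tlnpe | audit_high_ports
# Prints "UID PORT PID/PROGRAM" for each non-root TCP listener above 1024.
# Columns of netstat -tlnpe: Proto Recv-Q Send-Q Local Foreign State User Inode PID/Program
audit_high_ports() {
  awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
         n = split($4, a, ":"); port = a[n] + 0   # last field: works for :::8080 too
         if (port > 1024 && $7 != "0") print $7, port, $9
       }'
}

# Constructed netstat -tlnpe output for the demonstration run (not real data).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          11001      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          11002      901/master
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      1001       11003      4433/perl
tcp6       0      0 :::8080                 :::*                    LISTEN      1002       11004      5120/python
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          11005      700/apache2'

demo() {
  # Hypothetical trusted SSH destinations (TEST-NET addresses).
  egress_allowlist 22 OUT_SSH "192.0.2.10 198.51.100.0/24"
  printf '%s\n' "$SAMPLE_NETSTAT" | audit_high_ports
}
```

Run `demo` to see the generated rule set followed by the two suspect listeners from the sample (the perl process on 6667 and the python process on 8080). Apply the same `egress_allowlist` call for the other services the post mentions by changing the port and chain name; the LOG target is what turns the next compromised account into an alert rather than a complaint from a remote abuse desk.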