[ltp] Help with reading logs - Fedora Core 5, possible break-in attempts

David A. Desrosiers linux-thinkpad@linux-thinkpad.org
Wed, 23 Aug 2006 14:43:55 -0400


> > It looks like someone was actually successful in logging in as root! Am 
> > I right?

> Yes, unfortunately it does look like it.

I prefer this, combined with public key authentication: 

# Allow SSH (tcp/22) only from the listed hosts and networks, then drop
# everything else; x.x.x.x stands for your own remote address.
sshhosts="127.0.0.1 10.0.1.0/24 1.2.3.4 x.x.x.x"
for sshhost in $sshhosts; do
        iptables -A INPUT -j ACCEPT -p tcp -s $sshhost --dport 22
done
iptables -A INPUT -j DROP -p tcp --dport 22

> > Also, sshd was stopped and started. Would the system have done this for 
> > any reason?

Yes, to replace your distribution's sshd binary with a trojaned version
which sniffs login password attempts and sends them to an external
server somewhere in another country. I've seen this elegant root attack
at least once before, and it's ugly.

In the case I've seen, it actually scanned $USER/.ssh/known_hosts and
tried the password you entered to log in over ssh against the servers it
found in your known_hosts file, thus growing the attack to other
machines. 


-- 
David A. Desrosiers
desrod gnu-designs com
http://gnu-designs.com

"Erosion of civil liberties... is a threat to national security."
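The thread asks how to read the logs for exactly the two signs discussed above: a successful root login and an sshd stop/start. Below is an added example (not from the list or any of its posters) that scans /var/log/secure-style lines for both; the sample log lines are constructed for this example, the message formats are the ones OpenSSH's sshd writes.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample lines in the syslog format sshd writes to /var/log/secure;
# the hostname, addresses and timestamps are made up for this example.
SAMPLE_SECURE_LOG = """\
Aug 22 03:12:01 tp sshd[4120]: Failed password for root from 203.0.113.9 port 40211 ssh2
Aug 22 03:12:04 tp sshd[4120]: Failed password for root from 203.0.113.9 port 40211 ssh2
Aug 22 03:12:09 tp sshd[4123]: Accepted password for root from 203.0.113.9 port 40213 ssh2
Aug 22 03:13:40 tp sshd[2210]: Received signal 15; terminating.
Aug 22 03:13:41 tp sshd[4301]: Server listening on 0.0.0.0 port 22.
Aug 22 09:00:12 tp sshd[4410]: Accepted publickey for dave from 10.0.1.7 port 51022 ssh2
"""

# "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port")


class Finding(NamedTuple):
    ts: str
    kind: str    # "root_login" or "sshd_restart"
    detail: str


def scan_secure_log(text):
    """Flag every accepted root login (noting earlier failures from the same
    source, i.e. guessing that eventually succeeded) and every sshd stop
    followed by a start, which is where a swapped-in binary would show up."""
    findings = []
    failures = Counter()       # failed attempts per source address
    pending_stop = None        # timestamp of the last "terminating" message
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        auth = AUTH_RE.match(msg)
        if auth and auth["result"] == "Failed":
            failures[auth["src"]] += 1
        elif auth and auth["user"] == "root":
            detail = f"{auth['method']} from {auth['src']}, {failures[auth['src']]} prior failures"
            findings.append(Finding(ts, "root_login", detail))
        elif msg.startswith("Received signal") and "terminating" in msg:
            pending_stop = ts
        elif msg.startswith("Server listening on") and pending_stop is not None:
            findings.append(Finding(ts, "sshd_restart", f"stopped {pending_stop}, listening again {ts}"))
            pending_stop = None
    return findings
```

On the sample input this reports one root password login preceded by two failures from the same address and one sshd stop/start pair; a restart you did not do yourself is the cue to verify the sshd binary against your distribution's package.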