[wplug] detecting a break-in (was: Any tips against this kind of ssh break-in?)

Bill Moran wmoran at potentialtech.com
Fri Jul 15 12:18:44 EDT 2005


Dane Miller <dane at olneyfriends.org> wrote:

> This thread made me check my firewall logs.  I also see many "illegal
> user" messages in auth.log showing all the usernames that these
> attackers are guessing (michaeljordan was the funniest).  But I'm
> suspicious because "root" was never guessed, even though ssh was set to
> allow root login.
> 
> Isn't that odd?  Wouldn't you expect root to be the first account for
> attackers to hit?

Yes, it is a bit odd.  I seldom see attacks against any account but root.
Occasionally, it really creeps me out because I see someone trying to guess
the password for the wmoran account, but not too often.

> ...Unless someone did hit root, broke the password (which is complex,
> but not terribly long), and erased all trace from the logs.  Is this far
> fetched?  How would I know?

Do you run Tripwire or any other integrity software?  If not, you should
start.  Tripwire will tell you (reliably) if your system has been altered.

Without a good Tripwire characterization, the best you can do is monitor
and log everything going on with that machine and react to things that
don't look normal.  Do an nmap scan of the machine (do a full scan of ALL
ports, both UDP and TCP) and investigate any open ports that you didn't
enable.  Increase logging levels of applications and monitor those logs
for oddities.

In general, gaining root on a box while leaving _no_ traces is very
difficult because there are so many places where evidence of the break-in
would be left.  However, if you can verify that someone did break in,
it can be very difficult to assess exactly how much they got access to.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
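The "monitor the logs for oddities" advice above can be made concrete with a small auth.log summarizer. This is an added example, not code from the thread or from the wplug list: it counts the usernames guessed by password-guessing attackers (both the older OpenSSH "Illegal user" wording and the later "Invalid user" wording), tallies attempts per source address, and flags any accepted root login that came from an address already seen guessing passwords. The sample log lines are constructed for the example (RFC 5737 documentation addresses), and the regular expressions assume standard OpenSSH log phrasing.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the original thread).  Mixes the
# OpenSSH 3.x "Illegal user" wording with the later "Invalid user" wording.
SAMPLE_AUTH_LOG = """\
Jul 14 03:12:01 host sshd[2201]: Illegal user michaeljordan from 192.0.2.10
Jul 14 03:12:03 host sshd[2203]: Illegal user admin from 192.0.2.10
Jul 14 03:12:05 host sshd[2203]: Failed password for illegal user admin from 192.0.2.10 port 4021 ssh2
Jul 14 03:13:44 host sshd[2210]: Invalid user test from 198.51.100.7
Jul 14 03:13:46 host sshd[2210]: Failed password for invalid user test from 198.51.100.7 port 51022 ssh2
Jul 14 03:14:02 host sshd[2214]: Failed password for root from 198.51.100.7 port 51030 ssh2
Jul 14 03:14:09 host sshd[2214]: Failed password for root from 198.51.100.7 port 51030 ssh2
Jul 14 03:15:00 host sshd[2220]: Accepted password for wmoran from 203.0.113.5 port 40010 ssh2
Jul 14 03:16:30 host sshd[2230]: Accepted password for root from 198.51.100.7 port 51044 ssh2
"""

# A guess against an account that does not exist on the box.
UNKNOWN_USER = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\S+)")
# A wrong password for an account that DOES exist (root, wmoran, ...).  The
# negative lookahead skips the "Failed password for illegal user ..." line that
# accompanies an "Illegal user" line, so each attempt is counted once.
FAILED_EXISTING = re.compile(
    r"sshd\[\d+\]: Failed password for (?!illegal user |invalid user )(\S+) from (\S+)"
)
# Successful logins of any method (password, publickey, ...).
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")


def summarize_auth_log(lines):
    """Tally guessed usernames and guessing sources; collect accepted logins."""
    guessed_users = Counter()   # username -> number of failed attempts
    sources = Counter()         # source address -> number of failed attempts
    accepted = []               # (username, source) for every successful login
    for line in lines:
        m = UNKNOWN_USER.search(line) or FAILED_EXISTING.search(line)
        if m:
            guessed_users[m.group(1)] += 1
            sources[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group(1), m.group(2)))
    return {"guessed_users": guessed_users, "sources": sources, "accepted": accepted}


def suspicious_root_logins(summary):
    """Accepted root logins from an address that was also seen guessing passwords.

    This is exactly the case the thread worries about: a guesser that eventually
    got in as root.  It is a prompt to pull out the integrity checker, not proof.
    """
    return [(user, src) for user, src in summary["accepted"]
            if user == "root" and src in summary["sources"]]


if __name__ == "__main__":
    summary = summarize_auth_log(SAMPLE_AUTH_LOG.splitlines())
    print("guessed usernames:", summary["guessed_users"].most_common())
    print("guessing sources: ", summary["sources"].most_common())
    print("root targeted:    ", "root" in summary["guessed_users"])
    print("suspicious root logins:", suspicious_root_logins(summary))
```

On a real system, feed it `open("/var/log/auth.log")` instead of the constructed string. A summary in which root was never guessed is, as the thread notes, unusual; a summary in which root was guessed and then accepted from the same address is the cue to stop trusting the logs and fall back to an integrity baseline such as Tripwire.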

