[BlueOnyx:23007] Re: SSH outbound attacks

Michael Stauber mstauber at blueonyx.it
Sat Jul 20 13:24:22 -05 2019


Hi Don,

> Somehow I've got outbound SSH attacks happening from one of my servers.
> No idea how it's happening, etc. Where does one even begin to
> troubleshoot this?
> 
> (Of course first I have to figure out why I can't log in via GUI, but
> can via console.)

If you have SSH access, login, gain root access and use the following
commands to change the passwords for "root" and "admin":

passwd
passwd admin

Also check /root/.ssh/authorized_keys and ~admin/.ssh/authorized_keys
for any SSH keys whose origin you don't know and delete all unknown
lines.

Next check /etc/passwd to see which users have shell access. This set of
commands will show you who has anything that approaches a regular shell:

cat /etc/passwd|grep -v badsh|grep -v nologin|grep -v false

This will also list these three, but they are fine as is:

sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt

If you see a Vsite user that has shell and shouldn't have shell, turn off
their shell access via the GUI and confirm by looking into /etc/passwd
to make sure it's turned off.

Next step would be to find out how that attacker got in and what
privileges he has gained. Did he get "root" access? Or just lesser
privileged shell access of a regular user or siteAdmin?

Once you've identified the processes and the user who owns them, you can
suspend that account and check whatever files he brought aboard.

If you need any help with this, please create a support ticket or
contact me offlist and I'll see what I can do. Although I'm a bit
pressed for time today as we're expecting visitors.

-- 
With best regards

Michael Stauber
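The two checks from the reply above (accounts with a real login shell, and authorized_keys lines you can't account for) as one added POSIX sh example; this is not code from the original post or from BlueOnyx, and the /etc/passwd lines, key blobs and the allowlist of known key comments are constructed samples.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd (not from a real server).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
admin:x:1000:1000:Server Administrator:/home/admin:/bin/bash
site1user:x:1001:1001::/home/sites/site1/users/site1user:/bin/badsh
webdev:x:1002:1001::/home/sites/site1/users/webdev:/bin/bash
ftponly:x:1003:1003::/home/ftp:/bin/false'

# Print "user:shell" for every account whose shell is a real login shell.
# Filters the BlueOnyx non-shell (/bin/badsh), /sbin/nologin, /bin/false and
# the three system pseudo-shells (sync, shutdown, halt) the reply says are fine.
# $1 = passwd file content.  On a live box: real_shell_users "$(cat /etc/passwd)"
real_shell_users() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 7 && $7 !~ /\/(badsh|nologin|false|sync|shutdown|halt)$/ {
            print $1 ":" $7
        }'
}

# Constructed authorized_keys sample; key material is a placeholder, not real.
SAMPLE_AUTH_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1 don@laptop
# comment lines are ignored
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEY2 backup@nas
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEY3 unknown@example'
# Assumed allowlist: the key comments the admin recognises (constructed).
KNOWN_KEY_COMMENTS='don@laptop backup@nas'

# Print "lineno: line" for every key whose trailing comment is not in the
# allowlist (keys with no comment at all are reported too).
# $1 = authorized_keys content, $2 = space-separated list of known comments.
unknown_keys() {
    printf '%s\n' "$1" | awk -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        NF >= 2 && $1 !~ /^#/ {
            c = (NF >= 3) ? $NF : "(no comment)"
            if (!(c in ok)) print NR ": " $0
        }'
}
```

Anything `unknown_keys` prints is a line to remove, and anything `real_shell_users` prints beyond root and admin is an account to review before suspending it.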


