[BlueOnyx:23012] Re: SSH outbound attacks

Don Teague blueonyx at donteague.com
Mon Jul 22 12:08:44 -05 2019


I just went ahead and shut that machine down.

Even after shell was disabled for users (well, the one left on by 
mistake) something was still going on.



------ Original Message ------
From: "Michael Stauber" <mstauber at blueonyx.it>
To: blueonyx at mail.blueonyx.it
Sent: 7/20/2019 13:24:22
Subject: [BlueOnyx:23007] Re: SSH outbound attacks

>Hi Don,
>
>>  Somehow I've got outbound SSH attacks happening from one of my servers.
>>  No idea how it's happening, etc. Where does one even begin to
>>  troubleshoot this?
>>
>>  (Of course first I have to figure out why I can't log in via GUI, but
>>  can via console.)
>
>If you have SSH access, login, gain root access and use the following
>commands to change the passwords for "root" and "admin":
>
>passwd
>passwd admin
>
>Also check /root/.ssh/authorized_keys and ~admin/.ssh/authorized_keys
>for any SSH keys that you don't know where they're from and delete all
>unknown lines.
>
>Next check /etc/passwd to see which users have shell access. This set of
>commands will show you who has anything that approaches a regular shell:
>
>cat /etc/passwd|grep -v badsh|grep -v nologin|grep -v false
>
>This will also list these three, but they are fine as is:
>
>sync:x:5:0:sync:/sbin:/bin/sync
>shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
>halt:x:7:0:halt:/sbin:/sbin/halt
>
>If you see a Vsite user that has shell and should have shell, turn off
>their shell access via the GUI and confirm by looking into /etc/passwd
>to make sure it's turned off.
>
>Next step would be to find out how that attacker got in and what
>privileges he has gained. Did he get "root" access? Or just lesser
>privileged shell access of a regular user or siteAdmin?
>
>Once you've identified the processes and the user who owns them, you can
>suspend that account and check whatever files he brought aboard.
>
>If you need any help with this, please create a support ticket or
>contact me offlist and I'll see what I can do. Although I'm a bit
>pressed for time today as we're expecting visitors.
>
>--
>With best regards
>
>Michael Stauber
>_______________________________________________
>Blueonyx mailing list
>Blueonyx at mail.blueonyx.it
>http://mail.blueonyx.it/mailman/listinfo/blueonyx
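A defender-side check for two of the steps Michael describes (which accounts still have a real login shell, and which authorized_keys files exist), written as an added example that is not from the thread or from BlueOnyx itself. It parses the shell field of passwd(5) instead of grepping whole lines, and takes a file or directory argument so it can be run against a copy pulled off the affected machine; the sample passwd entries and paths are constructed.

```shell
#!/bin/sh
# List accounts whose login shell can start an interactive session.
# $1 is a passwd-format file (e.g. /etc/passwd, or a copy from a suspect host).
# The thread's grep -v chain matches anywhere on the line; this looks only
# at field 7 and treats the three system entries (sync/shutdown/halt) as fine.
shell_accounts() {
    awk -F: '
        # Shells that cannot give a login session; skip them.
        $7 ~ /(nologin|false|badsh|sync|shutdown|halt)$/ { next }
        # An empty shell field means /bin/sh by convention, so report it too.
        { printf "%s\t%s\n", $1, ($7 == "" ? "/bin/sh (empty field)" : $7) }
    ' "$1"
}

# Show every authorized_keys file below $1 (e.g. /home or /root), one line
# per key: file, key type, and the key comment so unknown keys stand out.
list_authorized_keys() {
    find "$1" -path '*/.ssh/authorized_keys' -type f 2>/dev/null |
    while read -r f; do
        awk -v f="$f" 'NF >= 2 && $1 !~ /^#/ {
            c = ""; for (i = 3; i <= NF; i++) c = c " " $i
            printf "%s\t%s\t%s\n", f, $1, c
        }' "$f"
    done
}

# Constructed sample passwd file (not from any real host).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
admin:x:500:500:admin:/home/admin:/bin/bash
site1user:x:1001:1001::/home/sites/site1/users/site1user:/bin/badsh
site2user:x:1002:1002::/home/sites/site2/users/site2user:/bin/bash
svc:x:1003:1003::/var/svc:
EOF
echo "accounts with a usable shell:"
shell_accounts "$SAMPLE"
rm -f "$SAMPLE"
```

Run `list_authorized_keys /home` and `list_authorized_keys /root` on the host itself; any key whose comment you do not recognise is the kind of line Michael suggests deleting.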




