Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?

To: "Water NB" <netbsd78%126.com@localhost>
Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
From: "Andy Ruhl" <acruhl%gmail.com@localhost>
Date: Fri, 12 Jan 2007 06:47:41 -0700

On 1/12/07, Water NB <netbsd78%126.com@localhost> wrote:

In the recent days, a cracker always attack my host.
The cracker's IP is from Japan, Croatia and some coutries.
But I guess it is the same cracker and remote-conrolled those hosts.
Because he always did the same works:
1) try to ssh account one by one: root, postfix, ... cyrus.
2) at last, login successfully via account cyrus.
3) install a program psyBNC 2.3.1 under /tmp and run it.
4) sometimes he changes the password of cyrus.

Question 1) Is it a bug of sshd?


Probably not. I'm one of the ones who likes to believe that any bugs
in ssh will be quickly known and public. Maybe that's too optimistic.

Question 2) why /etc/passwd:cyrus has Shell: /bin/sh?
I think /sbin/nologin is enough.
In fact, when I change it to /sbin/nologin, the cracker stop cracking
because he has to logout once he login.


Seems like a good idea to mee.

I had the ssh phishers too, and this is a good way to keep them away
from you and working on someone else:

1. Change your ssh port to something else
2. Set pf to block with a drop policy, so the scanners and hackers
have to wait if they do try (which means they will likely go play
somewhere else in short order).
3. Figure out a way to log attempts to connect to port 22 and then
block those IPs (it's on my list of things to do, I just haven't
figured out how I'm going to do it yet. I think someone else posted a
link)

I'm surprised that a few people think you should start over. I would
seriously hope that a compromised user account wouldn't immediately
prompt paranoia that the box was rooted. I understand that this is a
thoght process that needs to take place, but I would hope that NetBSD
is more hardy than that.

I always keep my install sets somewhere else so I can do a checksum
against some important programs to see if it's been hacked.

I don't claim to be Mr. Security, so you'll probably want to look for
advice from others who have been around a while.

Andy

Follow-Ups:
- Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
  - From: Elad Efrat
- Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
  - From: Steven M. Bellovin

References:
- NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
  - From: Water NB

Prev by Date: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
Next by Date: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
Previous by Thread: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
Next by Thread: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
Indexes:

Home | Main Index | Thread Index | Old Index