Some of them yes, some of them no. Almost every server has only nginx installed, without a PHP or Perl backend, with a simple location / that just serves static files.

The perl script was launched from ssh. I am sure. How then could you describe such an environ file of the perl PID, where it is clearly mentioned that the command was launched through ssh on the SSH port from a concrete IP that does not belong to me? A -j DROP rule on port 22 prevented that script from appearing again, but it's not a solution.

On Thu, Dec 29, 2011 at 8:19 PM, Todd Wheeler <[email protected]> wrote:
> Any chance you have a web server on these boxes? Anything that allows file
> upload? A very common attack is to upload a .pl file through a form, and if
> that form is sending to a path in your web root, that .pl file basically
> becomes executable via a URL. Once it's run, it can do just about anything
> your web server process can do, and from there local exploits are possible.
> This includes running standalone SSH daemons, etc.
>
> I'm with everyone else - if you haven't cut them to the outside world
> already, you should.
>
>
> On Dec 29, 2011, at 10:56 AM, Taz wrote:
>
>> I use fail2ban, but the fact is there are absolutely no records of
>> connections in auth.log. I am sure ssh is used because after I blocked
>> the ssh port entirely the "perl" process does not start anymore. Besides, on
>> different machines I use different ports, and in all environ files of
>> the perl process in /proc the right port is written. It should be
>> also mentioned that the SSLVL variable is always 1, while I think it
>> should be 2.
>> On Thu, Dec 29, 2011 at 7:47 PM, Taz <[email protected]> wrote:
>>> Of course, I've double-changed all passwords and regenerated ssh keys.
>>>
>>> On Thu, Dec 29, 2011 at 7:44 PM, Taz <[email protected]> wrote:
>>>> http://security.stackexchange.com/questions/10202/perl-script-rootkit
>>>>
>>>> Here it is, all the details. Please check it out.
>>>>
>>>> On Thu, Dec 29, 2011 at 7:31 PM, Kees de Jong <[email protected]> wrote:
>>>>> If you are absolutely sure that they gained root access then there is no
>>>>> other alternative than to kill the internet on those machines.
>>>>> And then you should back up all the data you want to preserve so that you
>>>>> can reinstall those machines safely. There is no telling if they installed
>>>>> another SSH server or other nasty things like rootkits.
>>>>> Most attackers install their own SSH server so that any changes you make to
>>>>> patch your security holes aren't putting them out of business.
>>>>> Unless you have aide installed and made regular checksums of all the files
>>>>> and configs then you have no idea if anything is changed since the attack.
>>>>> You can also try rkhunter and chkrootkit to find any rootkits on your
>>>>> system, but they aren't conclusive.
>>>>>
>>>>> The only way to be sure that you are in the clear is a total new start on
>>>>> all the affected machines.
>>>>>
>>>>>
>>>>> PS: We all got it now, fail2ban is a great tool ;-)
>>>>>
>>>>>
>>>>> On Thu, Dec 29, 2011 at 15:04, Taz <[email protected]> wrote:
>>>>>>
>>>>>> Hello, we've got various debian servers, about 15, with different
>>>>>> versions. All of them have been attacked today and root access was
>>>>>> granted.
>>>>>> Can anybody help? We can give ssh access to an attacked machine; it seems
>>>>>> to be a serious ssh vulnerability.
>>>>>>
>>>>>> How can I contact openssh mnt?
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>>
>>>>>> --
>>>>>> To UNSUBSCRIBE, email to [email protected]
>>>>>> with a subject of "unsubscribe". Trouble? Contact [email protected]
>>>>>> Archive: http://lists.debian.org/CA+0W4N=at0esj+y3d8drzw8u+s6tcr6bcuha+w+u5rl-80v...@mail.gmail.com
>>>>>
>>>>>
>>>>> --
>>>>> Kind regards,
>>>>> Kees de Jong
>>>>>
>>>>> The information contained in this message may be confidential and is
>>>>> intended to be exclusively for the addressee(s).
>>>>> Should you receive this message unintentionally, please do not use the
>>>>> contents herein and notify the sender immediately by return e-mail.
>>
>
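The /proc/<pid>/environ check Taz describes, written out as an added example (not code from this thread or from Debian): sshd exports SSH_CONNECTION and SSH_CLIENT into every process it spawns, so a process's environ file records the client address and the server port the session came in on. The script parses that file, flags watched process names (assumed here to be "perl") whose environment carries an SSH origin, and marks whether the client address falls inside an assumed administrator allow-list (192.0.2.0/24 is a placeholder). The sample environ blob is constructed so the parsing runs offline; the live /proc walk needs root to read other users' environ files.

```python
"""Flag processes whose environment shows they were started from an SSH
session, and report the client address recorded there.

Added example for this thread; not code from the list or from Debian.
The sample environ blob is constructed, the admin network is a placeholder,
and "perl" as the watched process name is an assumption."""
import os
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: /proc/<pid>/environ is a NUL-separated KEY=VALUE list.
SAMPLE_ENVIRON = (
    b"SHELL=/bin/sh\x00"
    b"SSH_CLIENT=203.0.113.45 51022 2222\x00"
    b"SSH_CONNECTION=203.0.113.45 51022 198.51.100.7 2222\x00"
    b"SSH_TTY=/dev/pts/3\x00"
    b"PWD=/tmp\x00"
    b"SHLVL=1\x00"
)

# Assumed allow-list of administrator source networks (placeholder range).
ADMIN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Split a raw environ blob into a dict; entries without '=' are skipped."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\x00"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def ssh_origin(env: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return the endpoints sshd recorded in SSH_CONNECTION, or None.

    SSH_CONNECTION is "client_ip client_port server_ip server_port"."""
    conn = env.get("SSH_CONNECTION")
    if not conn:
        return None
    parts = conn.split()
    if len(parts) != 4:
        return None
    client_ip, client_port, server_ip, server_port = parts
    try:
        ip = ipaddress.ip_address(client_ip)
        return {
            "client_ip": client_ip,
            "client_port": int(client_port),
            "server_ip": server_ip,
            "server_port": int(server_port),
            "trusted": any(ip in net for net in ADMIN_NETWORKS),
        }
    except ValueError:  # malformed address or port
        return None


def assess(comm: str, raw_environ: bytes, watched=("perl",)) -> Optional[Dict[str, object]]:
    """Produce a finding for a watched process name that was spawned under
    an SSH session; the reason says whether the client address is allow-listed."""
    if comm not in watched:
        return None
    origin = ssh_origin(parse_environ(raw_environ))
    if origin is None:
        return None
    reason = "ssh-trusted-source" if origin["trusted"] else "ssh-untrusted-source"
    return {"comm": comm, "reason": reason, **origin}


def scan_proc(watched=("perl",)) -> List[Dict[str, object]]:
    """Walk /proc on a live Linux host; unreadable entries are skipped."""
    findings: List[Dict[str, object]] = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/environ", "rb") as f:
                raw = f.read()
        except OSError:  # process exited, or environ not readable
            continue
        finding = assess(comm, raw, watched)
        if finding:
            finding["pid"] = int(pid)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    print("sample:", assess("perl", SAMPLE_ENVIRON))
    for finding in scan_proc():
        print("live:", finding)
```

Run as root to get a complete picture; a finding with reason "ssh-untrusted-source" is the situation the thread describes, and the recorded server_port is what lets you match it against the non-standard ports Taz set per machine. Note that environ reflects the environment at exec time, so a process that cleared or rewrote its environment will not show the variables.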

