Hi guys,

My apologies for replying a little late ...

It was an absolute struggle getting things to work just so that I can give more
information about the intrusion. I narrowed it down to cron ... What would
happen is this ... After a boot the network would work fine but would start
degrading at different times ... sometimes after 5 minutes, sometimes after a
longer period of time ...

So what I did was disable all startup scripts/servers/services and then
enable only one at a time ... then I would reboot and wait and keep an eye on
"/boot" (I deleted all randomly generated files, so I could see if a file was
added or not, and it was also the only way I knew for certain that the culprit
was active or not, hence that is how I could time it) ...

All went well until I enabled cron ... I checked all cron jobs and they all
"look" normal ... here is an "ls" of my cron directories ...

anacron atop mrtg php5

anacron atop mrtg php5

cron.sh sarg 

0anacron sarg

0anacron apt-xapian-index man-db sarg

For those of you who asked ... here is 

file -k
bxerzoalfk: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), 
statically linked, for GNU/Linux 2.6.9, not stripped


grep -ir
Binary file kvvcqvddix matches
Binary file aknaykocbs matches
Binary file bxerzoalfk matches
Binary file isrgzlchmx matches
Binary file ryrfvxjggh matches
Binary file wevzubbsgn matches
grub/grub.cfg:# from /etc/grub.d and settings from /etc/default/grub
grub/grub.cfg:### BEGIN /etc/grub.d/00_header ###
grub/grub.cfg:### END /etc/grub.d/00_header ###
grub/grub.cfg:### BEGIN /etc/grub.d/05_debian_theme ###
grub/grub.cfg:### END /etc/grub.d/05_debian_theme ###
grub/grub.cfg:### BEGIN /etc/grub.d/10_linux ###
grub/grub.cfg:### END /etc/grub.d/10_linux ###
grub/grub.cfg:### BEGIN /etc/grub.d/20_linux_xen ###
grub/grub.cfg:### END /etc/grub.d/20_linux_xen ###
grub/grub.cfg:### BEGIN /etc/grub.d/30_os-prober ###
grub/grub.cfg:### END /etc/grub.d/30_os-prober ###
grub/grub.cfg:### BEGIN /etc/grub.d/40_custom ###
grub/grub.cfg:### END /etc/grub.d/40_custom ###
grub/grub.cfg:### BEGIN /etc/grub.d/41_custom ###
grub/grub.cfg:### END /etc/grub.d/41_custom ###
Binary file esijfkmwnd matches
Binary file cwpgfmvkrk matches
Binary file gyimenpwnt matches
Binary file fndswijgdk matches
Binary file rfjmdtlsoj matches
Binary file zfmpizunja matches
Binary file zkdjlvhuui matches
Binary file hutaslspbf matches
Binary file dkseypedtx matches
Binary file hjmmvaxfzq matches
Binary file izytxsbskq matches
Binary file czhlgmsgzh matches
Binary file ttqssdikcn matches
Binary file xjeemjyuly matches

Since I killed cron at bootup everything seems fine ... network is back to
normal ... 

However, as soon as my network was up and running I got attacked ...
here is an excerpt of one of the fail2ban mails ...

The IP has just been banned by Fail2Ban after
3 attempts against ssh.

Jan  8 04:23:15 fever sshd[17406]: Connection from port 38090 on port 22
Jan  8 04:23:17 fever sshd[17406]: Invalid user zhangyan from
Jan  8 04:23:17 fever sshd[17406]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost= 
Jan  8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan 
from port 38090 ssh2
Jan  8 04:23:20 fever sshd[17406]: Received disconnect from 11: 
Bye Bye [preauth]
Jan  8 04:23:20 fever sshd[17408]: Connection from port 39800 on port 22
Jan  8 04:23:22 fever sshd[17408]: Invalid user dff from
Jan  8 04:23:23 fever sshd[17408]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost= 
Jan  8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from port 39800 ssh2

What is interesting to me is the user in the above excerpt "zhangyan" ...
Using a username that is unfamiliar to the western world tells me that
whatever is on my system had to respond to this username otherwise why would
this guy use a username that only he is familiar with ... Other usernames that
were used: 3D, ssht and ftfl ... Also, attempts were made from China, Hong Kong,
Belgium and Canada ...

Anyway, I have decided to get new hardware and do a clean install of everything
... as many of you have suggested ...

However, as I fly a lot internationally, is there a way I can temporarily block
these countries' IPs for a few days at most until I have enough time on
hand to do a fresh install ...

Currently my iptables looks like this ...

:PREROUTING ACCEPT [73562:7321518]
:INPUT ACCEPT [26916:2177387]
:OUTPUT ACCEPT [80090:6554227]
#For squid to reroute HTTP trafic to port 80
-A PREROUTING -s -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination
:INPUT ACCEPT [5927:1484640]
:FORWARD ACCEPT [1571:107578]
:OUTPUT ACCEPT [4983:1212852]
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j 
-A FORWARD -s -i eth1 -o wlan0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s -j DROP
-A INPUT -p tcp -s -j DROP
-A INPUT -p tcp -s -j DROP
-A INPUT -p tcp -s -j DROP
-A INPUT -p tcp -s -j DROP
-A INPUT -p tcp -s -j DROP
-A INPUT -p tcp -s -j DROP

As you can see ... I am already DROPping some of these IPs ... I just need
something to block an ENTIRE country ...

Thank you ... and thanks to everyone replying ... I appreciate it ...
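One way to do the temporary country block asked about above, as an added example that is not part of the original thread or its author's setup: instead of one DROP rule per address, load the country's prefixes into an ipset with an expiry timeout and match the whole set from a single iptables rule. The prefix list, set name "tmpblock" and the 3-day timeout are assumptions; the sample prefixes are constructed from RFC 5737 documentation ranges and are not a real country list.

```python
"""Generate an expiring ipset blocklist plus the iptables rule that uses it.

This script only produces the input for `ipset restore` and the iptables
command; it does not need root to run.  Applying the output requires the
ipset and iptables packages on the host.
"""
import ipaddress

# Constructed sample (RFC 5737 documentation space), NOT a real country list.
SAMPLE_PREFIXES = """
192.0.2.0/24
192.0.2.128/25      # inside the /24 above: collapsed away
198.51.100.0/25
198.51.100.128/25   # adjacent to the previous /25: merged into one /24
203.0.113.7         # bare host, treated as /32
not-an-address      # malformed line: reported and skipped, not silently dropped
"""


def parse_prefixes(text):
    """Return (networks, bad_lines): valid IPv4 networks, collapsed so that
    overlapping and adjacent ranges become a single set entry each."""
    nets, bad = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            bad.append(line)
            continue
        if net.version != 4:  # the set below is 'family inet' (IPv4 only)
            bad.append(line)
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), bad


def ipset_restore_lines(set_name, nets, timeout_seconds):
    """Lines for `ipset restore`. Each entry expires after timeout_seconds,
    so the block lifts itself without a manual cleanup step."""
    lines = [f"create {set_name} hash:net family inet timeout {timeout_seconds}"]
    lines += [f"add {set_name} {n.with_prefixlen}" for n in nets]
    return lines


def iptables_rule(set_name, port=22):
    """Single rule dropping SSH connections from any prefix in the set; it is
    inserted at position 1 so it runs before the existing ACCEPT rules."""
    return (f"iptables -I INPUT 1 -p tcp --dport {port} "
            f"-m set --match-set {set_name} src -j DROP")


if __name__ == "__main__":
    nets, bad = parse_prefixes(SAMPLE_PREFIXES)
    print("\n".join(ipset_restore_lines("tmpblock", nets, 3 * 24 * 3600)))
    print(iptables_rule("tmpblock"))
    print("# skipped:", bad)
```

Feed the create/add lines to `ipset restore` (add `-exist` if you re-run it), then run the printed iptables command; once the timeout passes the set empties by itself and the rule stops matching anything.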


Archive: https://lists.debian.org/20150108205345.GA4732@fever.havannah.local