Funny title. I've now been awake for 44 of the last 48 hours securing, studying, and rebuilding a multiuser public-access Linux system that got compromised (fully up-to-date Debian etch). I think I'll go to sleep instead of reading the article though.
From my stored packet and logfile analysis it went about like this:
1. POP/IMAP password driller guesses defunct account password. (Darn Canadians.)
2. 7 minutes after SSHing in, root is compromised.
3. They create a new account with uid=0, how quaint.
4. A trojan /usr/bin/ssh is installed.
5. A couple more accounts have their passwords guessed (probably from a copy of /etc/shadow).
6. The nightly backups failed, catching my attention.
Now I need to take a long think about how to detect and halt this sooner. It was mostly luck that his trojan ssh had a regression bug that tripped on my configuration files.
I rebuilt the machine as a virtual machine inside its physical hardware. I'll see what I can do scanning traffic and manipulating the firewalls of the outer machine. I have high hopes.
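Two of the persistence tricks in the post (a second uid=0 account and a trojaned /usr/bin/ssh) are cheap to check for from outside the guest, which fits the VM-inside-the-hardware plan. The script below is an added example, not the commenter's own tooling: it parses passwd-format text for unexpected uid 0 entries and compares installed files against dpkg's recorded md5sums (the per-package `/var/lib/dpkg/info/<pkg>.md5sums` files Debian keeps). The passwd lines, the "original" binaries and their md5sums list are constructed here so it runs offline; the `ROOT_ALLOWED` whitelist and the `trojan` bytes are assumptions for the demo.

```python
#!/usr/bin/env python3
"""Offline checks for two compromise indicators: extra uid=0 accounts and
package files whose hash no longer matches dpkg's md5sums record.
Sample data below is constructed for this example."""
import hashlib
import sys
from pathlib import Path

ROOT_ALLOWED = ("root",)  # assumption: only 'root' may legitimately have uid 0

# Constructed /etc/passwd excerpt, including the attacker's extra uid 0 account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
"""


def find_extra_uid0(passwd_text, allowed=ROOT_ALLOWED):
    """Return usernames with uid 0 that are not in the allowed set."""
    extras = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:  # malformed line; not passwd syntax
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name not in allowed:
            extras.append(name)
    return extras


def md5_of_bytes(data):
    """dpkg records MD5 of each installed file; match that algorithm."""
    return hashlib.md5(data).hexdigest()


def parse_md5sums(text):
    """Parse dpkg md5sums format ('<md5hex>  <path relative to />') into a dict."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[1].strip()] = parts[0]
    return table


def find_modified_files(md5sums_text, contents):
    """contents maps relative path -> bytes currently on disk.
    Returns sorted paths whose hash differs from the record or that are missing."""
    expected = parse_md5sums(md5sums_text)
    modified = []
    for path, digest in expected.items():
        data = contents.get(path)
        if data is None or md5_of_bytes(data) != digest:
            modified.append(path)
    return sorted(modified)


# Constructed "installed" files: what the package shipped versus what is on disk now.
ORIGINAL_SSH = b"#!/bin/sh\necho original ssh client\n"
ORIGINAL_SCP = b"#!/bin/sh\necho original scp\n"
SAMPLE_MD5SUMS = (
    f"{md5_of_bytes(ORIGINAL_SSH)}  usr/bin/ssh\n"
    f"{md5_of_bytes(ORIGINAL_SCP)}  usr/bin/scp\n"
)
INSTALLED = {
    "usr/bin/ssh": b"#!/bin/sh\necho trojan: logging passwords\n",  # assumed replacement
    "usr/bin/scp": ORIGINAL_SCP,
}


def check_package_on_disk(pkg, root="/"):
    """Read /var/lib/dpkg/info/<pkg>.md5sums under `root` and hash the real files.
    Point `root` at the mounted (read-only) guest filesystem to check from outside."""
    root = Path(root)
    md5sums = (root / "var/lib/dpkg/info" / f"{pkg}.md5sums").read_text()
    contents = {}
    for rel in parse_md5sums(md5sums):
        p = root / rel
        if p.is_file():
            contents[rel] = p.read_bytes()
    return find_modified_files(md5sums, contents)


if __name__ == "__main__":
    print("extra uid 0 accounts (sample):", find_extra_uid0(SAMPLE_PASSWD))
    print("modified package files (sample):", find_modified_files(SAMPLE_MD5SUMS, INSTALLED))
    if len(sys.argv) == 3:  # usage: script.py <package> <mounted-root>
        print(f"modified files in {sys.argv[1]}:", check_package_on_disk(*sys.argv[1:]))
```

Run the hash check from the outer machine against the guest's mounted filesystem rather than from inside the guest: once root is lost, the guest's `md5sum`, `dpkg` and even its copy of the `.md5sums` files may have been edited to match the trojan, so only a comparison driven from a trusted host (or against hashes saved before the compromise) is worth anything. Debian's `debsums` package does the same comparison for every installed package; the uid check is worth running from cron alongside it.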