[SATLUG] Need some help...
Ed
etillman93 at peoplepc.com
Thu Sep 27 02:29:54 CDT 2007
Charles Hogan wrote:
> Ed wrote:
>> Charles Hogan wrote:
>>> 1. What services are you running on this box that are available to
>>> the outside world?
>>>
>>> 2. The first several lines output from netstat would be helpful here.
>> Here's a few lines. Notes: My System Monitor shows the offending
>> program as "ssh-agent" with a status of "Zombie." It won't stop, end
>> or kill.
>>
>> unix 3 [ ] STREAM CONNECTED 2374882
>> unix 3 [ ] STREAM CONNECTED 2374868 /tmp/orbit-root/linc-7f7d-0-186a9c186874b
>> unix 3 [ ] STREAM CONNECTED 2374867
>> unix 3 [ ] STREAM CONNECTED 2374866 /tmp/orbit-root/linc-7f91-0-26c988038e00e
>> unix 3 [ ] STREAM CONNECTED 2374865
>> unix 3 [ ] STREAM CONNECTED 2374846 /tmp/orbit-root/linc-7f7d-0-186a9c186874b
> The "/tmp/orbit-root" has me a bit concerned. I see orbit-<usrname>
> in netstat all the time, but never root. Then again, I don't run Ubuntu.
What is the orbit function?
>
> ssh-agent is an authentication agent.
>
> I would next run "who" to see who is logged into the system and from
> where. This can be done under your normal usr account.
root at starfury:/home/ed# who
ed :0 2007-09-25 21:34
root pts/0 2007-09-27 02:06 (:0.0)
> If someone is logged into your system from the outside it will most
> likely show up here.
Should root be logged in as itself? I'm still a bit new at this...
>
> I'm thinking that someone may have brute forced your root password via
> ssh.
> 1. Are your passwords weak or strong?
> 2. Have you disabled root login in your sshd_config file?
No. How's that done?
>>>
>>> If you don't resolve the vulnerability it will be exploited over and
>>> over again.
>> I know... Leave it to me: If there's a way to screw up Linux, I'd
>> find it... <sigh>
> There are likely very few people who have not had something like this
> happen to them. I know that I cannot count myself among those few. :)
Yet I see/hear so many, even in this forum, trying to tell me that Linux
is inviolable to anything, and decrying the fact that I run both a
firewall and an anti-virus program. I'm an applied computer science
teacher who often lets his students experiment with the laptop and Linux
environment. In that regard, I try to keep the system as safe and clean
as possible...
>>> I'm sure that there are others on the list that can/will provide
>>> more and better information than I have provided here.
Only one other, so far, has provided info, and I'll be responding to him
too. Thanks so much, and, please don't go too far away...
Cheers;
Ed
=============================
>>>
>>> Charlie
>>>
>>>
>>> Ed wrote:
>>>> Hello...
>>>>
>>>> I think I've caught a live bot, apparently the _ssh zombie_. It's
>>>> apparently trying to get out on ports (order of persistence) 47391,
>>>> 51976, 19275, 50277 and 47203. Source/destination IP addresses are
>>>> all over the world. I have these ports all blocked via
>>>> Firestarter, so nothing from them leaves my system (I think...),
>>>> but, I need to know if anyone has suggestions on how I rid myself
>>>> of the problem. Any thoughts?
>>>>
>>>> Cheers
>>>>
>>>> Ed
>>>> (Acer Aspire 3050; 1.8 GHz CPU, 1 GB Ram, Ubuntu 7.04 Feisty Fawn)
>>
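Added editorial example, not from anyone in the thread: Charles asks whether root login is disabled in sshd_config and Ed asks how that is done. The script below audits an sshd_config for the two settings that matter for an SSH password brute-force (PermitRootLogin and PasswordAuthentication) and shows the hardened form. The catch it handles is that sshd honours the FIRST occurrence of a keyword and ignores later ones, and that settings inside a Match block (OpenSSH 4.4 and later) are conditional, so a plain grep for "PermitRootLogin" can report a "no" that sshd never applies. The config texts are constructed samples; the defaults assumed when a keyword is absent are the old OpenSSH defaults ("yes" for both).

```shell
#!/bin/sh
# Added example (not from the SATLUG thread). Audits an sshd_config for
# PermitRootLogin / PasswordAuthentication the way sshd actually reads it.

# effective_setting FILE KEY DEFAULT
# Prints the value sshd would use for KEY: the first non-comment line whose
# keyword matches (case-insensitive), stopping at the first Match block
# because everything after it is conditional. Falls back to DEFAULT.
effective_setting() {
    file=$1; key=$2; default=$3
    val=$(awk -v key="$key" '
        tolower($1) == "match"        { exit }          # conditional section
        tolower($1) == tolower(key)   { print $2; exit } # first one wins
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# audit_sshd_config FILE
# Prints one finding per line; prints nothing if the file is hardened.
# "without-password" (old spelling) and "prohibit-password" (OpenSSH 7.0+)
# still allow key-based root login but stop a password brute-force.
audit_sshd_config() {
    file=$1
    prl=$(effective_setting "$file" PermitRootLogin yes)
    pa=$(effective_setting "$file" PasswordAuthentication yes)
    case $prl in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is '$prl': root can log in over SSH" ;;
    esac
    case $pa in
        no) ;;
        *) echo "PasswordAuthentication is '$pa': passwords can be brute-forced" ;;
    esac
}

# finding_count FILE -> number of findings (0 means hardened)
finding_count() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

# Constructed sample 1: the first PermitRootLogin line says yes, so the later
# "no" is silently ignored; the commented-out line is not a setting at all.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

# Constructed sample 2: the hardened form. Root cannot log in, passwords are
# off globally, and the Match block re-enables passwords for one user only.
HARD_CONF=$(mktemp)
cat >"$HARD_CONF" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User ed
    PasswordAuthentication yes
EOF

echo "== weak config ==";     audit_sshd_config "$WEAK_CONF"
echo "== hardened config =="; audit_sshd_config "$HARD_CONF"
echo "findings: weak=$(finding_count "$WEAK_CONF") hardened=$(finding_count "$HARD_CONF")"
rm -f "$WEAK_CONF" "$HARD_CONF"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`, then `/etc/init.d/ssh reload` (or the equivalent) after editing. Later OpenSSH releases can print the effective configuration themselves with `sshd -T`, which is the authoritative check where available. One caveat for the situation in the thread: if the box has already been logged into as root by someone else, hardening sshd_config stops the next brute-force but does not undo whatever was left behind; that machine needs to be treated as compromised, not just reconfigured.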