On Fri, Nov 6, 2009 at 8:08 AM, Stephen P Rufle <stephen.p.rufle@cox.net>wrote:

> A strangely compromised Linux box
> http://aplawrence.com/Linux/strange-hack.html
>

Hey Steven,

Thanks for that!  It's just so amusing -- they never do ANYTHING that is
standard linux administration or security on this!

I.E. Collect exact information and mitigate the threats.

SSH (attack vector) versions, configuration and known exploit mitigation
(keys, protocol 1, forwarding, etc)
crc check against all binary source and cronjobs for veracity
low level file analysis

Mitigation:

IMMEDIATELY the machine must be REBUILT
password management (secure passwords - re-assigned and rotated)
IPTABLE deny and report the source address
IPTABLE dictionary attack - port knocking - brute forcing protection or

OPTIMALLY OpenVPN - (#%*&^%$#)

This was probably a script process that was interrupted before restoring the
/etc/passwd users that was no-doubt unable to find a tool library or a path
for one of the tools it needed to successfully complete.

Serious Laughter!

-- 
Skype: (623)239-3392
AT&T: (503)754-4452
www.it-clowns.com