Darrin Chandler wrote:
> On Thu, Feb 22, 2007 at 09:15:27PM -0700, Jim wrote:
>
>> Last night I came home from work and sat down at the computer. I
>> noticed the lights on the DSL router were blinking very rapidly. I have
>> an ftp server running on my linux box (Slackware 10.2). So I thought
>> someone might have been uploading something.
>>
>> Ftpwho showed no users logged in. I checked the incoming directory and
>> saw nothing there.
>>
>> Tcpdump showed me that they were sending something using ssh.
>>
>> I used find to look for anything they might have been uploading, but
>> found nothing.
>>
>> /var/log/syslog contained the following over and over for about 4 hours
>> before I got home
>>
>> Feb 22 20:43:56 ladmo smbd[6375]: [2007/02/22 20:43:56, 0]
>> printing/print_cups.c:cups_cache_reload(85)
>> Feb 22 20:43:56 ladmo smbd[6375]: Unable to connect to CUPS server
>> localhost - Connection refused
>>
>> Then I found in /var/log/syslog this over and over
>>
>> Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow
>> information for NOUSER
>>
>> I stopped sshd and edited /etc/sshd_config by adding the following:
>> AllowUsers root jim
>> AllowGroups root
>>
>> To test the change, I tried to log into the server via ssh and using
>> another account. It wouldn't let me log in using that other account via
>> ssh.
>>
>> I also tried
>> find / -mmin 1200 -size +100k
>> and without the size option, but found nothing from the time this was
>> going on.
>>
>> After all this I tried to send an email, but sendmail wasn't working. I
>> backed up my sendmail config files, uninstalled sendmail, reinstalled it
>> and restored the config files. Sendmail worked after that.
>>
>> Is there anything else I should do?
>>
>
> Look for root kits. Reinstall?
>
> Stop all services that you don't actively use. For the remainder,
> consider restricting them to your local network (CUPS, etc).
>
> If you have a home network, consider plugging your DSL modem directly
> into one PC and using that as a firewall machine. Yes, you can also use
> it as a desktop if you need.
>
> Is there a compelling reason you need password authentication for ssh?
> It's very easy to generate public keys and use those. You can even keep
> one on a thumb drive to use if you have to. Then turn OFF password
> authentication (PasswordAuthentication no) in your sshd_config.
>

I'm guessing they got in through some kind of guest account you have set up
(but maybe didn't know about) or another common account name with a weak
password. I constantly watch my system logs and several times a week I'll
get a ton of attempts to try to brute force passwords to various accounts
through SSH.

--
Jon M. Hanson (N7ZVJ)
Homepage: http://the-hansons-az.net
Weblog: http://the-hansons-az.net/wordpress
Jabber IM: jon@the-hansons-az.net
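Added example, not part of the thread: a small Python scan over sshd syslog lines that tallies failed password attempts per source address and the nonexistent usernames each address probed, which is the brute-force pattern Jon describes watching for. The sample log is constructed (addresses from documentation and private ranges), with the "Could not get shadow information for NOUSER" message Jim quoted mixed in; the message formats are standard OpenSSH wording.

```python
"""Tally SSH password brute-force activity from syslog lines."""
import re
from collections import Counter, defaultdict

# OpenSSH wording for a rejected password; "invalid user" marks a username
# that does not exist on the box (the "common account name" guess above).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
# The line Jim found repeating in /var/log/syslog.
NOUSER_RE = re.compile(r"sshd\[\d+\]: error: Could not get shadow information for NOUSER")

# Constructed sample log; not real traffic.
SAMPLE_LOG = """\
Feb 21 22:11:10 ladmo sshd[26250]: Invalid user admin from 192.0.2.10
Feb 21 22:11:11 ladmo sshd[26250]: Failed password for invalid user admin from 192.0.2.10 port 50213 ssh2
Feb 21 22:11:13 ladmo sshd[26252]: Failed password for invalid user test from 192.0.2.10 port 50218 ssh2
Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow information for NOUSER
Feb 21 22:11:14 ladmo sshd[26255]: Failed password for invalid user oracle from 192.0.2.10 port 50221 ssh2
Feb 21 22:11:15 ladmo sshd[26257]: Failed password for root from 192.0.2.10 port 50230 ssh2
Feb 21 22:30:02 ladmo sshd[26301]: Failed password for jim from 10.0.0.5 port 40112 ssh2
Feb 21 22:30:05 ladmo sshd[26301]: Accepted publickey for jim from 10.0.0.5 port 40112 ssh2
Feb 22 20:43:56 ladmo smbd[6375]: Unable to connect to CUPS server localhost - Connection refused
"""

def scan_sshd_log(lines, threshold=3):
    """Summarise failed logins per source IP; flag IPs at or above threshold."""
    failed = Counter()
    invalid_users = defaultdict(set)
    nouser = 0
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed[m.group("ip")] += 1
            if m.group("invalid"):
                invalid_users[m.group("ip")].add(m.group("user"))
        elif NOUSER_RE.search(line):
            nouser += 1
    suspicious = sorted(ip for ip, n in failed.items() if n >= threshold)
    return {"failed": dict(failed), "invalid_users": dict(invalid_users),
            "nouser": nouser, "suspicious": suspicious}

if __name__ == "__main__":
    result = scan_sshd_log(SAMPLE_LOG.splitlines())
    for ip in result["suspicious"]:
        print(f"{ip}: {result['failed'][ip]} failed passwords, probed nonexistent "
              f"users {sorted(result['invalid_users'].get(ip, []))}")
    print(f"{result['nouser']} NOUSER shadow lookups (attempts against nonexistent accounts)")
```

On a real box, feed it `/var/log/syslog` (or wherever sshd logs) instead of the sample; a single address cycling through admin, test, oracle and root in seconds is the signature of a dictionary attack, and the NOUSER lines are the same probing seen from the PAM side.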