Do you still allow SSH login for root? Then we're coming to you!

    The real log of a conversation with my colleague - I quote it without any cuts or corrections.

    [13:22:33] Admin1: an interesting story - I found a living one like a trojan
    [13:22:36] Admin1: in Linux
    [13:22:49] Admin1: where has he been there for a long time
    [13:23:07] Admin1: nothing is detected
    [13:23:16] Admin1: the client complained of a traffic leak
    [13:23:24] Admin2: oops
    [13:23:27] Admin2: tell me!
    [13:24:20] Admin1: in general, I’ll start from the middle
    [13:24:47] Admin1: the client has 3 computers, all are connected via wifi
    [13:24:57] Admin1: + wifi point and ADSL modem
    [13:25:21] Admin1: to the point: even now (after changing all the passwords), someone keeps trying to break in
    [13:25:29] Admin1: into the modem too
    [13:26:03] Admin1: but this is so, the consequences are already :)
    [13:26:49] Admin1: the computer has the /etc/trail/.ssh/./.../ directory
    [13:27:02] Admin1: well, there are a couple of interesting files :)

    [13:27:19] Admin2: hmmm ... How could they get there? without root?
    [13:27:21] Admin1: very similar to the IRC bot
    [13:27:25] Admin1: with root
    [13:27:46] Admin1: there the root password was simple and root was allowed in ssh !!!
    [13:27:55] Admin2: clear
    [13:27:57] Admin2: :)
    [13:28:46] Admin1: the Trojan (or whatever it was) stopped working recently, a couple of days ago (before the computer got to me)
    [13:29:05] Admin1: after the next update, it seems
    [13:29:06] Admin2: I still think that the insider worked :)
    [13:29:14] Admin1: 100% not
    [13:29:14] Admin2: what OS?
    [13:29:29] Admin1: Debian Sid
    [13:29:40] Admin2: very strange
    [13:29:52] Admin2: and once again proves that it is necessary to close the root under SSH
    [13:29:58] Admin2 : and do not call it root at all!
    [13:30:02] Admin1: well, that goes without saying
    [13:30:10] Admin1: but what's the difference
    [13:30:18] Admin1: the main thing is not to log in via ssh
    [13:31:51] Admin1: the trojan got onto the box around March 28th, it looks like, that's the date on the directories, and before that date the logs are all wiped
    [13:32:02] Admin2: damn
    [13:32:05] Admin2: smart crap
    [13:32:08] Admin2: what did he do?
    [13:32:12] Admin2: did you prepare the botnet? :)
    [13:32:18] Admin1: like that
    [13:32:36] Admin1: and something original
    [13:32:38] Admin2: can I post our conversation with shabby names on Habr?
    [13:32:53] Admin1: rkhunter does not know him, chkrootkit too
    [13:33:04] Admin1: yes, it can
    [13:33:08] Admin2: thank you :)
    [13:33:26] Admin1: in general, I couldn't fully identify the Trojan
    [13:33:31] Admin1: but !!!
    [13:33:48] Admin1: yesterday, one person on the Internet wrote a similar one
    [13:33:58] Admin1: and it was in the debian
    [13:34:03] Admin2: so she must be moved :) :)
    [13:34:21] Admin2: did you save the scripts?
    [13:34:21] Admin1: although his situation is slightly different
    [13:34:27] Admin1: everything is there
    [13:34:32] Admin1: I saved everything
    [13:34:40] Admin2: can send it to Debian.org
    [13:34:55] Admin1: set up external logging - so the logs can't be wiped - and wait
    [13:34:59] Admin1: can anyone come :)
    [13:35:03] Admin2: :)
    [13:35:08] Admin2: are you waiting with a pitchfork? ;)
    [13:36:24] Admin1: dumb, with a magnifying glass and headphones :)
    [13:36:29] Admin2: :)
    [13:36:39] Admin1: and then how it goes :)
    [13:36:48] Admin1: maybe it's even possible to use nuclear weapons :)
    [13:37:56] Admin1: I somehow read the report of a competent person - he tweaked the botnet code a bit (he also found it somewhere from the client) - and stuck the rootkit to the host :)


    Well, actually everything is in the transcript. How much ink has already been spilled over such simple truths? And still there are people who say that closing root SSH login is paranoia and so on. Until the thunder strikes, nobody crosses themselves. Once again I want to get a simple thought across to everyone: there is no such thing as too much protection. Especially once you know how much your information is worth!
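    For anyone who wants to check their own box after reading this, here is a small POSIX shell audit. It is an added example, not part of the original post and not something my colleague wrote: it reads an sshd_config file and reports whether root login over SSH and password authentication are still allowed. It honours sshd's "first occurrence wins" rule and ignores everything after the first Match block, because only the global setting matters for the root account. The function names, the /etc/ssh/sshd_config default path and the sample configs in the usage note are assumptions I made for the example.

```shell
#!/bin/sh
# Audit an sshd_config for the two settings the conversation above is about:
# PermitRootLogin and PasswordAuthentication. Added example, not the post's own code.

# Print the effective global value of an sshd keyword (case-insensitive).
# sshd takes the FIRST occurrence of a keyword, and anything inside a
# "Match" block is conditional, so we stop reading at the first Match line.
# Both "Keyword value" and "Keyword=value" spellings are accepted.
sshd_effective() {
    cfg=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }          # comment line
        /^[[:space:]]*$/ { next }          # blank line
        { gsub(/=/, " "); k = tolower($1) }
        k == "match"      { exit }         # conditional section starts; global part is over
        k == key          { print $2; exit }
    ' "$cfg"
}

# Report on the config. Returns 0 only when root cannot log in over SSH at all
# and password authentication is explicitly off.
audit_sshd_config() {
    cfg=$1
    rc=0
    prl=$(sshd_effective "$cfg" PermitRootLogin)
    pwa=$(sshd_effective "$cfg" PasswordAuthentication)

    case "$prl" in
        no)
            echo "PermitRootLogin no: OK" ;;
        prohibit-password|without-password)
            # Root is still reachable with a key; the post's advice is to not log in as root at all.
            echo "PermitRootLogin $prl: WEAK (root still reachable over SSH with a key)"; rc=1 ;;
        "")
            # The compiled-in default differs between OpenSSH versions; do not rely on it.
            echo "PermitRootLogin unset: WEAK (set it explicitly to 'no')"; rc=1 ;;
        *)
            echo "PermitRootLogin $prl: WEAK (root login with a password is allowed)"; rc=1 ;;
    esac

    case "$pwa" in
        no)
            echo "PasswordAuthentication no: OK" ;;
        *)
            # OpenSSH defaults PasswordAuthentication to yes when it is unset.
            echo "PasswordAuthentication ${pwa:-unset}: WEAK (password guessing possible; use keys)"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh audit_sshd.sh [/path/to/sshd_config]   (default path is an assumption)
if [ $# -gt 0 ] || [ -r /etc/ssh/sshd_config ]; then
    audit_sshd_config "${1:-/etc/ssh/sshd_config}"
fi
```

    The file parse is a convenience for offline review of saved configs; on a live host the authoritative answer is `sshd -T`, which prints the settings sshd actually applies after Include files and defaults. A config that passes this audit still says nothing about the password strength that let the attacker in above, so pair it with key-only logins and the external logging my colleague mentions.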
