This is a discussion on "help needed after intrusion from a ssh dictionary attack" within the Linux Security forums, part of the System Security and Security Related category.
Hello
One of our lab machines running Redhat Enterprise 3 has been intruded by somebody. He used a simple ssh dictionary attack but unfortunately our root is enabled through ssh and the root password was not strong enough. We got a report that there were 3GB of unexpected traffic during that day through ssh. Now we are going to reset the root password but for some other reasons we don't want to disable root login through ssh. So I would like to do a dictionary attack on our machine first to make sure our password is strong enough. Is there any well-known hacking software that I can download and try to see if our system is secure? Thanks a lot.
Shi

jinzishuai@gmail.com wrote:
> Hello
>
> One of our lab machines running Redhat Enterprise 3 has been intruded by
> somebody. He used a simple ssh dictionary attack but unfortunately our
> root is enabled through ssh and the root password was not strong
> enough. We got a report that there were 3GB of unexpected traffic during
> that day through ssh.

Goodness...

> Now we are going to reset the root password but for some other reasons
> we don't want to disable root login through ssh.

What you should do is unplug the compromised box from the net, backup your data, wipe out the rest and reinstall Linux. With regard to "for some other reasons we don't want to disable root login....", imho, is bad thinking. At least disable password login and use private/public RSA/DSA key authentication.

> So I would like to do a dictionary attack on our machine first to make
> sure our password is strong enough. Is there any well-known hacking
> software that I can download and try to see if our system is secure?
> Thanks a lot.

Bad thinking...

jinzishuai@gmail.com wrote:
> Hello
>
> One of our lab machines running Redhat Enterprise 3 has been intruded by
> somebody. He used a simple ssh dictionary attack but unfortunately our
> root is enabled through ssh and the root password was not strong
> enough. We got a report that there were 3GB of unexpected traffic during
> that day through ssh.
> Now we are going to reset the root password but for some other reasons
> we don't want to disable root login through ssh.
> So I would like to do a dictionary attack on our machine first to make
> sure our password is strong enough. Is there any well-known hacking
> software that I can download and try to see if our system is secure?
> Thanks a lot.

1. Your host has been compromised... nothing on the host can be trusted. If you choose to examine the data for forensics' sake, do so using a forensics environment (something that won't damage anything else). Wipe and reinstall to bring the server back online.

2. You'll just have to trust me... you have NO good reason for allowing root via tunneled clear text passwords. Use passphrase protected keys... (more below)

3. In general:
   a. Don't run ssh on port 22, put it somewhere else, somewhere hard to guess... use port knocking if you can.
   b. Reduce the number of ids allowed to login via ssh. No root... especially if using tunneled clear text passwords (that's a fancy phrase for what you normally do when using ssh... where you have to type in your password for the remote host).
   c. Switch to using passphrase protected keyed logins instead. That way your password, in whatever form, is NEVER sent on the wire during authentication. Just make sure that you protect your private key and use a good passphrase as well.

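The points in this reply map onto a handful of sshd_config keywords. The script below is an added example, not code from the thread or from any poster: it reads an sshd_config with standard tools and reports the settings the reply warns about; the sample configs, finding text and user names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check an sshd_config against the
# post's points: move off port 22, restrict who may log in, and stop root
# and password logins in favour of keys. OpenSSH honours the first value it
# finds for a keyword; Match blocks are not parsed. Samples are constructed.

# Usage: sshd_setting <config> <keyword> <default>; value printed lowercased
sshd_setting() {
    val=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 |
          awk '{print $2}' | tr 'A-Z' 'a-z')
    if [ -n "$val" ]; then echo "$val"; else echo "$3"; fi
}

# Usage: audit_sshd_config <config>; prints one finding per line. A missing
# PermitRootLogin/PasswordAuthentication counts as "yes" (OpenSSH < 7.0 default).
audit_sshd_config() {
    cfg=$1
    [ "$(sshd_setting "$cfg" Port 22)" = "22" ] &&
        echo "Port 22: default port, where dictionary scanners look first (3a)"
    root=$(sshd_setting "$cfg" PermitRootLogin yes)
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin $root: root reachable by password guessing (2, 3b)" ;;
    esac
    [ "$(sshd_setting "$cfg" PasswordAuthentication yes)" != "no" ] &&
        echo "PasswordAuthentication on: password typed into the tunnel, keys optional (3c)"
    grep -iq "^[[:space:]]*AllowUsers[[:space:]]" "$cfg" ||
        echo "AllowUsers missing: every local account may try to log in (3b)"
    return 0
}

# Usage: count_findings <config> -> number of findings
count_findings() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

WEAK_CFG=$(mktemp)    # constructed: what the original poster described
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
HARD_CFG=$(mktemp)    # constructed: the state the post recommends
cat > "$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers labuser alice
EOF
audit_sshd_config "$WEAK_CFG"   # four findings; the hardened file gives none
```

Run it against the real /etc/ssh/sshd_config after the reinstall; an empty report means the file at least agrees with the reply, though it says nothing about the strength of the keys or passphrases in use.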
jinzishuai@gmail.com wrote:
> Hello
>
> One of our lab machines running Redhat Enterprise 3 has been intruded by
> somebody. He used a simple ssh dictionary attack but unfortunately our
> root is enabled through ssh and the root password was not strong
> enough. We got a report that there were 3GB of unexpected traffic during
> that day through ssh.
> Now we are going to reset the root password but for some other reasons
> we don't want to disable root login through ssh.
> So I would like to do a dictionary attack on our machine first to make
> sure our password is strong enough. Is there any well-known hacking
> software that I can download and try to see if our system is secure?

It's not. Period.

You have to restore the OS from CD and data from backup.

Once a host has been compromised, nothing on it can be trusted.

After you restore it, you really need to disable root login and you probably want to install tcpwrappers or a firewall to further limit your exposure.

base60 <nobody@whitehouse.com> writes:
>jinzishuai@gmail.com wrote:
>> Hello
>>
>> One of our lab machines running Redhat Enterprise 3 has been intruded by
>> somebody. He used a simple ssh dictionary attack but unfortunately our
>> root is enabled through ssh and the root password was not strong
>> enough. We got a report that there were 3GB of unexpected traffic during
>> that day through ssh.
>> Now we are going to reset the root password but for some other reasons
>> we don't want to disable root login through ssh.
>> So I would like to do a dictionary attack on our machine first to make
>> sure our password is strong enough. Is there any well-known hacking
>> software that I can download and try to see if our system is secure?
>It's not. Period.
>You have to restore the OS from CD and data from backup.

And then you have to search for suid files.
a) You can always get root by logging in as a user and then using su to get to root.
b) Or use passwordless login (rsa or dsa login).

>Once a host has been compromised, nothing on it can be
>trusted.
>After you restore it, you really need to disable root login
>and you probably want to install tcpwrappers or a firewall
>to further limit your exposure.

jinzishuai@gmail.com wrote:
> Hello
>
> One of our lab machines running Redhat Enterprise 3 has been intruded by
> somebody. He used a simple ssh dictionary attack but unfortunately our
> root is enabled through ssh and the root password was not strong
> enough. We got a report that there were 3GB of unexpected traffic during
> that day through ssh.
> Now we are going to reset the root password but for some other reasons
> we don't want to disable root login through ssh.
> So I would like to do a dictionary attack on our machine first to make
> sure our password is strong enough. Is there any well-known hacking
> software that I can download and try to see if our system is secure?
> Thanks a lot.

You should make a correct decision; you need to find a balance between risk and benefits. You need to know that your system has been defaced, and almost anything can have been done (but why?). You have a few choices; one is to find all changed files (comparing md5 sums from your backup) and check all suspicious files, and try to make sure that everything is under control :)

About securing it, I believe in the chrooting paradigm for providing safer systems. If you'd like to read more, I'd suggest you visit these pages:
http://www.linuxfocus.org/English/Ja...ticle225.shtml
http://www.cgisecurity.com/webserver...he2-howto.html

There are lots of ways of chrooting systems. Feel free to discuss it :)

Marek Wawro
--
wawro.yawda.com

In comp.os.linux.security jinzishuai@gmail.com:
> Hello
> One of our lab machines running Redhat Enterprise 3 has been intruded by
> somebody. He used a simple ssh dictionary attack but unfortunately our
> root is enabled through ssh and the root password was not strong
> enough. We got a report that there were 3GB of unexpected traffic during
> that day through ssh.

The question is why is your important (presuming since you pay RH yearly cash) lab server accessible from the internet via ssh at all?

> Now we are going to reset the root password but for some other reasons
> we don't want to disable root login through ssh.

As others already outlined there's no reason to enable direct root login via ssh.

> So I would like to do a dictionary attack on our machine first to make
> sure our password is strong enough. Is there any well-known hacking
> software that I can download and try to see if our system is secure?
> Thanks a lot.

The cols (comp.os.linux.security) FAQ should be helpful on your way reinstalling + securing the new installation or recovering from the last backup (presuming you have one) + securing the system:
http://www.linuxsecurity.com/docs/colsfaq.html

Good luck

BTW Please read this before posting anything else:
http://cfaj.freeshell.org/google

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 370: Virus due to computers having unsafe sex.

base60 wrote:
> jinzishuai@gmail.com wrote:
> > Hello
> > <snip>
> It's not. Period.
>
> You have to restore the OS from CD and data from backup.
>
> Once a host has been compromised, nothing on it can be
> trusted.
>

This statement, although probably founded for this scenario, is not entirely true. There are numerous host and/or network integrity applications, as well as a multitude of hash algorithms, available that can in fact verify that a resource is cryptographically equivalent and has not been compromised.

> After you restore it, you really need to disable root login
> and you probably want to install tcpwrappers or a firewall
> to further limit your exposure.

I would proceed with these recommendations, and research the host/network integrity application(s) that may be available to you to further implement a layered security infrastructure approach to this node and your network's security posture.

"Secure Buddha" wrote in the message
<1136962941.462769.200860@g14g2000cwa.googlegroups.com>:
> base60 wrote:
>> It's not. Period.
>> You have to restore the OS from CD and data from backup.
>> Once a host has been compromised, nothing on it can be
>> trusted.
>
> This statement, although probably founded for this scenario, is not
> entirely true.
> There are numerous host and/or network integrity applications, as well
> as a multitude of hash algorithms, available that can in fact verify
> that a resource is cryptographically equivalent and has not been
> compromised.
> [...]

Only if the kernel and the verification applications themselves have _not_ been replaced with corrupted versions that always tell it's OK. You can boot on a floppy or a CD-ROM to do your check, but you can't trust the compromised host itself to tell whether it's secure or not.

Laura

Not all integrity verification applications are host resident. For an example, google for "osiris host integrity monitor". Therefore, there is not a need to trust a suspect binary on the compromised host. As well, archiving the results on the host itself is a bad idea. This goes for hash checksums and logs. I would suggest a secure one-way connection from the network nodes to an archiving node. These procedures/processes are not new to the information security industry.
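Several replies above describe one procedure: compare md5 sums against a known-good backup, search the restored box for suid files, and run the check with tools the compromised host cannot have tampered with. The script below is an added example, not code from the thread or from any integrity product it mentions: it builds a hash manifest from a known-good copy, reports what differs in a suspect tree, and lists setuid files; the sample trees are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare a suspect tree against a hash
# manifest taken from a known-good copy such as a backup, and list setuid
# files, as the replies suggest. Run it from a trusted environment (boot
# media) with its own tools, never the suspect host's binaries. The sample
# trees are constructed; md5sum follows the thread, sha256sum is a drop-in.

# Usage: make_manifest <tree> -> lines of "<hash>  ./relative/path"
make_manifest() {
    ( cd "$1" && find . -type f -exec md5sum {} + | LC_ALL=C sort -k2 )
}

# Usage: compare_manifests <baseline> <current>; prints MISSING (baseline only),
# NEW (current only) and MODIFIED (hash differs). Paths with spaces not handled.
compare_manifests() {
    awk 'NR == FNR { good[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (p in good) if (!(p in cur)) print "MISSING " p
             for (p in cur) {
                 if (!(p in good)) print "NEW " p
                 else if (cur[p] != good[p]) print "MODIFIED " p
             }
         }' "$1" "$2" | LC_ALL=C sort
}

# Usage: compare_tree <baseline_manifest> <suspect_tree>
compare_tree() {
    cur=$(mktemp)
    make_manifest "$2" > "$cur"
    compare_manifests "$1" "$cur"
    rm -f "$cur"
}

# Usage: list_setuid <tree>; the "search for suid files" step after restore
list_setuid() { find "$1" -type f -perm -4000 | LC_ALL=C sort; }
# Constructed sample: a known-good tree, then a copy with three changes
GOOD=$(mktemp -d); SUSPECT=$(mktemp -d); BASELINE=$(mktemp)
for d in "$GOOD" "$SUSPECT"; do
    mkdir -p "$d/bin" "$d/etc"
    printf 'echo hello\n' > "$d/bin/ls"
    printf 'ALL: LOCAL\n' > "$d/etc/hosts.allow"
done
make_manifest "$GOOD" > "$BASELINE"                     # taken before the incident
printf 'echo hello\n# tampered\n' > "$SUSPECT/bin/ls"   # replaced binary
printf '#!/bin/sh\n' > "$SUSPECT/bin/extra"; chmod 4755 "$SUSPECT/bin/extra"  # new setuid file
rm -f "$SUSPECT/etc/hosts.allow"                        # tcpwrappers policy gone
compare_tree "$BASELINE" "$SUSPECT"   # MISSING ./etc/hosts.allow, MODIFIED ./bin/ls, NEW ./bin/extra
list_setuid "$SUSPECT"
```

The baseline manifest is only worth something if it was written before the incident and kept off the host, which is the archiving point made in the last reply.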