
Do you still allow root to log in over ssh? Then we're coming to you!

A real log of a conversation with my colleague - I quote it without any cuts or corrections.

[13:22:33] Admin1: interesting story - I found a live trojan of some kind
[13:22:36] Admin1: on Linux
[13:22:49] Admin1: it's been living there for a long time
[13:23:07] Admin1: undetected
[13:23:16] Admin1: the customer complained about traffic leaks
[13:23:24] Admin2: whoa
[13:23:27] Admin2: tell me!
[13:24:20] Admin1: well, I'll start from the middle
[13:24:47] Admin1: the client has 3 computers, all connected via wifi
[13:24:57] Admin1: + a wifi access point and an ADSL modem
[13:25:21] Admin1: even now (after changing all the passwords) someone keeps trying to break in
[13:25:29] Admin1: and into the modem too
[13:26:03] Admin1: but that's just an aside, those are the after-effects already :)
[13:26:49] Admin1: the computer has a directory /etc/trail/.ssh/./.../
[13:27:02] Admin1: and there are a couple of interesting files in there :)
[13:27:19] Admin2: hmmm... how did they get there? without root?
[13:27:21] Admin1: looks a lot like an IRC bot
[13:27:25] Admin1: with root
[13:27:46] Admin1: the root password there was simple, and root was allowed over ssh!!!
[13:27:55] Admin2: I see
[13:27:57] Admin2: :)
[13:28:46] Admin1: the trojan (or whatever it was) stopped working recently, a couple of days ago (before the computer got to me)
[13:29:05] Admin1: after the latest update, it seems
[13:29:06] Admin2: I still think an insider was at work :)
[13:29:14] Admin1: 100% not
[13:29:14] Admin2: what's the OS?
[13:29:29] Admin1: debian sid
[13:29:40] Admin2: very strange
[13:29:52] Admin2: and it proves yet again that root has to be closed off for SSH
[13:29:58] Admin2: and it shouldn't be called root at all!
[13:30:02] Admin1: well, that goes without saying
[13:30:10] Admin1: so what's the difference
[13:30:18] Admin1: the main thing is that ssh doesn't let it in
[13:31:51] Admin1: the trojan got in there around March 28th by the look of it - that's the date on the directories, and before that date the logs are all wiped
[13:32:02] Admin2: damn
[13:32:05] Admin2: clever crap
[13:32:08] Admin2: what did it do?
[13:32:12] Admin2: was it running a botnet? :)
[13:32:18] Admin1: something like that
[13:32:36] Admin1: and something original, at that
[13:32:38] Admin2: can I post our conversation on Habr with the names blanked out?
[13:32:53] Admin1: rkhunter doesn't know it, chkrootkit either
[13:33:04] Admin1: yes, you can
[13:33:08] Admin2: thank you :)
[13:33:26] Admin1: actually, I couldn't fully identify the trojan
[13:33:31] Admin1: but!!!
[13:33:48] Admin1: yesterday someone on the internet wrote about a similar one
[13:33:58] Admin1: and it's on debian
[13:34:03] Admin2: things ought to get moving :)
[13:34:21] Admin2: did you save the scripts?
[13:34:21] Admin1: although his situation is a bit different
[13:34:27] Admin1: it's all there
[13:34:32] Admin1: I saved everything
[13:34:40] Admin2: you could send it to debian.org
[13:34:55] Admin1: I've set up external logging - so it can't be wiped - and I'm waiting
[13:34:59] Admin1: maybe someone will come by :)
[13:35:03] Admin2: :)
[13:35:08] Admin2: waiting with pitchforks? ;)
[13:36:24] Admin1: for him, with a magnifying glass and headphones :)
[13:36:29] Admin2: :)
[13:36:39] Admin1: and then - we'll see how it goes :)
[13:36:48] Admin1: maybe it'll come in handy for nuclear weapons :)
[13:37:56] Admin1: I once read a report by a competent guy - he tweaked the botnet code a bit (he found a client somewhere too) - and planted a rootkit on the host :)


Well, that's really all there is in the transcript. How much ink has been spilled over such simple truths? And still there will be people who say that locking root out of SSH is paranoia and so on. Until the thunder strikes, nobody crosses themselves. Once again I want to get one simple idea across to everyone: there is no such thing as too much protection. Especially if you know how much your information is worth!
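Two checks that follow from the transcript, in working form, as an added example written for this page (not code from the original post or its authors): an audit of an sshd_config for the two settings that let this box fall (root login permitted, password authentication accepted), and a scan for the "..."-style hidden directory the attacker parked under .ssh. The file names, config contents and directory names are constructed for the demo, and sshd_effective, sshd_audit and find_odd_dotdirs are helper names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks an admin would run
# after reading the transcript:
#   1. sshd_audit: does this sshd_config still permit root login or password
#      logins over SSH?
#   2. find_odd_dotdirs: are there "..."-style directories hiding on the box,
#      like the /.../ directory under .ssh that the attacker used?
# Config contents and directory names below are constructed for the demo;
# "sshd_config.*" are placeholders for /etc/ssh/sshd_config.

# sshd_effective FILE KEYWORD DEFAULT
# Prints the value of KEYWORD from FILE using sshd's "first match wins" rule
# (keywords are case-insensitive). Stops at the first "Match" line, so
# conditional settings below it are NOT evaluated. Prints DEFAULT if absent.
sshd_effective() {
    awk -v k="$2" -v d="$3" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }
    ' "$1"
}

# sshd_audit FILE
# Returns 0 if root login and password authentication are both "no",
# 1 otherwise, printing one FAIL line per finding. An absent directive is
# reported as "unset": the compiled-in default is not something to rely on
# (older OpenSSH releases default PermitRootLogin to yes).
sshd_audit() {
    rc=0
    root=$(sshd_effective "$1" PermitRootLogin unset)
    case $root in
        no) ;;
        *)  echo "FAIL: PermitRootLogin is '$root' (want 'no'; log in unprivileged, then escalate)"
            rc=1 ;;
    esac
    pw=$(sshd_effective "$1" PasswordAuthentication unset)
    case $pw in
        no) ;;
        *)  echo "FAIL: PasswordAuthentication is '$pw' (want 'no'; use keys, a simple root password is how this box fell)"
            rc=1 ;;
    esac
    return $rc
}

# find_odd_dotdirs ROOT
# Lists directories named with three or more dots (e.g. "...") or starting
# with a dot followed by a space: names chosen to blend in with "ls -a".
find_odd_dotdirs() {
    find "$1" -type d \( -name '...*' -o -name '. *' -o -name '.. *' \) 2>/dev/null
}

# Demo on constructed input (a weak config, a hardened one, a planted dir).
demo_dir=$(mktemp -d)
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$demo_dir/sshd_config.weak"
# The trailing duplicate shows that only the first PermitRootLogin counts.
printf 'PermitRootLogin no\nPasswordAuthentication no\nAllowUsers ops\nPermitRootLogin yes\n' > "$demo_dir/sshd_config.hard"
mkdir -p "$demo_dir/home/user/.ssh/..." "$demo_dir/home/user/.config"

echo "== weak config ==";  sshd_audit "$demo_dir/sshd_config.weak" || echo "verdict: NOT hardened"
echo "== hard config ==";  sshd_audit "$demo_dir/sshd_config.hard" && echo "verdict: hardened"
echo "== hidden dirs ==";  find_odd_dotdirs "$demo_dir"
rm -rf "$demo_dir"
```

On a live host, prefer `sshd -T` (OpenSSH's extended test mode, which prints the effective configuration with defaults and Match blocks resolved, keywords in lowercase) and point sshd_audit at its saved output rather than at the raw file: the parser here ignores everything below the first Match line. The second finding in the transcript, logs wiped before the compromise date, is why Admin1 set up external logging; shipping syslog to a remote host is the usual way to keep an intruder with root from editing the record.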


Source: https://habr.com/ru/post/96227/
