Fedora - Many "ssh-scan" processes running (Linux Operating System forums, Unix Operating Systems category)

Hi,

From our router log, I noticed that a number of outgoing calls to port 22 were being made from one of our machines. When I look at the process list on the machine (ps -a), I see a bunch of "ssh-scan" processes running.

Can someone please enlighten me on what is going on and how I can fix it?

Thank you in advance for your help.

Pradeep

In comp.os.linux.setup Pradeep <pradeep@tapadiya.net>:

> From our router log, I noticed that a number of outgoing calls to port
> 22 were being made from one of our machines. When I look at the process
> list on the machine (ps -a), I see a bunch of "ssh-scan" processes
> running.

> Can someone please enlighten me on what is going on and how I can fix
> it?

It sounds as if the system is already cracked and used to scan hosts on the internet to further abuse them. I'd take the box off-line now and try to debug the problem with no network cable attached.

The cols (comp.os.linux.security) FAQ should be helpful:

http://www.linuxsecurity.com/docs/colsfaq.html

Good luck

BTW
Please read this before posting anything else:

http://cfaj.freeshell.org/google

-- 
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 103: operators on strike due to broken coffee machine

"Michael Heiming" <michael+USENET@www.heiming.de> wrote in message news:gbhd93-8m.ln1@news.heiming.de...
> In comp.os.linux.setup Pradeep <pradeep@tapadiya.net>:
>
>> From our router log, I noticed that a number of outgoing calls to port
>> 22 were being made from one of our machines. When I look at the process
>> list on the machine (ps -a), I see a bunch of "ssh-scan" processes
>> running.
>
>> Can someone please enlighten me on what is going on and how I can fix
>> it?
>
> It sounds as if the system is already cracked and used to scan
> hosts on the internet to further abuse them. I'd take the box
> off-line now and try to debug the problem with no network cable
> attached.

Or it could be someone local doing it to probe their own systems, but it's still really irritating.

Fortunately, ssh-scan is crap that could be rewritten by a drunken baboon. A very modest set of alterations can be done to make it faster by a factor of 10 if not a factor of 100, without too much difficulty: I've done so for scanning Beowulf clusters.

Michael Heiming wrote:
> In comp.os.linux.setup Pradeep <pradeep@tapadiya.net>:
>
>> From our router log, I noticed that a number of outgoing calls to port
>> 22 were being made from one of our machines. When I look at the process
>> list on the machine (ps -a), I see a bunch of "ssh-scan" processes
>> running.
>
>> Can someone please enlighten me on what is going on and how I can fix
>> it?
>
> It sounds as if the system is already cracked and used to scan
> hosts on the internet to further abuse them. I'd take the box
> off-line now and try to debug the problem with no network cable
> attached.

I suggest getting some rootkit detection tools, such as rkhunter. Run them, bearing in mind that failure to FIND a problem doesn't always mean failure to HAVE a problem. And vice-versa, false positives are rare but possible.

> The cols (comp.os.linux.security) FAQ should be helpful:
>
> http://www.linuxsecurity.com/docs/colsfaq.html
>
> Good luck
>
> BTW
> Please read this before posting anything else:
>
> http://cfaj.freeshell.org/google

-- 
bill davidsen
SBC/Prodigy Yorktown Heights NY data center
http://newsgroups.news.prodigy.com

Bill Davidsen <davidsen@deathstar.prodigy.com> wrote:

> I suggest getting some rootkit detection tools, such as rkhunter. Run
> them, bearing in mind that failure to FIND a problem doesn't always mean
> failure to HAVE a problem. And vice-versa, false positives are rare but
> possible.

If you don't mind a mini-editorial: Any admin who has to rely on a lame pattern-matching engine such as rkhunter or chkrootkit has bigger problems, i.e., not being able to distinguish between a machine doing what it's supposed to, and one operating under an attacker's control. If I honestly couldn't handle that task, _that's_ the problem I'd fix, first.

I mean, think about it: Ultimately, the most-reliable way you know a machine has been compromised by strangers is because you find it doing a stranger's bidding -- which includes making changes requiring privileged-user authority that you know _authorised_ privileged users never did.

That latter bit is what rkhunter and chkrootkit aim to do -- but rather badly, using what amounts to guesswork. To do better, use a file-based IDS (something like Samhain, Integrit, AIDE, Prelude-IDS -- set up in advance).

rkhunter and chkrootkit are a poor substitute for a real file-based IDS, not to mention _relying_ on their guesswork being a poor substitute for knowing one's system.

-- 
Cheers,                       "He who hesitates is frost."
Rick Moen                          -- Inuit proverb
rick@linuxmafia.com

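Rick's recommendation of a file-based IDS set up in advance comes down to the check below: snapshot the attributes of the files you trust while the host is known-good, then diff later snapshots against that baseline. This is an added illustration, not code from the thread or from AIDE, Samhain or Integrit; the directory tree and the tampering are constructed inside a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_record(path: Path) -> tuple:
    """Attributes a file-based IDS compares: mode, uid, gid, size and content."""
    st = path.lstat()                          # lstat: never follow symlinks
    if stat.S_ISLNK(st.st_mode):
        content = "-> " + os.readlink(path)    # for a symlink, record its target
    else:
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        content = h.hexdigest()
    return (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, st.st_size, content)

def build_baseline(root: Path) -> dict:
    """Snapshot every regular file and symlink under root, keyed by relative path."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in root.rglob("*") if p.is_symlink() or p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, vanished, or whose recorded attributes differ."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": sorted(k for k in common if baseline[k] != current[k])}

def demo() -> dict:
    """Constructed scenario: baseline a known-good tree in a temp dir, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ps").write_bytes(b"genuine ps binary\n")
        (root / "bin" / "ls").write_bytes(b"genuine ls binary\n")
        baseline = build_baseline(root)        # taken in advance, while trusted
        # Constructed tampering like the thread's: ps replaced, a scanner dropped
        (root / "bin" / "ps").write_bytes(b"replaced ps that hides processes\n")
        (root / "bin" / "ssh-scan").write_bytes(b"scanner dropped by an intruder\n")
        (root / "bin" / "ls").unlink()
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline and the checker itself must live where an intruder on the host cannot rewrite them (read-only or off-host media), and a check run on a suspect host is only as trustworthy as that host's kernel and libraries.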
"Rick Moen" <rick@linuxmafia.com> wrote in message news:2acc7$43d098e0$c690c3ba$19815@TSOFT.COM...
> Bill Davidsen <davidsen@deathstar.prodigy.com> wrote:
>
>> I suggest getting some rootkit detection tools, such as rkhunter. Run
>> them, bearing in mind that failure to FIND a problem doesn't always mean
>> failure to HAVE a problem. And vice-versa, false positives are rare but
>> possible.
>
> If you don't mind a mini-editorial: Any admin who has to rely on a lame
> pattern-matching engine such as rkhunter or chkrootkit has bigger
> problems, i.e., not being able to distinguish between a machine doing
> what it's supposed to, and one operating under an attacker's control.
> If I honestly couldn't handle that task, _that's_ the problem I'd fix,
> first.

Whoah. Even a skilled admin can use a scripted tool to scan for obvious tasks. It's a very reasonable *part* of good security practices.

> That latter bit is what rkhunter and chkrootkit aim to do -- but rather
> badly, using what amounts to guesswork. To do better, use a file-based
> IDS (something like Samhain, Integrit, AIDE, Prelude-IDS -- set up in
> advance).

And they also use some experience by other admins about what is commonly abused. That experience is precious, and reasonable to take advantage of.

> rkhunter and chkrootkit are a poor substitute for a real file-based IDS,
> not to mention _relying_ on their guesswork being a poor substitute for
> knowing one's system.

Well, yes. Now find me a month to create a more sophisticated intrusion detection kit, in my busy schedule.

Nico Kadel-Garcia <nkadel@comcast.net> wrote:

> Whoah. Even a skilled admin can use a scripted tool to scan for obvious
> tasks.

I call your attention once again to my phrase "rely on", which I carefully used twice. Should I have used emphasis, to ensure that readers like you didn't miss it?

> Well, yes. Now find me a month to create a more sophisticated intrusion
> detection kit, in my busy schedule.

Wait, you need to be able to _create_ a file-based IDS, not just install and run one?

"Rick Moen" <rick@linuxmafia.com> wrote in message news:91977$43d12824$c690c3ba$18622@TSOFT.COM...
> Nico Kadel-Garcia <nkadel@comcast.net> wrote:
>
>> Whoah. Even a skilled admin can use a scripted tool to scan for obvious
>> tasks.
>
> I call your attention once again to my phrase "rely on", which I
> carefully used twice. Should I have used emphasis, to ensure that
> readers like you didn't miss it?

No. If you meant "rely on only" such a tool, please be clear about it. You "rely on" it for a quick scan or casual review on a system you haven't had a chance to deeply review and put in better tools for.

>> Well, yes. Now find me a month to create a more sophisticated intrusion
>> detection kit, in my busy schedule.
>
> Wait, you need to be able to _create_ a file-based IDS, not just install
> and run one?

Just "installing and running" an IDS is not an "install and run" process. I've done a few: they all require tuning for local setups.

Rick Moen wrote:
> Bill Davidsen <davidsen@deathstar.prodigy.com> wrote:
>
>> I suggest getting some rootkit detection tools, such as rkhunter. Run
>> them, bearing in mind that failure to FIND a problem doesn't always mean
>> failure to HAVE a problem. And vice-versa, false positives are rare but
>> possible.
>
> If you don't mind a mini-editorial: Any admin who has to rely on a lame
> pattern-matching engine such as rkhunter or chkrootkit has bigger
> problems, i.e., not being able to distinguish between a machine doing
> what it's supposed to, and one operating under an attacker's control.
> If I honestly couldn't handle that task, _that's_ the problem I'd fix,
> first.

Do you really have enough people to have one admin monitoring each machine every minute of every day? Do you really have a good way to tell that a machine is "operating under an attacker's control," when the rootkit is doing something like building a list of IP addresses and ports used on the first packet of the start of an ssh session and after a month making a single connect to a remote machine, sending the info, and totally removing itself from memory? If you say yes I want to know how you found it, given that it didn't leave hints in memory (looked like a few k of buffer or cache).

In the real world a sysadmin might have full or partial responsibility for 30-50 machines and would have a few other things to do than back to back total checks of the machine.

I won't tell anyone how I found the above kit, or how it got in, but the hole is blocked if your FC4 is current, and the payload was not delivered.

> I mean, think about it: Ultimately, the most-reliable way you know a
> machine has been compromised by strangers is because you find it doing a
> stranger's bidding -- which includes making changes requiring
> privileged-user authority that you know _authorised_ privileged users
> never did.

That's only effective for the most childish slash and burn intrusion, those are not the real threats...

> That latter bit is what rkhunter and chkrootkit aim to do -- but rather
> badly, using what amounts to guesswork. To do better, use a file-based
> IDS (something like Samhain, Integrit, AIDE, Prelude-IDS -- set up in
> advance).
>
> rkhunter and chkrootkit are a poor substitute for a real file-based IDS,
> not to mention _relying_ on their guesswork being a poor substitute for
> knowing one's system.

And doing what you can in the time you have is no substitute for god-like powers and eternal life, but they are readily available, rkhunter siglist is updated reasonably often, and they are free. I see no benefit to telling people the easy stuff isn't perfect, particularly after I told them similar things. A list of additional products with reasons to use them would have been more useful; I suppose you've convinced a bunch of people that the packages I mentioned aren't worth the effort, and based on the scans I have made on problem machines, a lot of the script kiddies have worse technology than the simple root kits.

-- 
bill davidsen
SBC/Prodigy Yorktown Heights NY data center
http://newsgroups.news.prodigy.com

Bill Davidsen <davidsen@deathstar.prodigy.com> wrote:

> Do you really have enough people to have one admin monitoring each
> machine every minute of every day?

No, why do you ask? (I _do_ love dumb rhetorical questions, and appreciate this contribution to my collection, but this has no connection whatsoever to what I was saying.)

> Do you really have a good way to tell that a machine is "operating
> under an attacker's control," when the rootkit is doing something like
> building a list of IP addresses and ports used on the first packet of
> the start of an ssh session and after a month making a single connect
> to a remote machine, sending the info, and totally removing itself
> from memory?

Oh, my _dear_ Mr. Davidsen: Not being entirely devoid of system administration experience, I do know from experience the typical, rather non-subtle behaviour patterns of rooted Internet hosts -- as shown both by direct, routine monitoring on the host itself and by monitoring the network traffic.

Back in dinosaur days when I was new at this stuff, I also used to fret quite a lot about _subtle_ intruders, who might in theory be a whole lot more difficult to notice than the usual "Gosh, I wonder why a certain number of utilities are suddenly tending to segfault" or "Gosh, I wonder why /var is suddenly so close to full" or "Gosh, where's all this network traffic coming from?" stuff. Subtlety seemed in short supply, but paranoiacs with time on their hands worry about such things -- and the obvious answer, when I stopped to think things over properly, was AIDE and kin thereof.

All of which is of course perfectly obvious, but you seem to be so desperate to find someone to pick a fight with that you'd like to imagine I've said something really stupid, for your own rhetorical convenience. I really don't mind. Knock yourself out.

> In the real world a sysadmin might have full or partial responsibility
> for 30-50 machines and would have a few other things to do than back to
> back total checks of the machine.

Well, no shit, Sherlock. Please do teach me about such things, having had scant exposure to larger arrays than the 1024 quad-Itanium2 Linux cluster I helped build, test, and qualify for LLNL. Probably, I need a lot of tutoring, then.

No, I'll tell you what: On second thought, I really don't think so.

(Rest snipped.)