5. How many instances of an SSH server were installed and at what times?

(see also the sequence of events as described in Answer N.9)


We have already seen that there are several services that have been identified as ssh servers:

 PID    Proc.Name   Name of service that normally uses that port   Port   Proto
 25239  xopen       -                                              3049   UDP
 25241  xopen       squid-proxy                                    3128   TCP
 3137   smbd -D     http                                           80     TCP
 3137   smbd -D     https                                          443    TCP
 3137   smbd -D     cfinger                                        2003   TCP
 669    sshd        ssh                                            22     TCP


And we have seen some of their banners:

telnet localhost 2003

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.5-By-ICE_4_All ( Hackers Not Allowed! )
Protocol mismatch.


telnet localhost 3128

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.5-1.2.32
Protocol mismatch.


Let's see the sequence of events, and how and when these services have been started:


Aug 10 13:33:33 localhost smbd -D[3137]: log: Server listening on port 2003.
Aug 10 13:33:33 localhost smbd -D[3137]: log: Generating 768 bit RSA key.
Aug 10 13:33:34 localhost smbd -D[3137]: log: RSA key generation complete.
Aug 10 13:33:35 localhost smbd -D[3150]: error: bind: Address already in use
Aug 10 13:33:35 localhost smbd -D[3150]: fatal: Bind to port 2003 failed: Transport endpoint is not connected.
Aug 10 13:33:56 localhost smbd -D[3225]: error: bind: Address already in use
Aug 10 13:33:56 localhost smbd -D[3225]: fatal: Bind to port 2003 failed: Transport endpoint is not connected.

The one on port 2003 ('Hackers Not Allowed') is the one that gets started first.
The process bound to that port also uses ports 80 and 443 (as we have seen from 'netstat' - see Answer N.1), which were made available by unbinding them from the apache process.
It is also interesting to note that the process is called 'smbd', which is usually part of SAMBA... most likely this was meant as a measure not to raise suspicion among the administrators of the server, and to be sure of being able to pass through firewalls, since a webserver is usually accessible...

Let's see what's next:


Aug 10 14:14:41 localhost smbd -D[5505]: log: Connection from 213.154.118.218 port 2020
Aug 10 14:14:42 localhost smbd -D[3137]: log: Generating new 768 bit RSA key.
Aug 10 14:14:44 localhost smbd -D[3137]: log: RSA key generation complete.
Aug 10 14:14:52 localhost smbd -D[5505]: log: Password authentication for root failed.
Aug 10 14:14:58 localhost smbd -D[5505]: log: Password authentication failed for user root from extreme-service-10.is.pcnet.ro.
Aug 10 14:14:58 localhost smbd -D[5505]: log: Password authentication for root failed.
Aug 10 14:15:14 localhost smbd -D[5505]: log: Password authentication failed for user root from extreme-service-10.is.pcnet.ro.
Aug 10 14:15:14 localhost smbd -D[5505]: log: Password authentication for root failed.
Aug 10 14:15:17 localhost smbd -D[5505]: fatal: Connection closed by remote host.
Aug 10 14:17:08 localhost smbd -D[8170]: log: Connection from 213.154.118.218 port 2021
Aug 10 14:17:09 localhost smbd -D[3137]: log: Generating new 768 bit RSA key.
Aug 10 14:17:10 localhost smbd -D[3137]: log: RSA key generation complete.
Aug 10 14:17:17 localhost smbd -D[8170]: log: Password authentication for root failed.
Aug 10 14:17:21 localhost smbd -D[8170]: log: Password authentication failed for user root from extreme-service-10.is.pcnet.ro.
Aug 10 14:17:21 localhost smbd -D[8170]: log: Password authentication for root failed.
Aug 10 14:17:26 localhost smbd -D[8170]: log: Password authentication failed for user root from extreme-service-10.is.pcnet.ro.
Aug 10 14:17:26 localhost smbd -D[8170]: log: Password authentication for root failed.
Aug 10 14:17:38 localhost smbd -D[8170]: log: Password authentication failed for user root from extreme-service-10.is.pcnet.ro.
Aug 10 14:17:38 localhost smbd -D[8170]: log: Password authentication for root failed.
Aug 10 14:17:42 localhost smbd -D[8170]: log: Password authentication failed for user root from extreme-service-10.is.pcnet.ro.
Aug 10 14:17:42 localhost smbd -D[8170]: log: Password authentication for root failed.
Aug 10 14:17:47 localhost smbd -D[8170]: fatal: Local: Too many password authentication attempts from extreme-service-10.is.pcnet.ro for user root.
Aug 10 14:17:51 localhost smbd -D[8935]: log: Connection from 213.154.118.218 port 2022
Aug 10 14:17:52 localhost smbd -D[3137]: log: Generating new 768 bit RSA key.
Aug 10 14:17:53 localhost smbd -D[3137]: log: RSA key generation complete.
Aug 10 14:18:00 localhost smbd -D[8935]: log: Password authentication for root failed.
Aug 10 14:18:04 localhost smbd -D[8935]: log: Password authentication failed for user root from extreme-service-10.is.pcnet.ro.
Aug 10 14:18:04 localhost smbd -D[8935]: log: Password authentication for root failed.
Aug 10 14:18:09 localhost smbd -D[8935]: log: Password authentication failed for user root from extreme-service-10.is.pcnet.ro.
Aug 10 14:18:09 localhost smbd -D[8935]: log: Password authentication for root failed.
Aug 10 14:23:20 localhost smbd -D[8935]: log: Password authentication failed for user root from extreme-service-10.is.pcnet.ro.
Aug 10 14:23:20 localhost smbd -D[8935]: log: Password authentication for root failed.
Aug 10 14:23:24 localhost smbd -D[8935]: fatal: Connection closed by remote host.

Here we can see some connection attempts. The ports in this case are the source ports of the attacker's computer.
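To reconstruct this timeline mechanically rather than by eye, the following added example (not part of the original write-up) parses syslog lines in the format quoted above. It extracts the moment each rogue daemon started listening, failed bind attempts, per-connection root password failures, and processes that log sshd-style messages (host key generation, "Server listening") under a name other than sshd, which is exactly the 'smbd -D' disguise seen here. The sample log is a constructed subset of the lines quoted above; the regular expressions assume the classic "Mon DD HH:MM:SS host prog[pid]: level: message" layout.

```python
import re

# Constructed sample: a subset of the syslog lines quoted above, same format.
SAMPLE_LOG = """\
Aug 10 13:33:33 localhost smbd -D[3137]: log: Server listening on port 2003.
Aug 10 13:33:33 localhost smbd -D[3137]: log: Generating 768 bit RSA key.
Aug 10 13:33:34 localhost smbd -D[3137]: log: RSA key generation complete.
Aug 10 13:33:35 localhost smbd -D[3150]: error: bind: Address already in use
Aug 10 13:33:35 localhost smbd -D[3150]: fatal: Bind to port 2003 failed: Transport endpoint is not connected.
Aug 10 14:14:41 localhost smbd -D[5505]: log: Connection from 213.154.118.218 port 2020
Aug 10 14:14:52 localhost smbd -D[5505]: log: Password authentication for root failed.
Aug 10 14:14:58 localhost smbd -D[5505]: log: Password authentication failed for user root from extreme-service-10.is.pcnet.ro.
Aug 10 14:14:58 localhost smbd -D[5505]: log: Password authentication for root failed.
Aug 10 14:15:17 localhost smbd -D[5505]: fatal: Connection closed by remote host.
Aug 10 14:17:08 localhost smbd -D[8170]: log: Connection from 213.154.118.218 port 2021
Aug 10 14:17:17 localhost smbd -D[8170]: log: Password authentication for root failed.
Aug 10 14:17:21 localhost smbd -D[8170]: log: Password authentication failed for user root from extreme-service-10.is.pcnet.ro.
Aug 10 14:17:21 localhost smbd -D[8170]: log: Password authentication for root failed.
Aug 10 14:17:26 localhost smbd -D[8170]: log: Password authentication for root failed.
Aug 10 14:17:47 localhost smbd -D[8170]: fatal: Local: Too many password authentication attempts from extreme-service-10.is.pcnet.ro for user root.
"""

# Assumed syslog layout: "Mon DD HH:MM:SS host prog[pid]: level: message".
# 'prog' is non-greedy so that a name containing spaces ("smbd -D") is kept whole.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>.+?)\[(?P<pid>\d+)\]: (?P<level>\w+): (?P<msg>.*)$"
)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def listeners(entries):
    """(timestamp, pid, program, port) for every successful 'Server listening' message."""
    out = []
    for e in entries:
        m = re.match(r"Server listening on port (\d+)\.", e["msg"])
        if m:
            out.append((e["ts"], int(e["pid"]), e["prog"], int(m.group(1))))
    return out


def failed_binds(entries):
    """(timestamp, pid, port) for daemons that died because the port was already taken."""
    out = []
    for e in entries:
        m = re.match(r"Bind to port (\d+) failed", e["msg"])
        if m:
            out.append((e["ts"], int(e["pid"]), int(m.group(1))))
    return out


def sessions(entries):
    """Group per-connection child PIDs: source, failed password attempts, how it ended.
    Only the 'Password authentication for <user> failed.' form is counted, because the
    'failed for user ... from ...' line is a second message for the same attempt."""
    sess = {}
    for e in entries:
        pid = int(e["pid"])
        m = re.match(r"Connection from (\S+) port (\d+)", e["msg"])
        if m:
            sess[pid] = {"start": e["ts"], "src": m.group(1), "src_port": int(m.group(2)),
                         "failed_attempts": 0, "users": set(), "end": None}
            continue
        if pid not in sess:
            continue
        m = re.match(r"Password authentication for (\S+) failed\.", e["msg"])
        if m:
            sess[pid]["failed_attempts"] += 1
            sess[pid]["users"].add(m.group(1))
        elif e["level"] == "fatal":
            sess[pid]["end"] = e["msg"]
    return sess


def masquerading_ssh_daemons(entries):
    """Programs emitting sshd-style messages (key generation, listening) under a name
    that is not 'sshd', the disguise used by the 'smbd -D' process above."""
    names = set()
    for e in entries:
        if e["prog"] != "sshd" and re.search(r"RSA key|Server listening on port", e["msg"]):
            names.add((e["prog"], int(e["pid"])))
    return sorted(names)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ts, pid, prog, port in listeners(entries):
        print(f"{ts}  pid {pid} ({prog!r}) started listening on port {port}")
    for ts, pid, port in failed_binds(entries):
        print(f"{ts}  pid {pid} failed to bind port {port} (already in use)")
    for pid, s in sessions(entries).items():
        print(f"{s['start']}  pid {pid}: {s['src']}:{s['src_port']} "
              f"{s['failed_attempts']} failed password attempts for {sorted(s['users'])}; end: {s['end']}")
    print("masquerading SSH daemons:", masquerading_ssh_daemons(entries))
```

Run against the full /var/log/messages of the compromised box, the listening and masquerading checks give the start time of each rogue server directly, and the session grouping shows the brute-force pattern per child PID without counting each attempt twice.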


Then we can see how the trojan process 'xopen' is started at 15:32:

root 25239 0.0 0.3 1880 336 ? S 15:32 0:00 /lib/.x/s/xopen -q -p
root 25241 0.0 0.7 1888 672 ? S 15:32 0:00 /lib/.x/s/xopen -q -p
root 25247 0.0 0.7 1668 732 ? S 15:32 0:00 /lib/.x/s/lsn

And at the same time the sniffer 'lsn' gets started as well (more about this in the next answers).


The 'real' sshd, instead, was started the day before (even if it most likely received a kill -HUP to re-read the 'modified' configuration file 'sshd_config' present in /lib/.x/s/).

ps -Af |grep sshd

root 699 0.0 1.3 2676 1272 ? S Aug 9 0:00 /usr/sbin/sshd

Moreover, the PID of this process (699) is a relatively small number compared to those we have just seen (25239, 25241, etc.), which shows it had been started earlier.
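The reasoning above combines three artefacts: the port table, the grabbed banners and the ps output. The following added example (not part of the original write-up) correlates them the way an investigator would: it parses ps aux-style lines (handling the two-token 'Aug 9' start column of the older process), parses SSH banners, and flags listeners whose process name does not match the daemon expected on that port, ports that answer with an SSH banner but are not 22, and binaries living in a dot-directory such as /lib/.x/s/. The listener rows, banners and ps lines are constructed copies of the data quoted on this page; the EXPECTED_OWNER port map is an assumption of the example.

```python
import re

# Constructed sample: the listening sockets from the table above (PID, process, port, proto).
LISTENERS = [
    (25239, "xopen", 3049, "UDP"),
    (25241, "xopen", 3128, "TCP"),
    (3137, "smbd -D", 80, "TCP"),
    (3137, "smbd -D", 443, "TCP"),
    (3137, "smbd -D", 2003, "TCP"),
    (669, "sshd", 22, "TCP"),
]

# Constructed sample: the banners grabbed with telnet above, keyed by port.
BANNERS = {
    2003: "SSH-1.5-By-ICE_4_All ( Hackers Not Allowed! )",
    3128: "SSH-1.5-1.2.32",
}

# Constructed sample: the ps lines quoted above (ps aux layout).
PS_OUTPUT = """\
root 25239 0.0 0.3 1880 336 ? S 15:32 0:00 /lib/.x/s/xopen -q -p
root 25241 0.0 0.7 1888 672 ? S 15:32 0:00 /lib/.x/s/xopen -q -p
root 25247 0.0 0.7 1668 732 ? S 15:32 0:00 /lib/.x/s/lsn
root 699 0.0 1.3 2676 1272 ? S Aug 9 0:00 /usr/sbin/sshd
"""

# Assumed mapping of well-known ports to the daemon expected to own them (example's own table).
EXPECTED_OWNER = {22: "sshd", 80: "httpd", 443: "httpd", 139: "smbd", 445: "smbd", 3128: "squid"}

SSH_BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>.*)$")


def parse_ps(text):
    """Parse 'ps aux'-style lines into {pid: {user, start, cmd}}.
    The START column is HH:MM for today's processes and 'Mon D' (two tokens) for older ones."""
    procs = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 10:
            continue
        user, pid = t[0], t[1]
        rest = t[8:]                      # START TIME COMMAND...
        if rest[0][0].isalpha():          # 'Aug 9' spans two tokens
            start, rest = rest[0] + " " + rest[1], rest[2:]
        else:
            start, rest = rest[0], rest[1:]
        procs[int(pid)] = {"user": user, "start": start, "cmd": " ".join(rest[1:])}
    return procs


def parse_banner(banner):
    """Return (protocol version, software string) for an SSH identification banner, else None."""
    m = SSH_BANNER_RE.match(banner.strip())
    return (m.group("proto"), m.group("software")) if m else None


def hidden_path(cmd):
    """True when the executable lives in a dot-directory (e.g. /lib/.x/s/), a common hiding spot."""
    exe = cmd.split()[0] if cmd else ""
    return any(part.startswith(".") for part in exe.split("/"))


def audit_listeners(listeners, banners, procs):
    """Return (pid, port, reason) for every listener that looks out of place."""
    findings = []
    for pid, name, port, proto in listeners:
        base = name.split()[0]
        expected = EXPECTED_OWNER.get(port)
        if expected and base != expected:
            findings.append((pid, port, f"port {port}/{proto} normally served by {expected}, bound by '{name}'"))
        b = parse_banner(banners.get(port, ""))
        if b and port != 22:
            findings.append((pid, port, f"SSH {b[0]} banner '{b[1]}' on non-standard port {port}"))
        p = procs.get(pid)
        if p and hidden_path(p["cmd"]):
            findings.append((pid, port, f"binary in hidden directory: {p['cmd']} (started {p['start']})"))
    return findings


if __name__ == "__main__":
    for pid, port, reason in audit_listeners(LISTENERS, BANNERS, parse_ps(PS_OUTPUT)):
        print(f"pid {pid:>5} port {port:>4}: {reason}")
```

On the page's data this yields seven findings: the two xopen sockets (hidden binary, squid's port taken over, SSH banner on 3128), the 'smbd -D' process squatting on 80, 443 and the SSH-speaking 2003, and nothing for the sshd on 22, whose binary path and port are what one expects even though its configuration turns out to be replaced.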

Since the process is bound to port 22, which is also the Port set in /lib/.x/s/sshd_config, we can confirm that it is running with the configuration present there:

# This is ssh server systemwide configuration file.
Port 22
ListenAddress 0.0.0.0
HostKey /lib/.x/s/s_h_k
RandomSeed /lib/.x/s/r_s
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
QuietMode yes
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UseLogin no

CheckMail yes
PidFile /lib/.x/s/pid
# AllowHosts *.our.com friend.other.com
# DenyHosts lowsecurity.theirs.com *.evil.org evil.org
# Umask 022
# SilentDeny yes
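The dangerous settings in that file are easy to miss when reading it by hand. The following added example (not part of the original write-up) parses an SSH1-era sshd_config and reports what a defender would flag: key, seed and pid files outside the expected directories or inside a dot-directory, PermitRootLogin and PermitEmptyPasswords enabled, QuietMode (which in ssh 1.2.x suppresses all syslog output except fatal errors, hiding use of the backdoor) and a short server key. The rogue configuration is a constructed copy of the file above; the hardened counterpart and the list of trusted directories are assumptions of the example.

```python
# Constructed copy of the rogue /lib/.x/s/sshd_config quoted above.
ROGUE_CONFIG = """\
# This is ssh server systemwide configuration file.
Port 22
ListenAddress 0.0.0.0
HostKey /lib/.x/s/s_h_k
RandomSeed /lib/.x/s/r_s
ServerKeyBits 768
PermitRootLogin yes
QuietMode yes
FascistLogging no
PasswordAuthentication yes
PermitEmptyPasswords yes
PidFile /lib/.x/s/pid
"""

# Constructed hardened counterpart (assumed paths for a stock ssh 1.2.x install).
SAFE_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh_host_key
RandomSeed /etc/ssh_random_seed
ServerKeyBits 1024
PermitRootLogin no
QuietMode no
PasswordAuthentication yes
PermitEmptyPasswords no
PidFile /etc/sshd.pid
"""


def parse_sshd_config(text):
    """Return an ordered list of (keyword, value); keywords are case-insensitive,
    '#' starts a comment, blank lines are ignored."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        directives.append((key, val))
    return directives


def audit_sshd_config(text, trusted_dirs=("/etc/ssh", "/etc")):
    """Return a list of (severity, finding) for settings a defender would flag."""
    cfg = {}
    for k, v in parse_sshd_config(text):
        cfg.setdefault(k, []).append(v)

    def val(key):                       # last occurrence wins, as in sshd
        return cfg.get(key, [""])[-1].lower()

    findings = []
    # Key material and state files should live under a known directory; a dot-directory
    # such as /lib/.x/s/ is a classic place to hide a replaced daemon's files.
    for key in ("hostkey", "randomseed", "pidfile"):
        for path in cfg.get(key, []):
            in_dot_dir = any(part.startswith(".") for part in path.split("/"))
            if not path.startswith(trusted_dirs) or in_dot_dir:
                findings.append(("high", f"{key} points to unexpected or hidden path {path}"))
    if val("permitrootlogin") == "yes":
        findings.append(("high", "PermitRootLogin yes: direct root password logins allowed"))
    if val("permitemptypasswords") == "yes":
        findings.append(("high", "PermitEmptyPasswords yes: accounts without a password can log in"))
    if val("quietmode") == "yes":
        findings.append(("medium", "QuietMode yes: nothing but fatal errors is logged, hiding logins"))
    bits = int(val("serverkeybits") or 0)
    if 0 < bits < 1024:
        findings.append(("low", f"ServerKeyBits {bits}: short server key"))
    return findings


if __name__ == "__main__":
    for label, text in (("rogue", ROGUE_CONFIG), ("hardened", SAFE_CONFIG)):
        print(f"== {label} ==")
        for severity, finding in audit_sshd_config(text) or [("info", "no findings")]:
            print(f"  [{severity}] {finding}")
```

Running the same audit over every sshd_config found on the disk image (not only /etc) is a quick way to spot a second, hidden configuration such as the one in /lib/.x/s/.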
