Hey guys I have a question it has been brought to my attention that a box i just got put in charge of is attempting ssh into another box with several random username. what should i look for? Thanks

It sounds as if the box has been compromised.

In general, once a box is tainted, a clean OS install is the only 100% sure way to make sure it's clean.

If this is not possible, you should read up on rootkits and securing ssh, as they likely exploited a weak ssh password initially to gain control of the box.

Something piggybacking onto a vulnerable setup or a good breach of security. I don't know. No info. I'd say log the full process, open files, user logins and network connection data (off site), then raise the firewall to only allow traffic from and to your management IP (range), then kill all 'net-facing services except SSH, then look around for stray processes. Then post info here to help us help you. For checks after that read the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html.


...but before you do, you should put some effort into investigating the matter. With breaches of security there's no room for gut feelings, "thinking" or assumptions. If you don't then sure you can harden a box the next time around but you won't know what caused it.


What clues did I miss it's that specific vector?