
Author Topic: Hack by ssh publickey  (Read 686 times)


lolpop
Hack by ssh publickey
« on: 2017-01-02, 11:06:35 »
Hi,

Yesterday I received a mail informing me that someone had connected to my server over SSH using a public key.
I don't use a key to connect to the server, just login/password.

All the files I could find to trace this intrusion:

Quote
[root@vps252983 script]# sh /script/sysinfo

A. Kloxo-MR: 6.5.0.f-2016111301

B. OS: CentOS release 6.8 (Final) x86_64

C. Apps:
   1. MySQL: mysql55-5.5.53-1.ius.el6.x86_64
   2. PHP: php53u-5.3.29-1.ius.el6.x86_64
   3. Httpd: httpd-2.2.31-1.mr.el6.x86_64
   4. Lighttpd: --uninstalled--
   5. Nginx: --uninstalled--
   6. Qmail: qmail-toaster-1.03-1.3.55.mr.el6.x86_64
      - with: courier-imap-toaster-4.1.2-1.3.20.mr.el6.x86_64
   7. Dns: bind-9.9.7-1.mr.el6.x86_64

D. Php-type (for Httpd/proxy): mod_php_ruid2

E. Memory:
                total       used       free     shared    buffers     cached
   Mem:          1829       1710        118          0         26       1313
   -/+ buffers/cache:        370       1458
   Swap:            0          0          0



/var/log/secure

Jan  1 13:54:16 vps252983 sshd[30883]: Accepted publickey for root from 46.43.125.61 port 35257 ssh2
Jan  1 13:54:16 vps252983 sshd[30883]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan  1 13:54:18 vps252983 sshd[30883]: error: connect_to imap4.btconnect.com port 143: failed.
Jan  1 13:54:50 vps252983 sshd[30883]: error: connect_to 207.115.11.17 port 110: failed.
Jan  1 13:55:22 vps252983 sshd[30883]: error: connect_to smtp.comcast.net port 587: failed.
Jan  1 13:55:38 vps252983 sshd[30883]: pam_unix(sshd:session): session closed for user root

/var/log/cron

Jan  1 13:56:01 vps252983 CROND[31566]: (root) CMD (sleep 30 && exec 2>&1 && grep -v 46.43.125.61 /usr/local/lxlabs/kloxo/log/hiawatha-access.log > /tmp/sess_CqwvLbmYSsmhvnIB; echo y | cp -f /tmp/sess_CqwvLbmYSsmhvnIB /usr/local/lxlabs/kloxo/log/hiawatha-access.log && rm -f /tmp/sess_CqwvLbmYSsmhvnIB > /dev/null &sleep 30 && exec 2>&1 && grep -v 46.43.125.61 /usr/local/lxlabs/kloxo/log/hiawatha-error.log > /tmp/sess_sqwkGxQjbFiLeFRL; echo y | cp -f /tmp/sess_sqwkGxQjbFiLeFRL /usr/local/lxlabs/kloxo/log/hiawatha-error.log && rm -f /tmp/sess_sqwkGxQjbFiLeFRL > /dev/null &sleep 30 && exec 2>&1 && grep -v 46.43.125.61 /usr/local/lxlabs/kloxo/log/login_success > /tmp/sess_SJDqQsKICkDBNGlS; echo y | cp -f /tmp/sess_SJDqQsKICkDBNGlS /usr/local/lxlabs/kloxo/log/login_success && rm -f /tmp/sess_SJDqQsKICkDBNGlS > /dev/null &)
Jan  1 13:56:01 vps252983 CROND[31567]: (root) CMD (rm -rf /etc/cron.d/cleanup_cron.cron)

/root/.ssh/authorized_keys

# The following ssh key was injected by Nova
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDG6AGb7mde

I am not sure, but looking at /var/log/cron, the hacker used Kloxo to connect to SSH.
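An added example (not from the post or from Kloxo-MR) that runs the three checks a defender would want over lines modelled on the evidence quoted above: public-key logins for accounts that should have no key, SSH port-forwarding attempts (the `connect_to ... failed` errors), and root cron jobs that scrub an address out of log files or delete their own crontab. The sample lines reuse the post's IP, hosts and paths; the benign backup job is constructed.

```python
import re

# Constructed sample lines, modelled on the /var/log/secure and /var/log/cron
# excerpts in the post above (same IP, hosts and log paths as the post).
SECURE_LOG = [
    "Jan  1 13:54:16 vps252983 sshd[30883]: Accepted publickey for root from 46.43.125.61 port 35257 ssh2",
    "Jan  1 13:54:18 vps252983 sshd[30883]: error: connect_to imap4.btconnect.com port 143: failed.",
    "Jan  1 13:55:22 vps252983 sshd[30883]: error: connect_to smtp.comcast.net port 587: failed.",
    "Jan  1 13:55:38 vps252983 sshd[30883]: pam_unix(sshd:session): session closed for user root",
]
CRON_LOG = [
    "Jan  1 13:56:01 vps252983 CROND[31566]: (root) CMD (sleep 30 && grep -v 46.43.125.61 "
    "/usr/local/lxlabs/kloxo/log/login_success > /tmp/sess_SJDqQsKICkDBNGlS; echo y | cp -f "
    "/tmp/sess_SJDqQsKICkDBNGlS /usr/local/lxlabs/kloxo/log/login_success)",
    "Jan  1 13:56:01 vps252983 CROND[31567]: (root) CMD (rm -rf /etc/cron.d/cleanup_cron.cron)",
    "Jan  1 14:00:01 vps252983 CROND[31600]: (root) CMD (/usr/local/bin/nightly-backup.sh)",  # constructed, benign
]

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
CONNECT_TO = re.compile(r"sshd\[\d+\]: error: connect_to (\S+) port (\d+): failed")
CRON_CMD = re.compile(r"CROND\[\d+\]: \((\S+)\) CMD \((.*)\)$")

def unexpected_key_logins(lines, users_with_keys=frozenset()):
    """(user, ip) for every public-key login by an account that should have no key installed."""
    hits = []
    for line in lines:
        m = ACCEPTED.search(line)
        if m and m.group(1) == "publickey" and m.group(2) not in users_with_keys:
            hits.append((m.group(2), m.group(3)))
    return hits

def forwarding_attempts(lines):
    """sshd logs 'connect_to HOST port N: failed' when a client asks it to open a TCP forward;
    mail ports (110/143/587) as targets mean the box was being used as a relay."""
    return [(m.group(1), int(m.group(2))) for m in map(CONNECT_TO.search, lines) if m]

def log_tampering_cron(lines):
    """(user, kind) for cron jobs that rewrite a log file with an address filtered out,
    or that delete a file under /etc/cron.d (the self-cleaning pattern in the post)."""
    hits = []
    for line in lines:
        m = CRON_CMD.search(line)
        if not m:
            continue
        cmd = m.group(2)
        scrubs = "grep -v" in cmd and "/log/" in cmd and "cp -f" in cmd
        self_delete = re.search(r"rm -rf? /etc/cron\.d/", cmd) is not None
        if scrubs or self_delete:
            hits.append((m.group(1), "log-scrub" if scrubs else "cron-self-delete"))
    return hits
```

Pass the set of accounts that legitimately use keys as `users_with_keys`; on the poster's box that set is empty, so the root login is flagged outright.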

lolpop
Re: Hack by ssh publickey
« Reply #1 on: 2017-01-02, 11:22:53 »
And also:

Quote
/var/log/audit/audit.log
type=CRYPTO_KEY_USER msg=audit(1483275251.993:243691): user pid=30884 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=2a:8d:5d:ef:50:0c:06:d0:6d:2d:7b:eb:76:f8:97:cc direction=? spid=30884 suid=0  exe="/usr/sbin/sshd" hostname=? addr=46.43.125.61 terminal=? res=success'
« Last Edit: 2017-01-02, 11:31:20 by lolpop »

MRatWork (Administrator)
Re: Hack by ssh publickey
« Reply #2 on: 2017-01-02, 13:55:40 »
Did you set "cron enable" for clients?
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

lolpop
Re: Hack by ssh publickey
« Reply #3 on: 2017-01-02, 15:00:42 »
Yes, why?

MRatWork (Administrator)
Re: Hack by ssh publickey
« Reply #4 on: 2017-01-02, 15:32:38 »
 :P
Did you set "cron enable" for clients?
That makes it possible for other users to execute ssh via cron.

lolpop
Re: Hack by ssh publickey
« Reply #5 on: 2017-01-02, 17:05:18 »
The only users are a friend and me. :/

MRatWork (Administrator)
Re: Hack by ssh publickey
« Reply #6 on: 2017-01-02, 17:09:52 »
Quote
The only users are a friend and me. :/
In Kloxo-MR 7.0, only admin can create cron jobs by default. You need to set "enable cron for all clients" to make cron available to other users.
