Hello Everyone, Fighting a bit of a nasty morning... anyone seen this before?
We have a number of servers that have password authentication disabled as well as shell access disabled for all users except those who have keys. These servers run cPanel and have been updated to the following specs:
2.6.18-164.el5PAE #1 SMP Thu Sep 3 04:10:44 EDT 2009 i686 i686 i386 GNU/Linux
openssh-4.3p2-36.el5_4.2
Early (around midnight-1am CST) this morning we had a widespread attack via an unknown vector. In the attack, the only thing that I can find is the following (IP blacked out, although it is the attackers' address):
Nov 12 04:31:22 sharedserver/sharedserver sshd[16083]: Received disconnect from 100.100.100.100: 11: No supported authentication methods available
Nov 12 04:32:14 sharedserver/sharedserver sshd[11265]: Received signal 15; terminating.
Nov 12 04:32:14 sharedserver/sharedserver sshd[16570]: Server listening on :: port 2.
Nov 12 04:32:14 sharedserver/sharedserver sshd[16570]: error: Bind to port 2 on 0.0.0.0 failed: Address already in use.
Nov 12 04:32:27 sharedserver/sharedserver sshd[16611]: Accepted password for root from 100.100.100.100 port 3630 ssh2
Nov 12 04:32:27 sharedserver/sharedserver sshd[16611]: pam_unix(sshd:session): session opened for user root by (uid=0)
The concerning part is that it obviously appears that there is someone reloading SSHD, but there is no successful login (at all) via shell prior to this.
This time corresponds with a modified sshd_config that then allows password authentication, whereby the user then logs in as root and has a good time, so to speak.
I know that the following vulnerability is out in the wild: Linux Kernel 'sock_sendpage()' NULL Pointer Dereference Vulnerability
However, since the user never actually logged into the server from what I can see, I'm still searching for the real way that this occurred.
I have logs from these servers, if you need other information to possibly help track this down that is possible. I'm having a hard time finding the vector for this attack though...
Any assistance would be greatly appreciated.
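A log check for the sequence shown in the message above (sshd terminated and restarted, then a password login on a host that is meant to be key-only), added here as an example and not part of the original post. The function name, the 10-minute correlation window and the placeholder year are assumptions; the sample lines are the ones quoted in the message.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the message above (source address already masked by the poster).
SAMPLE_LOG = """\
Nov 12 04:31:22 sharedserver/sharedserver sshd[16083]: Received disconnect from 100.100.100.100: 11: No supported authentication methods available
Nov 12 04:32:14 sharedserver/sharedserver sshd[11265]: Received signal 15; terminating.
Nov 12 04:32:14 sharedserver/sharedserver sshd[16570]: Server listening on :: port 2.
Nov 12 04:32:14 sharedserver/sharedserver sshd[16570]: error: Bind to port 2 on 0.0.0.0 failed: Address already in use.
Nov 12 04:32:27 sharedserver/sharedserver sshd[16611]: Accepted password for root from 100.100.100.100 port 3630 ssh2
Nov 12 04:32:27 sharedserver/sharedserver sshd[16611]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
ACCEPT = re.compile(r"^Accepted password for (\S+) from (\S+) port \d+")
NO_METHODS = re.compile(r"^Received disconnect from (\S+): .*No supported authentication methods")

def find_password_logins(log_text, window=timedelta(minutes=10), year=2000):
    """Report password logins on a key-only host with the context around each."""
    last_restart = None   # time sshd last received SIGTERM (signal 15)
    refused = set()       # sources that earlier found no usable auth method
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # syslog timestamps carry no year; an arbitrary one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(3)
        if msg.startswith("Received signal 15"):
            last_restart = ts
        elif (r := NO_METHODS.match(msg)):
            refused.add(r.group(1))
        elif (a := ACCEPT.match(msg)):
            user, src = a.groups()
            gap = (ts - last_restart) if last_restart else None
            findings.append({
                "time": ts, "user": user, "source": src,
                "after_restart": gap is not None and gap <= window,
                "seconds_since_restart": gap.total_seconds() if gap else None,
                # True means password auth was off for this source shortly before
                "source_previously_refused": src in refused,
            })
    return findings

if __name__ == "__main__":
    for finding in find_password_logins(SAMPLE_LOG):
        print(finding)
```

On a host where password authentication is disabled by policy, any finding is worth an alert; `after_restart` together with `source_previously_refused` points at a configuration change between the two connections, so the next step is to compare sshd_config against a known-good copy and check its modification time.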