Hacked - slowdssh

I’m running openSUSE 11.1. Noticed markedly slowed responsiveness. Top shows 20-30 “slowdssh” processes running as root. Rkhunter shows warnings for chkconfig, lld, ifup etc. The machine has clearly been exploited but I don’t know how, and searching for “slowdssh” did not reveal anything useful. Any experience with this or suggestions on how to identify this?

Many Thanks,
Bob

I simply wouldn’t, for sure it probably could be done but I’m just not sure it is worth it.

You have executables triggering rkhunter already; it might be possible to do a checksum verify with rpm, but honestly you can’t trust it. At this point IMO it is a rebuild and data retrieval (nothing that is executable or scriptable unless you can audit it); it is too far gone. Had you had some kind of system integrity checks to use, it might have been possible.

I’d treat it as a lesson learnt and lock down ssh, ideally with key pass only, and maybe even further down to IPs and users/groups etc., and moving the default port if not done so…
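As an added illustration of the lockdown just described (this is example code, not something posted in the thread or shipped with openSUSE), the POSIX shell script below audits an sshd_config for the settings named above: key-only authentication, no direct root login, named users restricted to named hosts, and a non-default port. Both sample configs, their paths under TMPDIR, and the user names and 192.0.2.x addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the lockdown
# settings recommended above (key-only auth, no root login, restrict users
# and hosts, non-default port). The two sample configs are constructed.

# sshd_opt FILE KEYWORD: print the effective global value of KEYWORD.
# sshd uses the first occurrence of a keyword; anything after the first
# "Match" line is conditional, so the scan stops there.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# sshd_audit FILE: print one finding per line; return 1 if any were found.
# Defaults assumed for missing keywords are those of older OpenSSH (5.x era),
# where PermitRootLogin and PasswordAuthentication both defaulted to "yes".
sshd_audit() {
    cfg="$1"; bad=0
    v=$(sshd_opt "$cfg" PasswordAuthentication)
    if [ "${v:-yes}" != "no" ]; then
        echo "PasswordAuthentication=${v:-yes (default)}: passwords can be guessed; use keys only"
        bad=1
    fi
    v=$(sshd_opt "$cfg" PermitRootLogin)
    if [ "${v:-yes}" != "no" ]; then
        echo "PermitRootLogin=${v:-yes (default)}: direct root login should be disabled"
        bad=1
    fi
    v=$(sshd_opt "$cfg" PubkeyAuthentication)
    if [ "$v" = "no" ]; then
        echo "PubkeyAuthentication=no: key-based login is disabled"
        bad=1
    fi
    if [ -z "$(sshd_opt "$cfg" AllowUsers)$(sshd_opt "$cfg" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups: every local account is reachable over SSH"
        bad=1
    fi
    v=$(sshd_opt "$cfg" Port)
    if [ "${v:-22}" = "22" ]; then
        echo "Port=22: default port draws automated scanning (obscurity only, not a control)"
        bad=1
    fi
    return $bad
}

# sshd_audit_count FILE: number of findings, for quick comparison.
sshd_audit_count() {
    sshd_audit "$1" | wc -l | tr -d ' '
}

# Constructed sample configs (hypothetical paths under TMPDIR).
WEAK_CFG="${TMPDIR:-/tmp}/sshd_config.weak.$$"
HARD_CFG="${TMPDIR:-/tmp}/sshd_config.hardened.$$"

cat > "$WEAK_CFG" <<'EOF'
# permissive defaults, as shipped on many older installs
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF

cat > "$HARD_CFG" <<'EOF'
# locked down: keys only, no root, named users from named hosts, moved port
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# user@host patterns restrict both who and from where (hypothetical addresses)
AllowUsers bob@192.0.2.10 admin@192.0.2.*
EOF

echo "== weak =="
sshd_audit "$WEAK_CFG" || echo "(findings listed above)"
echo "== hardened =="
sshd_audit "$HARD_CFG" && echo "no findings"
```

Run it against the live file with `sshd_audit /etc/ssh/sshd_config` once the functions are sourced; on a box like the one in this thread the point is to run it on the rebuilt system, since the output of any tool on the compromised host cannot be trusted.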

Personally, fortunately, I don’t know anything about slowdssh, but I was interested enough to do a bit of poking about. Disturbingly, I can’t see any evidence of anyone really dealing with this seriously enough to give any solid advice or any evidence of anyone following an established incident response checklist.

Have a look here:
That grumpy BSD guy: A Third Time, Uncharmed
or
https://gridmotorsports.com/forum/techsupport/461492203/view

The inference is that whoever got in, got in in the first instance via weaknesses in the ssh setup, but I am not clear that there is actual evidence of this and it might just be a ‘best guess’, which isn’t really satisfactory; maybe the ‘evidence’ is that, once exploited, the machine tries to crack ssh on other boxes, which isn’t what you’d call ‘stand up in court’ evidence, but would be a strong suggestion.

This might be a bit old, but still worth a read.

(and this on ssh setup; even older, but again worth a read, or this summary from samhain.)

Clearly, if there are any weaknesses in your ssh setup, you need to do something about it, but whether there is a guarantee that this does the business, or not, is open to question.

Thanks everyone. I’m pretty sure SSH was compromised. Just wanted to see if any other possibilities were raised. Time to scrub and reinstall!

Bob