2025-03-28 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/03 Report
This article explains how to handle an SSH brute-force alarm. The content is simple and clear and easy to follow; work through it with the editor to learn how to handle an SSH brute-force alarm.
Situation introduction
Sitting at my desk, my mind often wanders. Back in primary school, could I have imagined working with computers every day? Right in the middle of such daydreams, our security engineers found on the situational-awareness platform that our host (IP: 10.xx.xx.xx) had been brute-forcing the SSH service of multiple public IPs from 18:30 on March x until 06:00 on March 16, 2021. The platform generated more than 20,000 SSH brute-force alerts. Fine, back to work.
After talking to the host administrator, we learned that the machine runs a web service and that its SSH port is exposed to the Internet, but that for security reasons SSH had been moved to the rarely used high port 5XX22 and an address whitelist had been configured, so gaining system access through SSH brute force was unlikely. The intrusion was therefore most likely carried out through a web vulnerability. The other open ports were 3XX2, 4XX2, 1XX22 and 8080. The detailed on-host investigation follows.
Logging in to the situational-awareness platform confirmed more than 20,000 outbound SSH brute-force alerts. For the usual reasons, screenshots are omitted.
On the host, `uname -a` and `cat /proc/version` established that the system is Ubuntu.
Checking the currently logged-in users (to see whether an attacker was on the box alongside us) showed only my own SSH session.
Checking the host's network connections showed an established connection to a foreign IP. Looking that IP up in a threat-intelligence database gave the following result:
`lsof -p <pid>` on the associated process showed that its executable lives under the /tmp directory, which is immediately suspicious: legitimate services do not run out of a world-writable temporary directory.
Listing the accounts that can log in with `cat /etc/passwd | grep "/bin/bash"` showed only the ubuntu and root accounts. (Note that this only finds accounts whose shell is literally /bin/bash; a backdoor account given /bin/sh or another shell would be missed, so it is safer to check the shell field more broadly.)
Checking for accounts with administrator privileges (UID 0) found only root.
Inspecting the scheduled tasks revealed a cron entry that runs a hidden (dot-prefixed) file, which is suspicious.
Listing the /tmp directory showed three suspicious directories, all created the previous day.
Looking at their contents, the files under .ts contained the list of external IPs being attacked and dictionary contents, so these are the dictionaries, IP lists and scripts the attacker left on the server.
The files under the .ms directory carry the characteristics of a mining trojan, and the scheduled task that launches them was written as follows:
To work out how the attacker got into this host, the successful-login log was reviewed; every successful login belonged to the troubleshooting personnel.
The log also showed that the host itself had been brute-forced by multiple public IPs.
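The account, cron and login checks above, as an added set of shell helpers that are not the article's own commands: each function takes a file path, so it can be pointed at /etc/passwd, the output of `crontab -l` and /var/log/auth.log on a real Ubuntu host, or at the constructed sample files the script creates at the bottom. It goes slightly beyond the article by matching any interactive shell rather than only /bin/bash, and by cross-referencing successful logins against the addresses that produced failed attempts. All hostnames, paths and addresses in the samples are constructed (RFC 5737 documentation ranges), not the incident's data.

```bash
#!/usr/bin/env bash
# Added triage helpers for the investigation steps above. Not the article's own
# commands: each function takes a file path so it can be run against a live host
# (/etc/passwd, `crontab -l` output, /var/log/auth.log) or against the constructed
# samples created at the bottom of this script.

# Accounts with an interactive shell. The article grepped for "/bin/bash";
# matching any shell ending in "sh" also catches /bin/sh, /bin/zsh and so on.
login_shell_accounts() {
    awk -F: '$7 ~ /sh$/ { print $1 }' "$1"
}

# Every account with UID 0 is root-equivalent regardless of its name, so check
# the UID column rather than looking only for the literal name "root".
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Cron entries that execute from /tmp, /dev/shm or a dot-prefixed (hidden) path,
# the persistence pattern seen in this incident. Comments and blank lines are skipped.
suspicious_cron_lines() {
    grep -vE '^[[:space:]]*(#|$)' "$1" | grep -E '(/tmp/|/dev/shm/|/\.[^/[:space:]]+)'
}

# Failed SSH password attempts per source IP from auth.log-style lines,
# printed as "count ip", highest count first.
ssh_failed_by_ip() {
    grep -E 'sshd\[[0-9]+\]: Failed password' "$1" \
        | sed -nE 's/.* from ([0-9.]+) port .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Successful SSH logins as "user ip" (password or public key), to compare with
# the responders' own source addresses.
ssh_accepted() {
    grep -E 'sshd\[[0-9]+\]: Accepted (password|publickey)' "$1" \
        | sed -nE 's/.*Accepted [a-z]+ for ([^ ]+) from ([0-9.]+) port .*/\1 \2/p'
}

# The signal that settles "did the brute force succeed": a successful login
# from an address that also produced failed attempts.
accepted_from_bruteforcers() {
    local bad
    bad=$(mktemp)
    ssh_failed_by_ip "$1" | awk '{ print $2 }' > "$bad"
    ssh_accepted "$1" | awk -v f="$bad" 'BEGIN { while ((getline l < f) > 0) seen[l] = 1 } ($2 in seen)'
    rm -f "$bad"
}

# ---- constructed sample data (not from the incident; RFC 5737 test addresses) ----
SAMPLE_PASSWD=$(mktemp); SAMPLE_CRON=$(mktemp); SAMPLE_AUTH=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_CRON" "$SAMPLE_AUTH"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backdoor:x:0:0::/tmp/.x:/bin/sh
EOF
cat > "$SAMPLE_CRON" <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/10 * * * * /tmp/.ms/x >/dev/null 2>&1
@reboot /home/ubuntu/.config/.cache/run.sh
EOF
cat > "$SAMPLE_AUTH" <<'EOF'
Mar 15 18:31:02 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 15 18:31:05 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 15 18:31:09 web01 sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 15 18:32:40 web01 sshd[2230]: Failed password for invalid user oracle from 198.51.100.23 port 40010 ssh2
Mar 15 18:40:11 web01 sshd[2301]: Accepted password for ubuntu from 192.0.2.10 port 50222 ssh2
Mar 16 05:59:58 web01 sshd[2999]: Failed password for root from 198.51.100.23 port 40050 ssh2
Mar 16 06:02:13 web01 sshd[3012]: Accepted publickey for root from 203.0.113.7 port 51300 ssh2
EOF

echo "interactive accounts:";      login_shell_accounts "$SAMPLE_PASSWD"
echo "uid 0 accounts:";            uid0_accounts "$SAMPLE_PASSWD"
echo "suspicious cron entries:";   suspicious_cron_lines "$SAMPLE_CRON"
echo "failed ssh logins per ip:";  ssh_failed_by_ip "$SAMPLE_AUTH"
echo "logins from brute-forcers:"; accepted_from_bruteforcers "$SAMPLE_AUTH"
```

On the sample data the `backdoor` account shows up in both the interactive-shell and the UID 0 lists even though a grep for "/bin/bash" would have missed it, and the final check reports the `root` login from 203.0.113.7, the same address that produced the most failed attempts. On a live host, run the same functions against the real files and compare the accepted-login addresses with the responders' own.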
Disposal situation
During disposal, have the host administrator watch what you do, especially on a business host (a lesson learned the hard way), so that the disposal does not disrupt normal business and get you blacklisted by the client.
Kill the malicious processes connected to the foreign IP. Before killing them, preserve what disappears with the process: copy /proc/<pid>/exe and record /proc/<pid>/cwd, /proc/<pid>/cmdline and the network connection, since malware running out of /tmp often deletes its own binary.
Delete the scheduled tasks that relaunch the malware; otherwise the process comes straight back at the next cron run.
Security analysis recommendations
Threat-intelligence lookups are routinely used during analysis to identify mining and remote-control (C2) infrastructure.
Commit the common disposal commands to memory: the victim host sometimes cannot provide a remote environment, and you cannot flip through your notes once you are on the console, least of all in front of the client (Party A).
For emergency response, one book is recommended: "Practical Guide to Network Security Emergency Response Technology" (Qi An Xin, you may send the referral fee).
Practice more: a long illness makes a good doctor. Handle enough intrusions and, even if you never become an emergency-response god, your general response ability will certainly improve.
Thank you for reading. The above is the content of "how to handle an SSH brute-force alarm". Having studied this article, you should have a deeper understanding of how to handle an SSH brute-force alarm; the specific steps still need to be verified in practice. The editor will push more related articles to you; welcome to follow!