Security breach: Changed sshd_config and system time

Support for security such as Firewalls and securing linux
Alan_SP
Posts: 1
Joined: 2012/03/14 15:04:49

Security breach: Changed sshd_config and system time

Post by Alan_SP » 2012/03/14 15:26:22

What I know:

Yesterday I had a problem with the server's system time. It had been changed to the year 2008 (the date and time were otherwise accurate). Also, there was a restart of sshd (which helped me to spot the change of year). I set the time and thought it was possibly an attack, or maybe some bug, whatever.

Anyway, today I received mail from rkhunter that in sshd_config root login isn't set (PermitRootLogin No was commented out). This is not my standard configuration, and yesterday it wasn't commented out. So, someone obviously commented it out and after that restarted sshd. Everything else was unchanged on first look, but to be sure I overwrote that file with my backup version of sshd_config. I also noticed that the date of the changes was in the future, October 6 of this year. It looks like there was more than simple tampering with the server's time.

I have a setup where, when someone logs in with ssh, I receive mail about it. I didn't receive any mails with warnings like this. Also, in the logs I didn't find any login attempts, successful or unsuccessful. OK, I understand that someone could gain control over the server and later delete the logs about his access to the server. But I'm not sure how he avoided the mail being sent when he logged in the first time. Maybe he didn't gain access with SSH? And, just to mention, SSH isn't on the standard port.

I didn't notice other changes on the server, and rkhunter didn't report anything else different.

Does someone have any idea how this is possible and what I should do to prevent it in the future?
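As an added example (not code from the poster or from rkhunter), the following script reproduces the two observations in the report above as an explicit check: what sshd will actually use for PermitRootLogin once the directive is commented out, and whether a file's modification time lies in the future. Assumed, and not from the post: the fallback of "yes" when no PermitRootLogin directive is active (the OpenSSH default before 7.0), a five-minute clock slack, and the constructed sample configs and timestamp.

```python
"""Added example, not from the forum post: a small audit of sshd_config that
checks the two things the OP's report turns on.

Assumed (mine, not the page's): the default of "yes" for PermitRootLogin when
no directive is active (the OpenSSH default before 7.0), a 5-minute clock slack,
and the sample configs below, which are constructed.
"""
import os
import re
import tempfile
import time

DEFAULT_PERMIT_ROOT_LOGIN = "yes"   # assumption: pre-7.0 OpenSSH default
NOW_2012 = 1331700000               # constructed "now": roughly 2012-03-14 UTC

# Constructed sample: the administrator's intended config.
GOOD_CONFIG = """\
Port 2222
# root must not log in directly
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed sample: the directive commented out, as rkhunter reported.
TAMPERED_CONFIG = """\
Port 2222
# root must not log in directly
#PermitRootLogin no
PasswordAuthentication no
"""

# "Keyword value" or "Keyword=value"; keyword is the first non-space run.
_DIRECTIVE = re.compile(r"(\S+?)\s*[=\s]\s*(.*)")


def effective_setting(config_text, keyword, default):
    """Value sshd would use for `keyword` in the global section.

    sshd rules: the first uncommented occurrence wins, keywords are
    case-insensitive, lines starting with '#' are comments, and directives
    after the first 'Match' line are conditional, so parsing stops there.
    A commented-out 'PermitRootLogin no' contributes nothing, so the default
    applies; that silent fallback is why the OP's alert matters.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        if key == keyword.lower():
            return value
    return default


def mtime_in_future(path, now=None, slack=300):
    """True if the file's mtime is later than `now` by more than `slack` seconds.

    A modification date in the future (the OP saw 6 October) is what a write
    made while the clock was wrong leaves behind, and is worth flagging on
    its own even when rkhunter stays quiet.
    """
    now = time.time() if now is None else now
    return os.stat(path).st_mtime > now + slack


def audit_sshd_config(path, now=None):
    """Return a list of finding strings (an empty list means nothing to report)."""
    findings = []
    with open(path) as fh:
        text = fh.read()
    prl = effective_setting(text, "PermitRootLogin", DEFAULT_PERMIT_ROOT_LOGIN)
    if prl != "no":
        findings.append("PermitRootLogin effective value is '%s', expected 'no'" % prl)
    if mtime_in_future(path, now):
        findings.append("%s has a modification time in the future" % path)
    return findings


def write_sample(text, mtime=None):
    """Write a constructed config to a temp file, optionally forging its mtime."""
    fd, path = tempfile.mkstemp(prefix="sshd_config.")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    if mtime is not None:
        os.utime(path, (mtime, mtime))
    return path


if __name__ == "__main__":
    tampered = write_sample(TAMPERED_CONFIG, mtime=NOW_2012 + 200 * 86400)
    for finding in audit_sshd_config(tampered, now=NOW_2012):
        print("FINDING:", finding)
```

Run against the real file with `audit_sshd_config("/etc/ssh/sshd_config")`; the point of checking the effective value rather than grepping for the literal `PermitRootLogin no` is that a comment character, a `Match` block, or a second directive higher in the file all change what sshd enforces without changing what a naive grep sees.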

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: Security breach: Changed sshd_config and system time

Post by pschaff » 2012/03/14 23:14:11

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

In the US we did just have a change to Daylight Savings last weekend, but that would not explain the errors and anomalies in the absence of other problems. All I can suggest is trying other tools such as chkrootkit and running "rpm -Va".
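To show what a practitioner does with the `rpm -Va` output suggested above, here is an added example (not pschaff's or the CentOS project's code) that parses the verify report and sorts entries by how much attention they deserve: a packaged binary whose digest changed or that has gone missing ranks far above a config file that differs only in mtime. The sample output is constructed, not from the OP's machine, and the severity buckets are my own choice.

```python
"""Added example, not from the thread: triage of `rpm -Va` output.

`rpm -Va` prints one line per file that fails a check: an attribute string
(S size, M mode, 5 digest, D device, L symlink, U owner, G group, T mtime,
P capabilities; '.' = passed, '?' = not testable), an optional file-type
letter (c = config file), and the path, or the word "missing".  The sample
output below is constructed, not from the OP's machine.
"""
import re

FLAG_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device",
              "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
              "P": "capabilities"}

# 8-char attribute strings (older rpm, no P column) and 9-char ones both parse.
_LINE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<type>[cdglrDL])\s+)?(?P<path>/\S.*)$")

# Constructed sample: what a box in the OP's situation might print.
SAMPLE_RPM_VA = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.  c /etc/sysconfig/clock
S.5....T.    /usr/sbin/sshd
missing     /usr/bin/top
.M.......    /etc/cron.daily/logrotate
"""

CONTENT = {"size", "digest", "missing", "symlink"}
PERMS = {"mode", "owner", "group"}


def parse_rpm_verify(output):
    """Turn rpm -Va text into records: path, whether it is a config file, flags."""
    records = []
    for line in output.splitlines():
        m = _LINE.match(line)
        if not m:          # dependency warnings and other noise are skipped
            continue
        attrs = m.group("attrs")
        flags = {"missing"} if attrs == "missing" else \
            {FLAG_NAMES[c] for c in attrs if c in FLAG_NAMES}
        records.append({"path": m.group("path"),
                        "config": m.group("type") == "c",
                        "flags": flags})
    return records


def triage(records):
    """Bucket records by how much attention they deserve (my own scheme).

    high:   a non-config packaged file whose content changed or is missing
            (a replaced binary is what chkrootkit and rkhunter hunt for)
    medium: owner/group/mode changed
    review: a config file whose content changed; expected for locally
            edited files, but diff it against a known-good copy
    low:    only the mtime differs, as a bad clock alone would leave
    """
    buckets = {"high": [], "medium": [], "review": [], "low": []}
    for r in records:
        flags = r["flags"]
        if flags & CONTENT and not r["config"]:
            buckets["high"].append(r["path"])
        elif flags & PERMS:
            buckets["medium"].append(r["path"])
        elif flags & CONTENT:
            buckets["review"].append(r["path"])
        elif "mtime" in flags:
            buckets["low"].append(r["path"])
    for paths in buckets.values():
        paths.sort()
    return buckets


if __name__ == "__main__":
    for level, paths in triage(parse_rpm_verify(SAMPLE_RPM_VA)).items():
        for p in paths:
            print("%-6s %s" % (level, p))
```

Feed it real output with `parse_rpm_verify(subprocess.check_output(["rpm", "-Va"], text=True))`; note that `rpm -Va` trusts the local RPM database, so a high-severity hit is a reason to verify the package against a known-good copy of the package file rather than proof on its own.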

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Security breach: Changed sshd_config and system time

Post by unspawn » 2012/03/24 16:09:28

FWIW the thread, leading to slightly more info, was also posted here: https://www.linuxquestions.org/questions/linux-security-4/security-breach-changed-sshd_config-and-system-time-934430/. Apparently the OP fscked up file ownership and also didn't have SELinux running.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: Security breach: Changed sshd_config and system time

Post by pschaff » 2012/03/24 16:19:44

Thanks for the link. Guess this thread is done, as the OP never bothered to return.
