
I am facing a weird issue on my server (Unix). A couple of vendors have reported to me that my server is sending malicious requests to their servers using the SSH protocol.

I have already checked the system logs under /var/log but didn't find anything there. Could you please guide me on how to stop these malicious activities being performed by my server?

Below are the logs received from different vendors, complaining that my server is sending these requests:

May 10 05:20:03 shared05 sshd[18300]: Invalid user dmcserver from 217.138.XX.YY port 41630
May 10 05:20:03 shared05 sshd[18300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.138.XX.YY
May 10 05:20:05 shared05 sshd[18300]: Failed password for invalid user dmcserver from 217.138.XX.YY port 41630 ssh2
May 10 05:20:05 shared05 sshd[18300]: Received disconnect from 217.138.XX.YY port 41630:11: Bye Bye [preauth]
May 10 05:20:05 shared05 sshd[18300]: Disconnected from invalid user dmcserver 217.138.XX.YY port 41630 [preauth]

Note: 217.138.XX.YY is my server's public IP address.

1 Answer

Block outbound 22 immediately on the external firewall.

ss -p | grep ":ssh" will show you which processes are making the connection, if a process is currently making one.

You'll likely need to wipe the box.

Since this port isn't always open, you can run a few commands to log the action and then run a command when the action occurs.

  1. iptables rule (LOG target in the OUTPUT chain, so every outbound SYN to port 22 is written to the kernel log)
     iptables -I OUTPUT -p tcp --dport 22 -j LOG --log-prefix="SSHAccessTrigger"
  2. Capture processes when the rule is triggered (kern.log is where Debian/Ubuntu put kernel messages; use journalctl -kf or /var/log/messages on other distributions)
     tail -f /var/log/kern.log | awk '/SSHAccessTrigger/ {system("ss -p | grep \":ssh\"")}'

Both of these must be run as root/sudo. I'd run them in a tmux session and check on things every hour; you should have blocked/dropped the traffic on your firewall already.

Jacob Evans
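The answer's two-step procedure (log outbound port 22 with iptables, then look at ss when the log line appears) works, but by the time you read kern.log by hand the connecting process is usually gone. The script below is an added example, not code from the original answer, that automates the same idea and preserves evidence: it parses each LOG line for DST/DPT, asks ss for the sockets to that destination, and snapshots each owning process (binary via /proc/PID/exe, which survives a deleted-on-disk binary, plus cwd, cmdline, parent and open files). It assumes the log prefix "SSHAccessTrigger", kernel messages in /var/log/kern.log, a writable /root/ssh-outbound-evidence directory, and root privileges; the sample log and ss lines inside it are constructed for offline testing, not real captures.

```shell
#!/bin/sh
# Added example, not code from the original answer: a watcher that turns the
# answer's "log outbound 22, then look at ss" idea into automatic evidence
# collection. Assumptions (mine, not the post's): the LOG rule uses the prefix
# "SSHAccessTrigger", kernel log lines arrive in /var/log/kern.log
# (Debian/Ubuntu; use `journalctl -kf` or /var/log/messages elsewhere), and
# the script runs as root.

LOG_PREFIX="SSHAccessTrigger"
KERN_LOG="/var/log/kern.log"
EVIDENCE_DIR="/root/ssh-outbound-evidence"

# Constructed sample inputs (not real logs) so the helpers can be exercised offline.
SAMPLE_LOG_LINE='May 10 05:20:03 myhost kernel: [1234.5678] SSHAccessTrigger IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41630 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'
SAMPLE_SS_LINE='ESTAB 0 0 192.0.2.10:41630 203.0.113.7:22 users:(("sshbrute",pid=4321,fd=5),("sh",pid=1234,fd=5))'

# log_field LINE NAME: print the value of NAME= (e.g. DST, DPT) from an iptables LOG line.
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ss_pids SS_OUTPUT: print the unique pids named in ss -p "users:((...,pid=N,...))" fields.
ss_pids() {
    printf '%s\n' "$1" | grep -o 'pid=[0-9]*' | cut -d= -f2 | sort -u
}

# capture_process PID FILE: snapshot what we need before the process exits.
# /proc/PID/exe still points at the binary even if it was deleted from disk.
capture_process() {
    pid="$1"; out="$2"
    {
        echo "== pid $pid =="
        echo "exe:     $(readlink "/proc/$pid/exe" 2>/dev/null)"
        echo "cwd:     $(readlink "/proc/$pid/cwd" 2>/dev/null)"
        echo "ppid:    $(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)"
        echo "cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        echo "open files:"
        ls -l "/proc/$pid/fd" 2>/dev/null || true
    } >> "$out"
    cp "/proc/$pid/exe" "$out.pid$pid.bin" 2>/dev/null || true
}

# handle_event LINE: for one LOG line, find sockets to the logged DST:DPT and capture their owners.
handle_event() {
    line="$1"
    dst=$(log_field "$line" DST); dpt=$(log_field "$line" DPT)
    out="$EVIDENCE_DIR/$(date +%Y%m%dT%H%M%S)-$dst.txt"
    printf '%s\n' "$line" > "$out"
    socks=$(ss -tnp "dst $dst dport = :$dpt" 2>/dev/null || true)
    printf '%s\n' "$socks" >> "$out"
    for pid in $(ss_pids "$socks"); do
        capture_process "$pid" "$out"
    done
}

# main: add the LOG rule once (idempotent via -C), then follow the kernel log.
# This only logs; outbound 22 should already be dropped at the perimeter firewall.
main() {
    mkdir -p "$EVIDENCE_DIR"
    iptables -C OUTPUT -p tcp --dport 22 -j LOG --log-prefix "$LOG_PREFIX " 2>/dev/null ||
        iptables -I OUTPUT -p tcp --dport 22 -j LOG --log-prefix "$LOG_PREFIX "
    tail -n0 -F "$KERN_LOG" | while IFS= read -r line; do
        case "$line" in
            *"$LOG_PREFIX"*) handle_event "$line" ;;
        esac
    done
}

if [ "${1:-}" = "--watch" ]; then
    main
fi
```

Run it as root inside the tmux session the answer suggests (`./watch-ssh-out.sh --watch`); each triggered connection leaves a timestamped text file plus a copy of the offending binary under /root/ssh-outbound-evidence, which is what you want to keep from the box before wiping it. The LOG rule is inserted rather than a DROP so the process keeps trying and can be observed; the actual blocking belongs on the external firewall, as the answer says.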