I got 0wn3d

Ok, it was my own stupidity, but somebody logged onto my box yesterday through the clamav account, which was used for my mail scanning and filtering. I get an email every day from the logwatch cron job which gives me a summary of what happened during the day, and in this case I just happened to see that the user clamav had logged in three times through SSH, from three different IP addresses. I had changed the default shell from /bin/false to /bin/bash to set up some anti-virus scanning stuff with ClamAV, and I forgot to change the shell back to /bin/false when I had finished, and the password was still set to clamav.

I logged on to find a process called own running at 100% CPU. I killed it quick smart and started investigating. The user didn’t have any home directory, so no bash history was available, unfortunately. What I did find was a folder called local with some goodies in it.

total 3588
-rwxr-xr-x 1 clamav clamav 19599 Feb 21 16:23 a
-rwxr-xr-x 1 clamav clamav 307990 Apr 10 11:46 aVe
-rwxr-xr-x 1 clamav clamav 452101 Oct 16 2004 brk2
-rwxr-xr-x 1 clamav clamav 4491 Mar 14 02:24 buffer
-rwxr-xr-x 1 clamav clamav 26584 Jan 15 12:49 elf
-rw-r--r-- 1 clamav clamav 10828 Jan 27 14:56 ex_gpsd.c
-rwxr-xr-x 1 clamav clamav 164 Apr 2 19:35 exim.pl
-rwxr-xr-x 1 clamav clamav 5939 Jan 15 12:49 gcc
-rwxr-xr-x 1 clamav clamav 445809 Feb 15 2004 h2
-rwxr-xr-x 1 clamav clamav 468696 Jan 15 12:50 kmx
-rwxr-xr-x 1 clamav clamav 9176 Mar 13 22:35 krad
-rwxr-xr-x 1 clamav clamav 27841 Jan 15 12:49 loc
-rwxr-xr-x 1 clamav clamav 551 Dec 14 2004 mailbomb
-rwxr-xr-x 1 clamav clamav 446714 Jan 8 15:50 mmap2
-rwxr-xr-x 1 clamav clamav 408978 Jan 8 15:52 mremap_pte
-rwxr-xr-x 1 clamav clamav 428551 Feb 12 09:18 op
-rwxr-xr-x 1 clamav clamav 19910 Mar 20 2003 own
-rwxr-xr-x 1 clamav clamav 14282 Mar 13 22:40 pwned
-rwxr-xr-x 1 clamav clamav 7745 Mar 23 05:28 root
-rwxr-xr-x 1 clamav clamav 9870 Apr 2 19:31 stackgrow2
-rw-r--r-- 1 clamav clamav 8366 Jan 16 17:30 stackgrow2.c
-rwxr-xr-x 1 clamav clamav 468689 Jan 8 15:56 w00t

I have had a poke around, and it seems that this is the only thing that has happened on the box. From the looks of it, they are a random bunch of local root exploits, plus a mailbomber. There are no rootkits (I have scanned with rkhunter and chkrootkit) and currently no unaccounted open network connections, so I think I’m ok.

I have been noticing the amount of SSH attempts at random accounts appearing in my PAM logs. Mostly to root, but some to other accounts like test, admin and various common names. Out of interest’s sake (and I know that Timmy blocked email from all of China), I have decided to have a look at where these SSH attempts were coming from. I installed an IP-to-country converter on my server and checked the location of some of these attempts. The short list is:

  • Korea
  • China
  • India
  • Hong Kong
  • Hungary
  • Romania

I found a script on the net to generate iptables rules based on IP ranges of countries. I hope that it helps…

So, the lesson of the day is: don’t leave any accounts open with a default password and a valid shell! :)
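As an added example (not part of the original post), here is the kind of check that lesson calls for: a small shell audit that lists every account in a passwd file which still has a login shell and an unlocked password in the matching shadow file. It runs against a constructed sample that includes a clamav entry like the one described above; the file paths are parameters so it can be pointed at /etc/passwd and /etc/shadow on a real host.

```shell
#!/bin/sh
# Added example, not from the original post: flag accounts that have both a
# login shell and a usable (unlocked) password, the combination that let the
# clamav account above be logged into. Paths are parameters; on a real host
# pass /etc/passwd and /etc/shadow (the latter needs root to read).

# Print "user:shell" for each account whose shell is interactive and whose
# shadow entry is not empty, "!" (locked) or "*" (no password).
audit_login_accounts() {
    passwd_file="$1"
    shadow_file="$2"
    while IFS=: read -r user _ _ _ _ _ shell; do
        case "$shell" in
            /bin/false|/sbin/nologin|/usr/sbin/nologin|/bin/nologin) continue ;;
        esac
        # Password hash for this user from the shadow file (field 2).
        pw_hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
        case "$pw_hash" in
            ''|'!'*|'*'*) continue ;;
        esac
        printf '%s:%s\n' "$user" "$shell"
    done < "$passwd_file"
}

# Constructed sample data standing in for /etc/passwd and /etc/shadow;
# the clamav line mirrors the misconfiguration described in the post.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
clamav:x:104:104::/nonexistent:/bin/bash
postfix:x:105:105::/var/spool/postfix:/bin/false
alice:x:1000:1000::/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$constructed$hash:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
clamav:$1$constructed$hash:16000:0:99999:7:::
postfix:!:16000:0:99999:7:::
alice:!$6$constructed$hash:16000:0:99999:7:::
EOF

# Expected: root and clamav are reported; daemon/postfix have no-login
# shells, alice has a locked ("!") password.
audit_login_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
```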

4 Responses to “I got 0wn3d”

  1. CPT
    June 22nd, 2005 | 7:03 pm

    -rwxr-xr-x 1 clamav clamav 468689 Jan 8 15:56 w00t

    Coolest. File. Ever.

  2. tim
    June 22nd, 2005 | 10:26 pm

    Good safety tip :)

    Given the amount of spam I was getting from a number of Asian countries, I found just blocking them altogether was the best route to travel. It’s just not worth the hassle of dealing with all the crap that happens on a day-to-day basis when you don’t require these places to have access to the boxen.

    I found the following entry from above the most funny:

    -rwxr-xr-x 1 clamav clamav 14282 Mar 13 22:40 pwned

    I was worried when I heard you got broken into; if you’re not safe, what hope is there for us mere Linux mortals??!!!!!

  3. June 23rd, 2005 | 9:16 am

    Pretty worrying stuff :(

  4. June 24th, 2005 | 6:58 pm

    haha cool. So is your main site down because of this? It has the apache default.

    I get a fair bit of spam, but SpamAssassin works a dream… blocking all traffic seems extreme…