3

I have a Digital Ocean droplet running Ubuntu 14.04. I use it for running quick node.js tests on a publicly available server. I just logged in via SSH and did $ lsof -i to see what ports I was using. At the bottom of the list I noticed:

sshd    30952 root    3u  IPv4 66978103      0t0  TCP xxx.xxx.xxx.xxx:ssh->120.52.72.81:7810 (ESTABLISHED)
sshd    30953 sshd    3u  IPv4 66978103      0t0  TCP xxx.xxx.xxx.xxx:ssh->120.52.72.81:7810 (ESTABLISHED)

I didn't expect these ssh connections (it should only be me!) so I looked up the IP address and it seems to be in China. So what should I do now to check whether these ssh connections are malicious and, if so, what they may have done to the server? I'd rather not nuke it but if it's been compromised (since they have root access I presume it has!) then perhaps that's the simplest thing to do.

Update: Since writing the above, I have 2 different SSH connections so I presume it really is compromised.

sshd    31009 root    3u  IPv4 66979206      0t0  TCP xxx.xxx.xxx.xxx:ssh->221.194.44.218:50829 (ESTABLISHED)
sshd    31010 sshd    3u  IPv4 66979206      0t0  TCP xxx.xxx.xxx.xxx:ssh->221.194.44.218:50829 (ESTABLISHED)

If anyone can suggest a sensible approach to checking for a compromise/cleaning this up/seeing what's happened that would be great to help me learn (I'm such a n00b!).

Update 2: It appears that these aren't signs of a compromise but rather the signs of brute-force login attempts - see the comments from @bodgit and @ultrajohn below.

James
  • 133
  • 5
  • 1
    It's probably not a compromise situation, you likely just have a bot trying to brute-force guess a username/password. The ports used by the connection should change frequently and you should have some `sshd` logs somewhere that should show the (hopefully failed) attempts. – bodgit Jul 25 '16 at 15:06
  • you can try checking out the logs at /var/log/auth.log and identify all successful login attempts. Most likely you will find the IP addresses you mentioned in some of the failed password entries of the log. – ultrajohn Jul 25 '16 at 15:11
  • Thanks (super helpful to have a comment/answer rather than simply being marked as a duplicate! :-) . The IP addresses seem to change as do the ports being tried. The fact that it had (ESTABLISHED) at the end made me think it was successful. I'll keep exploring. – James Jul 25 '16 at 15:12
  • ESTABLISHED has nothing to do with ssh. Go read about TCP/IP. – user9517 Jul 25 '16 at 15:15
  • @ultrajohn & bodgit Thanks both for your super-helpful comments. I've checked the auth.log and it is indeed all OK and the server hasn't been compromised. I'll edit my Q to emphasise the "has it been compromised?" nature of my Q and if you submit an answer I'll mark it as correct. – James Jul 25 '16 at 15:29

1 Answer

3

No, this isn't evidence of a compromise.

Any server on the Internet can expect regular attempts to brute SSH and other types of logins. These types of attacks are automated, and not targeted. Usually the goal of the attack is to install a bot that can be used to send spam or initiate more attacks. The attacks are usually dictionary-based.

Obviously, if some attacker is going to try a random username and password, they will start off by establishing a connection to your SSH server. That is what you are seeing in lsof (and would also see in netstat).

If you want to check for compromise, look at wtmp (type who), and look at the system logs. Audit records in syslog (like "session opened for user james") will shed some light.

You could also look for users you do not recognize, and inspect traffic and connections (the command netstat -nvlp can be handy) to see whether your server is running unexpected processes that are doing things like sending email or originating connections to other services.

Falcon Momot
  • 25,244
  • 15
  • 63
  • 92
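A small check in the spirit of the comments and the answer above: scan auth.log lines, count failed sshd attempts per source address, and flag any accepted login from an address you don't recognise. This is an added example, not code from the question or the answer; the log lines are constructed in Ubuntu 14.04 auth.log format, and the host name `droplet`, the address 203.0.113.5 and the key fingerprint are placeholders.

```python
import re
from collections import Counter

# Constructed sample in Ubuntu 14.04 /var/log/auth.log format. The two source
# addresses are the ones seen in the question; 203.0.113.5 is a placeholder
# standing in for the admin's own address.
SAMPLE_AUTH_LOG = """\
Jul 25 15:04:12 droplet sshd[30952]: Failed password for invalid user admin from 120.52.72.81 port 7810 ssh2
Jul 25 15:04:15 droplet sshd[30952]: Failed password for root from 120.52.72.81 port 7810 ssh2
Jul 25 15:05:02 droplet sshd[31009]: Failed password for invalid user oracle from 221.194.44.218 port 50829 ssh2
Jul 25 15:05:05 droplet sshd[31009]: Failed password for root from 221.194.44.218 port 50829 ssh2
Jul 25 15:06:40 droplet sshd[31100]: Accepted publickey for james from 203.0.113.5 port 51234 ssh2: RSA SHA256:placeholder
Jul 25 15:06:40 droplet sshd[31100]: pam_unix(sshd:session): session opened for user james by (uid=0)
"""

# "Failed password for [invalid user ]NAME from IP port N" and
# "Accepted METHOD for NAME from IP port N" are the two sshd lines that matter here.
FAILED = re.compile(r"sshd\[\d+\]: Failed (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def summarise(log_text):
    """Return (failed attempts per source IP, list of accepted logins)."""
    failed = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failed[m.group(3)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append({"method": m.group(1), "user": m.group(2), "ip": m.group(3)})
    return failed, accepted

def unexpected_logins(log_text, expected_ips):
    """Accepted logins from any address not in the set you recognise."""
    _, accepted = summarise(log_text)
    return [a for a in accepted if a["ip"] not in expected_ips]

if __name__ == "__main__":
    failed, accepted = summarise(SAMPLE_AUTH_LOG)
    for ip, n in failed.most_common():
        print(f"{ip}: {n} failed attempts")
    for a in accepted:
        print(f"accepted {a['method']} for {a['user']} from {a['ip']}")
    print("unexpected:", unexpected_logins(SAMPLE_AUTH_LOG, {"203.0.113.5"}))
```

On a real host, replace SAMPLE_AUTH_LOG with the contents of /var/log/auth.log (and its rotated copies) and put your own addresses in the expected set; a non-empty "unexpected" list is what actually warrants further investigation, not ESTABLISHED connections in lsof.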