DEVOPSZONES

    sync_supers Generating High load Due to Brute SSH attack

    My alerting system reported that one of the servers was under high load. The server in question had not been that stressed in the recent past, so I was curious to take a look. While investigating I found that the load was not coming from the server's own legitimate processes but from a brute-force SSH attack: bssh2z (brute ssh), a tool that brute-forces a list of IPs with various passwords, was doing all the damage.

    1. User krish (krish:x:500:500::/home/krish:/bin/bash in /etc/passwd) was running multiple instances of a Perl script, which accounted for the high CPU load (load average: 6.31, 5.83, 5.72). From top:
    12215 krish     25   0 86224 3680 1140 R 99.9  0.0 924:27.46 perl
    19900 krish     25   0 86224 3676 1140 R 99.9  0.0   3267:42 perl
    26054 krish     25   0 86224 3720 1180 R 99.9  0.0   3589:34 perl
    28916 krish     25   0 86224 3676 1140 R 99.9  0.0   2174:35 perl
    29648 krish     25   0 86224 3680 1140 R 99.9  0.0 930:58.31 perl
    23030 krish     25   0 86224 3680 1140 R 99.5  0.0 947:45.61 perl

    2. Checking further, the same user was also running sync_supers (by its name the file-system related process that flushes data to disk) and http (a web server). Note that the genuine sync_supers is a kernel thread owned by root with no user-space memory; a process with that name owned by krish and showing an 86224 KB virtual size is a user process that renamed itself.
    krish     2408  0.0  0.0  86224  2848 ?        S    Sep19   0:00 [sync_supers]
    krish     2409  0.0  0.0  63856  1060 ?        S    Sep19   0:00 sh -c ./bssh2z 300 22 10 CHANNEL >> .asd.log 2>&1 3>&1
    krish     2410  0.0  0.0   2716  2604 ?        S    Sep19   0:01 /usr/sbin/http

    3. All of it was being done through the bssh2z (brute ssh) binary. file identified it as a statically linked, stripped 32-bit ELF, and last showed the krish account logging in repeatedly from 77.40.116.2:
    bssh2z: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
    krish    pts/0        77.40.116.2      Wed Aug 31 16:52 - 16:52  (00:00)
    krish    pts/0        77.40.116.2      Wed Aug 31 16:34 - 16:34  (00:00)
    krish    pts/0        77.40.116.2      Wed Aug 31 16:13 - 16:13  (00:00)
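    The triage above can be reduced to a few checks over ps output: a bracketed name that is not a real kernel thread, a cluster of identical CPU-bound commands under one user, and a command line that hides its output in a dotfile. The script below is an added example, not code from the post or from any tool it mentions; its thresholds, the function names and the sample ps listing (which reuses the three krish lines shown above and adds constructed root, perl and apache2 lines) are assumptions made for the example.

```python
"""Added example: triage heuristics for `ps aux` output (not code from the post).

Flags:
  1. bracketed names that a real kernel thread could not have: kernel threads
     are owned by root and have no user address space (VSZ 0), so a bracketed
     name owned by an ordinary user with a non-zero VSZ is a renamed process;
  2. several identical CPU-bound commands under one user;
  3. commands that redirect their output into a hidden dotfile.
Thresholds and the sample listing below are constructed assumptions.
"""
import re
from collections import Counter

# Column layout of `ps aux`: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
PS_AUX_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<cpu>[\d.]+)\s+(?P<mem>[\d.]+)\s+"
    r"(?P<vsz>\d+)\s+(?P<rss>\d+)\s+(?P<tty>\S+)\s+(?P<stat>\S+)\s+"
    r"(?P<start>\S+)\s+(?P<time>\S+)\s+(?P<cmd>.+)$"
)

# Output redirected into a dotfile, e.g. ">> .asd.log" (but not "2>&1").
HIDDEN_REDIRECT_RE = re.compile(r">{1,2}\s*\.[^\s/]+")

# Constructed sample: the three krish lines from the post, plus a genuine
# root-owned sync_supers, the perl workers in ps format, and a normal daemon.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         2  0.0  0.0      0     0 ?        S    Sep19   0:00 [kthreadd]
root       219  0.0  0.0      0     0 ?        S    Sep19   0:03 [sync_supers]
krish     2408  0.0  0.0  86224  2848 ?        S    Sep19   0:00 [sync_supers]
krish     2409  0.0  0.0  63856  1060 ?        S    Sep19   0:00 sh -c ./bssh2z 300 22 10 CHANNEL >> .asd.log 2>&1 3>&1
krish     2410  0.0  0.0   2716  2604 ?        S    Sep19   0:01 /usr/sbin/http
krish    12215 99.9  0.0  86224  3680 ?        R    Sep19 924:27 perl
krish    19900 99.9  0.0  86224  3676 ?        R    Sep19 3267:42 perl
krish    26054 99.9  0.0  86224  3720 ?        R    Sep19 3589:34 perl
www-data  3011  1.2  0.5 210400 20480 ?        S    Sep19   2:11 /usr/sbin/apache2 -k start
"""


def parse_ps(text):
    """Return one dict per parsable `ps aux` line (the header is skipped)."""
    procs = []
    for line in text.splitlines():
        m = PS_AUX_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["pid"], p["vsz"], p["rss"] = int(p["pid"]), int(p["vsz"]), int(p["rss"])
        p["cpu"] = float(p["cpu"])
        procs.append(p)
    return procs


def fake_kernel_threads(procs):
    """Processes dressed up as kernel threads ([name]) that cannot be ones."""
    return [p for p in procs
            if p["cmd"].startswith("[") and p["cmd"].endswith("]")
            and (p["user"] != "root" or p["vsz"] > 0)]


def cpu_hog_clusters(procs, cpu_threshold=90.0, min_count=3):
    """(user, command) pairs with at least min_count CPU-bound instances."""
    counts = Counter((p["user"], p["cmd"]) for p in procs if p["cpu"] >= cpu_threshold)
    return {key: n for key, n in counts.items() if n >= min_count}


def hidden_log_writers(procs):
    """PIDs whose command line sends output into a dotfile."""
    return [p["pid"] for p in procs if HIDDEN_REDIRECT_RE.search(p["cmd"])]


def report(ps_text):
    """Human-readable findings, in a fixed order so runs can be diffed."""
    procs = parse_ps(ps_text)
    findings = []
    for p in fake_kernel_threads(procs):
        findings.append(f"pid {p['pid']} ({p['user']}) is not a kernel thread: "
                        f"{p['cmd']} with VSZ {p['vsz']} KB")
    for (user, cmd), n in sorted(cpu_hog_clusters(procs).items()):
        findings.append(f"{n} CPU-bound '{cmd}' processes under {user}")
    for pid in hidden_log_writers(procs):
        findings.append(f"pid {pid} writes its output to a hidden dotfile")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_PS):
        print(finding)
```

    On a live host, feed it the output of ps aux instead of SAMPLE_PS; the root-owned [sync_supers] with VSZ 0 passes, while the krish copy, the three perl workers and the bssh2z wrapper writing to .asd.log are each reported.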

    Action taken:
    1. User “krish” deleted.
    2. Processes belonging to krish killed.
    3. SSH access on the public IP blocked.
