
After stumbling upon some unknown folders in my unused OneDrive (posted question), I did some digging around and found some interesting logs. Apparently, OpenSSH had been used for remote access on my machine. A description of the attack can be found here: https://az4n6.blogspot.com/2020/02/detecting-laterial-movment-with-winscp.html.

I did a comparison and found out that the log information was indeed an outlier. There were 1450 audit failures in the past 7 days with various account name attempts. And it gets worse: judging by the audit successes and OpenSSH operational logs, there were multiple successful connections via the sshd process from various addresses, all over the world.

I think there is now little room for doubt whether unauthorized remote access did take place. The question rather is, what can be done after the fact. I stopped and disabled the sshd service, which seems to have prevented further remote access according to the event logs.

How should one proceed to ensure complete system sanitization in this case?

Example from audit successes.

SubjectUserName COMPUTERNAME
SubjectDomainName WORKGROUP
SubjectLogonId 0x3e7
LogonGuid {00000000-0000-0000-0000-000000000000}
TargetUserName sshd_1660
TargetDomainName VIRTUAL USERS
TargetLogonGuid {00000000-0000-0000-0000-000000000000}
TargetServerName localhost
TargetInfo localhost
ProcessId 0x67c
ProcessName C:\Windows\System32\OpenSSH\sshd.exe
IpAddress -
IpPort -

SubjectUserName COMPUTERNAME
SubjectDomainName WORKGROUP
SubjectLogonId 0x3e7
LogonGuid {00000000-0000-0000-0000-000000000000}
TargetUserName sshd_1336
TargetDomainName VIRTUAL USERS
TargetLogonGuid {00000000-0000-0000-0000-000000000000}
TargetServerName localhost
TargetInfo localhost
ProcessId 0x538
ProcessName C:\Windows\System32\OpenSSH\sshd.exe
IpAddress -
IpPort -

Examples from OpenSSH Operational logs.

EventData

process sshd
payload Disconnected from 45.67.14.20 port 43576 [preauth]

EventData

process sshd
payload Received disconnect from 45.67.14.20 port 49506:11: Bye Bye [preauth]

EventData

process sshd
payload Did not receive identification string from 139.162.75.112 port 56876

EventData

process sshd
payload Received disconnect from 222.186.15.115 port 20660:11: [preauth]

EventData

process sshd
Connection closed by 70.57.111.62 port 42988 [preauth]

user851
    Does this answer your question? [How do I deal with a compromised server?](https://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server), [Advice on what to do after being hacked?](https://security.stackexchange.com/questions/23842/advice-on-what-to-do-after-being-hacked). – Steffen Ullrich Oct 18 '20 at 20:47
  • 1
    I don't know how to interpret the Windows logs, but the OpenSSH logs don't seem to indicate any successful logins. – multithr3at3d Oct 19 '20 at 23:16
  • Does "[preauth]" mean there was connection but no authentication? – user851 Oct 21 '20 at 09:27
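The following is an added example, not code from the question or its comments: it sorts OpenSSH operational payloads like the ones quoted above into what they prove. Every payload quoted in the question is either a `[preauth]` disconnect (the session ended before authentication finished) or a banner-less probe, so none of them records a completed login; only an `Accepted ...` line does, and the Security-log entries naming `sshd_<pid>` accounts in the `VIRTUAL USERS` domain are Win32-OpenSSH logging on its own privilege-separation child rather than a remote user. The last two sample lines (the 203.0.113.5 address and the user `alice`) are constructed to show what rejected and accepted credential lines look like.

```python
import re
from collections import Counter, defaultdict

# sshd names the peer as "from <ip> port <n>" or "by <ip> port <n>", sometimes with
# "invalid user X" / "authenticating user X" inserted before the address.
_PEER = re.compile(r"\b(?:from|by) (?:(?:invalid|authenticating) user \S+ )?"
                   r"(\d{1,3}(?:\.\d{1,3}){3}) port (\d+)")

def classify(payload):
    """Return (category, 'ip:port' or None) for one sshd payload.
    accepted: authentication succeeded (the only category that proves a login);
    failed: a credential was offered and rejected; preauth: the session ended
    before authentication finished; probe: the peer never sent an SSH banner."""
    m = _PEER.search(payload)
    peer = f"{m.group(1)}:{m.group(2)}" if m else None
    if payload.startswith("Accepted "):
        return "accepted", peer
    if payload.startswith(("Failed ", "Invalid user ")):
        return "failed", peer
    if "Did not receive identification string" in payload:
        return "probe", peer
    if payload.rstrip().endswith("[preauth]"):
        return "preauth", peer
    return "other", peer

def summarize(payloads):
    """Count categories per source IP so probes and failures stand apart from logins."""
    by_ip = defaultdict(Counter)
    for p in payloads:
        cat, peer = classify(p)
        by_ip[peer.split(":")[0] if peer else "unknown"][cat] += 1
    return {ip: dict(c) for ip, c in by_ip.items()}

def authenticated_sources(payloads):
    """IPs with at least one 'Accepted' line: the sources that warrant a full IR response."""
    return sorted(ip for ip, c in summarize(payloads).items() if c.get("accepted"))

# The first five payloads are the ones quoted in the question; the last two are constructed
# (RFC 5737 address, made-up user) to show what rejected and accepted credentials look like.
SAMPLE_PAYLOADS = [
    "Disconnected from 45.67.14.20 port 43576 [preauth]",
    "Received disconnect from 45.67.14.20 port 49506:11: Bye Bye [preauth]",
    "Did not receive identification string from 139.162.75.112 port 56876",
    "Received disconnect from 222.186.15.115 port 20660:11: [preauth]",
    "Connection closed by 70.57.111.62 port 42988 [preauth]",
    "Failed password for invalid user admin from 45.67.14.20 port 43570 ssh2",  # constructed
    "Accepted password for alice from 203.0.113.5 port 51000 ssh2",  # constructed
]
```

Run `summarize(SAMPLE_PAYLOADS)` over an export of the OpenSSH operational channel: a host that appears only under `preauth`, `probe` or `failed` scanned or guessed credentials, while anything returned by `authenticated_sources` actually completed a login.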
