Re: [Hampshire] ssh permission denied?

Author: Vic
Date:  
To: hampshire
Subject: Re: [Hampshire] ssh permission denied?

> Jan 10 14:04:46 weylandyutani sshd[15443]: Server listening on :: port 443.


The compromise is prior to this. 443 is the port usually used for https,
so this looks like an obfuscation technique to allow traffic to flow
unnoticed. It will also tend to get around tarpits.

> Jan 10 14:20:10 weylandyutani sshd[5310]: error: Bad prime description in line 185


That's serious; it looks like the initial attack managed to knock out the prime
moduli. That would make keys very easy to attack.

> Jan 15 16:09:20 weylandyutani useradd[16214]: new user: name=sysconf, UID=0, GID=0, home=/home/sysconf, shell=/bin/sh
> Jan 15 16:09:29 weylandyutani passwd[16238]: pam_unix(passwd:chauthtok): password changed for sysconf


OK, the attacker set up a user. That's probably no big deal - by this
stage, he's already got a login with sufficient privilege to run useradd -
i.e. likely has root privilege. But note that his user has UID=0 :-(

> Jan 15 16:10:03 weylandyutani sshd[16341]: Accepted password for sysconf from ::ffff:87.219.62.79 port 49985 ssh2


Right, so you know the attack came from a dynamic IP in Spain. This might
be a proxy, rather than the real attacker's IP.

> So what now, last I heard there really wasn't a good way to "fix" a system
> once it was compromised.


Well, it can be done from a rescue CD - but considering the ease with
which a Linux system can be reinstalled, it's rarely worth the effort.

> I can re-install and re-configure the server, but I'd really like to know
> what was exploited to get in originally so I can make sure it doesn't
> happen again.
>
> Any suggestions on where to look for that?


Firstly - save all your log files. The initial exploit is before any of
the snippets you posted. You need to find out how sshd was started on port
443.

Which distro/version were you using?

Vic.
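As an added illustration (not part of the thread), the following script pulls the three indicators Vic walks through out of syslog-style auth log lines: sshd listening on a port other than the expected one, the "Bad prime description" moduli error, and a useradd creating a non-root account with UID=0, followed by any SSH login as that account. The sample lines are constructed from the excerpts quoted above; the hostname, PIDs and the extra `alice` login are illustrative.

```python
import re

# Constructed sample modelled on the log excerpts quoted in the thread
# (hostname, PIDs and the benign 'alice' login are illustrative only).
SAMPLE_LOG = """\
Jan 10 14:04:46 weylandyutani sshd[15443]: Server listening on :: port 443.
Jan 10 14:20:10 weylandyutani sshd[5310]: error: Bad prime description in line 185
Jan 15 16:09:20 weylandyutani useradd[16214]: new user: name=sysconf, UID=0, GID=0, home=/home/sysconf, shell=/bin/sh
Jan 15 16:09:29 weylandyutani passwd[16238]: pam_unix(passwd:chauthtok): password changed for sysconf
Jan 15 16:10:03 weylandyutani sshd[16341]: Accepted password for sysconf from ::ffff:87.219.62.79 port 49985 ssh2
Jan 15 16:11:00 weylandyutani sshd[16400]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
"""

LISTEN_RE = re.compile(r"sshd\[\d+\]: Server listening on (\S+) port (\d+)\.?$")
PRIME_RE = re.compile(r"sshd\[\d+\]: error: Bad prime description")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(\w+), UID=(\d+), GID=(\d+)")
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\w+) from (\S+) port \d+")


def audit_auth_log(text, expected_ports=frozenset({22})):
    """Return a list of (severity, message) findings, in log order."""
    findings = []
    suspect_users = set()  # non-root accounts created with UID=0
    for line in text.splitlines():
        m = LISTEN_RE.search(line)
        if m and int(m.group(2)) not in expected_ports:
            findings.append(("high", f"sshd listening on unexpected port {m.group(2)} ({m.group(1)})"))
            continue
        if PRIME_RE.search(line):  # moduli file damaged or replaced
            findings.append(("high", "sshd moduli damaged: 'Bad prime description'"))
            continue
        m = USERADD_RE.search(line)
        if m:
            name, uid = m.group(1), int(m.group(2))
            if uid == 0 and name != "root":  # a second root-equivalent account
                suspect_users.add(name)
                findings.append(("critical", f"new account {name!r} created with UID=0"))
            continue
        m = LOGIN_RE.search(line)
        if m and m.group(2) in suspect_users:  # correlate logins with the rogue account
            findings.append(("critical", f"login as UID-0 account {m.group(2)!r} from {m.group(3)} via {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_auth_log(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run it against a saved copy of the logs (as Vic advises, keep them before reinstalling); the listening-port check only catches the symptom, so the real question of how sshd came to be started on 443 still needs to be answered from earlier entries.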