This is the full lowdown on what to do:
http://www.la-samhna.de/library/brutessh.html

On Sun, May 10, 2009 at 9:57 AM, Lisa Kachold wrote:
> This is the FIRST thing in setting up any secure server (along with, say,
> not running Apache or MySQL as root, etc.)
>
> Evidently you have not attended the HackFests, where more than a few of the
> group were, well, able to gain a login on a machine with various tools,
> including brute forcing via Muppet, and dictionary attacks.
>
> http://a.mongers.org/muppets/20040808-sshscan-1
>
> http://blog.taragana.com/index.php/archive/brute-force-ssh-hacking-attempt-on-my-server-guess-who-was-responsible/
>
> What you say? Nothing in the logs? Pwnership immediately cloaks all
> future access via nice wrappers for a list of binaries. Apt-get or yum
> refresh your ls, top, netstat, who, last.
>
> What you say? You ran a rootkit search and found nothing. Sorry, but the
> simple truth is that most craft their own rootkits via simple gcc make to
> even mimic the time/date creation and the file size.
>
> Set up a quick Snort and log to another server with no SSH to catch them in
> your spider trap?
>
> On Sat, May 9, 2009 at 9:56 PM, Andrew "Tuna" Harris <tuna@supertunaman.com> wrote:
>
>> Excerpts from Lisa Kachold's message of Sat May 09 20:17:24 -0700 2009:
>> > Be afraid, very afraid!
>> >
>> Oh hamburgers!
>>
>> > You must put that IP in your firewall!
>> >
>> Done.
>>
>> > There's a good chance they already got in, if you didn't put in iptables
>> > brute force controls?
>> >
>> OH SHI-
>>
>> How'd they get in? What's going on? :<
>>
>> > On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris wrote:
>> >
>> > > Helloes.
>> > >
>> > > Yes, another thread about the Chinese.
>> > >
>> > > Okay so over the past couple days I've been seeing things like this:
>> > >
>> > > /var/log/messages:May 9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
>> > > /var/log/messages:May 9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
>> > >
>> > > And then I don't hear from that IP ever again. What's going on here? Did
>> > > the script that all those kiddies are using break? Should I be more
>> > > concerned?
>> > >
>> > > Thanks!
>> > > ---------------------------------------------------
>> > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> > > To subscribe, unsubscribe, or to change your mail settings:
>> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> www.obnosis.com (503)754-4452
> "Contradictions do not exist." A. Rand
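The thread asks what sshd log lines like the ones Tuna quoted mean and whether they warrant a firewall rule. Below is a small detector, added as an example for this page and not code from the thread or its authors, that tallies sshd events per source address and separates a bare banner probe ("Did not receive identification string", as in the quoted lines) from an actual password brute force. The first two sample lines are the ones from the post; the remaining lines, the 192.0.2.0/24 addresses (a reserved documentation range) and the threshold of five failures are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages in the format quoted in the thread.
# Lines 1-2 are from the original post; the rest are made up for this example.
SAMPLE_LOG = """\
May 9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
May 9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
May 9 11:02:01 (none) sshd[702]: Connection from 192.0.2.44 port 40021
May 9 11:02:02 (none) sshd[702]: Failed password for invalid user admin from 192.0.2.44 port 40021 ssh2
May 9 11:02:03 (none) sshd[703]: Failed password for invalid user oracle from 192.0.2.44 port 40022 ssh2
May 9 11:02:04 (none) sshd[704]: Failed password for root from 192.0.2.44 port 40023 ssh2
May 9 11:02:05 (none) sshd[705]: Failed password for root from 192.0.2.44 port 40024 ssh2
May 9 11:02:06 (none) sshd[706]: Failed password for invalid user test from 192.0.2.44 port 40025 ssh2
May 9 11:05:00 (none) sshd[710]: Accepted publickey for tuna from 192.0.2.7 port 51000 ssh2
"""

# sshd message types worth counting per source address.
PATTERNS = {
    "noident": re.compile(r"Did not receive identification string from (\S+)"),
    "failed":  re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port"),
    "invalid": re.compile(r"Failed password for invalid user \S+ from (\S+) port"),
}

def tally(log_text):
    """Return {ip: {"noident": n, "failed": n, "invalid": n}} for the given log text."""
    counts = defaultdict(lambda: {"noident": 0, "failed": 0, "invalid": 0})
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                counts[m.group(1)][kind] += 1
    return dict(counts)

def classify(counts, fail_threshold=5):
    """Label a source 'bruteforce' once failures reach the threshold (assumed: 5),
    or 'scanner' when it only probed the banner and never tried a password."""
    verdicts = {}
    for ip, c in counts.items():
        if c["failed"] >= fail_threshold:
            verdicts[ip] = "bruteforce"
        elif c["noident"] and not c["failed"]:
            verdicts[ip] = "scanner"
    return verdicts

if __name__ == "__main__":
    t = tally(SAMPLE_LOG)
    for ip, verdict in classify(t).items():
        print(f"{ip}: {verdict} {t[ip]}")
```

Run against a real file with `tally(open("/var/log/messages").read())`; the source IP quoted in the post comes out as a scanner (one banner probe, no password attempts), which is the "hear nothing more from that IP" pattern the thread describes.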