Here's a video using custom dictionaries and netcat:
http://bitcast-a.bitgravity.com/revision3/web/hak5/0511/hak5--0511--netcat-virtualization-wordpress--large.xvid.avi

You only see the foolish ones in your logs; these exploits can also use an obfuscated source for a number of each of their source addresses, so what you see as a distributed attack is actually just one person running a 5-day-sized dictionary against the passwd file.

Check hydra, Jack the ripper, brutus (list here): http://sectools.org/crackers.html

On Sun, May 10, 2009 at 10:05 AM, Lisa Kachold wrote:
> This is the full lowdown on what to do:
>
> http://www.la-samhna.de/library/brutessh.html
>
>
> On Sun, May 10, 2009 at 9:57 AM, Lisa Kachold wrote:
>
>> This is the FIRST thing in setting up any secure server (along with, say,
>> not running Apache or Mysql as root, etc.)
>>
>> Evidently you have not attended the HackFests, where more than a few of
>> the group were, well, able to gain a login on a machine with various tools
>> including Brute Forcing via Muppet, and dictionary attacks.
>>
>> http://a.mongers.org/muppets/20040808-sshscan-1
>>
>> http://blog.taragana.com/index.php/archive/brute-force-ssh-hacking-attempt-on-my-server-guess-who-was-responsible/
>>
>> What you say? Nothing in the logs? Pwnership immediately cloaks all
>> future access via nice wrappers for a list of binaries. Apt-get or yum
>> refresh your ls, top, netstat, who, last.
>>
>> What you say? You ran a rootkit search and found nothing. Sorry, but the
>> simple truth is that most craft their own rootkits via simple gcc make to
>> even mimic the time/date creation and the file size.
>>
>> Set up a quick Snort and log to another server with no SSH to catch them in
>> your spider trap?
>>
>>
>> On Sat, May 9, 2009 at 9:56 PM, Andrew "Tuna" Harris <tuna@supertunaman.com> wrote:
>>
>>> Excerpts from Lisa Kachold's message of Sat May 09 20:17:24 -0700 2009:
>>> > Be afraid, very afraid!
>>> >
>>> Oh hamburgers!
>>>
>>> > You must put that IP in your firewall!
>>> >
>>> Done.
>>>
>>> > There's a good chance they already got in, if you didn't put in iptables
>>> > brute force controls?
>>> >
>>> OH SHI-
>>>
>>> How'd they get in? What's going on? :<
>>>
>>> > On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris wrote:
>>> >
>>> > > Helloes.
>>> > >
>>> > > Yes, another thread about the Chinese.
>>> > >
>>> > > Okay, so over the past couple days I've been seeing things like this:
>>> > >
>>> > > /var/log/messages:May 9 11:00:10 (none) sshd[688]: Connection from
>>> > > 200.111.157.187 port 51751
>>> > > /var/log/messages:May 9 11:00:10 (none) sshd[688]: Did not receive
>>> > > identification string from 200.111.157.187
>>> > >
>>> > > And then I don't hear from that IP ever again. What's going on here? Did
>>> > > the script that all those kiddies are using break? Should I be more
>>> > > concerned?
>>> > >
>>> > > Thanks!
>>> > > ---------------------------------------------------
>>> > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>>> > > To subscribe, unsubscribe, or to change your mail settings:
>>> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>> > >
>>> >
>>>
>>
>> --
>> www.obnosis.com (503)754-4452
>> "Contradictions do not exist." A. Rand
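As an added example (not code from the thread or any of its posters), here is a small Python 3.8+ script that parses sshd lines in the exact syslog format Andrew quoted, groups them by source address, and separates a lone banner probe (one connection, no identification string sent) from a connection burst that the "iptables brute force controls" Lisa refers to would rate-limit. The 4-connections-in-60-seconds threshold and all sample log lines are constructed assumptions, not real captures.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog-style sshd lines as quoted in the thread; a "/var/log/messages:" grep prefix is tolerated.
LINE_RE = re.compile(r"^(?:/var/log/\S+?:)?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
EVENTS = {  # the two sshd message types quoted in the thread
    "conn": re.compile(r"^Connection from (?P<ip>[\d.]+) port \d+"),
    "noid": re.compile(r"^Did not receive identification string from (?P<ip>[\d.]+)"),
}
WINDOW_SECONDS, BURST_HITS = 60, 4  # assumed threshold, the usual shape of an iptables "recent" rule

def parse(lines):
    """Yield (timestamp, event, ip) for recognised sshd lines; everything else is skipped."""
    for m in filter(None, map(LINE_RE.match, lines)):
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")  # syslog has no year
        for event, rx in EVENTS.items():
            if e := rx.match(m.group("msg")):
                yield ts, event, e.group("ip")
                break

def burst(times, hits=BURST_HITS, window=WINDOW_SECONDS):
    """True if any `hits` consecutive connections (log order) fall inside `window` seconds."""
    return any((times[i + hits - 1] - times[i]).total_seconds() <= window
               for i in range(len(times) - hits + 1))

def classify(lines):
    """Per source IP, collect event timestamps and attach a defender-oriented verdict."""
    per_ip = defaultdict(lambda: defaultdict(list))
    for ts, event, ip in parse(lines):
        per_ip[ip][event].append(ts)
    verdicts = {}
    for ip, c in per_ip.items():
        if burst(c["conn"]):
            verdicts[ip] = "burst: %d+ connections within %ds, rate-limit candidate" % (BURST_HITS, WINDOW_SECONDS)
        elif c["noid"] and len(c["noid"]) >= len(c["conn"]):
            verdicts[ip] = "banner scan: connected but never sent an SSH identification string"
        else:
            verdicts[ip] = "normal"
    return verdicts

# Constructed sample in the thread's format (not a real capture); 203.0.113.5 is a documentation address.
SAMPLE = """\
/var/log/messages:May  9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
/var/log/messages:May  9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
May  9 11:02:01 (none) sshd[701]: Connection from 203.0.113.5 port 40001
May  9 11:02:05 (none) sshd[703]: Connection from 203.0.113.5 port 40002
May  9 11:02:09 (none) sshd[705]: Connection from 203.0.113.5 port 40003
May  9 11:02:12 (none) sshd[707]: Connection from 203.0.113.5 port 40004
""".splitlines()
```

Run `classify(SAMPLE)` on the constructed lines: the address from Andrew's log comes back as a banner scan, while the four rapid connections from 203.0.113.5 are flagged as a burst.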