This is the full lowdown on what to do:

http://www.la-samhna.de/library/brutessh.html



On Sun, May 10, 2009 at 9:57 AM, Lisa Kachold <lisakachold@obnosis.com> wrote:
This is the FIRST thing in setting up any secure server (along with, say, not running Apache or MySQL as root, etc.)

Evidently you have not attended the HackFests, where more than a few of the group were, well, able to gain a login on a machine with various tools, including brute forcing via Muppet and dictionary attacks.

http://a.mongers.org/muppets/20040808-sshscan-1
http://blog.taragana.com/index.php/archive/brute-force-ssh-hacking-attempt-on-my-server-guess-who-was-responsible/

What you say? Nothing in the logs? Pwnership immediately cloaks all future access via nice wrappers for a list of binaries. Apt-get or yum refresh your ls, top, netstat, who, last.

What you say? You ran a rootkit search and found nothing. Sorry, but the simple truth is that most craft their own rootkits via a simple gcc make, to even mimic the time/date of creation and the file size.

Set up a quick Snort and log to another server with no SSH to catch them in your spider trap?



On Sat, May 9, 2009 at 9:56 PM, Andrew "Tuna" Harris <tuna@supertunaman.com> wrote:
Excerpts from Lisa Kachold's message of Sat May 09 20:17:24 -0700 2009:
> Be afraid, very afraid!
>
Oh hamburgers!

> You must put that IP in your firewall!
>
Done.

> There's a good chance they already go in, if you didn't put in iptables
> brute force controls?
>
OH SHI-

How'd they get in? What's going on? :<

> On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris
> <tuna@supertunaman.com>wrote:
>
> > Helloes.
> >
> > Yes, another thread about the Chinese.
> >
> > Okay, so over the past couple days I've been seeing things like this:
> >
> > /var/log/messages:May  9 11:00:10 (none) sshd[688]: Connection from
> > 200.111.157.187 port 51751
> > /var/log/messages:May  9 11:00:10 (none) sshd[688]: Did not receive
> > identification string from 200.111.157.187
> >
> > And then I don't hear from that IP ever again. What's going on here? Did
> > the script that all those kiddies are using break? Should I be more
> > concerned?
> >
> > Thanks!
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
>
--
www.obnosis.com (503)754-4452
"Contradictions do not exist." A. Rand

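A defender's triage of the sshd lines quoted in this thread, added here as an example; it is not code from any message in the thread or from the brutessh article linked at the top. It parses the two line formats Andrew posted (the `/var/log/messages:` prefix left by grep, `Connection from ... port ...`, and `Did not receive identification string from ...`), counts them per source address, and separates a one-off banner grab like his (one connection, then silence) from a scanner that keeps coming back. The sample log is constructed: the 200.111.157.187 lines are the ones from the thread, the 192.0.2.44 lines are invented, and the year 2009 is assumed because syslog omits it.

```python
import re
from datetime import datetime
# Syslog line as quoted in the thread, with the optional "/var/log/messages:" prefix grep adds.
SYSLOG_RE = re.compile(
    r"^(?:/var/log/[^:\s]+:)?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+(?P<msg>.*)$")
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
CONNECT_RE = re.compile(r"^Connection from " + IPV4 + r" port \d+")
NOIDENT_RE = re.compile(r"^Did not receive identification string from " + IPV4)

# Constructed sample: the two lines from the thread plus an invented noisy scanner on 192.0.2.44.
SAMPLE_LOG = """\
/var/log/messages:May  9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
/var/log/messages:May  9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
May  9 11:04:01 (none) sshd[702]: Connection from 192.0.2.44 port 40001
May  9 11:04:01 (none) sshd[702]: Did not receive identification string from 192.0.2.44
May  9 11:04:03 (none) sshd[703]: Connection from 192.0.2.44 port 40002
May  9 11:04:03 (none) sshd[703]: Did not receive identification string from 192.0.2.44
May  9 11:04:05 (none) sshd[704]: Connection from 192.0.2.44 port 40003
May  9 11:04:05 (none) sshd[704]: Did not receive identification string from 192.0.2.44
""".splitlines()

def parse_line(line, year=2009):
    """Return (timestamp, message) for an sshd syslog line, else None. syslog omits the year, so one is assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {int(m['day']):02d} {m['time']}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["msg"]

def triage(lines, window_minutes=10, probe_threshold=3):
    """Count connects and empty-banner disconnects per source IP, then label each one.
    No identification string means the client quit before the SSH handshake: no login was tried."""
    stats = {}
    for ts, msg in filter(None, map(parse_line, lines)):
        for kind, rx in (("connections", CONNECT_RE), ("no_ident", NOIDENT_RE)):
            m = rx.match(msg)
            if m:
                s = stats.setdefault(m["ip"], {"connections": 0, "no_ident": 0, "first": ts, "last": ts})
                s[kind] += 1
                s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    for s in stats.values():
        span_min = (s["last"] - s["first"]).total_seconds() / 60
        if s["no_ident"] >= probe_threshold and span_min <= window_minutes:
            s["verdict"] = "scanner: repeated banner grabs, candidate for a firewall rate limit"
        elif s["connections"] == 1 and s["no_ident"] == 1:
            s["verdict"] = "single probe: banner grab, no login attempted"
        else:
            s["verdict"] = "review manually"
    return stats
```

Run it over `grep sshd /var/log/messages` output to see which addresses are worth an iptables rate limit and which were a single scan that never reached authentication.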