Re: Chinese Kiddos with Broken Dicts?

Author: Lisa Kachold
Date:  
To: Main PLUG discussion list
Subject: Re: Chinese Kiddos with Broken Dicts?
This is the FIRST thing in setting up any secure server (along with, say, not
running Apache or MySQL as root, etc.).

Evidently you have not attended the HackFests, where more than a few of the
group were, well, able to gain a login on a machine with various tools,
including brute forcing via Muppet, and dictionary attacks.

http://a.mongers.org/muppets/20040808-sshscan-1
http://blog.taragana.com/index.php/archive/brute-force-ssh-hacking-attempt-on-my-server-guess-who-was-responsible/

What you say? Nothing in the logs? Pwnership immediately cloaks all future
access via nice wrappers for a list of binaries. Apt-get or yum refresh
your ls, top, netstat, who, last.

What you say? You ran a rootkit search and found nothing. Sorry but the
simple truth is that most craft their own rootkits via simple gcc make to
even mimic the time/date creation and the file size.

Set up a quick Snort and log to another server with no SSH to catch them in
your spider trap?


On Sat, May 9, 2009 at 9:56 PM, Andrew "Tuna" Harris <> wrote:

> Excerpts from Lisa Kachold's message of Sat May 09 20:17:24 -0700 2009:
> > Be afraid, very afraid!
> >
> Oh hamburgers!
>
> > You must put that IP in your firewall!
> >
> Done.
>
> > There's a good chance they already go in, if you didn't put in iptables
> > brute force controls?
> >
> OH SHI-
>
> How'd they get in? What's going on? :<
>
> > On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris <> wrote:
> >
> > > Helloes.
> > >
> > > Yes, another thread about the Chinese.
> > >
> > > Okay, so over the past couple of days I've been seeing things like this:
> > >
> > > /var/log/messages:May 9 11:00:10 (none) sshd[688]: Connection from
> > > 200.111.157.187 port 51751
> > > /var/log/messages:May 9 11:00:10 (none) sshd[688]: Did not receive
> > > identification string from 200.111.157.187
> > >
> > > And then I don't hear from that IP ever again. What's going on here? Did
> > > the script that all those kiddies are using break? Should I be more
> > > concerned?
> > >
> > > Thanks!
> > > ---------------------------------------------------
> > > PLUG-discuss mailing list -
> > > To subscribe, unsubscribe, or to change your mail settings:
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > >




--
www.obnosis.com (503)754-4452
"Contradictions do not exist." A. Rand
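The "Did not receive identification string" line Andrew quotes is what sshd logs when a client connects and closes the connection before sending its SSH version string, which is the footprint of a scanner or banner grab rather than a password-guessing run; a brute force shows up as repeated "Failed password" lines. As an added example, not code from the thread, here is a small Python triage script over lines in that /var/log/messages format; the "Failed password" and "Accepted" line shapes are standard OpenSSH messages, and every address except the one quoted in the thread is constructed.

```python
import re
from collections import defaultdict
# Constructed sample in the /var/log/messages format quoted in the thread; the
# first two lines follow the post, the other addresses are made up for this example.
SAMPLE_LOG = """\
May 9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
May 9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
May 9 11:02:42 (none) sshd[702]: Failed password for invalid user admin from 192.0.2.10 port 40210 ssh2
May 9 11:02:45 (none) sshd[704]: Failed password for invalid user oracle from 192.0.2.10 port 40211 ssh2
May 9 11:02:48 (none) sshd[706]: Failed password for root from 192.0.2.10 port 40212 ssh2
May 9 11:05:05 (none) sshd[710]: Accepted publickey for andrew from 198.51.100.7 port 51000 ssh2
"""

# One regex per sshd event; each captures the client IP (and the user, if any).
PATTERNS = {
    "no_ident": re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)"),
    "failed": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port"),
    "accepted": re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port"),
}

def summarize(log_text):
    """Tally sshd events per source IP, plus the user names tried from it."""
    stats = defaultdict(lambda: {"no_ident": 0, "failed": 0, "accepted": 0, "users": set()})
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m is None:
                continue
            if kind == "no_ident":
                ip = m.group(1)
            else:
                user, ip = m.groups()
                stats[ip]["users"].add(user)
            stats[ip][kind] += 1
    return dict(stats)

def classify(stats, fail_threshold=3):
    """Label each IP: banner-only probe (the thread's pattern), brute force, login after failures, or ok."""
    labels = {}
    for ip, s in stats.items():
        if s["accepted"] and s["failed"]:
            labels[ip] = "accepted-after-failures"  # look at this one first
        elif s["failed"] >= fail_threshold:
            labels[ip] = "brute-force"
        elif s["no_ident"] and not (s["failed"] or s["accepted"]):
            labels[ip] = "probe"  # connected, sent no SSH banner, went away
        else:
            labels[ip] = "ok"
    return labels
```

Run it against a copy of the log shipped to the separate log host Lisa suggests, so that a replaced `last` or `who` on the compromised box cannot hide the history.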