This is the full lowdown on what to do:
http://www.la-samhna.de/library/brutessh.html
On Sun, May 10, 2009 at 9:57 AM, Lisa Kachold <lisakachold@obnosis.com> wrote:
> This is the FIRST thing in setting up any secure server (along with say
> not running Apache or Mysql as root, etc.)
>
> Evidently you have not attended the HackFests, where more than a few of the
> group were, well, able to gain a login on a machine with various tools,
> including brute forcing via Muppet and dictionary attacks.
>
> http://a.mongers.org/muppets/20040808-sshscan-1
>
> http://blog.taragana.com/index.php/archive/brute-force-ssh-hacking-attempt-on-my-server-guess-who-was-responsible/
>
> What you say? Nothing in the logs? Pwnership immediately cloaks all
> future access via nice wrappers for a list of binaries. Apt-get or yum
> refresh your ls, top, netstat, who, last.
>
> What you say? You ran a rootkit search and found nothing. Sorry, but the
> simple truth is that most craft their own rootkits via simple gcc make to
> even mimic the time/date creation and the file size.
>
> Set up a quick Snort and log to another server with no SSH to catch them in
> your spider trap?
>
>
>
> On Sat, May 9, 2009 at 9:56 PM, Andrew "Tuna" Harris <tuna@supertunaman.com> wrote:
>
>> Excerpts from Lisa Kachold's message of Sat May 09 20:17:24 -0700 2009:
>> > Be afraid, very afraid!
>> >
>> Oh hamburgers!
>>
>> > You must put that IP in your firewall!
>> >
>> Done.
>>
>> > There's a good chance they already go in, if you didn't put in iptables
>> > brute force controls?
>> >
>> OH SHI-
>>
>> How'd they get in? What's going on? :<
>>
>> > On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris <tuna@supertunaman.com> wrote:
>> >
>> > > Helloes.
>> > >
>> > > Yes, another thread about the Chinese.
>> > >
>> > > Okay, so over the past couple of days I've been seeing things like this:
>> > >
>> > > /var/log/messages:May 9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
>> > > /var/log/messages:May 9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
>> > >
>> > > And then I don't hear from that IP ever again. What's going on here? Did
>> > > the script that all those kiddies are using break? Should I be more
>> > > concerned?
>> > >
>> > > Thanks!
>> > > ---------------------------------------------------
>> > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> > > To subscribe, unsubscribe, or to change your mail settings:
>> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>> > >
>> >
--
www.obnosis.com (503)754-4452
"Contradictions do not exist." A. Rand
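An added example, not from the thread or any of its posters: a small POSIX shell/awk script that does the per-IP counting the thread is really about. OpenSSH logs "Did not receive identification string from X" when a client connects and drops the connection before sending its protocol banner, which is what a scanner probing for open SSH ports looks like; repeated hits of that line, or of "Failed password", from one address are the condition a brute-force control such as a fail2ban-style iptables rule acts on. The log lines below are constructed to match the format quoted above (documentation-range addresses, invented PIDs and times), and the threshold value is an assumption, not a recommendation from the list.

```shell
#!/bin/sh
# Added example, not code from the thread. Counts scanner-style sshd events per
# source IP from a syslog-format file and lists addresses at or over a threshold.

# Constructed sample log lines modelled on the format quoted in the thread.
# 198.51.100.x / 203.0.113.x / 192.0.2.x are reserved documentation ranges.
SAMPLE_LOG='May  9 11:00:10 (none) sshd[688]: Connection from 203.0.113.45 port 51751
May  9 11:00:10 (none) sshd[688]: Did not receive identification string from 203.0.113.45
May  9 11:02:31 (none) sshd[702]: Connection from 198.51.100.7 port 40022
May  9 11:02:31 (none) sshd[702]: Did not receive identification string from 198.51.100.7
May  9 11:02:35 (none) sshd[703]: Connection from 198.51.100.7 port 40023
May  9 11:02:35 (none) sshd[703]: Did not receive identification string from 198.51.100.7
May  9 11:02:40 (none) sshd[704]: Connection from 198.51.100.7 port 40024
May  9 11:02:40 (none) sshd[704]: Did not receive identification string from 198.51.100.7
May  9 11:05:02 (none) sshd[710]: Failed password for root from 198.51.100.7 port 40030 ssh2
May  9 11:05:05 (none) sshd[711]: Failed password for invalid user oracle from 198.51.100.7 port 40031 ssh2
May  9 11:07:00 (none) sshd[720]: Accepted publickey for tuna from 192.0.2.10 port 50000 ssh2'

# suspicious_ips FILE THRESHOLD
# Prints "count ip", highest count first, for every source address whose
# "Did not receive identification string" plus "Failed password" events
# reach THRESHOLD. Plain "Connection from" lines are not counted: a single
# connect-and-drop, as in the original post, is noise until it repeats.
suspicious_ips() {
    awk -v thr="$2" '
        / sshd\[[0-9]+\]: (Did not receive identification string from|Failed password for .* from) / {
            # the source address is the field right after the last "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            hits[ip]++
        }
        END {
            for (ip in hits) if (hits[ip] >= thr) printf "%d %s\n", hits[ip], ip
        }' "$1" | sort -rn
}

# Stand-alone demo: write the constructed lines to a temp file and scan it.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
suspicious_ips "$demo_log" 3    # prints: 5 198.51.100.7
rm -f "$demo_log"
```

On a real box you would point it at /var/log/messages or /var/log/auth.log (whichever your distribution uses for sshd) and feed the resulting addresses to a firewall rule or to fail2ban. It is only worth as much as the log file it reads, which is Lisa's point about wrappers around netstat and friends: once a host is owned its own logs are suspect, so ship syslog to a separate machine first and run this kind of check there.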