Here's a video using custom dictionaries and netcat:
http://bitcast-a.bitgravity.com/revision3/web/hak5/0511/hak5--0511--netcat-virtualization-wordpress--large.xvid.avi
You only see the foolish ones in your logs, these exploits can also use an
obfuscated source for a number of each of their source addresses, so what
you see as a distributed attack, is actually just one person running a 5 day
sized dictionary against the passwd file.
Check hydra, Jack the ripper, brutus (list here):
http://sectools.org/crackers.html
On Sun, May 10, 2009 at 10:05 AM, Lisa Kachold <
lisakachold@obnosis.com>wrote:
> This is the full lowdown on what to do:
>
> http://www.la-samhna.de/library/brutessh.html
>
>
>
> On Sun, May 10, 2009 at 9:57 AM, Lisa Kachold <lisakachold@obnosis.com>wrote:
>
>> This is the FIRST thing in setting up any secure server (along with say
>> not running Apache or Mysql as root, etc.)
>>
>> Evidently you have not attended the HackFests, where more than a few of
>> the group were well, able to gain a login on a machine with various tools
>> including Brute Forcing via Muppet, and dictionary attacks.
>>
>> http://a.mongers.org/muppets/20040808-sshscan-1
>>
>> http://blog.taragana.com/index.php/archive/brute-force-ssh-hacking-attempt-on-my-server-guess-who-was-responsible/
>>
>> What you say? Nothing in the logs? Pwnership immediately cloaks all
>> future access via nice wrappers for a list of binaries. Apt-get or yum
>> refresh your ls, top, netstat, who, last.
>>
>> What you say? You ran a rootkit search and found nothing. Sorry but the
>> simple truth is that most craft their own rootkits via simple gcc make to
>> even mimic the time/date creation and the file size.
>>
>> Setup a quick Snort and log to another server with no SSH to catch them in
>> your spider trap?
>>
>>
>>
>> On Sat, May 9, 2009 at 9:56 PM, Andrew "Tuna" Harris <
>> tuna@supertunaman.com> wrote:
>>
>>> Excerpts from Lisa Kachold's message of Sat May 09 20:17:24 -0700 2009:
>>> > Be afraid, very afraid!
>>> >
>>> Oh hamburgers!
>>>
>>> > You must put that IP in your firewall!
>>> >
>>> Done.
>>>
>>> > There's a good chance they already go in, if you didn't put in iptables
>>> > brute force controls?
>>> >
>>> OH SHI-
>>>
>>> How'd they get in? What's going on? :<
>>>
>>> > On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris
>>> > <tuna@supertunaman.com>wrote:
>>> >
>>> > > Helloes.
>>> > >
>>> > > Yes, another thread about the Chinese.
>>> > >
>>> > > Okayso over the past couple days I've been seeing things like this:
>>> > >
>>> > > /var/log/messages:May 9 11:00:10 (none) sshd[688]: Connection from
>>> > > 200.111.157.187 port 51751
>>> > > /var/log/messages:May 9 11:00:10 (none) sshd[688]: Did not receive
>>> > > identification string from 200.111.157.187
>>> > >
>>> > > And then I don't hear from that ip ever again. What's going on here?
>>> Did
>>> > > the script that all those kiddies are using break? Should I be more
>>> > > concerned?
>>> > >
>>> > > Thanks!
>>> > > ---------------------------------------------------
>>> > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>>> > > To subscribe, unsubscribe, or to change your mail settings:
>>> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>> > >
>>> >
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>
>>
>>
>>
>> --
>> www.obnosis.com (503)754-4452
>> "Contradictions do not exist." A. Rand
>>
>
>
>
> --
> www.obnosis.com (503)754-4452
> "Contradictions do not exist." A. Rand
>
--
www.obnosis.com (503)754-4452
"Contradictions do not exist." A. Rand
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
(text/plain)