Chinese Kiddos with Broken Dicts?

Lisa Kachold lisakachold at obnosis.com
Sun May 10 09:57:40 MST 2009


This is the FIRST thing in setting up any secure server (along with say not
running Apache or Mysql as root, etc.)

Evidently you have not attended the HackFests, where more than a few of the
group were well, able to gain a login on a machine with various tools
including Brute Forcing via Muppet, and dictionary attacks.

http://a.mongers.org/muppets/20040808-sshscan-1
http://blog.taragana.com/index.php/archive/brute-force-ssh-hacking-attempt-on-my-server-guess-who-was-responsible/

What you say?  Nothing in the logs?  Pwnership immediately cloaks all future
access via nice wrappers for a list of binaries.  Apt-get or yum refresh
your ls, top, netstat, who, last.

What you say?  You ran a rootkit search and found nothing.  Sorry but the
simple truth is that most craft their own rootkits via simple gcc make to
even mimic the time/date creation and the file size.

Set up a quick Snort and log to another server with no SSH to catch them in
your spider trap?


On Sat, May 9, 2009 at 9:56 PM, Andrew "Tuna" Harris
<tuna at supertunaman.com> wrote:

> Excerpts from Lisa Kachold's message of Sat May 09 20:17:24 -0700 2009:
> > Be afraid, very afraid!
> >
> Oh hamburgers!
>
> > You must put that IP in your firewall!
> >
> Done.
>
> > There's a good chance they already go in, if you didn't put in iptables
> > brute force controls?
> >
> OH SHI-
>
> How'd they get in? What's going on? :<
>
> > On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris
> > <tuna at supertunaman.com> wrote:
> >
> > > Helloes.
> > >
> > > Yes, another thread about the Chinese.
> > >
> > > Okay, so over the past couple days I've been seeing things like this:
> > >
> > > /var/log/messages:May  9 11:00:10 (none) sshd[688]: Connection from
> > > 200.111.157.187 port 51751
> > > /var/log/messages:May  9 11:00:10 (none) sshd[688]: Did not receive
> > > identification string from 200.111.157.187
> > >
> > > And then I don't hear from that ip ever again. What's going on here? Did
> > > the script that all those kiddies are using break? Should I be more
> > > concerned?
> > >
> > > Thanks!
> > > ---------------------------------------------------
> > > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > > To subscribe, unsubscribe, or to change your mail settings:
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > >
> >



-- 
www.obnosis.com (503)754-4452
"Contradictions do not exist." A. Rand
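As an added example (not part of the thread, nor any tool the posters mention), here is the kind of check a defender can run over the sshd lines Tuna quoted: it parses /var/log/messages-style records, counts events per source address, and separates a bare "Did not receive identification string" banner probe from a run of password failures that looks like a dictionary attack. The log sample is constructed (only the (none) hostname and 200.111.157.187 come from the original post), and the three-failure threshold is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the /var/log/messages format quoted above. The (none)
# hostname and 200.111.157.187 come from the original post; the other addresses
# and the "Failed password" / "Accepted" lines are invented for illustration.
SAMPLE_LOG = """\
May  9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
May  9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
May  9 11:02:31 (none) sshd[702]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
May  9 11:02:33 (none) sshd[704]: Failed password for invalid user test from 203.0.113.9 port 40130 ssh2
May  9 11:02:35 (none) sshd[706]: Failed password for root from 203.0.113.9 port 40141 ssh2
May  9 11:02:37 (none) sshd[708]: Failed password for root from 203.0.113.9 port 40150 ssh2
May  9 11:05:00 (none) sshd[720]: Accepted publickey for tuna from 198.51.100.4 port 52000 ssh2
"""

# One pattern per sshd message type we care about; each captures the peer IP.
PATTERNS = {
    "noident": re.compile(r"Did not receive identification string from (?P<ip>[\d.]+)"),
    "failed": re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"),
    "accepted": re.compile(r"Accepted \w+ for \S+ from (?P<ip>[\d.]+)"),
}

def summarize(log_text):
    """Return {ip: Counter(event -> count)} for the sshd lines in log_text."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        if "sshd[" not in line:
            continue
        for event, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                per_ip[m.group("ip")][event] += 1
                break
    return per_ip

def classify(per_ip, fail_threshold=3):
    """Label each source. A 'Did not receive identification string' with no
    login attempts means the client connected and closed without ever sending
    an SSH version banner (a probe); fail_threshold or more password failures
    from one address is treated as a dictionary run (threshold is an assumption)."""
    labels = {}
    for ip, counts in per_ip.items():
        if counts["failed"] >= fail_threshold:
            labels[ip] = "brute-force"
        elif counts["noident"] and not counts["failed"] and not counts["accepted"]:
            labels[ip] = "probe-only"
        else:
            labels[ip] = "normal"
    return labels

if __name__ == "__main__":
    for ip, label in classify(summarize(SAMPLE_LOG)).items():
        print(ip, label)
```

Feeding it a real log would replace SAMPLE_LOG with the file contents; a "probe-only" source is a scanner that never sent a banner, which is why nothing else from that address shows up in the log.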