[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] OT: Break-In report

From: Les Mikesell <les futuresource com>
To: "Support list for open source software in schools." <k12osn redhat com>
Subject: Re: [K12OSN] OT: Break-In report
Date: Wed, 02 Jan 2008 08:15:33 -0600

Rob Owens wrote:

I particularly like the use of " " as a directory name. Nice andinvisible. Also note that the invader put his files in two directorieswhich have the "sticky" bit set: /dev/shm and /var/tmp
In the end, it seems that all the invader succeeded in doing was a bunchof port-scanning. The OS is going to be re-installed anyway, just to besafe.

It is probably looking for additional systems to compromise, and mayhave reported itself back to some controlling system.

Are there any organizations out there that this should be reported to?(For instance, the way one might send reports to an antivirus group or acontent filtering group).

There is quite a lot of ssh password guessing going on over theinternet. If you have systems with the ssh port exposed, you can expectto see a few hundred attempts a day in the logs - a slow enough ratethat you might not notice but the attackers are probably spreading theirattempts over thousands of systems. There are some packages that watchthe logs and firewall addresses with repeated failed attempts but noneare included in the distribution.


--
  Les Mikesell
   lesmikesell gmail com

Follow-Ups:
- Re: [K12OSN] OT: Break-In report
  - From: Michael Blinn
- Re: [K12OSN] OT: Break-In report
  - From: James P. Kinney III
- Re: [K12OSN] OT: Break-In report
  - From: Rob Owens

References:
- [K12OSN] OT: Break-In report
  - From: Rob Owens

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]