MORE SSH Hacking: heads-up

Scot L. Harris webid at cfl.rr.com
Fri Jul 30 20:33:51 UTC 2004


On Fri, 2004-07-30 at 05:45, Brian Fahrlander wrote:

> rhost=216.97.110.1  : 1 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=ccia-062-204-197-193.uned.es  : 1 Time(s)
> 
> su:
>    Sessions Opened:
>       brian(uid=500) -> root: 1 Time(s)
> 
> ------------------------------------------------------------------------
> 
>     Ok, guys- what do we do with this?  Should we be writing down the
> addresses from which these attempts were made? They're probably all
> 'stooge' addresses, I know, but it might help authorities to know what
> other machines have been compromised...
> 
>     I'll go save the log somewhere...
> 
> ------------------------------------------------------------------------

Other than double-checking your system, running chkrootkit, verifying
tripwire is set up, monitoring logs, etc., the best thing you can do if
you see the same addresses hitting your system is to block them in
iptables.  And if you don't really need ssh access out to the Internet,
disable that service.

Every day people attempt to log in to systems all over.  There is no
way anyone would be interested in doing anything unless they actually
compromise an important system at a company or government facility.

I could be wrong about that, but I doubt any government organization
would lift a finger if someone's personal system was hacked.  (Unless you
have lots of money, that is.)

But like I said, I could be way too cynical about this.

-- 
Scot L. Harris
webid at cfl.rr.com
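
The "block repeat offenders in iptables" advice above, as an added example that is not part of the original message: a small POSIX sh script that pulls the rhost= value out of sshd/PAM "authentication failure" lines, counts attempts per source, and prints an iptables DROP rule for every source over a threshold. The log lines are constructed for the demo (documentation addresses plus one hostname from the quoted logwatch output), and the threshold of 3 failures and the INPUT chain are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the original post or from fedora-list.
# Counts sshd authentication failures per source and prints iptables rules
# for sources that exceed a threshold. Rules are printed, not executed, so
# you can review them before running them as root.

# Constructed sample of the kind of lines logwatch summarises (assumption:
# 192.0.2.10 hammers the box, the other two sources try only once).
SAMPLE_LOG='Jul 30 04:12:01 host sshd[1001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10
Jul 30 04:12:03 host sshd[1002]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10
Jul 30 04:12:05 host sshd[1003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10
Jul 30 04:12:07 host sshd[1004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10
Jul 30 04:12:09 host sshd[1005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10
Jul 30 05:01:44 host sshd[1010]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7
Jul 30 05:40:12 host sshd[1011]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ccia-062-204-197-193.uned.es
Jul 30 06:00:00 host sshd[1012]: Accepted publickey for brian from 192.0.2.99 port 40000 ssh2'

# Read log text on stdin; print "count rhost" for each source, one per line.
# Only sshd authentication-failure lines with a non-empty rhost= count.
count_failures() {
    grep 'sshd.*authentication failure' |
    sed -n 's/.*rhost=\([^ ][^ ]*\).*/\1/p' |
    sort | uniq -c |
    awk '{ print $1, $2 }'
}

# Read log text on stdin; print an iptables rule for every source with more
# than $1 failures. A hostname in rhost= is resolved by iptables when the
# rule is inserted, so check it resolves to what you expect before running.
block_rules() {
    threshold=$1
    count_failures |
    awk -v t="$threshold" '$1 > t {
        printf "iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n", $2
    }'
}

# Usage: pipe the real log in instead of the sample, e.g.
#   block_rules 3 < /var/log/secure
printf '%s\n' "$SAMPLE_LOG" | block_rules 3
```

Blocking by IP is only a stopgap: the source usually moves on to another compromised host, and an rhost= that is a hostname can change its address at any time, which is why the script prints rules for review instead of applying them.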

More information about the fedora-list mailing list