Machine compromised

Jason L Tibbitts III tibbs at math.uh.edu
Wed Dec 20 05:50:20 UTC 2006


>>>>> "b" == bhiksha  <bhiksha at merl.com> writes:

b> I'm not sure if "backup" was a valid account in the first place --

I have no such account on any of my machines, so it's certainly not
there by default.  However, it's possible that some package you
installed created that account.  I can't think of any package that
might have done so; the BackupPC package in extras adds a "backuppc"
account, but it's created disabled and with /sbin/nologin as the
shell.

b> It's easy to make out that it's a classic dictionary attack --
b> they've tried about a hundred userids, and attempted to login
b> several thousand times. They tried "backup" thrice and managed to
b> get in.

Well, if you expose port 22 to the Internet, you will find that there
are hosts which constantly attempt dictionary attacks against you.
You should install something like denyhosts if you want to have them
automatically blocked.  There are, however, many out there who just
treat this as nothing more than noise in their logs.

You should of course not leave your machine running and certainly not
connected to the Internet; it should be wiped and reinstalled.  If you
want to do forensics, pull the drive first.  There's no telling how
many backdoors or malicious bits were installed.

 - J<
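The pattern described in the thread (many failed logins across many userids from one source, then a success on a weak account) can be pulled out of sshd logs with a short script. This is an added example, not code from the original post or from denyhosts; the log lines are constructed and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (syslog-style); not taken from the thread.
SAMPLE_LOG = """\
Dec 19 22:01:11 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Dec 19 22:01:14 host sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Dec 19 22:01:17 host sshd[4105]: Failed password for root from 203.0.113.7 port 40141 ssh2
Dec 19 22:01:20 host sshd[4107]: Failed password for backup from 203.0.113.7 port 40150 ssh2
Dec 19 22:01:23 host sshd[4109]: Failed password for backup from 203.0.113.7 port 40155 ssh2
Dec 19 22:01:26 host sshd[4111]: Accepted password for backup from 203.0.113.7 port 40160 ssh2
Dec 19 22:05:01 host sshd[4200]: Accepted publickey for jason from 192.0.2.10 port 51000 ssh2
"""

# "invalid user" appears only when the account does not exist locally.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")

def analyze(log_text, min_failures=3, min_users=2):
    """Return (suspects, compromises).

    suspects:    {ip: {"failures": n, "users": [...]}} for source IPs whose
                 failure count and distinct-username count cross the thresholds
                 (assumed defaults; tune to your log volume).
    compromises: [(ip, user, auth_method)] for successful logins from an IP
                 that had already failed before succeeding, i.e. a guess that hit.
    """
    failures = defaultdict(lambda: {"failures": 0, "users": set()})
    compromises = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip]["failures"] += 1
            failures[ip]["users"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if ip in failures:  # success only after prior failures from this source
                compromises.append((ip, user, method))
    suspects = {ip: {"failures": d["failures"], "users": sorted(d["users"])}
                for ip, d in failures.items()
                if d["failures"] >= min_failures and len(d["users"]) >= min_users}
    return suspects, compromises

if __name__ == "__main__":
    suspects, hits = analyze(SAMPLE_LOG)
    print("dictionary-attack sources:", suspects)
    print("successful logins after failures:", hits)
```

Any entry in the second list is the signal the thread is about: treat that host as compromised rather than as log noise.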
More information about the Fedora-security-list mailing list