[K12OSN] Help - possible hacking of our NFS/NIS LTSP server
cliebow at downeast.net
Tue Mar 22 23:58:37 UTC 2005
This is a script kiddie attack which we captured at Cave Hill. It was run
entirely as a non-privileged acct and after three weeks we see no evidence of
any attempt to gain root. If you have accts like arthur, jane, pam with
trivial pw, look at the bash_history, as that at least in our case was
intact. Look at your var log messages from the time this happened and you
will see a successful login for a trivial acct.
chuck
> Well, it looks like someone compromised our NFS/NIS server.
>
> Someone has reported to UNET that our server was trying this ssh login
> brute force attack. What is odd is the report was on March 19 and the UNET
> folks looked today and didn't see anything.
>
> What can I do to look for this script or hack? How do I make sure it
> doesn't happen? If it happens again, they filter out that server and our
> entire LTSP system relies on that machine.
>
> I did find a test account logged in under odd circumstances, so I killed
> the processes and deleted the test account. But I worry about what damage
> may be done.
>
> thanks for any advice
> Shane
>
> Shane Stafford, MCSE, MCT
> Director Information Services Glenburn School and Town
> Educational System Integrator/Network Engineer
> S & B Consulting
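An added example, not part of either message: a Python sketch of the log check Chuck describes, flagging password logins that succeed after a run of failures from the same source. The log lines are constructed and assume OpenSSH's syslog line format; the function name `suspicious_logins` and its threshold are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH syslog format (not taken from the incident).
SAMPLE_LOG = """\
Mar 18 02:10:01 ltsp sshd[4101]: Failed password for illegal user admin from 192.0.2.77 port 40110 ssh2
Mar 18 02:10:03 ltsp sshd[4103]: Failed password for illegal user guest from 192.0.2.77 port 40122 ssh2
Mar 18 02:10:05 ltsp sshd[4105]: Failed password for test from 192.0.2.77 port 40131 ssh2
Mar 18 02:10:07 ltsp sshd[4107]: Accepted password for test from 192.0.2.77 port 40140 ssh2
Mar 18 08:15:30 ltsp sshd[4250]: Failed password for shane from 10.0.0.12 port 51200 ssh2
Mar 18 08:15:41 ltsp sshd[4252]: Accepted password for shane from 10.0.0.12 port 51201 ssh2
Mar 18 09:00:00 ltsp sshd[4300]: Accepted publickey for root from 10.0.0.2 port 51300 ssh2
"""

# Older OpenSSH logs "illegal user", newer releases log "invalid user".
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted)\s(?P<method>\S+)\sfor\s"
    r"(?:(?:illegal|invalid)\suser\s)?(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)

def suspicious_logins(log_text, min_failures=3):
    """Return password logins that followed >= min_failures failures from the same source."""
    failures = Counter()   # failed attempts seen so far, per source address
    tried = {}             # account names guessed so far, per source address
    hits = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            tried.setdefault(ip, set()).add(user)
        elif m["method"] == "password" and failures[ip] >= min_failures:
            # A guessed password succeeded: this is the account to investigate.
            hits.append({"time": m["ts"], "user": user, "source": ip,
                         "failures_before": failures[ip],
                         "accounts_tried": sorted(tried[ip])})
    return hits

if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_LOG):
        print(hit)
```

Each reported account is a candidate for the bash_history review mentioned in the reply, and the timestamp bounds when the account first came under outside control.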