[K12OSN] OT: Break-In report
Les Mikesell
les at futuresource.com
Wed Jan 2 14:15:33 UTC 2008
Rob Owens wrote:
>
> I particularly like the use of " " as a directory name. Nice and
> invisible. Also note that the invader put his files in two directories
> which have the "sticky" bit set: /dev/shm and /var/tmp
>
> In the end, it seems that all the invader succeeded in doing was a bunch
> of port-scanning. The OS is going to be re-installed anyway, just to be
> safe.
It is probably looking for additional systems to compromise, and may
have reported itself back to some controlling system.
> Are there any organizations out there that this should be reported to?
> (For instance, the way one might send reports to an antivirus group or a
> content filtering group).
There is quite a lot of ssh password guessing going on over the
internet. If you have systems with the ssh port exposed, you can expect
to see a few hundred attempts a day in the logs - a slow enough rate
that you might not notice but the attackers are probably spreading their
attempts over thousands of systems. There are some packages that watch
the logs and firewall addresses with repeated failed attempts but none
are included in the distribution.
--
Les Mikesell
lesmikesell at gmail.com
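The log-watching packages Les refers to work roughly as follows: parse the sshd "Failed password" lines out of the auth log, count them per source address over a sliding time window, and emit a firewall rule for any address over a threshold. The script below is an added illustration of that logic, not code from the post or from any particular package. The log lines are constructed samples in the syslog format sshd writes; the year (syslog timestamps omit it), the threshold of 5 failures in 10 minutes, and the iptables rule shape are assumptions.

```python
"""Count failed sshd password attempts per source address and report which
addresses exceed a threshold inside a sliding window (the core of a
fail2ban-style log watcher). Added example; not from the original post."""
import re
from collections import defaultdict
from datetime import datetime

# Matches the line sshd logs for each rejected password attempt, e.g.
#   Jan  2 03:14:01 host sshd[2011]: Failed password for root from 203.0.113.7 port 51240 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = """\
Jan  2 03:14:01 host sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan  2 03:14:03 host sshd[2012]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Jan  2 03:14:05 host sshd[2013]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan  2 03:14:07 host sshd[2014]: Failed password for root from 203.0.113.7 port 51241 ssh2
Jan  2 03:14:09 host sshd[2015]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Jan  2 03:20:30 host sshd[2040]: Accepted publickey for rob from 192.0.2.10 port 40112 ssh2
Jan  2 03:21:00 host sshd[2041]: Failed password for rob from 192.0.2.10 port 40120 ssh2
Jan  2 03:21:05 host sshd[2042]: Accepted password for rob from 192.0.2.10 port 40121 ssh2
Jan  2 04:00:00 host sshd[2101]: Failed password for invalid user guest from 198.51.100.9 port 33000 ssh2
"""


def parse_failures(log_text, year=2008):
    """Return a list of (timestamp, source_ip, username) for each failed attempt."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"], m["user"]))
    return failures


def find_offenders(failures, threshold=5, window_seconds=600):
    """Return {ip: peak_count} for addresses with at least `threshold` failures
    inside any `window_seconds`-long window (sliding window per address)."""
    by_ip = defaultdict(list)
    for ts, ip, _user in failures:
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Advance the window start until it is within window_seconds of t.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def block_commands(offenders, port=22):
    """Render iptables rules dropping SSH from each offending address.
    Returns the command strings only; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_offenders(parse_failures(SAMPLE_LOG))
    for ip, count in sorted(hits.items()):
        print(f"{ip}: {count} failures in window")
    for cmd in block_commands(hits):
        print(cmd)
```

Run against the sample, only 203.0.113.7 (five failures in eight seconds) trips the threshold; the single mistyped password from 192.0.2.10 and the lone guess from 198.51.100.9 do not, which is the point of counting within a window rather than over the whole log. A real deployment would tail the live log, expire the rules after some time, and whitelist management addresses so one fat-fingered login cannot lock an admin out.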
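Rob's observation above, that the intruder dropped files into a directory named " " under the sticky-bit directories /dev/shm and /var/tmp, suggests a simple check to run on other hosts: list every sticky-bit directory and flag entry names that would be invisible or misleading in an ls listing. The script below is an added example written for this thread, not something from the post or from any distribution; the list of directories and the naming heuristics (all-whitespace or all-dots names, leading or trailing whitespace) are assumptions, and the sample tree in run_demo() is constructed in a temporary directory.

```python
"""Flag hard-to-see entry names inside sticky-bit directories such as
/dev/shm and /var/tmp. Added example; not from the original post."""
import os
import shutil
import stat
import tempfile

# Directories a practitioner would typically check (assumption).
DEFAULT_DIRS = ("/dev/shm", "/var/tmp", "/tmp")


def has_sticky_bit(path):
    """True if `path` exists and has the sticky bit (S_ISVTX) set."""
    try:
        return bool(os.stat(path).st_mode & stat.S_ISVTX)
    except OSError:
        return False


def is_suspicious_name(name):
    """True for names that render as blank or as stray dots in a listing
    (" ", ". ", "...") or that carry leading/trailing whitespace ("backup ")."""
    return name.strip(" \t\n.") == "" or name != name.strip()


def scan_sticky_dirs(dirs=DEFAULT_DIRS):
    """Return sorted (directory, entry) pairs for suspicious names found
    directly inside each sticky-bit directory. Directories that are missing
    or lack the sticky bit are skipped."""
    hits = []
    for d in dirs:
        if not has_sticky_bit(d):
            continue
        for name in os.listdir(d):
            if is_suspicious_name(name):
                hits.append((d, name))
    return sorted(hits)


def run_demo():
    """Build a constructed sample tree, scan it, and return the flagged entry
    names; the temporary tree is removed afterwards."""
    root = tempfile.mkdtemp()
    try:
        sticky = os.path.join(root, "shm")
        plain = os.path.join(root, "plain")
        os.mkdir(sticky)
        os.mkdir(plain)
        os.chmod(sticky, 0o1777)  # world-writable with sticky bit, like /dev/shm
        for name in (" ", ". ", "backup ", "normal", ".hidden"):
            os.mkdir(os.path.join(sticky, name))
        os.mkdir(os.path.join(plain, " "))  # not sticky: must be ignored by the scan
        return [name for _d, name in scan_sticky_dirs((sticky, plain))]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for d, name in scan_sticky_dirs():
        print(f"{d}: {name!r}")
```

On a live system run it as root so every entry is readable, and treat an ordinary-looking ".hidden" as out of scope for this heuristic: dot-files are normal, whereas a directory whose name is a bare space is not something legitimate software creates.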