[K12OSN] OT: Break-In report

Les Mikesell les at futuresource.com
Wed Jan 2 14:15:33 UTC 2008

Rob Owens wrote:
> I particularly like the use of " " as a directory name.  Nice and 
> invisible.  Also note that the invader put his files in two directories 
> which have the "sticky" bit set:  /dev/shm and /var/tmp
> In the end, it seems that all the invader succeeded in doing was a bunch 
> of port-scanning.  The OS is going to be re-installed anyway, just to be 
> safe.

It is probably looking for additional systems to compromise, and may 
have  reported itself back to some controlling system.

> Are there any organizations out there that this should be reported to? 
> (For instance, the way one might send reports to an antivirus group or a 
> content filtering group).

There is quite a lot of ssh password guessing going on over the 
internet.  If you have systems with the ssh port exposed, you can expect 
to see a few hundred attempts a day in the logs - a slow enough rate 
that you might not notice but the attackers are probably spreading their 
attempts over thousands of systems.  There are some packages that watch 
the logs and firewall addresses with repeated failed attempts but none 
are included in the distribution.

   Les Mikesell
    lesmikesell at gmail.com

More information about the K12OSN mailing list