Re: [K12OSN] OT: Break-In report

Rob Owens wrote:

> I particularly like the use of " " as a directory name. Nice and invisible. Also note that the invader put his files in two directories which have the "sticky" bit set: /dev/shm and /var/tmp.
>
> In the end, it seems that all the invader succeeded in doing was a bunch of port-scanning. The OS is going to be re-installed anyway, just to be safe.

It is probably looking for additional systems to compromise, and may have reported itself back to some controlling system.

> Are there any organizations out there that this should be reported to? (For instance, the way one might send reports to an antivirus group or a content filtering group.)

There is quite a lot of ssh password guessing going on over the internet. If you have systems with the ssh port exposed, you can expect to see a few hundred attempts a day in the logs - a slow enough rate that you might not notice but the attackers are probably spreading their attempts over thousands of systems. There are some packages that watch the logs and firewall addresses with repeated failed attempts but none are included in the distribution.

  Les Mikesell
   lesmikesell gmail com
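The log-watching that Les describes, as an added example that is not part of the original thread or of any of the packages he alludes to: a small Python script that parses syslog-style sshd "Failed password" lines, counts failures per source address inside a sliding time window, and emits an iptables rule for each address over the threshold. The log lines, host name, addresses and thresholds below are all constructed for the example; the script only prints the firewall commands rather than running them.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure (or auth.log) lines; not from the original post.
# 203.0.113.7 makes six guesses in fifteen seconds, 198.51.100.22 makes five spread
# over about fifty minutes, and one line is a legitimate key-based login.
SAMPLE_AUTH_LOG = """\
Jan 14 02:50:31 k12srv sshd[2101]: Failed password for root from 198.51.100.22 port 60001 ssh2
Jan 14 03:01:05 k12srv sshd[2150]: Failed password for root from 198.51.100.22 port 60002 ssh2
Jan 14 03:12:01 k12srv sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jan 14 03:12:04 k12srv sshd[2212]: Failed password for invalid user test from 203.0.113.7 port 41030 ssh2
Jan 14 03:12:07 k12srv sshd[2214]: Failed password for root from 203.0.113.7 port 41038 ssh2
Jan 14 03:12:10 k12srv sshd[2216]: Failed password for invalid user oracle from 203.0.113.7 port 41044 ssh2
Jan 14 03:12:13 k12srv sshd[2218]: Failed password for invalid user guest from 203.0.113.7 port 41051 ssh2
Jan 14 03:12:16 k12srv sshd[2220]: Failed password for root from 203.0.113.7 port 41059 ssh2
Jan 14 03:14:40 k12srv sshd[2230]: Failed password for root from 198.51.100.22 port 60003 ssh2
Jan 14 03:20:55 k12srv sshd[2300]: Accepted publickey for rob from 192.0.2.10 port 51234 ssh2
Jan 14 03:27:12 k12srv sshd[2350]: Failed password for root from 198.51.100.22 port 60004 ssh2
Jan 14 03:39:48 k12srv sshd[2401]: Failed password for root from 198.51.100.22 port 60005 ssh2
"""

# Matches the OpenSSH "Failed password" message, with or without the "invalid user" marker.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, user, ip) for every failed-password line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime fills in 1900, which is fine for differences.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("user"), m.group("ip")


def find_offenders(log_text, threshold=5, window_minutes=10):
    """Return {ip: total_failures} for addresses with >= threshold failures in any window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    totals = Counter()
    flagged = set()
    for ts, _user, ip in parse_failures(log_text):   # log lines are in time order
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: totals[ip] for ip in flagged}


def block_commands(offenders, chain="INPUT"):
    """Render one iptables DROP rule per offending address (returned, not executed)."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(offenders)]


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_AUTH_LOG)
    for ip, n in sorted(offenders.items()):
        print(f"{ip}: {n} failed logins")
    for cmd in block_commands(offenders):
        print(cmd)
```

With the default threshold (5 failures in 10 minutes) only 203.0.113.7 is flagged; 198.51.100.22 also fails five times but spreads them out, which is exactly the low-and-slow pattern Les describes, and it is caught only if the window is widened to an hour. The script also only recognises "Failed password" lines, so a real deployment would want to match the "Invalid user" and PAM "authentication failure" messages as well, and should whitelist management addresses before inserting DROP rules.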

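A check for the hiding technique Rob noticed (a directory named " " dropped into sticky, world-writable directories such as /dev/shm and /var/tmp), as an added example that is not part of the original thread: it walks a list of directories and flags entries whose names are only whitespace, only dots and spaces, or contain control characters, and reports whether the parent directory is sticky and world-writable. The demo tree it builds in a temporary directory is constructed for the example; on a real host you would point scan() at /dev/shm, /var/tmp and /tmp.

```python
import os
import stat
import tempfile


def is_sticky_world_writable(path):
    """True for mode 1777-style directories, i.e. the /tmp-like ones the post mentions."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_ISVTX) and bool(mode & stat.S_IWOTH)


def suspicious_name(name):
    """Return a reason string if the file name looks chosen to be invisible, else None."""
    if name.strip() == "":
        return "whitespace-only name"
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        return "control character in name"
    if name.startswith(".") and name.strip(". ") == "":   # e.g. "...", ". ", ".. "
        return "dots-and-spaces name"
    return None


def scan(dirs):
    """Walk each directory and return sorted (path, reason) pairs for suspicious names."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for root, subdirs, files in os.walk(d):
            for name in subdirs + files:
                reason = suspicious_name(name)
                if reason:
                    findings.append((os.path.join(root, name), reason))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed layout mimicking the post: a ' ' directory inside a sticky 1777 dir."""
    shm = os.path.join(base, "shm")
    os.makedirs(shm)
    os.chmod(shm, 0o1777)
    hidden = os.path.join(shm, " ")
    os.makedirs(hidden)
    open(os.path.join(hidden, "scan"), "w").close()      # stand-in for the intruder's tool
    os.makedirs(os.path.join(shm, "normal"))
    open(os.path.join(shm, "normal", "readme.txt"), "w").close()
    return shm


def demo():
    """Build the sample tree, scan it, and return (parent_is_sticky, findings relative to it)."""
    with tempfile.TemporaryDirectory() as base:
        shm = build_demo_tree(base)
        findings = [(os.path.relpath(p, shm), why) for p, why in scan([shm])]
        return is_sticky_world_writable(shm), findings


if __name__ == "__main__":
    print(demo())
    # Real use on a live system:
    for path, why in scan(["/dev/shm", "/var/tmp", "/tmp"]):
        print(f"{path!r}: {why}")
```

Printing the paths with repr() is deliberate: a plain print of "/dev/shm/ " looks like nothing is there, which is the whole point of the name. A name check like this is cheap but only catches the obvious tricks; pairing it with a listing of processes whose executables live under those directories gives a stronger signal.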
