[K12OSN] OT: Break-In report
James P. Kinney III
jkinney at localnetsolutions.com
Wed Jan 2 14:42:36 UTC 2008
On Wed, 2008-01-02 at 08:15 -0600, Les Mikesell wrote:
> Rob Owens wrote:
> >
> > I particularly like the use of " " as a directory name. Nice and
> > invisible. Also note that the invader put his files in two directories
> > which have the "sticky" bit set: /dev/shm and /var/tmp
> >
> > In the end, it seems that all the invader succeeded in doing was a bunch
> > of port-scanning. The OS is going to be re-installed anyway, just to be
> > safe.
>
> It is probably looking for additional systems to compromise, and may
> have reported itself back to some controlling system.
>
> > Are there any organizations out there that this should be reported to?
> > (For instance, the way one might send reports to an antivirus group or a
> > content filtering group).
Run a tool like rootkithunter (http://rkhunter.sourceforge.net/) to see
if it is a known setup (most are as they are run by "script kiddies" and
not the black hat pros that write them).
If the system is a K12LTSP box, rpm -Va will check the integrity of
every package installed and report if the config or binary has been
changed. This is a good start for production machines that really can't
be whisked offline for a wipe and rebuild.
>
> There is quite a lot of ssh password guessing going on over the
> internet. If you have systems with the ssh port exposed, you can expect
> to see a few hundred attempts a day
I have seen systems that are hit thousands of times a day. Tools like
sshdfilter will do great things like block the attacker with an iptables
rule after a set number of failed logins. Sometimes moving ssh to a port
other than 22 will help, but the "security through obscurity" arguments
arise here (i.e. - it only lasts until someone port scans and finds the
new port number).
> in the logs - a slow enough rate
> that you might not notice but the attackers are probably spreading their
> attempts over thousands of systems. There are some packages that watch
> the logs and firewall addresses with repeated failed attempts but none
> are included in the distribution.
>
> --
> Les Mikesell
> lesmikesell at gmail.com
>
--
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions,LLC
770-493-8244
http://www.localnetsolutions.com
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
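The log-watching behaviour James describes (count failed ssh logins per source address, then firewall the source once it passes a threshold) is simple enough to show end to end. The following is an added example written for this archive page, not code from the thread, from sshdfilter or from K12LTSP. It parses constructed syslog-style sshd lines (the hostname `ltsp`, the user names and the addresses, which are documentation ranges, are all made up), applies a sliding-window threshold, and renders the iptables rule a blocker of this kind would run. The threshold, window and rule form are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth-log lines (not taken from the original thread).
# Source addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Jan  2 08:01:11 ltsp sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jan  2 08:01:13 ltsp sshd[2103]: Failed password for invalid user test from 198.51.100.7 port 51030 ssh2
Jan  2 08:01:15 ltsp sshd[2105]: Failed password for root from 198.51.100.7 port 51041 ssh2
Jan  2 08:01:18 ltsp sshd[2107]: Failed password for root from 198.51.100.7 port 51055 ssh2
Jan  2 08:01:20 ltsp sshd[2109]: Failed password for invalid user oracle from 198.51.100.7 port 51060 ssh2
Jan  2 08:05:42 ltsp sshd[2150]: Failed password for jsmith from 192.0.2.44 port 40012 ssh2
Jan  2 08:05:50 ltsp sshd[2152]: Accepted password for jsmith from 192.0.2.44 port 40013 ssh2
Jan  2 09:30:02 ltsp sshd[2301]: Failed password for root from 203.0.113.9 port 33001 ssh2
Jan  2 09:30:04 ltsp sshd[2302]: Failed password for root from 203.0.113.9 port 33002 ssh2
Jan  2 09:30:06 ltsp sshd[2303]: Failed password for root from 203.0.113.9 port 33003 ssh2
Jan  2 09:30:08 ltsp sshd[2304]: Failed password for root from 203.0.113.9 port 33004 ssh2
Jan  2 09:30:10 ltsp sshd[2305]: Failed password for root from 203.0.113.9 port 33005 ssh2
Jan  2 09:30:12 ltsp sshd[2306]: Failed password for root from 203.0.113.9 port 33006 ssh2
"""

# Matches the classic OpenSSH "Failed password" syslog line; the optional
# "invalid user" prefix appears when the account does not exist at all.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(log_text, year=2008):
    """Yield (timestamp, user, ip) for every sshd 'Failed password' line.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_offenders(log_text, threshold=5, window_seconds=600):
    """Return {ip: total_failures} for sources that reach `threshold`
    failures inside any sliding window of `window_seconds`.

    A single mistyped password from a legitimate user never reaches the
    threshold, while a guessing run does within seconds.
    """
    events = defaultdict(list)
    for ts, _user, ip in parse_failed_logins(log_text):
        events[ip].append(ts)

    offenders = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders


def iptables_drop_rules(offenders):
    """Render the blocking rule per offender (assumed form; adjust to the
    chain and port actually in use on the host)."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
        for ip in sorted(offenders)
    ]


if __name__ == "__main__":
    bad = find_offenders(SAMPLE_LOG)
    for ip, n in sorted(bad.items()):
        print(f"{ip}: {n} failed logins")
    for rule in iptables_drop_rules(bad):
        print(rule)
```

Run against the sample, the two guessing sources are flagged while the user who mistyped once and then logged in is not. In practice the rules should expire after a while (sshdfilter and similar tools do this), otherwise a forged or shared source address can lock out legitimate users, and the script should read the live log rather than a string.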