[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] OT: Break-In report

On Wed, 2008-01-02 at 08:15 -0600, Les Mikesell wrote:
> Rob Owens wrote:
> > 
> > I particularly like the use of " " as a directory name.  Nice and 
> > invisible.  Also note that the invader put his files in two directories 
> > which have the "sticky" bit set:  /dev/shm and /var/tmp
> > 
> > In the end, it seems that all the invader succeeded in doing was a bunch 
> > of port-scanning.  The OS is going to be re-installed anyway, just to be 
> > safe.
> It is probably looking for additional systems to compromise, and may 
> have  reported itself back to some controlling system.
> > Are there any organizations out there that this should be reported to? 
> > (For instance, the way one might send reports to an antivirus group or a 
> > content filtering group).

Run a tool like rootkithunter (http://rkhunter.sourceforge.net/)  to see
if it is a know setup (most are as they are run by "script kiddies" and
not the black hat pros that write them).

If the system is a K12LTSP box, rpm -Va will check the integrity of
every package installed and report if the config or binary has been
changed. This is a good start for production machines that really can't
be whisked offline for a wipe and rebuild.
> There is quite a lot of ssh password guessing going on over the 
> internet.  If you have systems with the ssh port exposed, you can expect 
> to see a few hundred attempts a day
I have seen systems that are hit thousands of times a day. Tools like
sshdfilter will do great things like block the attacker with an iptables
rule after a set number of failed logins. Sometime moving ssh to a port
other than 22 will help, but the "security through obscurity" arguments
arise here (i.e. - it only lasts until someone port scans and finds the
new port number).

>  in the logs - a slow enough rate 
> that you might not notice but the attackers are probably spreading their 
> attempts over thousands of systems.  There are some packages that watch 
> the logs and firewall addresses with repeated failed attempts but none 
> are included in the distribution.
> -- 
>    Les Mikesell
>     lesmikesell gmail com
> _______________________________________________
> K12OSN mailing list
> K12OSN redhat com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
James P. Kinney III          
CEO & Director of Engineering 
Local Net Solutions,LLC        

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney localnetsolutions com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7

Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]