From: Simon Dean on 27 Feb 2007 04:07

Hi,

Are people going round doing any brute force attacks?

Maybe it was because I had port 22 open (yeah yeah), but looks like someone has brute force attacked my server, FC6.

httpd is unresponsive and doesn't start as a system service, and bash looks compromised in that it freezes.

Also the starting of the login screen results in errors, something about the jpeg not being recognised, and I remember a number as 0x37.

This is reminiscent of another attack a friend of mine had a couple of months back where many of the files in /bin were compromised (altered).

Any thoughts?

Cheers
Simon
From: Geoffrey Clements on 27 Feb 2007 04:50

"Simon Dean" <sjdean(a)simtext.plus.com> wrote in message news:54ialvF20179cU1(a)mid.individual.net...
> Hi,
>
> Are people going round doing any brute force attacks?
>
> Maybe it was because I had port 22 open (yeah yeah), but looks like
> someone has brute force attacked my server, FC6.
>

I have a home PC that's on and off all the time, I also have port 22 open. My logs show that I have brute force attacks on port 22 roughly every one session in three, they go on for a few minutes and then stop and then start again a few minutes later. They've never been major attacks though and they've never disrupted the operation of the PC (in fact I only noticed them because I was trawling through the system logs about a year or so ago).

> httpd is unresponsive and doesn't start as a system service, and bash
> looks compromised in that it freezes.
>
> Also the starting of the login screen results in errors something about
> the jpeg not being recognised, and I remember a number as 0x37.
>
> This is reminiscent of another attack a friend of mine had a couple months
> back where many of the files in /bin were compromised (altered).
>

Rootkit?

Hopefully someone else can offer advice as I'm pretty clueless in this area.

--
Geoff
From: Nick Leverton on 27 Feb 2007 06:15

In article <54ialvF20179cU1(a)mid.individual.net>, Simon Dean <sjdean(a)simtext.plus.com> wrote:
> Hi,
>
> Are people going round doing any brute force attacks?
>
> Maybe it was because I had port 22 open (yeah yeah), but looks like
> someone has brute force attacked my server, FC6.

Sadly port 22 scans are very common these days; if you let them they will sit there trying different logins (and presumably passwords) for minutes or even hours. I only expose port 22 to three particular hosts - I can always get to one of them from anywhere else and then hop in - but if you need to have it open, look at something like fail2ban (Python) or the Perl rewrite of it whose name I forget.

I hope you're fortunate and haven't been hacked - with any luck it will just turn out to be "bit-rot" or "bloody puters" or something!

Nick
--
http://www.leverton.org/ ... So express yourself
From: Andy Burns on 27 Feb 2007 06:28

On 27/02/2007 11:04, Tim wrote:
> You might consider these things to beef up sshd:
>
> 1) Limit the allowed ssh logins to specific usernames - best see the
> documentation for how to - I don't recall the specifics.
>
> 2) Patch sshd with any Fedora security updates.
>
> 3) Deny root logins using both step 1 and explicitly in the sshd_config
> (there is an option for it).

4) Set up SSH to *only* use certificate-based login, and allow root login from trusted subnet(s) only.
From: tinnews on 27 Feb 2007 06:54

Geoffrey Clements <geoffrey.clementsNO(a)spambaesystems.com> wrote:
> "Simon Dean" <sjdean(a)simtext.plus.com> wrote in message
> news:54ialvF20179cU1(a)mid.individual.net...
> > Hi,
> >
> > Are people going round doing any brute force attacks?
> >
> > Maybe it was because I had port 22 open (yeah yeah), but looks like
> > someone has brute force attacked my server, FC6.
> >
>
> I have a home PC that's on and off all the time, I also have port 22 open.
> My logs show that I have brute force attacks on port 22 roughly every one
> session in three, they go on for a few minutes and then stop and then start
> again a few minutes later. They've never been major attacks though and
> they've never disrupted the operation of the PC (in fact I only noticed them
> because I was trawling through the system logs about a year or so ago).
>

Ditto. My Linux box is on all the time and has a static IP. The attacks are not 'brute force' attacks though, they look much more like someone attempting to log in manually and trying a few obvious user IDs and passwords. Thus there is no significant performance hit at all.

--
Chris Green
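Nick's fail2ban suggestion and the log patterns Geoffrey and Chris describe, as an added example that is not part of this thread: a small Python script that parses sshd "Failed password" lines and flags a source only when it racks up several failures inside a short window, so a handful of manual guesses spread over time (Chris's case) is not treated like a sustained burst. The log lines, host name, addresses and user names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format sshd wrote to /var/log/secure on
# Fedora Core 6. Host name, addresses and users are made up for this example.
SAMPLE_LOG = """\
Feb 27 04:01:10 fc6 sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40212 ssh2
Feb 27 04:01:12 fc6 sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 40214 ssh2
Feb 27 04:01:15 fc6 sshd[2105]: Failed password for root from 192.0.2.10 port 40216 ssh2
Feb 27 04:01:17 fc6 sshd[2107]: Failed password for invalid user oracle from 192.0.2.10 port 40218 ssh2
Feb 27 04:01:19 fc6 sshd[2109]: Failed password for invalid user guest from 192.0.2.10 port 40220 ssh2
Feb 27 04:30:00 fc6 sshd[2201]: Failed password for simon from 198.51.100.7 port 51000 ssh2
Feb 27 04:30:40 fc6 sshd[2203]: Accepted publickey for simon from 198.51.100.7 port 51002 ssh2
Feb 27 05:10:05 fc6 sshd[2301]: Failed password for root from 203.0.113.5 port 33001 ssh2
Feb 27 05:25:30 fc6 sshd[2305]: Failed password for invalid user admin from 203.0.113.5 port 33009 ssh2
"""

# One failed-password line: syslog timestamp, host, pid, optional "invalid user", user, source IP.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2007):
    """Yield (timestamp, user, source_ip) per failed login; syslog lines carry no year, so supply it."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_bruteforcers(log_text, maxretry=5, findtime_s=600):
    """Map each source IP that hit maxretry failures within findtime_s seconds to the users it tried.
    Same idea as fail2ban's maxretry/findtime: a burst is flagged, a few scattered guesses are not."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        # Slide a window of maxretry consecutive failures; flag if any window fits in findtime_s.
        for i in range(len(events) - maxretry + 1):
            if (events[i + maxretry - 1][0] - events[i][0]).total_seconds() <= findtime_s:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

if __name__ == "__main__":
    for ip, users in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} distinct usernames tried: {', '.join(users)}")
```

With the defaults only the 192.0.2.10 burst is reported; loosening maxretry and findtime also catches the two slow guesses from 203.0.113.5, which is the trade-off between Geoffrey's minutes-long runs and Chris's occasional manual attempts.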