Re: Debian Stable server hacked

On Wed, 06 Aug 2003 16:01:39 +0200, Thijs Welman

>My log analyzer showed four "Did not receive identification string from
>w.x.y.z" log entries from sshd. This happens all the time and I certainly
>don't check all of them out, but I happened to do so this time.

That's probably people testing to see if port 22 is open.

>I'm puzzled about how they managed to get those processes running (as
>root). There are no local accounts, other than some accounts for the
>sysadmins. Does anyone have any idea how they might have done this? 

Maybe they brute-forced the root password?
Do you have "PermitRootLogin yes" in sshd_config?

I'd set up ssh to do protocol 2 only, no root logins, and no passwords/public keys only if possible.

You say that you have apache and php4 installed. Are you running any php
applications that may have been compromised? Although I'd expect those
to leave the attacker with access to www-data rather than root.
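As an added example (not from the original thread or any poster), a POSIX shell check for the three sshd_config settings recommended above, run on constructed config fragments, plus a per-address count of the quoted "Did not receive identification string" log lines over constructed sample entries. Keyword names are real sshd_config keywords; the addresses, hostnames and PIDs are made up.

```shell
#!/bin/sh
# Added example, not from the original thread: check an sshd_config for the
# three settings recommended above and count the quoted log entries.

# Constructed sshd_config fragments (not a real server's config).
WEAK_CFG='Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes'
HARD_CFG='Protocol 2
# PermitRootLogin yes   (old line kept commented out; must be ignored)
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

# Constructed sshd log lines in the format quoted in the thread.
LOG='Aug  6 15:58:01 host sshd[123]: Did not receive identification string from 10.0.0.5
Aug  6 15:58:04 host sshd[124]: Did not receive identification string from 10.0.0.5
Aug  6 16:01:12 host sshd[130]: Did not receive identification string from 10.0.0.9'

# Effective value of a keyword: first match wins (as in sshd), keyword is
# case-insensitive, comment and blank lines are skipped. Assumes no Match blocks.
ssh_opt() {
  printf '%s\n' "$2" | awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# Print one line per setting that departs from: protocol 2 only, no root
# logins, no password authentication. Returns 0 if clean, 1 otherwise.
# An unset keyword is reported too, since the daemon default then applies.
audit_sshd() {
  cfg=$1; rc=0
  for pair in Protocol:2 PermitRootLogin:no PasswordAuthentication:no; do
    key=${pair%%:*}; want=${pair#*:}
    have=$(ssh_opt "$key" "$cfg")
    if [ "$have" != "$want" ]; then
      echo "$key is '${have:-unset}', want $want"; rc=1
    fi
  done
  return $rc
}

# Number of "Did not receive identification string" entries from one address.
noident_count() {
  printf '%s\n' "$2" | awk -v ip="$1" \
    '/Did not receive identification string from/ && $NF == ip { n++ } END { print n + 0 }'
}

audit_sshd "$WEAK_CFG" || echo "weak config: see findings above"
audit_sshd "$HARD_CFG" && echo "hardened config: no findings"
echo "noident from 10.0.0.5: $(noident_count 10.0.0.5 "$LOG")"
```

To run it against a live system, replace the constructed strings with `$(cat /etc/ssh/sshd_config)` and the relevant lines of the auth log.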


