Re: Debian Stable server hacked

To: Thijs Welman <thijs@balpol.tudelft.nl>
Cc: debian-security@lists.debian.org
Subject: Re: Debian Stable server hacked
From: Alan James <alan@rangercom.com>
Date: Wed, 06 Aug 2003 16:14:55 +0100
Message-id: <[🔎] ka42jv0fsgc23d1mgo725i7qbbkd45pnt2@mail.ranger>
In-reply-to: <[🔎] 3F310A43.9060101@balpol.tudelft.nl>
References: <[🔎] 3F310A43.9060101@balpol.tudelft.nl>

On Wed, 06 Aug 2003 16:01:39 +0200, Thijs Welman <thijs@balpol.tudelft.nl>
wrote:

>
>My loganalyzer showed four "Did not receive identification string from
>w.x.y.z" logentries from sshd. This happens all the time and i certainly
>don't check all of them out, but i happen to do so this time.

That's probably people testing to see if port 22 is open.

>I'm puzzled about how they managed to get those processes running (as
>root). There are no local accounts, other than some accounts for the
>sysadmins. Does anyone have any idea how they might have done this? 

Maybe they brute forced the root password ?
Do you have "PermitRootLogin yes" in sshd_config ?

I'd set up ssh to do protocol 2 only, no root logins, and no passwords/
public keys only if possible.

You say that you have apache and php4 installed. Are you running any php
applications that may have been compromised ? Although I'd expect those
to leave the attacker with access to www-data rather than root.

Alan.

Reply to:

References:
- Debian Stable server hacked
  - From: Thijs Welman <thijs@balpol.tudelft.nl>

Prev by Date: Re: Debian Stable server hacked
Next by Date: Re: Debian Stable server hacked
Previous by thread: Re: Debian Stable server hacked
Next by thread: Re: Debian Stable server hacked
Index(es):
- Date
- Thread