Re: Debian Stable server hacked
On Wed, 06 Aug 2003 16:01:39 +0200, Thijs Welman <firstname.lastname@example.org>
>My loganalyzer showed four "Did not receive identification string from
>w.x.y.z" logentries from sshd. This happens all the time and i certainly
>don't check all of them out, but i happen to do so this time.
That's probably people testing to see if port 22 is open.
>I'm puzzled about how they managed to get those processes running (as
>root). There are no local accounts, other than some accounts for the
>sysadmins. Does anyone have any idea how they might have done this?
Maybe they brute forced the root password ?
Do you have "PermitRootLogin yes" in sshd_config ?
I'd set up ssh to do protocol 2 only, no root logins, and no passwords/
public keys only if possible.
You say that you have apache and php4 installed. Are you running any php
applications that may have been compromised ? Although I'd expect those
to leave the attacker with access to www-data rather than root.