[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian Stable server hacked



On Wed, Aug 06, 2003 at 05:56:47PM +0200, Thijs Welman wrote:
> Alan James wrote:
> >Maybe they brute forced the root password ? Do you have
> >"PermitRootLogin yes" in sshd_config ?
> 
> No, i didn't at that moment. But there's no sign of an succesfull root
> login. Not in ps aux, not in netstat and no ssh traffic other than my
> own session in tcpdump. I guess a brute-force would show up in the ssh
> logfiles. Only thing there is four times "Did not receive identification
> string".

 sshd logs IP addresses of connections.  Was the IP address for those did
not receive id connections inside your site, or does it belong to an ISP
somewhere, or what?  If it's a local address, and not a computer lab, that
might give you some clues about whose door to knock on...

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@cor , des.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC

Attachment: pgpCrY1AlT4E6.pgp
Description: PGP signature


Reply to: