
Re: My machine was hacked - possibly via sshd?



On Mon, 2005-03-28 at 15:58 -0500, Malcolm Ferguson wrote:
> Mark Foster wrote:
> 
> > Malcolm Ferguson wrote:
> >
> >> My machine was cracked on Thursday evening.  I'm trying to understand 
> >> how it happened so that it doesn't go down again. 
> >
> >
> > Sounds to me like you know exactly how it happened - ssh user 
> > enumeration won the jackpot.
> 
> 
> Thanks: you got me thinking.  I see exactly what happened now.  A 
> dictionary attack via ssh found user 'steve' with a weak password.  The 
> auth.log shows this user login and su to root.  Perhaps a local exploit?
> 

I have a short summary of my tracking of these Bruteforce SSH2 attempts
that are taking up bandwidth.

Here is what I have come up with ending 21mar2005 2100 GMT:
      * Starting July 26th, 2004 totals for recent Bruteforce attempts
        on knight.gregfolkert.net
      * Total of 8,988 events separated by minutes sometimes, hours,
        days, never weeks, months or years
      * 158,913 bruteforce total attempts to password guess or stumble
        onto a no password user
      * 3727 unique combinations of username-(from)IP Address
      * 663 unique names used
      * 210 unique IP Addresses have been identified as sources of the
        attempts

Amazing ain't it?

So, indeed it has been on the increase. Time to review those password
policies.

This is just the SSH2 problems, not to mention the Apache related
applications. We can basically quadruple the counts as a total for
everything that machine has seen.
-- 
greg, greg@gregfolkert.net

The technology that is
Stronger, better, faster: Linux
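
An added example, not part of the original message: one way to derive the kind of totals listed above (events, attempts, username/IP pairs, unique names, unique sources) from sshd failure lines in auth.log. The log layout, the five-minute gap used to group attempts into an "event", and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the classic syslog auth.log layout; addresses are
# from the RFC 5737 documentation ranges, not real sources.
SAMPLE_LOG = """\
Mar 21 20:58:01 knight sshd[4101]: Failed password for illegal user steve from 192.0.2.10 port 40111 ssh2
Mar 21 20:58:03 knight sshd[4103]: Failed password for illegal user admin from 192.0.2.10 port 40112 ssh2
Mar 21 20:58:05 knight sshd[4105]: Failed password for root from 192.0.2.10 port 40113 ssh2
Mar 21 20:58:30 knight sshd[4110]: Accepted password for greg from 203.0.113.5 port 51000 ssh2
Mar 21 21:40:12 knight sshd[4200]: Failed password for root from 192.0.2.10 port 40200 ssh2
Mar 21 21:41:00 knight sshd[4210]: Failed password for invalid user test from 198.51.100.7 port 33000 ssh2
Mar 21 21:41:02 knight sshd[4212]: Failed password for invalid user steve from 198.51.100.7 port 33001 ssh2
"""

# Older OpenSSH releases logged "illegal user", newer ones "invalid user";
# existing accounts (e.g. root) are logged with neither prefix.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def summarize(log_text, year=2005, gap=timedelta(minutes=5)):
    """Count failed SSH logins; syslog omits the year, so it is passed in."""
    attempts = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            attempts.append((when, m["user"], m["ip"]))
    attempts.sort()
    # Assumed definition: an "event" is a burst from one source IP whose
    # consecutive attempts are no more than `gap` apart.
    events, last_seen = 0, {}
    for when, _user, ip in attempts:
        if ip not in last_seen or when - last_seen[ip] > gap:
            events += 1
        last_seen[ip] = when
    return {
        "events": events,
        "attempts": len(attempts),
        "user_ip_pairs": len({(u, ip) for _, u, ip in attempts}),
        "usernames": len({u for _, u, _ in attempts}),
        "source_ips": len({ip for _, _, ip in attempts}),
    }

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG).items():
        print(f"{name:14} {value}")
```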
