[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SSH attack

On Mon, 3 Oct 2005, Pollywog wrote:

> On 10/03/2005 06:14 pm, Marty wrote:
> > Jared Hall wrote:
> > > It looks like I am being rooted right now.  How do I toss this guy off
> > > of my system.  he has an IP address of
> >
> > It's a kid!  Whois returns "Hanguk Kwangsan Technoledge High School."

nah .. maybe ..

- you make too much assumptions 

- how do you know its not a script kiddie on Mars (earth-nuetral country)
  or an expert cracker from pluto that has complete control of that PC at
  the high school or whomever currently has access to that ip#, possibly
  from their home or office

	- whois db is not 100% accurate or maybe even 5yrs obsolete
	in some cases ( remember the *.com bust )

> The PID is the number after "ESTABLISHED" in the output of that netstat 
> command.
> This might not work if the attacker has already entered the system and 
> installed their "rootkit".  In such a case, you would need to disconnect the 
> machine.

if you have a live connection wiht the "script kiddie"
	- get the local pd at Hanguk Kwangsan involved and tell them
	you want that PC confiscated for xxx reasons

	- if yu worked at a bank,, and that pc is used to connect
	to the not-so-bright-bank, than it becomes a federal case
	and fbi will get involved, and possibly the bank has to
	notify the consumers that their computers were connected to
	a cracked box ... and possibly blah-blah might NOT have happened

- if you do NOT know how to kick off a cracker from a PC,
  disconnecting or reinstalling will NOT help you from preventing
  the next cracker from breaking in using the exact same steps
  or slightly modified attack programs to get back in again

- they usually get in because of "user error", not the software

- if it was a hole in ssh, ALL and i mean ALL other Debianites and
  possibly other Linuxites will be equally susceptable and some of
  of them will have noticed that they too were successfully attacked

== time for you ( marty ) change the way you use ssh and/or the way you
== log into your PC  and/or update your PC, or let it run  and see if
== you can stop them from loggin in

	- it's a 2 second solution to stop somebody, anybody from
	logging in remotely even if they have userID and passwd
	and even if they have exploited a vulnerability to become 
	root esp if they got in the way you suspect ...

-- fun stuff ... swimming with the sharks or script kiddies

c ya

Reply to: