Re: SSH attack
On Monday 03 October 2005 15:23, Alvin Oga wrote:
>On Mon, 3 Oct 2005, Pollywog wrote:
>> On 10/03/2005 06:14 pm, Marty wrote:
>> > Jared Hall wrote:
>> > > It looks like I am being rooted right now. How do I toss this guy
>> > > off of my system. he has an IP address of 18.104.22.168
>> > It's a kid! Whois returns "Hanguk Kwangsan Technoledge High
>> > School."
>nah .. maybe ..
>- you make too many assumptions
>- how do you know its not a script kiddie on Mars (earth-neutral
> country) or an expert cracker from pluto that has complete control of
> that PC at the high school or whomever currently has access to that
> ip#, possibly from their home or office
I'm going to play the devil's advocate here, and quote a
variation of a southern type expression: "Who knows, or gives a toot
as long as he is locked out of MY machine?"
> - whois db is not 100% accurate or maybe even 5yrs obsolete
> in some cases ( remember the *.com bust )
>> The PID is the number after "ESTABLISHED" in the output of that
>> netstat command.
Somebody mentioned portsentry, and I don't know why so many admins
seem to hate it. I've been running it here for probably 6-7 years,
and it's automatically dropped lots of connection attempts back when I
was using dialup on ppp. But now I've a dsl connection, with a
router between the modem and the firewall, the firewall is 2 nics
with iptables between them. In 3 years+ of dsl, I've been hit 3
times hard enough to make it to the logs, and 2 of them got in
because the ip was a familiar ip, it was the verizon dns server I
have to use, a windows box that was apparently hacked each time.
The 3rd attempt was some script kiddie from Shanghai, and he got
dropped on the first new-not-syn packet by iptables.
>> This might not work if the attacker has already entered the system
>> installed their "rootkit". In such a case, you would need to
>> disconnect the machine.
>if you have a live connection with the "script kiddie"
> - get the local pd at Hanguk Kwangsan involved and tell them
> you want that PC confiscated for xxx reasons
Rotsa ruck, they're probably in on the deal.
> - if you worked at a bank,, and that pc is used to connect
> to the not-so-bright-bank, then it becomes a federal case
> and fbi will get involved, and possibly the bank has to
> notify the consumers that their computers were connected to
> a cracked box ... and possibly blah-blah might NOT have happened
>- if you do NOT know how to kick off a cracker from a PC,
> disconnecting or reinstalling will NOT help you from preventing
> the next cracker from breaking in using the exact same steps
> or slightly modified attack programs to get back in again
>- they usually get in because of "user error", not the software
>- if it was a hole in ssh, ALL and i mean ALL other Debianites and
> possibly other Linuxites will be equally susceptible and some
> of them will have noticed that they too were successfully attacked
>== time for you ( marty ) change the way you use ssh and/or the way you
>== log into your PC and/or update your PC, or let it run and see if
>== you can stop them from logging in
> - it's a 2 second solution to stop somebody, anybody from
> logging in remotely even if they have userID and passwd
> and even if they have exploited a vulnerability to become
> root esp if they got in the way you suspect ...
>-- fun stuff ... swimming with the sharks or script kiddies
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.35% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
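The thread quotes the tip that the PID of the intruder's SSH session is the number after "ESTABLISHED" in `netstat` output. The following is an added example, not code from anyone in the thread: a small POSIX shell function that parses `netstat -tnp` output and prints the PIDs of every ESTABLISHED TCP connection whose foreign address matches a given IP, so an admin can see which `sshd` child belongs to that peer before deciding to terminate it. The netstat lines embedded below are constructed sample output using RFC 5737 documentation addresses (203.0.113.7 etc.), not real connections, and the function name `pids_for_remote` is this example's own.

```shell
#!/bin/sh
# Constructed sample of `netstat -tnp` output (not captured from a real host).
# Column layout: Proto Recv-Q Send-Q Local Foreign State PID/Program
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:22           203.0.113.7:51234       ESTABLISHED 4321/sshd: alice
tcp        0      0 192.0.2.10:22           198.51.100.4:40022      ESTABLISHED 4400/sshd: bob
tcp        0      0 192.0.2.10:80           203.0.113.7:51300       TIME_WAIT   -
tcp        0      0 192.0.2.10:22           203.0.113.7:51900       ESTABLISHED 4500/sshd: alice'

# pids_for_remote IP [NETSTAT_OUTPUT]
# Prints one PID per line for each ESTABLISHED TCP connection whose foreign
# address is IP. If no second argument is given, live `netstat -tnp` output is
# used (the PID column is only filled in for your own processes unless root).
pids_for_remote() {
    ip=$1
    input=${2:-$(netstat -tnp 2>/dev/null)}
    printf '%s\n' "$input" | awk -v ip="$ip" '
        # Only TCP rows in ESTABLISHED state carry a session we can act on;
        # header lines and TIME_WAIT entries (PID shown as "-") are skipped.
        $1 == "tcp" && $6 == "ESTABLISHED" {
            split($5, fa, ":")          # foreign address -> host, port
            if (fa[1] == ip) {
                split($7, pp, "/")      # "4321/sshd:" -> 4321
                print pp[1]
            }
        }'
}

# count_sessions_from IP [NETSTAT_OUTPUT]
# Number of established sessions from IP; handy for a quick sanity check
# before touching anything.
count_sessions_from() {
    pids_for_remote "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demonstration against the constructed sample.
if [ "${1:-}" = "demo" ]; then
    echo "Sessions from 203.0.113.7:"
    pids_for_remote 203.0.113.7 "$SAMPLE_NETSTAT"
fi
```

Usage on a live box: `pids_for_remote 203.0.113.7` lists the `sshd` PIDs for that peer; piping that into `xargs -r kill` ends those sessions, and the iptables rule the poster refers to as dropping "new-not-syn" packets (`iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP`) is the usual way to refuse anything that is not a proper connection start. Note that only the `tcp` rows are matched, so IPv6 peers (`tcp6`, with `:`-delimited addresses) would need a separate parser.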