
Re: SSH attack

On Monday 03 October 2005 15:23, Alvin Oga wrote:
>On Mon, 3 Oct 2005, Pollywog wrote:
>> On 10/03/2005 06:14 pm, Marty wrote:
>> > Jared Hall wrote:
>> > > It looks like I am being rooted right now.  How do I toss this guy
>> > > off of my system.  he has an IP address of
>> >
>> > It's a kid!  Whois returns "Hanguk Kwangsan Technoledge High
>> > School."
>nah .. maybe ..
>- you make too many assumptions
>- how do you know it's not a script kiddie on Mars (earth-neutral
> country) or an expert cracker from Pluto that has complete control of
> that PC at the high school or whomever currently has access to that
> ip#, possibly from their home or office
I'm going to play the devil's advocate here, and quote a
variation of a southern type expression:  "Who knows, or gives a toot
as long as he is locked out of MY machine?"

> - whois db is not 100% accurate or maybe even 5yrs obsolete
> in some cases ( remember the *.com bust )
>> The PID is the number after "ESTABLISHED" in the output of that
>> netstat command.

Somebody mentioned portsentry, and I don't know why so many admins
seem to hate it.  I've been running it here for probably 6-7 years,
and it's automatically dropped lots of connection attempts back when I
was using dialup on ppp.  But now I've a DSL connection, with a
router between the modem and the firewall; the firewall is 2 NICs
with iptables between them.  In 3 years+ of DSL, I've been hit 3
times hard enough to make it to the logs, and 2 of them got in
because the IP was a familiar IP: it was the Verizon DNS server I
have to use, a Windows box that was apparently hacked each time.
The 3rd attempt was some script kiddie from Shanghai, and he got
dropped on the first new-not-SYN packet by iptables.

>> This might not work if the attacker has already entered the system
>> installed their "rootkit".  In such a case, you would need to
>> disconnect the machine.
>if you have a live connection with the "script kiddie"
>	- get the local pd at Hanguk Kwangsan involved and tell them
>	you want that PC confiscated for xxx reasons

Rotsa ruck, they're probably in on the deal.

>	- if you worked at a bank, and that PC is used to connect
>	to the not-so-bright-bank, then it becomes a federal case
>	and fbi will get involved, and possibly the bank has to
>	notify the consumers that their computers were connected to
>	a cracked box ... and possibly blah-blah might NOT have happened
>- if you do NOT know how to kick off a cracker from a PC,
>  disconnecting or reinstalling will NOT help you from preventing
>  the next cracker from breaking in using the exact same steps
>  or slightly modified attack programs to get back in again
>- they usually get in because of "user error", not the software
>- if it was a hole in ssh, ALL and i mean ALL other Debianites and
>  possibly other Linuxites will be equally susceptible and some
>  of them will have noticed that they too were successfully attacked
>== time for you (marty) to change the way you use ssh and/or the way you
>== log into your PC and/or update your PC, or let it run and see if
>== you can stop them from logging in
>	- it's a 2 second solution to stop somebody, anybody from
>	logging in remotely even if they have userID and passwd
>	and even if they have exploited a vulnerability to become
>	root esp if they got in the way you suspect ...
>-- fun stuff ... swimming with the sharks or script kiddies
>c ya

Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.35% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
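
A worked version of the procedure the thread circles around (find the PID that follows ESTABLISHED in the netstat output, kill that sshd session, block the address, and add the "new but not SYN" iptables rule Gene mentions). This is an added example, not code from any poster on the list. The netstat -tnp output is constructed, the host and peer addresses are taken from the RFC 5737 documentation ranges, and the firewall rules assume a Linux box with iptables and the conntrack match; the function names are this example's own. Nothing is executed unless DO_IT=1 is set, so the script can be read and dry-run safely.

```shell
#!/bin/sh
# Added example, not from the thread: parse netstat -tnp output for the
# sshd sessions a given address holds, then print (or, with DO_IT=1, run)
# the commands that block the address and kill those sessions.
set -u

# Constructed netstat -tnp output for an imaginary host 192.0.2.10; the
# unwanted peer is 198.51.100.23. Sample data, not a real capture.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:22           198.51.100.23:51234     ESTABLISHED 4321/sshd: bob
tcp        0      0 192.0.2.10:22           203.0.113.7:40022       ESTABLISHED 4400/sshd: alice
tcp        0      0 192.0.2.10:80           203.0.113.9:55555       TIME_WAIT   -
tcp        0      0 192.0.2.10:22           198.51.100.23:51300     ESTABLISHED 4500/sshd: bob'

# ssh_pids_from IP: read netstat -tnp output on stdin and print the PID
# (the number before the slash in the PID/Program column, i.e. the field
# right after the ESTABLISHED state) of every established connection to
# local port 22 from IP. Assumes IPv4 "addr:port" columns.
ssh_pids_from() {
  awk -v ip="$1" '
    $1 == "tcp" && $6 == "ESTABLISHED" {
      n = split($4, loc, ":");  lport = loc[n]
      split($5, rem, ":");      rip = rem[1]
      split($7, prog, "/");     pid = prog[1]
      if (lport == "22" && rip == ip && pid ~ /^[0-9]+$/) print pid
    }'
}

# block_cmds IP: the firewall rules. The first drops everything from IP;
# the second is the "new but not SYN" rule from the thread: a TCP packet
# that conntrack has never seen is dropped unless it opens a handshake.
block_cmds() {
  printf '%s\n' \
    "iptables -I INPUT 1 -s $1 -j DROP" \
    "iptables -I INPUT 1 -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
}

# run CMD: print CMD, or execute it when DO_IT=1 (root needed for real use).
run() {
  if [ "${DO_IT:-0}" = 1 ]; then sh -c "$1"; else printf '%s\n' "$1"; fi
}

# kick IP: firewall first, so the peer cannot reconnect in the gap, then
# kill its sshd sessions. Reads netstat -tnp output on stdin.
kick() {
  block_cmds "$1"    | while IFS= read -r cmd; do run "$cmd"; done
  ssh_pids_from "$1" | while IFS= read -r pid; do run "kill -9 $pid"; done
}

# Dry run against the sample. For real use:  netstat -tnp | DO_IT=1 kick <ip>
printf '%s\n' "$SAMPLE_NETSTAT" | kick 198.51.100.23
```

Two caveats that match what the thread itself says. If the intruder already has root, the box's own netstat and iptables output cannot be trusted (a rootkit can hide both the process and the socket), and pulling the cable, as Pollywog suggests, is the honest answer. And this only evicts the session; it does nothing about how they got in, which is Alvin's point about changing how ssh is used. On a modern system `ss -tnp` has replaced netstat and prints different columns, so the awk above is tied to netstat's layout.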