Re: SSH attack
On Mon, 3 Oct 2005, Pollywog wrote:
> On 10/03/2005 06:14 pm, Marty wrote:
> > Jared Hall wrote:
> > > It looks like I am being rooted right now. How do I toss this guy off
> > > of my system? He has an IP address of 210.95.212.131
> >
> > It's a kid! Whois returns "Hanguk Kwangsan Technoledge High School."
nah .. maybe ..
- you make too many assumptions
- how do you know it's not a script kiddie on Mars (earth-neutral country)
or an expert cracker from pluto that has complete control of that PC at
the high school or whomever currently has access to that ip#, possibly
from their home or office
- whois db is not 100% accurate or maybe even 5yrs obsolete
in some cases ( remember the *.com bust )
> The PID is the number after "ESTABLISHED" in the output of that netstat
> command.
>
> This might not work if the attacker has already entered the system and
> installed their "rootkit". In such a case, you would need to disconnect the
> machine.
if you have a live connection with the "script kiddie"
- get the local pd at Hanguk Kwangsan involved and tell them
you want that PC confiscated for xxx reasons
- if you worked at a bank, and that pc is used to connect
to the not-so-bright-bank, then it becomes a federal case
and the FBI will get involved, and possibly the bank has to
notify the consumers that their computers were connected to
a cracked box ... and possibly blah-blah might NOT have happened
- if you do NOT know how to kick off a cracker from a PC,
disconnecting or reinstalling will NOT help you from preventing
the next cracker from breaking in using the exact same steps
or slightly modified attack programs to get back in again
- they usually get in because of "user error", not the software
- if it was a hole in ssh, ALL and i mean ALL other Debianites and
possibly other Linuxites will be equally susceptible and some
of them will have noticed that they too were successfully attacked
==
== time for you ( marty ) to change the way you use ssh and/or the way you
== log into your PC and/or update your PC, or let it run and see if
== you can stop them from logging in
==
- it's a 2 second solution to stop somebody, anybody from
logging in remotely even if they have userID and passwd
and even if they have exploited a vulnerability to become
root esp if they got in the way you suspect ...
-- fun stuff ... swimming with the sharks or script kiddies
c ya
alvin
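As an added example, not from anyone in this thread: a small parser for the `netstat -tnp` output Pollywog refers to, picking out the PID of each ESTABLISHED sshd session from a given remote address so the responder knows which process to kill. The netstat sample is constructed for illustration (the suspect address is the one from the thread, the rest are documentation ranges), and the format assumed is that of Linux net-tools run as root.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `netstat -tnp` output (Linux net-tools, run as root).
# 210.95.212.131 is the address from the thread; the others are RFC 5737 ranges.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:22           210.95.212.131:51234    ESTABLISHED 4321/sshd: jared [p
tcp        0      0 192.0.2.10:22           198.51.100.7:40111      ESTABLISHED 4100/sshd: marty [p
tcp        0      0 192.0.2.10:22           210.95.212.131:51240    SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.5:33333       TIME_WAIT   -
"""

@dataclass(frozen=True)
class Session:
    local: str
    remote_ip: str
    remote_port: int
    state: str
    pid: Optional[int]   # None when netstat prints "-" (no owning process known)
    program: str

# One connection line: proto, queues, local addr, foreign addr, state, "PID/Program name".
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<pidprog>\S.*)$"
)

def parse_netstat(text: str) -> list[Session]:
    """Turn `netstat -tnp` text into Session records; banner and header lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # rpartition so an IPv6 "addr:port" still splits on the last colon
        remote_ip, _, remote_port = m.group("remote").rpartition(":")
        pid, _, program = m.group("pidprog").strip().partition("/")
        sessions.append(Session(m.group("local"), remote_ip, int(remote_port),
                                m.group("state"),
                                int(pid) if pid.isdigit() else None, program))
    return sessions

def intruder_pids(text: str, remote_ip: str, local_port: int = 22) -> list[int]:
    """PIDs of ESTABLISHED sessions on local_port coming from remote_ip."""
    return [s.pid for s in parse_netstat(text)
            if s.state == "ESTABLISHED" and s.remote_ip == remote_ip
            and s.local.endswith(f":{local_port}") and s.pid is not None]
```

Killing those PIDs only drops the live session; as the quoted reply already says, a box with a rootkit on it needs to come off the network and be rebuilt.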