
Re: SSH attack



On Mon, 3 Oct 2005, Pollywog wrote:

> On 10/03/2005 06:14 pm, Marty wrote:
> > Jared Hall wrote:
> > > It looks like I am being rooted right now.  How do I toss this guy off
> > > of my system.  he has an IP address of 210.95.212.131
> >
> > It's a kid!  Whois returns "Hanguk Kwangsan Technoledge High School."

nah .. maybe ..

- you make too many assumptions 

- how do you know it's not a script kiddie on Mars (earth-neutral country)
  or an expert cracker from pluto that has complete control of that PC at
  the high school or whomever currently has access to that ip#, possibly
  from their home or office

	- whois db is not 100% accurate or maybe even 5yrs obsolete
	in some cases ( remember the *.com bust )

> The PID is the number after "ESTABLISHED" in the output of that netstat 
> command.
> 
> This might not work if the attacker has already entered the system and 
> installed their "rootkit".  In such a case, you would need to disconnect the 
> machine.

if you have a live connection with the "script kiddie"
	- get the local pd at Hanguk Kwangsan involved and tell them
	you want that PC confiscated for xxx reasons

	- if you worked at a bank, and that pc is used to connect
	to the not-so-bright-bank, then it becomes a federal case
	and fbi will get involved, and possibly the bank has to
	notify the consumers that their computers were connected to
	a cracked box ... and possibly blah-blah might NOT have happened

- if you do NOT know how to kick off a cracker from a PC,
  disconnecting or reinstalling will NOT help you from preventing
  the next cracker from breaking in using the exact same steps
  or slightly modified attack programs to get back in again

- they usually get in because of "user error", not the software

- if it was a hole in ssh, ALL and i mean ALL other Debianites and
  possibly other Linuxites will be equally susceptible and some
  of them will have noticed that they too were successfully attacked

==
== time for you ( marty ) to change the way you use ssh and/or the way you
== log into your PC  and/or update your PC, or let it run  and see if
== you can stop them from logging in
==

	- it's a 2 second solution to stop somebody, anybody from
	logging in remotely even if they have userID and passwd
	and even if they have exploited a vulnerability to become 
	root esp if they got in the way you suspect ...


-- fun stuff ... swimming with the sharks or script kiddies

c ya
alvin
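A way to act on the netstat advice quoted in this thread, as an added example that is not part of the original messages: a POSIX shell function that picks out the PIDs of ESTABLISHED TCP sessions from one foreign address in `netstat -tnp` output (the "number after ESTABLISHED" Pollywog refers to), and a second function that prints, rather than runs, the matching `kill` commands so an operator can review them first. The netstat text, local address, ports, PIDs and user names are constructed sample data; the foreign IP is the one reported in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Finds the PIDs of ESTABLISHED TCP
# sessions from one foreign address in `netstat -tnp` output, so the sshd
# child serving an unwanted login can be identified before it is killed.

# Constructed sample of `netstat -tnp` output: local address, ports, PIDs and
# user names are made up; the foreign IP is the one reported in the thread.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:22           210.95.212.131:40512    ESTABLISHED 4321/sshd: jared
tcp        0      0 192.0.2.10:22           198.51.100.7:51022      ESTABLISHED 4410/sshd: marty
tcp        0      0 192.0.2.10:22           210.95.212.131:40600    TIME_WAIT   -
tcp        0      0 192.0.2.10:80           203.0.113.5:33110       ESTABLISHED 1201/apache2'

# established_pids_from IP [NETSTAT_TEXT]
# Prints one PID per line for ESTABLISHED tcp connections whose foreign
# address is IP.  Parses NETSTAT_TEXT when given, otherwise the live output
# of `netstat -tnp` (root is needed to see PIDs of other users' processes).
established_pids_from() {
    ip=$1
    if [ -n "${2-}" ]; then
        printf '%s\n' "$2"
    else
        netstat -tnp 2>/dev/null
    fi | awk -v ip="$ip" '
        $1 == "tcp" && $6 == "ESTABLISHED" {
            foreign = $5
            sub(/:[0-9]+$/, "", foreign)      # strip the port, keep the host
            if (foreign == ip) {
                split($7, pp, "/")            # "4321/sshd:" -> "4321"
                if (pp[1] ~ /^[0-9]+$/) print pp[1]
            }
        }'
}

# kickoff_commands IP [NETSTAT_TEXT]
# Prints (does not run) a kill command for each matching session so the
# operator can review before acting.  The thread's caveat applies: once a
# box is rooted, netstat itself may have been replaced and its output can
# no longer be trusted.
kickoff_commands() {
    established_pids_from "$1" "${2-}" | while read -r pid; do
        printf 'kill %s\n' "$pid"
    done
}

# Example run against the constructed sample: prints "kill 4321"
kickoff_commands 210.95.212.131 "$SAMPLE_NETSTAT"
```

Only the port is stripped from the foreign address, so the match works for IPv6 entries as well as the IPv4 ones in the sample; the TIME_WAIT row from the same address is ignored because no process owns it any more.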
