Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: SSH probe attack afoot?

from [Jeffrey Goldberg] Network Security [Permanent Link]
Subject: Re: SSH probe attack afoot?
Date: Tue, 15 Feb 2005 20:56:02 -0800 
On Feb 11, 2005, at 8:37 PM, Jeffrey Goldberg wrote:

I fear that some hosts I'm responsible for are (they almost certainly were) such zombies. 

Just a followup and a thanks to all of the helpful advice.

Many of the suggestions I received were things that I would have liked to do, but have not (yet) been able to do. (Several hosts, I don't have physical access to, but giving a Knoppix disk to people who do and working by telephone, We've been able to make some progress.)

At least some of the machines are infected with something that clamAV identifies as Linux.RST.B. I've only found sketchy reports of what it does.

I am also convinced that in at least some cases, the fault has been with week passwords. Freshly rebuilt machines with all patches installed have been reinfected. There were some weak passwords involved.

So rebuilding machines and switching to better passwords has been the bulk of my activity. I've also blocked out-going ssh (except for specific pinholes) and irc.

My boss also found an interesting (and new to me) idea for dealing with this described on

  http://www.soloport.com/iptables.html

We're are/will be using m0n0wall at the periphery, but I could see setting this up on all of the individual hosts that need to run sshd.

-j

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: eBay Account Phishing with eBay Redirect, Israel Torres
Next by Date:  "Guide to Disaster Recovery", Michael Erbschloe, Rob, grandpa of Ryan, Trevor, Devon & Hannah
Previous by Thread:  Re: eBay Account Phishing with eBay Redirect, Nick FitzGerald
Next by Thread:  Re: SSH probe attack afoot?, Joe Egloff
Indexes:  [Date] [Thread] [Top] [All Lists]