Break-In Attempt -- Now What?

CLIFFORD ILKAY clifford_ilkay-biY6FKoJMRdBDgjK7y7TUQ at public.gmane.org
Wed Dec 1 02:13:21 UTC 2004


On Tuesday 30 November 2004 11:24, Rob Sutherland wrote:
> On Tue, 30 Nov 2004 11:00:29 -0500
>
> Peter King <peter.king-H217xnMUJC0sA/PxXw9srA at public.gmane.org> wrote:
> > Yesterday someone tried to break into my system (behind a firewall with
> > only port 22 open for ssh), apparently running some sort of kit: a few
> > thousand attempts in about seven minutes, most trying for "obvious"
> > names (web server root admin and so on). I caught this about two hours
> > later while reviewing my logfiles, which, in addition to faithfully
> > logging all the break-in attempts, also snagged the intruder's IP
> > address.
> >
> > Two hours later? Well, what the hell, I thought, and ran traceroute on
> > it. And there it was: the computer from which the attacks had been
> > launched was up and running on the net somewhere (I think Korea but it
> > wasn't entirely clear from traceroute).
>
> Yeah, they're a busy bunch - they hit my box last week. If you change your
> ssh configuration to listen on a different port, that will at least stop
> your system from getting DOSed. Yes, it was Korea.

Rob, when you say they "hit" your box last week, what do you mean? Did they 
just attempt to connect via ssh, which I do not see as a big deal, or did 
they successfully get a shell, which *is* a big deal?
-- 
Regards,

Clifford Ilkay
Dinamis Corporation
3266 Yonge Street, Suite 1419
Toronto, ON
Canada  M4N 3P6

+1 416-410-3326
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
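
Peter caught the sweep two hours later by reading the logs by hand, and
Clifford's question (a few thousand failed attempts, or an actual shell?)
is exactly the distinction a log review has to make. The script below is an
added example, not code from anyone in this thread: it parses constructed
sshd syslog lines in the format OpenSSH wrote around 2004 ("illegal user";
later releases say "invalid user"), counts failures and usernames tried per
source address, flags sources whose failure rate looks scripted rather than
a user mistyping a password, and then reports any "Accepted" login from a
flagged source, which is the line that turns a nuisance into an incident.
The year 2004 for the yearless syslog timestamps, the thresholds, and the
sample lines themselves are all assumptions; on a real box you would feed
it /var/log/auth.log or /var/log/secure.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd syslog lines (not taken from the post). The
# 203.0.113.5 source runs a username sweep and, in this fabricated sample,
# eventually gets in as root; 198.51.100.7 is an ordinary user who fumbled
# a password once and then logged in with a key.
SAMPLE_LOG = """\
Nov 29 10:14:02 gw sshd[1201]: Illegal user admin from 203.0.113.5
Nov 29 10:14:02 gw sshd[1201]: Failed password for illegal user admin from 203.0.113.5 port 51234 ssh2
Nov 29 10:14:03 gw sshd[1203]: Failed password for illegal user test from 203.0.113.5 port 51235 ssh2
Nov 29 10:14:05 gw sshd[1205]: Failed password for root from 203.0.113.5 port 51236 ssh2
Nov 29 10:14:06 gw sshd[1207]: Failed password for illegal user guest from 203.0.113.5 port 51237 ssh2
Nov 29 10:14:09 gw sshd[1209]: Failed password for illegal user oracle from 203.0.113.5 port 51238 ssh2
Nov 29 10:20:41 gw sshd[1230]: Failed password for peter from 198.51.100.7 port 4321 ssh2
Nov 29 10:20:49 gw sshd[1230]: Accepted publickey for peter from 198.51.100.7 port 4321 ssh2
Nov 29 10:21:10 gw sshd[1231]: Accepted password for root from 203.0.113.5 port 51300 ssh2
"""

# Matches only lines that carry an authentication verdict. "Illegal user"
# notices, disconnects and key-exchange chatter are deliberately skipped.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# syslog timestamps carry no year; assumed to be 2004 (the thread's date).
ASSUMED_YEAR = 2004


def parse_events(text):
    """Yield (time, result, method, user, ip) for each Accepted/Failed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["method"], m["user"], m["ip"]


def summarize(text):
    """Per source IP: failure count, usernames tried, failure time span,
    and every accepted login (time, user, method)."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(),
                                 "first_fail": None, "last_fail": None,
                                 "accepted": []})
    for ts, result, method, user, ip in parse_events(text):
        s = stats[ip]
        if result == "Failed":
            s["failed"] += 1
            s["users"].add(user)
            if s["first_fail"] is None or ts < s["first_fail"]:
                s["first_fail"] = ts
            if s["last_fail"] is None or ts > s["last_fail"]:
                s["last_fail"] = ts
        else:
            s["accepted"].append((ts, user, method))
    return dict(stats)


def brute_force_sources(stats, min_failed=5, max_span_seconds=600):
    """IPs with at least min_failed failures packed into max_span_seconds.
    Thresholds are assumptions; a human typo never produces this shape."""
    hits = []
    for ip, s in stats.items():
        if s["failed"] < min_failed:
            continue
        span = (s["last_fail"] - s["first_fail"]).total_seconds()
        if span <= max_span_seconds:
            hits.append(ip)
    return sorted(hits)


def compromised(stats, **thresholds):
    """Clifford's question in code: did a sweeping source ever get a shell?
    Returns (ip, user, method) for each Accepted login from a flagged IP."""
    out = []
    for ip in brute_force_sources(stats, **thresholds):
        for _ts, user, method in stats[ip]["accepted"]:
            out.append((ip, user, method))
    return out


if __name__ == "__main__":
    st = summarize(SAMPLE_LOG)
    for ip in brute_force_sources(st):
        s = st[ip]
        print(f"{ip}: {s['failed']} failures, users tried: "
              f"{', '.join(sorted(s['users']))}")
    for ip, user, method in compromised(st):
        print(f"BREAK-IN: {ip} accepted as {user} via {method}")
```

An "Accepted" line from a sweeping source is the point at which log review
stops and incident response starts: treat the host as compromised rather
than just blocking the address. Note that moving sshd to another port, as
Rob suggests, quiets this kind of sweep but does nothing for a password
that is already guessable.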