Kevin Mark wrote:

> a day ago, I had a problem with su-ing to root. I checked out my auth.log
> and found strange activity. I have a basic ipchains script and run apache
> and sshd on a dialup connection. Consult:
> http://kmark.home.pipeline.com/breakin.txt
> as I did not want to overload the list.
> somehow someone broke in using ssh.

There have been many brute-force attacks against SSH reported lately:

http://isc.sans.org/diary.php?date=2004-09-11
http://isc.sans.org/diary.php?date=2004-08-22
http://isc.sans.org/diary.php?date=2004-07-28

You may have fallen victim to one.

> Is there some way I can fix this?

1) Regain control of your system

The best way to do this is to back up your logs and any data, then wipe and
rebuild your system. It may seem drastic, but it's the only way to be
certain that any backdoors, rootkits, etc. are gone.

If you don't want to go that far, here's a good place to start:

- Boot from known-good media (like a live CD)
- Check for rootkits
- Use debsums to compare the md5sums of installed files with those in the
original packages, and reinstall any packages whose files have been
tampered with

2) Secure SSH to prevent further brute-force attacks. These two settings
should take care of it:

# Prevent root logins via ssh
PermitRootLogin no

# Use SSH keys instead of passwords for authentication
PubkeyAuthentication yes
PasswordAuthentication no

3) Report this attack to the owner of the IP block it came from (use whois
to identify the owner). Include your SSH logs from the attack.

Adam
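As an added illustration of the kind of evidence step 3 asks you to include (and of what a brute-force run looks like in auth.log), here is a small log checker. It is not part of Adam's reply; it assumes the OpenSSH syslog line format ("Failed password for ... from <ip>") and uses constructed sample lines with documentation-range IPs.

```python
import re
from collections import defaultdict

# Matches OpenSSH password-auth results as logged to auth.log; publickey
# logins deliberately do not match, so they are never counted as failures.
_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def analyze_auth_log(lines, threshold=5):
    """Return (failures_per_ip, suspicious_logins).

    failures_per_ip: dict ip -> number of 'Failed password' lines seen.
    suspicious_logins: list of (ip, user) for a successful password login
    from a source that had already failed at least `threshold` times,
    i.e. the signature of a brute-force attempt that eventually succeeded.
    """
    failures = defaultdict(int)
    suspicious = []
    for line in lines:
        m = _AUTH_RE.search(line)
        if not m:
            continue
        ip, user = m.group("ip"), m.group("user")
        if m.group("result") == "Failed":
            failures[ip] += 1
        elif failures.get(ip, 0) >= threshold:
            suspicious.append((ip, user))
    return dict(failures), suspicious

# Constructed sample log (IPs from the 192.0.2.0/24 documentation range).
SAMPLE_LOG = [
    "Sep 12 03:14:01 box sshd[2101]: Failed password for invalid user test from 192.0.2.10 port 4321 ssh2",
    "Sep 12 03:14:03 box sshd[2103]: Failed password for invalid user guest from 192.0.2.10 port 4325 ssh2",
    "Sep 12 03:14:05 box sshd[2105]: Failed password for invalid user admin from 192.0.2.10 port 4330 ssh2",
    "Sep 12 03:14:07 box sshd[2107]: Failed password for root from 192.0.2.10 port 4334 ssh2",
    "Sep 12 03:14:09 box sshd[2109]: Failed password for root from 192.0.2.10 port 4338 ssh2",
    "Sep 12 03:14:11 box sshd[2111]: Accepted password for root from 192.0.2.10 port 4342 ssh2",
    "Sep 12 07:30:00 box sshd[2200]: Accepted publickey for kevin from 192.0.2.99 port 51000 ssh2",
    "Sep 12 07:31:10 box sshd[2202]: Failed password for kevin from 192.0.2.99 port 51004 ssh2",
]

if __name__ == "__main__":
    fails, hits = analyze_auth_log(SAMPLE_LOG)
    for ip, n in sorted(fails.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} failed password attempts")
    for ip, user in hits:
        print(f"WARNING: login as {user} from {ip} after repeated failures")
```

Run it against your real /var/log/auth.log to get the per-source counts and the offending IP for the whois lookup; with PasswordAuthentication turned off as in step 2, the "Failed password" lines stop appearing at all.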

