Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SSH probe attack afoot?

From: Jeffrey Goldberg <jeffrey () goldmark org>
Date: Tue, 15 Feb 2005 20:56:02 -0800
On Feb 11, 2005, at 8:37 PM, Jeffrey Goldberg wrote:
I fear that some hosts I'm responsible for are (they almost certainly were) such zombies. 

Just a followup and a thanks to all of the helpful advice.
Many of the suggestions I received were things that I would have liked to do, but have not (yet) been able to do. (Several hosts, I don't have physical access to, but giving a Knoppix disk to people who do and working by telephone, We've been able to make some progress.)
At least some of the machines are infected with something that clamAV identifies as Linux.RST.B. I've only found sketchy reports of what it does.
I am also convinced that in at least some cases, the fault has been with week passwords. Freshly rebuilt machines with all patches installed have been reinfected. There were some weak passwords involved.
So rebuilding machines and switching to better passwords has been the bulk of my activity. I've also blocked out-going ssh (except for specific pinholes) and irc.
My boss also found an interesting (and new to me) idea for dealing with this described on 

  http://www.soloport.com/iptables.html
We're are/will be using m0n0wall at the periphery, but I could see setting this up on all of the individual hosts that need to run sshd. 

-j
Previous By Date Next
Previous By Thread Next

Current thread: