Incidents

SSH probe attack afoot? Feb 06 2005 03:09PM Bernie Cosell (bernie fantasyfarm com) (5 replies)
Re: SSH probe attack afoot? Feb 07 2005 08:23PM xyberpix (xyberpix xyberpix com) (1 reply)
Re: SSH probe attack afoot? Feb 07 2005 11:55PM Stephen Warren (swarren wwwdotorg org) (1 reply)
Re: SSH probe attack afoot? Feb 08 2005 05:25PM j (at) 65535 (dot) com (j 65535 com)
Re: SSH probe attack afoot? Feb 07 2005 06:42PM Martin Sarsale (martin sarsale tnsweb com) (2 replies)
> I fear that some hosts I'm responsible for are (they almost certainly
> were) such zombies.
Just a followup and a thanks to all of the helpful advice.
Many of the suggestions I received were things that I would have liked
to do, but have not (yet) been able to do. (Several hosts I don't
have physical access to, but by giving a Knoppix disk to people who do and
working by telephone, we've been able to make some progress.)
At least some of the machines are infected with something that clamAV
identifies as Linux.RST.B. I've only found sketchy reports of what it
does.
I am also convinced that in at least some cases, the fault has been
with weak passwords. Freshly rebuilt machines with all patches
installed have been reinfected. There were some weak passwords
involved.
So rebuilding machines and switching to better passwords has been the
bulk of my activity. I've also blocked out-going ssh (except for
specific pinholes) and irc.
My boss also found an interesting (and new to me) idea for dealing with
this described on
http://www.soloport.com/iptables.html
We are/will be using m0n0wall at the periphery, but I could see
setting this up on all of the individual hosts that need to run sshd.
-j
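As an added example that is not part of the original post, the following script builds the kind of per-host egress filter the reply describes (outbound ssh blocked except for specific pinholes, outbound IRC blocked) with iptables. The pinhole addresses and IRC port list are assumptions; rules are only printed unless IPT_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: host-level egress filter for a
# machine that must keep running sshd but should not originate ssh or IRC
# connections itself (a common sign of a compromised host).
# Dry run by default; set IPT_APPLY=1 to actually execute the iptables calls.

SSH_PINHOLES="192.0.2.10 192.0.2.11"   # constructed: admin hosts allowed on outbound tcp/22
IRC_PORTS="6660:6669,6697"             # assumption: common IRC plaintext and TLS ports

# run_ipt: print the iptables command, execute it only when IPT_APPLY=1
run_ipt() {
    echo "iptables $*"
    [ "${IPT_APPLY:-0}" = "1" ] && iptables "$@"
    return 0
}

# egress_rules: emit (or apply) the outbound policy. Only connections this
# host itself originates are affected; inbound sshd traffic is untouched.
egress_rules() {
    run_ipt -N EGRESS_FILTER
    run_ipt -F EGRESS_FILTER
    # pinholes: outbound ssh permitted only to the listed administrative hosts
    for host in $SSH_PINHOLES; do
        run_ipt -A EGRESS_FILTER -p tcp --dport 22 -d "$host" -j ACCEPT
    done
    # log before dropping so a compromised host announces itself in syslog
    run_ipt -A EGRESS_FILTER -p tcp --dport 22 -j LOG --log-prefix "EGRESS-SSH "
    run_ipt -A EGRESS_FILTER -p tcp --dport 22 -j DROP
    run_ipt -A EGRESS_FILTER -p tcp -m multiport --dports "$IRC_PORTS" -j LOG --log-prefix "EGRESS-IRC "
    run_ipt -A EGRESS_FILTER -p tcp -m multiport --dports "$IRC_PORTS" -j DROP
    # hook the chain into OUTPUT for new connections only
    run_ipt -A OUTPUT -m state --state NEW -j EGRESS_FILTER
}

egress_rules
```

The LOG rules give a simple detection signal: any "EGRESS-SSH" or "EGRESS-IRC" line in syslog from a host that should not be making such connections deserves a look.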