On Mon, 12 Dec 2005 14:57:28 -0500 Chasecreek Systemhouse <chasecreek.systemhouse@xxxxxxxxx> opined:
> On 12/11/05, Craig White <craigwhite@xxxxxxxxxxx> wrote:
> >
> > > What's the general removal procedure for this, and better yet, how
> > > did they get in?
> > ----
> > it would seem that ssh, root allowed to login via password would be
> > the magic combination of bad judgement...it's been so thoroughly
> > discussed on this list as of late.
>
> About three months ago I reported a box I admin'ed was accessed thru
> DDoS on the ssh access port -- the sshd was hit 90,000 times an hour
> and the attacker gained access. They didn't get to do much as the box
> had no compiler, no Perl, and was locked up by SELinux. I made the
> report to both openssh and to the RedHat ssh developers. I was
> running FC4 with the then current patches up-to-date.
>

At the risk of being redundant, running the swatch daemon can add these nitwits to the firewall on the first attempt.

--
Our DNSRBL - Eliminate Spam: http://www.TQMcube.com/spam_trap.php
Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
Zombie Graphs: http://www.TQMcube.com/zombies.php
GeoGraphics: http://www.TQMcube.com/origins.php
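
The log-watching approach mentioned in the last message, as an added example that is not part of the original thread and is not swatch's own configuration: a Python sketch that picks the source address out of sshd "Failed password" lines and renders a firewall rule on the first failure. The regex, the allowlist network, the sample log lines and the iptables rule form are assumptions made for illustration.

```python
import ipaddress
import re

# Anchored at end of line with a greedy user field, so a crafted username
# containing "from 10.0.0.1 port 22" cannot substitute its own address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+(?: ssh\d?)?\s*$"
)

# Assumption: admin networks that must never be banned (avoids self-lockout).
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]

def offenders(lines, allowlist=ALLOWLIST):
    """Return source addresses with at least one failed password, first-seen order."""
    seen = []
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # hostname or garbage: never pass it to the firewall
        if any(ip in net for net in allowlist):
            continue
        if ip not in seen:
            seen.append(ip)
    return seen

def block_commands(ips):
    """Render one DROP rule per address; printed here, not executed."""
    return [
        f"{'iptables' if ip.version == 4 else 'ip6tables'} -I INPUT -s {ip} -j DROP"
        for ip in ips
    ]

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    "Dec 12 14:01:07 host sshd[2211]: Failed password for root from 203.0.113.9 port 40112 ssh2",
    "Dec 12 14:01:09 host sshd[2213]: Failed password for illegal user admin from 203.0.113.9 port 40115 ssh2",
    "Dec 12 14:02:30 host sshd[2230]: Failed password for craig from 192.0.2.15 port 51000 ssh2",
    "Dec 12 14:03:00 host sshd[2241]: Failed password for invalid user x from 192.0.2.15 port 22 ssh2 from 198.51.100.77 port 40200 ssh2",
    "Dec 12 14:04:00 host sshd[2250]: Accepted password for craig from 192.0.2.15 port 51002 ssh2",
]

if __name__ == "__main__":
    print("\n".join(block_commands(offenders(SAMPLE))))
```

Banning on the first failure also catches a legitimate user's typo, which is why the allowlist is checked before any rule is rendered; the fourth sample line shows a username built to make a naive pattern ban someone else's address.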