brute force attack help

Michael Torrie torriem at chem.byu.edu
Mon Jul 25 16:19:51 MDT 2005


On Mon, 2005-07-25 at 15:42 -0600, bibhor dhungel wrote:
> Hi Jeff,
> thanks for the quick reply. The server is hosted by a company out in
> the east and they emailed us with complaints from other servers on the
> network that they are trying to access their servers.
> they sent us sample offending messages:
> ip=207.234.130.169
> server has not yet been disabled
>   king/password from ip.ip.ip.ip: 5 

If the IP address listed is your machine's IP address, then you have
indeed been compromised.

I find this a little odd, though, since I haven't had a compromised
Fedora Core machine ever, as long as I just did yum updates (as it
sounds like you did).  

This particular attack tries to SSH into a machine using various common
passwords.  It sounds like you have a weak root password or a weak user
password on your machine and someone got in and started attacking others
the same way.  The attacker may or may not have gained root access, but
you can't count on anything.  Things to do (Google for more info):

1. Disable all remote password logins.  Use SSH public keys only.
2. Enforce strong passwords on all accounts.
3. Shut down all non-essential services.  Common ones that run on FC3
(stupidly) include portmap and nfslock, both of which have no business
running for most people.

Since you've probably been compromised, you'll want to reinstall the OS
and then lock it down tight.

> I have installed some programs but all through yum (using the default
> repository and DAG).
> I will probably have to do a reinstall.
> thanks
> bibhor
> | This has been a P.L.U.G. mailing. |
> |      Don't Fear the Penguin.      |
> |  IRC: #utah at irc.freenode.net   |
-- 
Michael Torrie <torriem at chem.byu.edu>
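An added example, not part of Michael's post or the list archive: the dictionary attack he describes leaves a very recognisable trail in sshd's log (/var/log/secure on FC3), namely many "Failed password" lines from one address against a string of account names that do not exist on the box. The script below counts those failures per source address and lists the names tried. The log lines are constructed for the example; the function name and the threshold are assumptions.

```shell
#!/bin/sh
# Constructed sshd log lines in the syslog format OpenSSH 3.9 (FC3) writes
# to /var/log/secure. Invented for this example; not from the list post.
SAMPLE_LOG='Jul 25 15:40:01 host sshd[2231]: Invalid user king from 10.0.0.5
Jul 25 15:40:01 host sshd[2231]: Failed password for invalid user king from 10.0.0.5 port 43210 ssh2
Jul 25 15:40:03 host sshd[2233]: Failed password for invalid user test from 10.0.0.5 port 43211 ssh2
Jul 25 15:40:05 host sshd[2235]: Failed password for root from 10.0.0.5 port 43212 ssh2
Jul 25 15:40:07 host sshd[2237]: Failed password for root from 10.0.0.5 port 43213 ssh2
Jul 25 15:40:09 host sshd[2239]: Failed password for invalid user admin from 10.0.0.5 port 43214 ssh2
Jul 25 15:41:00 host sshd[2250]: Failed password for bibhor from 192.168.1.20 port 50001 ssh2
Jul 25 15:41:30 host sshd[2252]: Accepted publickey for bibhor from 192.168.1.20 port 50002 ssh2'

# brute_force_sources THRESHOLD < logfile
# Prints "IP COUNT USERS" for every source address with THRESHOLD or more
# failed password attempts. USERS is the list of account names tried from
# that address: a string of names that do not exist on the box (king,
# test, admin, ...) is a dictionary scan, not someone mistyping a password.
brute_force_sources() {
    awk -v threshold="$1" '
        /: Failed password for / {
            ip = ""; user = ""
            for (i = 1; i <= NF; i++) {
                # "for invalid user NAME from IP" or "for NAME from IP"
                if ($i == "for")
                    user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                if ($i == "from")
                    ip = $(i + 1)
            }
            if (ip == "") next
            count[ip]++
            if (!((ip, user) in seen)) {
                seen[ip, user] = 1
                users[ip] = (users[ip] == "") ? user : (users[ip] "," user)
            }
        }
        END {
            for (ip in count)
                if (count[ip] >= threshold)
                    printf "%s %d %s\n", ip, count[ip], users[ip]
        }'
}

# Run over the constructed sample: only 10.0.0.5 crosses five attempts.
printf '%s\n' "$SAMPLE_LOG" | brute_force_sources 5
```

On the real box this is `brute_force_sources 5 < /var/log/secure`. The single failure from 192.168.1.20 followed by a successful public-key login is a user fumbling a password; the burst from 10.0.0.5 across four different names in eight seconds is the scanner. If your own machine has been turned into a scanner, the same pattern with your address in the "from" field is what the other hosting customers are seeing, which is what the provider forwarded.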


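A second added example, again not from the post: step 1 of Michael's list (no remote password logins, keys only) comes down to a few sshd_config directives, and the trap is that sshd honours the first uncommented occurrence of a keyword and falls back to a compiled-in default when the line is commented out. The script audits a config for the directives that still let a password-guessing client in and shows the weak FC3-style file next to the locked-down one. Both config fragments are constructed for the example; the function names are assumptions, the defaults are those of OpenSSH 3.9.

```shell
#!/bin/sh
# Constructed sshd_config fragments (invented for this example, not from
# the post). WEAK_CONFIG mirrors an FC3-era default: the directives that
# matter are commented out, so sshd's compiled-in defaults apply, and those
# defaults allow password logins and direct root logins.
WEAK_CONFIG='#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes'

# The same file with step 1 applied: public keys only, no root over SSH.
# ChallengeResponseAuthentication must stay "no": with UsePAM yes, leaving
# it on lets the same passwords in via keyboard-interactive authentication.
HARDENED_CONFIG='Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes'

# effective_value KEYWORD < sshd_config
# Keywords are case-insensitive and sshd uses the FIRST uncommented
# occurrence, so a "PasswordAuthentication no" appended at the end of the
# file does nothing if an earlier line says yes. Prints nothing when the
# keyword is unset, i.e. the compiled-in default applies.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }'
}

# audit_sshd_config < sshd_config
# Prints one line per directive that still lets a password-guessing client
# in, showing the value sshd will actually use. Returns 1 if any were found.
# OpenSSH 3.9 (the FC3 version) defaults all three of these to "yes".
audit_sshd_config() {
    cfg=$(cat)
    bad=0
    for key in PasswordAuthentication ChallengeResponseAuthentication PermitRootLogin; do
        val=$(printf '%s\n' "$cfg" | effective_value "$key")
        [ -n "$val" ] || val="yes (default)"
        case "$key:$val" in
            PasswordAuthentication:no) ;;
            ChallengeResponseAuthentication:no) ;;
            PermitRootLogin:no|PermitRootLogin:without-password) ;;
            *) echo "$key=$val"; bad=1 ;;
        esac
    done
    return $bad
}

echo "== weak config =="
printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config || echo "(password guessing still possible)"
echo "== hardened config =="
printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config && echo "(password logins closed)"
```

To apply it on the real box: `audit_sshd_config < /etc/ssh/sshd_config`, put your public key in ~/.ssh/authorized_keys first, edit the file, `service sshd reload`, and then test a key login from a second terminal before closing the session you are already in, or you lock yourself out. Step 3 on FC3 is `chkconfig portmap off; chkconfig nfslock off; service portmap stop; service nfslock stop`, and `chkconfig --list | grep ':on'` shows what else starts at boot. None of this replaces the reinstall Michael recommends; it is what you do to the fresh install.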
