- May 12, 2001
- 12,452
- 2
- 0
I got a message from a website saying an IP owned by me was making MANY MANY ssh connections and asked me to stop. I logged into that box and found that one of the accounts I had created for ftp access had been compromised. In that folder there were mb upon mb of password lists ie
root root123
root password
root p@ssw0rd
etc. . .
i put a filter outbound on my firewall to reject all SSH outbound from that server and 8,552,655 ssh attempts were made over the course of about 5 minutes.
lithium381@ftpserver:~$ uptime
16:06:36 up 50 days, 4:40, 3 users, load average: 499.75, 331.11, 156.79
seems to be based on a cron job somehow since first thing i did was change that users password and it still went off, lasted about 5 minutes and then disapeared, but there are HUNDREDS of files all over
first steps?
root root123
root password
root p@ssw0rd
etc. . .
i put a filter outbound on my firewall to reject all SSH outbound from that server and 8,552,655 ssh attempts were made over the course of about 5 minutes.
lithium381@ftpserver:~$ uptime
16:06:36 up 50 days, 4:40, 3 users, load average: 499.75, 331.11, 156.79
seems to be based on a cron job somehow since first thing i did was change that users password and it still went off, lasted about 5 minutes and then disapeared, but there are HUNDREDS of files all over
first steps?
Facebook
Twitter