Root attempts
Subject: Root attempts  ·  Posted: 2004-10-23, 03:00pm
Rank: ? (2172)
Member #: 11609
Code:
  Oct 23 18:07:52 server sshd[26605]: Failed password for root from ::ffff:211.174.53.81 port 52013 ssh2
  Oct 23 18:07:57 server sshd[26619]: Failed password for root from ::ffff:211.174.53.81 port 52069 ssh2
  Oct 23 18:07:57 server sshd[26621]: Failed password for root from ::ffff:211.174.53.81 port 52070 ssh2
  Oct 23 18:07:57 server sshd[26620]: Failed password for root from ::ffff:211.174.53.81 port 52071 ssh2
  Oct 23 18:07:57 server sshd[26626]: Failed password for root from ::ffff:211.174.53.81 port 52074 ssh2
  Oct 23 18:08:01 server sshd[26637]: Failed password for root from ::ffff:211.174.53.81 port 52135 ssh2
  Oct 23 18:08:01 server sshd[26638]: Failed password for root from ::ffff:211.174.53.81 port 52136 ssh2
  Oct 23 18:08:01 server sshd[26636]: Failed password for root from ::ffff:211.174.53.81 port 52134 ssh2
  Oct 23 18:08:02 server sshd[26644]: Failed password for root from ::ffff:211.174.53.81 port 52142 ssh2
  Oct 23 18:08:06 server sshd[26653]: Failed password for root from ::ffff:211.174.53.81 port 52200 ssh2
  Oct 23 18:08:06 server sshd[26654]: Failed password for root from ::ffff:211.174.53.81 port 52201 ssh2
  Oct 23 18:08:06 server sshd[26655]: Failed password for root from ::ffff:211.174.53.81 port 52202 ssh2
  Oct 23 18:08:06 server sshd[26659]: Failed password for root from ::ffff:211.174.53.81 port 52206 ssh2

Look familiar to any of you? There were a total of 735 attempts at login via SSH to this server.
They were successful in somehow making apache fork 213 child processes, causing it to hang.

How stupid can people be?

A guy gets on a bus and starts threatening everybody: "I'll integrate you! I'll differentiate you!!!" So everybody gets scared and runs away. Only one person stays. The guy comes up to him and says: "Aren't you scared, I'll integrate you, I'll differentiate you!!!" And the other guy says: "No, I am not scared, I am e to the power of x."
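
Added example, not part of the original thread: a Python sketch that parses sshd "Failed password" lines like the ones in the post above, folds IPv4-mapped addresses (::ffff:a.b.c.d) into plain IPv4, and flags sources that reach a failure threshold inside a sliding window. The sample log, its addresses, the default year, and the threshold and window values are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (documentation-range addresses), same format as the post's log.
SAMPLE_LOG = """\
Oct 23 18:07:52 server sshd[26605]: Failed password for root from ::ffff:203.0.113.81 port 52013 ssh2
Oct 23 18:07:57 server sshd[26619]: Failed password for root from ::ffff:203.0.113.81 port 52069 ssh2
Oct 23 18:07:57 server sshd[26621]: Failed password for root from 203.0.113.81 port 52070 ssh2
Oct 23 18:08:01 server sshd[26637]: Failed password for root from ::ffff:203.0.113.81 port 52135 ssh2
Oct 23 18:08:02 server sshd[26644]: Failed password for invalid user x from 198.51.100.9 port 22 ssh2 from ::ffff:203.0.113.81 port 52142 ssh2
Oct 23 18:09:30 server sshd[26700]: Failed password for root from 198.51.100.7 port 40000 ssh2
Oct 23 18:10:00 server sshd[26710]: Accepted password for alice from 192.0.2.10 port 40100 ssh2
"""

# The user field is chosen by the remote side, so it is matched greedily and the
# source address is taken from the LAST "from ... port ..." on the line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>.*)"
    r" from (?P<src>\S+) port \d+(?: ssh\d)?\s*$")

def normalise(src):
    """Collapse ::ffff:a.b.c.d to a.b.c.d so one host is counted under one key."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return src  # not an IP literal; keep the logged value
    return str(getattr(addr, "ipv4_mapped", None) or addr)

def parse(text, year=2004):
    """Yield (timestamp, user, source) per failed login; syslog omits the year."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], normalise(m["src"])

def find_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {source: peak failures in any window} for sources reaching threshold."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, _user, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {s: n for s, n in peak.items() if n >= threshold}
```

The fifth sample line carries a user name that imitates a second "from ... port ..." clause; the parser still attributes it to the real source rather than the address embedded in the name.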
 
Subject: Re: Root attempts  ·  Posted: 2004-11-16, 04:35am
Rank: Unregistered
Does anyone know what this is?

I have seen these in my logs.

I think that they are some sort of bug in ssh.

I am logging into root from a non-root account on another system using an ssh-agent.

I have noticed lately (this did not use to be the case) that when I log in my agent-info file does not contain my actual environment settings for:

$ env | grep SSH_AGENT_PID
SSH_AGENT_PID=3198

$ cat agent-info
SSH_AGENT_PID=2122

It used to be when I logged in that the agent-info file would be up to date and match my environment.

Currently they do not. Is this causing this problem?





 
Subject: Re: Root attempts  ·  Posted: 2005-01-18, 07:12am
Rank: Unregistered
Here's a proposed solution using iptables.
 
Subject: Re: Root attempts  ·  Posted: 2005-01-18, 04:06pm
Rank: ? (1533)
Member #: 15283
TY for that link AC.
If I knew your name I'd thank you personally.
An elegant solution indeed.
Cheers. _B_

Beware the Big Koala. It originated the recursive malapropism when it found itself supernumerary to a specific task and commented, "I think I'm erroneous here". -which it wasn't until it said so, but then it was, -so it wasn't. It also once won a staring contest, with a stuffed cat.
 
Subject: Re: Root attempts  ·  Posted: 2005-02-05, 04:38am
Rank: ? (614)
Member #: 9832
Yes indeed, I had a problem at work with root attempts on one server in the DMZ. I asked the higher-ups twice to fix the situation (to make the external firewall not accept that kind of stuff) but that didn't happen (Oh sorry we forgot, yes yes we'll do it and that shit), so that prompted me to learn about IPtables. Well, the situ is now more or less under control, I learned new stuff and nobody got hurt... But it could have been a lot worse. It just happened that this problem was affecting servers run by me (security freak); almost everyone else in the company seems to think that security stuff is something that gets you arrested and should not be touched... No wonder script kiddies have a fun time when sysadmins think studying IPtables or encryption is illegal... Would scaring them shitless be considered immoral or educational in this case?

Edit:

I traced many of these root attempts to a South Korean elementary school... don't know what to say about that. Well they didn't manage to crash apache, I don't even know how that can happen through SSH...

» Post edited 2005-02-05, 04:42am by Crypdoctor.

Chaos reigns within - Reflect, repent, and reboot - Order shall return
 
Subject: Re: Root attempts  ·  Posted: 2005-03-19, 02:16am
Rank: ? (2172)
Member #: 11609
 Crypdoctor writes...
Well they didn't manage to crash apache, I don't even know how that can happen through SSH...

They probably weren't related after all. OpenSSH is insecure though, so who knows.
I traced all those IPs to South Korea, China, and Thailand. Some of them originated from satellite networks.

A guy gets on a bus and starts threatening everybody: "I'll integrate you! I'll differentiate you!!!" So everybody gets scared and runs away. Only one person stays. The guy comes up to him and says: "Aren't you scared, I'll integrate you, I'll differentiate you!!!" And the other guy says: "No, I am not scared, I am e to the power of x."
 
