system seems hacked...
David A. Bandel
david.bandel at gmail.com
Thu Feb 21 18:14:39 PST 2008
On Thu, Feb 21, 2008 at 8:00 PM, Jerry McBride <mcbrides9 at comcast.net> wrote:
[snip]
> > All is sorted. Seems it was:
> >
> > http://www.energymech.net/
> >
> > which is a non-root IRC bot. One thing it does is hide the real process
> > name. It was not /usr/bin/sshd. It was the IRC bot running from a user
> > folder with only that user's rights. Still, I am not happy. There will
> > be a password shakeup with the users!
>
> Wow. That's frightening. Did you figure out how it was put on your server?
> Knowing what it is, is one thing. Knowing how it got there is another.
>
There have been a number of these over the years. I've had a couple
of systems "compromised" by similar things.
They've always come in via SSH through some moron "Web Master"'s
account who has no clue about security and uses something stupid like
testing123 as a password.
So I turn off password logins on SSH, block port 22 to most of the
world, and drop web accounts of people too stupid to use a proper
password (after charging them heavily for their blunder).
Ciao,
David A. Bandel
--
Focus on the dream, not the competition.
- Nemesis Air Racing Team motto
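
Added example, not part of the original message: a check for the symptom described in the thread, a process that shows up as /usr/bin/sshd while its binary actually lives in a user folder. It compares the name in /proc/<pid>/cmdline with the /proc/<pid>/exe link on Linux; the trusted-prefix list and the function names are assumptions made for this sketch.

```python
import os

# Assumption: binaries under these prefixes are package-managed on this host.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/opt/")
DELETED = " (deleted)"

def claimed_name(cmdline: bytes) -> str:
    """argv[0] as ps shows it, minus login-shell dash and proctitle suffix."""
    argv0 = cmdline.split(b"\0", 1)[0].decode(errors="replace")
    return argv0.lstrip("-").split(" ", 1)[0].rstrip(":")

def find_masquerading(proc_root="/proc"):
    """Return [(pid, uid, claimed, exe)] for processes whose advertised name
    disagrees with the binary the kernel actually executed."""
    findings = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read()
            exe = os.readlink(os.path.join(base, "exe"))
            uid = os.lstat(base).st_uid  # owner of /proc/<pid>
        except OSError:
            continue  # kernel thread, exited process, or no permission
        if not cmdline:
            continue
        deleted = exe.endswith(DELETED)
        real = exe[:-len(DELETED)] if deleted else exe
        # A binary in a system directory that still exists on disk is not
        # the case from the thread; skip it to keep the output short.
        if real.startswith(TRUSTED_PREFIXES) and not deleted:
            continue
        claimed = claimed_name(cmdline)
        if os.path.isabs(claimed):
            mismatch = claimed != real
        else:
            mismatch = os.path.basename(claimed) != os.path.basename(real)
        if mismatch or deleted:
            findings.append((int(entry), uid, claimed, exe))
    return findings

if __name__ == "__main__":
    for pid, uid, claimed, exe in find_masquerading():
        print(f"pid={pid} uid={uid} claims={claimed!r} actual={exe!r}")
```

Run it as root, since the exe link of another user's process is not readable otherwise. A script hosted by a system interpreter such as /usr/bin/perl is outside what this check covers.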