On Wed, 06 Aug 2003 16:01:39 +0200, Thijs Welman <[EMAIL PROTECTED]> wrote:
> My log analyzer showed four "Did not receive identification string from
> w.x.y.z" log entries from sshd. This happens all the time and I certainly
> don't check all of them out, but I happened to do so this time.

That's probably people testing to see if port 22 is open.

> I'm puzzled about how they managed to get those processes running (as
> root). There are no local accounts, other than some accounts for the
> sysadmins. Does anyone have any idea how they might have done this?

Maybe they brute-forced the root password? Do you have "PermitRootLogin yes"
in sshd_config? I'd set up ssh to do protocol 2 only, no root logins, and no
passwords / public keys only if possible.

You say that you have apache and php4 installed. Are you running any php
applications that may have been compromised? Although I'd expect those to
leave the attacker with access to www-data rather than root.

Alan.
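An added example, not code from the thread, that audits an sshd_config for the settings Alan recommends (protocol 2 only, no root logins, public keys instead of passwords); the OpenSSH 3.x-era defaults are assumed and the sample configs are constructed.

```python
# Added example (not code from the thread): audit an sshd_config text for the
# settings Alan recommends. Defaults and sample configs are assumed/constructed.
# Value(s) a hardened sshd_config should carry for each directive.
EXPECTED = {
    "protocol": {"2"},
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}

# Assumed OpenSSH 3.x-era defaults, used when a directive is absent.
DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

def parse_sshd_config(text):
    """Return {directive: value} for global directives; first occurrence wins,
    as in sshd. Lines inside a Match block are conditional and are skipped."""
    settings, in_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # directive without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            in_match = True
        elif not in_match and key not in settings:
            settings[key] = value
    return settings

def audit(text):
    """Return [(directive, actual, expected)] for each weak or missing setting."""
    settings = parse_sshd_config(text)
    findings = []
    for key, good in EXPECTED.items():
        actual = settings.get(key, DEFAULTS[key])
        if actual.lower() not in good:
            findings.append((key, actual, sorted(good)[0]))
    return findings

# Constructed samples: the setup Alan suspects, and one applying his advice.
WEAK_CONFIG = "Protocol 2,1\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = ("Protocol 2\nPermitRootLogin no\n"
                   "PasswordAuthentication no\nPubkeyAuthentication yes\n")
```

An empty config is reported as weak too, because the assumed defaults allow root logins, passwords and protocol 1.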