On Mon, 3 Oct 2005, Pollywog wrote:

> On 10/03/2005 06:14 pm, Marty wrote:
> > Jared Hall wrote:
> > > It looks like I am being rooted right now. How do I toss this guy off
> > > of my system. he has an IP address of 210.95.212.131
> >
> > It's a kid! Whois returns "Hanguk Kwangsan Technoledge High School."

nah .. maybe .. - you make too many assumptions - how do you know it's not
a script kiddie on Mars (earth-neutral country) or an expert cracker from
Pluto that has complete control of that PC at the high school or whomever
currently has access to that ip#, possibly from their home or office

- whois db is not 100% accurate or maybe even 5yrs obsolete in some cases
  ( remember the *.com bust )

> The PID is the number after "ESTABLISHED" in the output of that netstat
> command.
>
> This might not work if the attacker has already entered the system and
> installed their "rootkit". In such a case, you would need to disconnect the
> machine.

if you have a live connection with the "script kiddie" - get the local pd
at Hanguk Kwangsan involved and tell them you want that PC confiscated for
xxx reasons

- if you worked at a bank, and that pc is used to connect to the
  not-so-bright-bank, then it becomes a federal case and fbi will get
  involved, and possibly the bank has to notify the consumers that their
  computers were connected to a cracked box ...

and possibly blah-blah might NOT have happened

- if you do NOT know how to kick off a cracker from a PC, disconnecting or
  reinstalling will NOT help you from preventing the next cracker from
  breaking in using the exact same steps or slightly modified attack
  programs to get back in again

- they usually get in because of "user error", not the software

- if it was a hole in ssh, ALL and i mean ALL other Debianites and
  possibly other Linuxites will be equally susceptible and some of them
  will have noticed that they too were successfully attacked

==
== time for you ( marty ) to change the way you use ssh and/or the way you
== log into your PC and/or update your PC, or let it run and see if
== you can stop them from logging in
==

- it's a 2 second solution to stop somebody, anybody from logging in
  remotely even if they have userID and passwd and even if they have
  exploited a vulnerability to become root esp if they got in the way you
  suspect ...

-- fun stuff ... swimming with the sharks or script kiddies

c ya
alvin

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe".
Trouble? Contact [EMAIL PROTECTED]
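Pollywog's hint above (the PID sits in the last column of the `netstat` line whose state is ESTABLISHED) is the first triage step in a case like Jared's: enumerate every live connection from the suspect address and note which local processes own them before deciding whether to kill them or pull the cable. The parser below is an added example written for this page, not code posted by anyone in the thread. It reads Linux net-tools `netstat -tnp` output; the sample text is constructed, with only the 210.95.212.131 address taken from the thread. Note that `-p` only shows a PID for processes you own unless you run it as root, otherwise the column reads `-`, and that `-n` is what keeps the foreign address numeric so it can be compared to the IP you were given.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample of `netstat -tnp` (Linux net-tools) output. The suspect
# address 210.95.212.131 is the one from the thread; local addresses, ports,
# PIDs and program names are made up for illustration.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:22         210.95.212.131:4125     ESTABLISHED 2112/sshd: jared
tcp        0      0 192.168.1.10:22         192.168.1.5:51022       ESTABLISHED 1873/sshd: jared
tcp        0      0 192.168.1.10:80         10.0.0.7:33456          TIME_WAIT   -
tcp        0      0 192.168.1.10:1234       210.95.212.131:6667     ESTABLISHED 2201/bash
"""


class Conn(NamedTuple):
    proto: str
    local: str
    foreign_ip: str
    foreign_port: int
    state: str
    pid: Optional[int]   # None when netstat printed "-" (no permission / no owner)
    program: str


# One TCP line of `netstat -tnp`. The PID/Program column is matched lazily to
# the end of the line because program names may contain spaces ("sshd: jared").
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>\S+)\s+"
    r"(?P<pidprog>.+?)\s*$"
)


def split_addr(addr: str):
    """Split 'host:port'; rpartition keeps IPv6 forms like ::ffff:1.2.3.4:22 intact."""
    host, _, port = addr.rpartition(":")
    return host, int(port) if port.isdigit() else 0


def parse_netstat(text: str) -> List[Conn]:
    """Parse netstat -tnp output into Conn records, skipping header lines."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Active Internet connections..." and column headers
        ip, port = split_addr(m.group("foreign"))
        pidprog = m.group("pidprog")
        pid: Optional[int] = None
        program = pidprog
        if "/" in pidprog:
            pid_s, program = pidprog.split("/", 1)
            if pid_s.isdigit():
                pid = int(pid_s)
        conns.append(Conn(m.group("proto"), m.group("local"), ip, port,
                          m.group("state"), pid, program))
    return conns


def connections_from(text: str, suspect_ip: str) -> List[Conn]:
    """Live (ESTABLISHED) connections whose foreign address is the suspect IP."""
    return [c for c in parse_netstat(text)
            if c.foreign_ip == suspect_ip and c.state == "ESTABLISHED"]


def pids_to_investigate(text: str, suspect_ip: str) -> List[int]:
    """Distinct local PIDs holding a live connection to the suspect IP."""
    return sorted({c.pid for c in connections_from(text, suspect_ip)
                   if c.pid is not None})


if __name__ == "__main__":
    for c in connections_from(SAMPLE_NETSTAT, "210.95.212.131"):
        print(f"{c.foreign_ip}:{c.foreign_port} -> {c.local}  pid={c.pid}  {c.program}")
```

Against the sample the suspect address holds two sessions, one through `sshd` and one owned by a shell on an unprivileged port, which is the sort of second connection that suggests the intruder already has a process of their own running. That is the point of Pollywog's caveat: killing the PIDs only helps if no rootkit is hiding further processes from `netstat`, so the list is evidence to record before disconnecting, not proof that the box is clean afterwards.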