On Monday 03 October 2005 15:23, Alvin Oga wrote:
>On Mon, 3 Oct 2005, Pollywog wrote:
>> On 10/03/2005 06:14 pm, Marty wrote:
>> > Jared Hall wrote:
>> > > It looks like I am being rooted right now. How do I toss this guy
>> > > off of my system? He has an IP address of 210.95.212.131
>> >
>> > It's a kid! Whois returns "Hanguk Kwangsan Technoledge High
>> > School."
>
>nah .. maybe ..
>
>- you make too many assumptions
>
>- how do you know it's not a script kiddie on Mars (earth-neutral
>  country) or an expert cracker from Pluto that has complete control of
>  that PC at the high school, or whomever currently has access to that
>  IP#, possibly from their home or office

I'm going to play the devil's advocate here, and quote a variation of a
southern-type expression: "Who knows, or gives a toot, as long as he is
locked out of MY machine?"

>- whois db is not 100% accurate or maybe even 5 yrs obsolete
>  in some cases ( remember the *.com bust )
>
>> The PID is the number after "ESTABLISHED" in the output of that
>> netstat command.

Somebody mentioned portsentry, and I don't know why so many admins seem
to hate it. I've been running it here for probably 6-7 years, and it
automatically dropped lots of connection attempts back when I was using
dialup on ppp. But now I've a DSL connection, with a router between the
modem and the firewall; the firewall is 2 NICs with iptables between
them. In 3+ years of DSL, I've been hit 3 times hard enough to make it
to the logs, and 2 of them got in because the IP was a familiar IP: it
was the Verizon DNS server I have to use, a Windows box that was
apparently hacked each time. The 3rd attempt was some script kiddie from
Shanghai, and he got dropped on the first NEW-not-SYN packet by
iptables.

>> This might not work if the attacker has already entered the system and
>> installed their "rootkit". In such a case, you would need to
>> disconnect the machine.
>
>if you have a live connection with the "script kiddie"
> - get the local PD at Hanguk Kwangsan involved and tell them
>   you want that PC confiscated for xxx reasons

Rotsa ruck, they're probably in on the deal.

> - if you worked at a bank, and that PC is used to connect
>   to the not-so-bright bank, then it becomes a federal case
>   and the FBI will get involved, and possibly the bank has to
>   notify the consumers that their computers were connected to
>   a cracked box ... and possibly blah-blah might NOT have happened
>
>- if you do NOT know how to kick off a cracker from a PC,
>  disconnecting or reinstalling will NOT help you prevent
>  the next cracker from breaking in using the exact same steps
>  or slightly modified attack programs to get back in again
>
>- they usually get in because of "user error", not the software
>
>- if it was a hole in ssh, ALL and I mean ALL other Debianites and
>  possibly other Linuxites will be equally susceptible and some of
>  them will have noticed that they too were successfully attacked
>
>==
>== time for you ( marty ) to change the way you use ssh and/or the way you
>== log into your PC and/or update your PC, or let it run and see if
>== you can stop them from logging in
>==
>
> - it's a 2-second solution to stop somebody, anybody from
>   logging in remotely even if they have userID and passwd,
>   and even if they have exploited a vulnerability to become
>   root, esp. if they got in the way you suspect ...
>
>
>-- fun stuff ... swimming with the sharks or script kiddies
>
>c ya
>alvin

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.35% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
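The procedure the thread sketches (read the PID off the ESTABLISHED line in
`netstat -tanp`, throw the intruder off, then make sure the first packet he
sends back is dropped) as a worked shell script. This is an added example,
not code from anyone in the thread. The netstat output is constructed, the
function names are hypothetical, and the plan is printed rather than
executed so it runs unprivileged; pipe it to `sh` as root for real. Two
caveats the thread itself raises: `netstat -p` only shows other users'
PIDs when run as root, and on a box that is already rooted, `netstat`,
`ps` and `kill` may be trojaned, in which case pulling the cable (as
Pollywog says) is the only honest answer. The `! --syn` rule is the
"NEW-not-SYN" drop Gene mentions, written with the `conntrack` match that
replaced the older `state` match.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.

# Constructed sample of `netstat -tanp` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.1.10:22         210.95.212.131:40212    ESTABLISHED 4321/sshd: bob [priv]
tcp        0      0 192.168.1.10:22         192.168.1.20:51902      ESTABLISHED 4410/sshd: gene [priv]
tcp        0      0 192.168.1.10:80         210.95.212.131:40300    TIME_WAIT   -'

# pids_for_peer NETSTAT_OUTPUT IP
# Prints, one per line, the PIDs of ESTABLISHED TCP connections whose
# foreign address is IP. The seventh column is "PID/Program name"; the
# program name can contain spaces, so only the text before "/" is used,
# and a "-" (no PID visible, e.g. not root) is skipped.
pids_for_peer() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && index($5, ip ":") == 1 {
            split($7, a, "/")
            if (a[1] ~ /^[0-9]+$/) print a[1]
        }' | sort -u
}

# block_rules IP
# Prints the iptables commands that lock the peer out: an explicit DROP
# for that source address, and a rule dropping TCP packets that start a
# NEW connection without SYN, i.e. mid-stream packets for a connection
# the firewall never saw begin (the "NEW-not-SYN" rule from the thread).
block_rules() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
    printf 'iptables -I INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP\n'
}

# eviction_plan NETSTAT_OUTPUT IP
# Prints the full plan. The firewall rules come first on purpose: if the
# processes were killed first, the intruder could reconnect in the gap
# before the DROP rule lands.
eviction_plan() {
    block_rules "$2"
    for pid in $(pids_for_peer "$1" "$2"); do
        printf 'kill -9 %s\n' "$pid"
    done
}

# Usage (dry run on the constructed sample; as root you would use
#   eviction_plan "$(netstat -tanp)" 210.95.212.131 | sh
# instead):
eviction_plan "$SAMPLE_NETSTAT" 210.95.212.131
```

Note that `-s IP -j DROP` only silences that one address; Alvin's point in
the thread stands, since the same hole is still open to the next address,
so the block buys time for the reinstall or the ssh lockdown, not a fix.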