This is a discussion on sshd question within the Linux Security forums, part of the System Security and Security Related category.
My system was recently broken into. I noticed in the messages log a ton of messages saying Failed password for root from xx.yy.zz.aa port 51699 Actually, hundreds of different ports. The system is at least 2 years old and just kind of sat there for transferring files in and out...so nothing was really lost, but is this a known leak?

Thanks,
bsd_mike
"bsd_mike" <bsd_mike@hotmail.com> wrote in news:1102686971.937826.253210@f14g2000cwb.googlegroups.com:

> The system is at least 2 years old and just kind of sat
> there for transferring files in and out...so nothing was
> really lost, but is this a known leak?

Yes, it is. Read the paper "BruteSSH2 - 21st Century War Dialer" written by Bill Thompson for his GIAC GCIH certification. The paper can be found at: http://www.giac.org/practical/GCIH/B...mpson_GCIH.pdf

It's a sophisticated brute-force (well... not tooooo sophisticated anyway).

"Nothing was lost", but your system was compromised, was potentially trojanized, and if so can be used to launch attacks on other systems, and you will be blamed for that, so better reinstall it from scratch and implement all the recommendations in the paper mentioned above.

Cheers,
--
Nekromancer
Group FAQ (PUF): http://usuarios.lycos.es/n3kr0m4nc3r/
Security notes: http://www.pclandia.net/nekromancer/
"The level of knowledge acquired is inversely proportional to the temperature of the coffee"
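Added example (not part of the thread, and not from the BruteSSH2 paper): a small parser for the `Failed password` / `Accepted password` lines that sshd writes to syslog, followed by the detection logic a practitioner would run over such a log. It flags a source IP once it produces a burst of failures inside a sliding window, and it goes one step beyond the posts above by also flagging any later successful login from a flagged IP, which is the log evidence that distinguishes "being scanned" from "broken into". The log lines, hostnames, IPs and ports are constructed for this example; the threshold and window are arbitrary tuning choices, not values from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of the lines sshd writes via syslog (classic
# /var/log/messages format, which carries no year). Hosts, IPs and ports
# are invented; 203.0.113.7 plays the password guesser.
SAMPLE_LOG = """\
Dec 10 03:14:01 fileserver sshd[2211]: Failed password for root from 203.0.113.7 port 51699 ssh2
Dec 10 03:14:02 fileserver sshd[2213]: Failed password for root from 203.0.113.7 port 51702 ssh2
Dec 10 03:14:04 fileserver sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51710 ssh2
Dec 10 03:14:05 fileserver sshd[2217]: Failed password for root from 203.0.113.7 port 51715 ssh2
Dec 10 03:14:07 fileserver sshd[2219]: Failed password for root from 203.0.113.7 port 51720 ssh2
Dec 10 03:14:09 fileserver sshd[2221]: Accepted password for root from 203.0.113.7 port 51731 ssh2
Dec 10 08:22:10 fileserver sshd[2400]: Failed password for mike from 198.51.100.4 port 40210 ssh2
Dec 10 08:22:15 fileserver sshd[2402]: Accepted password for mike from 198.51.100.4 port 40211 ssh2
"""

# "invalid user" is inserted by sshd when the account does not exist at all.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_events(text):
    """Turn sshd login-result lines into dicts; other sshd lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog omits the year, so strptime yields 1900; only differences matter here
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append({
            "ts": ts, "ip": m.group("ip"), "user": m.group("user"),
            "port": int(m.group("port")), "accepted": m.group("result") == "Accepted",
        })
    return events


def detect_brute_force(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside a sliding window, and any
    later successful login from such an IP (the sign that the guessing worked)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    peak = {}                     # ip -> largest number of failures seen in one window
    suspected = []                # (ip, user) of successes that followed a flagged burst
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:
            q.popleft()
        if ev["accepted"]:
            if ev["ip"] in peak:
                suspected.append((ev["ip"], ev["user"]))
            continue
        q.append(ev["ts"])
        if len(q) >= threshold:
            peak[ev["ip"]] = max(peak.get(ev["ip"], 0), len(q))
    return {"brute_force": peak, "suspected_compromise": suspected}


def source_ports(events, ip):
    """Distinct client ports used by one IP: one per TCP connection, so a large
    count is expected from any scanner and says nothing about its sophistication."""
    return sorted({e["port"] for e in events if e["ip"] == ip})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(detect_brute_force(evs))
    print(len(source_ports(evs, "203.0.113.7")), "distinct source ports from 203.0.113.7")
```

On the constructed input the guesser is flagged after its fifth failure and the `Accepted password for root` that follows is reported as a suspected compromise, while the single failure from 198.51.100.4 is not. The "hundreds of different ports" in the original post are the client's ephemeral source ports, one per connection attempt; `source_ports` counts them only to make the point that they are not a separate indicator. Real logs need the year added (or a journald/ISO timestamp format) before comparing events across a year boundary.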
Sounds like your system was compromised. The best solution at this point would be to rebuild and put in place a comprehensive security strategy that will try to prevent these types of intrusions. First you need to be able to prevent intrusions by setting up firewalls, good permissions, and common sense practices (e.g. not allowing direct root access, disabling unnecessary services, etc...). Next you need a system to detect intrusions. Look at tools like tripwire, snort. And lastly you need to have an action plan in place to deal with security violations. There are many good references out there on how to build comprehensive strategies that will go a long way in securing your environment. Look at the O'Reilly series of books on security. You may also want to check out one of the best books out there on computer security called "Hacking Exposed". You'll get a lot of useful tips there.

Hope this helps.

Boston Technology Group
http://www.bostontechgroup.com
support@bostontechgroup.com
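Added example, not from the post above: the "no direct root access" advice translates into sshd_config settings, and the most common way to get them wrong is not the value but where the directive sits. sshd uses the first value it reads for a keyword (a later duplicate is silently ignored) and treats everything after a `Match` line as conditional. The audit below parses a config with those rules and reports the weak settings beside a hardened version. The two configs are constructed for this example; the checks encode my own hardening baseline, not the thread's, and the "value assumed when absent" defaults are those of the OpenSSH releases of that era (PermitRootLogin yes, PasswordAuthentication yes, MaxAuthTries 6).

```python
import re

# Constructed sample: roughly what a default install of that era shipped.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed hardened counterpart. The Match block re-enables passwords for
# one management subnet only; sshd applies it conditionally, so it must not be
# read as a global setting.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
AllowUsers mike
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return the global settings with sshd's own semantics: keywords are
    case-insensitive, the first value seen for a keyword wins, and parsing of
    global defaults stops at the first Match line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) < 2:
            continue
        settings.setdefault(key, parts[1].strip())   # first occurrence wins
    return settings


def audit_sshd_config(text):
    """List the settings that leave the daemon exposed to password guessing.
    Defaults assumed for absent directives are the pre-OpenSSH-7.0 ones."""
    cfg = parse_sshd_config(text)
    findings = []

    def value(key, default):
        return cfg.get(key, default).lower()

    if value("permitrootlogin", "yes") not in {"no", "without-password", "prohibit-password"}:
        findings.append("PermitRootLogin allows root password logins; set it to no")
    if value("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is on; use PubkeyAuthentication and set it to no")
    try:
        tries = int(value("maxauthtries", "6"))
    except ValueError:
        tries = 6
    if tries > 3:
        findings.append(f"MaxAuthTries is {tries}; 3 gives a guesser fewer tries per connection")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: every local account is a valid login target")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or ["ok"])
```

The parser is deliberately strict about placement: a `PermitRootLogin no` that someone appended below an existing `PermitRootLogin yes`, or below a `Match` block, is exactly the kind of edit that looks fixed and is not, and the audit reports it as still open. On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this script is for reading a config file off a box you cannot run it on.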
Hm, bsd_mike, are you sure that your system has been broken into? I've seen such unsuccessful attempts to log in to a system I'm responsible for many times. Well, I think that there are people who are just trying a great range of IPs for default passwords like root/root, root/admin, root/password ... After I noticed such an attempt to log in to my system from IPs unknown to me, I just put in some firewall rules. The rules were on the main firewall and they were blocking all outside ssh/telnet traffic. I think that there are no problems now, but maybe I'm just taking the risk. However, as you are saying, your system is 2 years old and maybe it's time to install a more current one :)