Machine compromised

bhiksha bhiksha at merl.com
Wed Dec 20 05:05:51 UTC 2006


Hi,

I've installed FC5 on my machine.
In the past month, when I was away, some hackers (who seem to come in
from machines in Canada, Croatia, Italy, and AOL) ran a dictionary attack on
my machine, and managed to break into an account called "backup".

I'm not sure if "backup" was a valid account in the first place -- the logs
show that the hackers failed to log in to backup twice, and then successfully
logged in ever after.

It's easy to make out that it's a classic dictionary attack -- they've tried
about a hundred userids, and attempted to log in several thousand times.
They tried "backup" thrice and managed to get in.

I'm particularly concerned that either
a. "backup" is not a standard account and they managed to create it
   nevertheless
or
b. They managed to log in to a standard installation account, which should
   really have had /bin/false as shell and should not have been
   log-into-able.

Please advise. I'm trying to ensure this doesn't happen again.
In the meantime, I've written to the postmaster at AOL about the hacker.

Thanks
Bhiksha
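The log triage described in the mail above (many userids tried, thousands of attempts, then a success on "backup"), as an added example that is not part of the original message or of any Fedora tool. It parses sshd lines in the format sshd writes to /var/log/secure, counts failures per source address, flags any accepted login from a source that had already failed repeatedly, and reports whether sshd ever tagged the username as "invalid user". sshd adds that tag only when no such account exists, so a failure logged for "backup" without it shows the account was already present before the break-in, which answers question (a) from the log alone. The log lines, host name, addresses and PIDs below are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the /var/log/secure format (not the poster's real log).
SAMPLE_LOG = """\
Dec 12 02:14:03 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2
Dec 12 02:14:05 host sshd[4103]: Failed password for invalid user oracle from 203.0.113.7 port 40212 ssh2
Dec 12 02:14:08 host sshd[4105]: Failed password for root from 203.0.113.7 port 40213 ssh2
Dec 12 02:14:11 host sshd[4107]: Failed password for backup from 203.0.113.7 port 40214 ssh2
Dec 12 02:14:13 host sshd[4109]: Failed password for backup from 203.0.113.7 port 40215 ssh2
Dec 12 02:14:16 host sshd[4111]: Accepted password for backup from 203.0.113.7 port 40216 ssh2
Dec 12 09:30:01 host sshd[5200]: Accepted publickey for bhiksha from 198.51.100.22 port 51020 ssh2
Dec 13 01:02:03 host sshd[6001]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
"""

# "invalid user " is present only when the username has no account on the box.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Turn sshd auth lines into dicts; lines that are not logins are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": m.group("ts"),
            "ok": m.group("result") == "Accepted",
            "method": m.group("method"),
            "user": m.group("user"),
            "invalid": m.group("invalid") is not None,
            "ip": m.group("ip"),
        })
    return events


def summarize_by_source(events):
    """Per source IP: number of failures, distinct userids tried, accepted logins."""
    summary = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for ev in events:
        s = summary[ev["ip"]]
        if ev["ok"]:
            s["accepted"].append((ev["user"], ev["method"]))
        else:
            s["failed"] += 1
            s["users"].add(ev["user"])
    return summary


def find_compromises(events, min_failures=3):
    """Accepted logins from a source that had already failed >= min_failures
    times earlier in the log: the signature of a dictionary attack that worked.
    Events must be in log order."""
    failed_so_far = defaultdict(int)
    hits = []
    for ev in events:
        if ev["ok"]:
            if failed_so_far[ev["ip"]] >= min_failures:
                hits.append((ev["ts"], ev["ip"], ev["user"], ev["method"],
                             failed_so_far[ev["ip"]]))
        else:
            failed_so_far[ev["ip"]] += 1
    return hits


def first_seen_as_invalid(events, user):
    """True if sshd marked the first failure for `user` as 'invalid user'
    (no such account then), False if the account already existed,
    None if the user never failed a login."""
    for ev in events:
        if ev["user"] == user and not ev["ok"]:
            return ev["invalid"]
    return None


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, s in summarize_by_source(evs).items():
        print(f"{ip}: {s['failed']} failures, {len(s['users'])} userids, "
              f"accepted={s['accepted']}")
    for ts, ip, user, method, n in find_compromises(evs):
        existed = "existed" if first_seen_as_invalid(evs, user) is False else "did not exist"
        print(f"COMPROMISE {ts}: {ip} logged in as {user} via {method} "
              f"after {n} failures; account {existed} before the attack")
```

To use it on a real host, replace SAMPLE_LOG with the contents of /var/log/secure (and its rotated copies). Whatever the report says, the box has run attacker code as at least the "backup" user, so the safe course is to preserve the logs, rebuild from install media, and only then lock the account (`usermod -L backup`, `usermod -s /sbin/nologin backup`) and set `PasswordAuthentication no` in /etc/ssh/sshd_config so dictionary attacks have nothing to guess.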
