Never Hacked or Infected--Yet (Was: Re: End of life for FC12?)

Hiisi saippua5 at gmail.com
Thu Nov 11 08:20:33 UTC 2010


Thu, 2010-11-11 at 14:28 +0800, Ed Greshko wrote:
> On 11/11/2010 02:19 PM, Patrick Bartek wrote:
> > --- On Wed, 11/10/10, Andras Simon <szajmi at gmail.com> wrote:
> >
> >> I hope that you're not deluding yourself...
> > Why would you think I am?
> >
> >
> Because it is a whole lot of "fun" to play the speculation game....  Some
> people have too much time on their hands....
> 
> 

I think this question shouldn't be associated only with someone's
speculation or paranoia. These are typical entries from logwatch reports
on my machine:
--------------------- pam_unix Begin ------------------------ 

 dovecot:
    Authentication Failures:
       web6p5 rhost=178.77.68.97 : 242 Time(s)
       web7p1 rhost=178.77.68.97 : 239 Time(s)
       web6p4 rhost=178.77.68.97 : 238 Time(s)
       web6p3 rhost=178.77.68.97 : 235 Time(s)
       web6p2 rhost=178.77.68.97 : 232 Time(s)
.....
sshd:
    Authentication Failures:
       unknown (mail.access350.co.ke): 845 Time(s)
       root (222.33.56.100): 800 Time(s)
 vsftpd:
    Authentication Failures:
       Administrator rhost=ns.medicalyohin.com : 2283 Time(s)
       admin rhost=ns.medicalyohin.com : 2283 Time(s)
    Password Failures:
       user unknown: 4566 Time(s)

Also there are a lot of 404 error messages from httpd, when somebody
(something?) looked for the mysql or phpmyadmin web configuration:
--------------------- httpd Begin ------------------------
......
//php-my-admin/config/config.inc.php?p=phpinfo();
.....

When I first saw it all I was scared that occasionally THEY will guess
the root passwd and take control over my machine. So, I did a bit of
modification of the stock configuration (i.e. ssh root login is now
forbidden, every user on the system has a strong passwd, phpmyadmin is
uninstalled, the system is always up-to-date and so on). Probably I should
also configure rkhunter or sshd to allow only 3 authentication failures
before blacklisting the intruder IP. Anyway, this topic is not a joke!
THEY ARE hunting for us!
-- 
Never trust an operating system you don't have sources for. ;-)
	-- Unknown source
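Added example (mine, not code from the original post or from any Fedora
list participant): the "N failures, then blacklist the source" logic that the
post above wishes for, run over constructed syslog lines in the sshd and
pam_unix formats that logwatch summarises in the report quoted above. Every
address, hostname and username in the sample is made up (RFC 5737
documentation ranges and the .invalid TLD); the 3-failure threshold, the
600-second window, and the year-less timestamp handling are assumptions
chosen for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the original post). Addresses come from
# the RFC 5737 documentation ranges; hostnames use the .invalid TLD.
SAMPLE_LOG = """\
Nov 11 08:00:01 mail sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Nov 11 08:00:03 mail sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Nov 11 08:00:04 mail sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Nov 11 08:00:09 mail sshd[2004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Nov 11 08:01:00 mail sshd[2010]: Failed password for bob from 198.51.100.7 port 50001 ssh2
Nov 11 08:01:10 mail sshd[2011]: Accepted password for bob from 198.51.100.7 port 50002 ssh2
Nov 11 08:02:00 mail vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=ns.example.invalid
Nov 11 08:02:01 mail vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=ns.example.invalid
Nov 11 08:02:02 mail vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=ns.example.invalid
Nov 11 08:03:00 mail dovecot: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.44  user=web6p5
Nov 11 09:00:00 mail dovecot: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.44  user=web6p5
Nov 11 10:00:00 mail dovecot: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.44  user=web6p5
"""

# Classic syslog prefix "Mon DD HH:MM:SS host ..."; the year is not in the line.
SYSLOG_LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<rest>.*)$")
# sshd's own failure message.
SSHD_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+) port \d+")
# pam_unix failure message as emitted by dovecot, vsftpd (and sshd when it uses PAM).
PAM_FAILURE = re.compile(
    r"(?P<service>\w+)(?:\[\d+\])?: pam_unix\(\w+:auth\): authentication failure;"
    r".*?ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S*)(?: +user=(?P<user>\S+))?")


def parse_failures(log_text):
    """Extract (timestamp, service, user, rhost) for every authentication failure."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        # Assumption: no year in the timestamp, so strptime defaults to 1900;
        # that is enough to order lines within one log file.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        rest = m.group("rest")
        f = SSHD_FAILED.search(rest)
        if f:
            events.append((ts, "sshd", f.group("user"), f.group("rhost")))
            continue
        f = PAM_FAILURE.search(rest)
        if f:
            user = f.group("user") or f.group("ruser") or "unknown"
            events.append((ts, f.group("service"), user, f.group("rhost")))
    return events


def summarize(events):
    """logwatch-style tally: (service, user, rhost) -> number of failures."""
    counts = defaultdict(int)
    for _ts, service, user, rhost in events:
        counts[(service, user, rhost)] += 1
    return dict(counts)


def find_offenders(events, max_failures=3, window_seconds=600):
    """Return {rhost: time of ban} for sources that reach max_failures
    failures inside a sliding window of window_seconds (fail2ban-style)."""
    recent = defaultdict(deque)
    banned = {}
    for ts, _service, _user, rhost in sorted(events):
        if rhost in banned:
            continue
        q = recent[rhost]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= max_failures:
            banned[rhost] = ts
    return banned


def block_rules(banned):
    """iptables commands for banned sources. Hostnames are skipped: resolving
    them at rule time would block whatever the name happens to point at then."""
    rules = []
    for rhost in sorted(banned):
        try:
            ipaddress.ip_address(rhost)
        except ValueError:
            continue
        rules.append(f"iptables -I INPUT -s {rhost} -j DROP")
    return rules


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    for key, n in sorted(summarize(evs).items()):
        print(f"{key[0]:8s} {key[1]:14s} rhost={key[2]} : {n} Time(s)")
    for rule in block_rules(find_offenders(evs)):
        print(rule)
```

On the sample, 203.0.113.5 (four sshd failures in eight seconds) and
ns.example.invalid (three vsftpd failures in two seconds) cross the threshold,
while 192.0.2.44 does not: its three dovecot failures are spread over two
hours, so a 10-minute window never holds all of them. Note that sshd's own
`MaxAuthTries` only caps attempts per connection and never blocks the source;
`PermitRootLogin no` removes the most-targeted account; and rkhunter is a
rootkit scanner, not a brute-force blocker. The source-blocking part of what
the post asks for is what fail2ban (or the logic above) provides.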