Pantek Library

Re:

From: Bruno Saverio Delbono <bruno.delbono(at)devil.lucifer.at>
Date: Mon Nov 11 2002 - 17:48:37 EST


At 05:34 PM 11/11/2002 -0500, Jon Quiros wrote:
>I got back from a trip last night and noticed a new user in my passwd

Neat. A hacker! :-)...stupid one too :P

>koped:*:1010:10:Mr. Kopad Koped:/home/koped:/bin/csh

>these are the connections i see the person made (as koped):

He never cleaned the /var/log for his trace? Interesting...

>Nov 9 13:39:13 tlaloc sshd[10102]: Accepted password for koped from

>I also see this for one of the addresses in authlog:

I get a hundred of these a day at times. I wonder who would want to brute-force via ssh (*sigh*)

>Does it look like
>a) a brute force attack to ssh right when i set pf to allow ssh

No.

>b) could i have been compromised through the then unpatched smrsh

You need a local account for this.

>c) i haven't the nearest clue but you can help me see things i'm not

I may go as far as to suggest that they may have tried to get in via ssh. See http://online.securityfocus.com/bid/5093

I think vanilla 3.1 is vulnerable to this.

Also see http://blow.packetfu.org:1337/hnd.html

Bruno

Received on Mon Nov 11 18:00:45 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:31:29 EDT

