pkgsrc-Users archive


Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?



On Fri, Jan 12, 2007 at 05:17:13PM +0800, Water NB wrote:
> In recent days, a cracker keeps attacking my host.
> The cracker's IP is from Japan, Croatia and some countries.
> But I guess it is the same cracker, who remote-controlled those hosts,
> because he always did the same things:
> 1) try to ssh account one by one: root, postfix, ... cyrus.
> 2) at last, login successfully via account cyrus.
> 3) install a program psyBNC 2.3.1 under /tmp and run it.
> 4) sometimes he changes the password of cyrus.
> 
> Question 1) Is it a bug of sshd?
> Yesterday, I changed the password of cyrus to 16 characters which contain
> digits, symbols and capital/lowercase letters, so I think it is more
> secure.
> But this morning I found the cracker still logged into the system after only
> two tries.

Did you check for .rhosts, .shosts or authorized_keys files the
cracker could have set up to get back in without a password?

-- 
Manuel Bouyer, LIP6, Universite Paris VI.           
Manuel.Bouyer%lip6.fr@localhost
     NetBSD: 26 years of experience will always make the difference
--
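
The check suggested in the reply above can be run over every account at once. This is an added example, not part of the original message: a POSIX sh function that reads a passwd(5)-format file and reports each .rhosts, .shosts and authorized_keys file it finds, with the number of entries. The function name `audit_trust_files`, its optional ROOT argument and the sample tree are assumptions constructed for this sketch.

```shell
#!/bin/sh
# Added example: list files that grant password-less login, per account.
# Usage: audit_trust_files PASSWD_FILE [ROOT]
#   ROOT is prepended to each home directory (a mounted disk image or a
#   test tree); it is a parameter of this sketch, not of any system tool.
audit_trust_files() {
    passwd_file=$1
    root=${2:-}
    # passwd(5) fields: name:passwd:uid:gid:gecos:home:shell
    while IFS=: read -r user _pw _uid _gid _gecos home _shell; do
        case $user in ''|'#'*) continue ;; esac
        [ -n "$home" ] || continue
        # authorized_keys2 is the legacy name older OpenSSH releases also read.
        for rel in .rhosts .shosts .ssh/authorized_keys .ssh/authorized_keys2; do
            f=$root$home/$rel
            [ -f "$f" ] || continue
            # Count non-blank, non-comment lines: each is one trust entry or key.
            n=$(grep -c -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$f" || true)
            # Output columns (tab-separated): account, file, entry count.
            printf '%s\t%s\t%s\n' "$user" "$f" "$n"
        done
    done < "$passwd_file"
}

# Constructed sample tree (not from the thread): a service account whose
# home directory contains a planted key, and a user account with none.
demo=$(mktemp -d)
mkdir -p "$demo/var/cyrus/.ssh" "$demo/home/alice"
printf 'ssh-rsa CONSTRUCTED-KEY planted\n' > "$demo/var/cyrus/.ssh/authorized_keys"
printf '%s\n' 'cyrus:*:60:60:Cyrus:/var/cyrus:/bin/sh' \
              'alice:*:1000:100:Alice:/home/alice:/bin/sh' > "$demo/passwd"
audit_trust_files "$demo/passwd" "$demo"
rm -rf "$demo"
```

On a live host, run `audit_trust_files /etc/passwd` as root. Any hit under a service account's home directory deserves a look at the file's contents and modification time.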


