Linode Forum
Linode Community Forums 		 FAQFAQ    SearchSearch    MembersMembers      Register Register 
 LoginLogin [ Anonymous ] 
Post new topic  Reply to topic

Board index » Linux Community Forums » General Discussion
  Previous topic | Next topic 
Author Message
zunzun
PostPosted: Thu Jan 24, 2008 9:23 pm 
Offline
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
Quote:
"According to cPanel, if you are unable to create a directory name beginning with a numeral -- as in mkdir 1 -- you're infected. Another test is to monitor the packets from the server with the following tcpdump command:

tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"

One great unknown thus far is how the servers come to be infected. Absent any forensic evidence of break-ins, the current thinking is that the malware authors gained access to the servers using stolen root passwords."


http://www.linux.com/feature/125548

James
Top
   
Reply with quote  
cz9qvh
 Post subject:
PostPosted: Fri Jan 25, 2008 3:22 pm 
Offline
Senior Newbie

Joined: Sat Jan 19, 2008 8:37 pm
Posts: 19
scary stuff. time to go back to work on my firewall script, heh.
Top
   
Reply with quote  
rjp
 Post subject:
PostPosted: Mon Jan 28, 2008 10:40 am 
Offline
Senior Member
User avatar

Joined: Fri Aug 15, 2003 2:15 pm
Posts: 111
Website: http://fubegra.net/
I can't help but think that successful SSH brute-force password attacks are at least part of the problem. My systems get hammered with bruteforcers daily (never mind that I disable passwords in favor of keys for SSH access).

_________________
Bus error (passengers dumped)
Top
   
Reply with quote  
blogpuzzles
 Post subject: Disable root login.
PostPosted: Wed Feb 20, 2008 9:30 pm 
Offline
Senior Newbie

Joined: Tue Feb 19, 2008 11:13 pm
Posts: 16
Yet another compelling reason to disable root logins via SSH. :)

_________________
Add fun puzzles to your site: BlogPuzzles.net
Top
   
Reply with quote  
Risar
 Post subject:
PostPosted: Sat May 03, 2008 3:01 pm 
Offline
Senior Newbie

Joined: Tue Apr 29, 2008 8:31 pm
Posts: 7
http://denyhosts.sourceforge.net/
Top
   
Reply with quote  
Deckert
 Post subject:
PostPosted: Sun May 04, 2008 6:43 pm 
Offline
Senior Member
User avatar

Joined: Sat Mar 24, 2007 6:09 pm
Posts: 59
Location: South Africa
Or just rate-limit incoming connections to your SSH server. I've seen excellent results with this:

Code:
# rate limit incomig port 22 connections
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j DROP


That will limit the number of connections coming from one IP to two per minute. Anything more and it gets blocked. If they keep on hitting it, it stays blocked. Best of all, access from your own IP is not affected.

--deckert
Top
   
Reply with quote  
ravasolutions
 Post subject: fail2ban + fwbuilder
PostPosted: Mon Jun 16, 2008 12:08 am 
Offline
Newbie

Joined: Wed May 21, 2008 8:59 pm
Posts: 4
ICQ: 160235155
Website: http://www.RavaSolutions.com
Yahoo Messenger: ychonry
Location: Stamford, CT
- get fail2ban to take care of any future bruteforce attacks
- get fwbuilder to manage your IP tables with ease
- make sure you dont run your apache as root
- read milion other tips on google about securing your apache webserver
Top
   
Reply with quote  
Display posts from previous:  Sort by  
Post new topic  Reply to topic

Board index » Linux Community Forums » General Discussion


Who is online

Users browsing this forum: apkehoe and 5 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  
RSS

Powered by phpBB® Forum Software © phpBB Group