Re: possible hack thoughts please

From: Christophe Vandeplas (christophe_at_vandeplas.com)
Date: 06/17/05

  • Next message: John Gallet: "Re: possible hack thoughts please" 
    Date: Fri, 17 Jun 2005 09:06:04 +0200

    epicwinter@hotmail.com wrote:
    > Thanks for the reply. Yeah but what concerns me is that i got the hits
    > from the same kiddie ip to both the computers i was working on through
    > ssh which are on completely different class c. Could the kiddie have
    > been listening in on my ssh connection or something?
    >

    Script kiddies are usually just doing mass ip-ranges, go to sleep (even
    go to school during the day) and afterwards looking at the results.
    So it's really possible that he scanned more than one class C network.
    (usually it's only one or 2 very specific services that they are looking
    for)

    Well, my test server gets scanned like that every 2 or 3 days...

    If you doubt about the integrity of your server you should run a
    chkrootkit to see if any of the important binaries have been replaced by
    an untrustable version.

    Also have a look at the list of users on your system to check that no
    extra user has been added.
    Look at the ssh logins to check that unusual logins of (yourself or
    another user) are not in the list.

    But if you have an updated system, a script kiddie shouldn't be able to
    enter your machine... 

    -- 
-------------------------------------
Christophe 'ElCascador' Vandeplas
GSM: +32 (0)486/64.10.33
email: christophe(at)vandeplas(dot)com
http://www.vandeplas.com
GnuPG:1024D/14913897: 66BD A9EB 0357 D80F 20D4  D698 3B2B E562 1491 3897
-------------------------------------
*** PLEASE ***
"Never send mass-mails/forward to this email address.
 Please add the email-address to the BCC field (Blind Carbon Copy)
 or send the mail separately to me."
  • Next message: John Gallet: "Re: possible hack thoughts please"