Re: help needed after intrusion from a ssh dictionary attack



jinzishuai@xxxxxxxxx wrote:
Hello

One of our lab machines running Redhat Enterprise 3 has been intruded by
somebody. He used a simple ssh dictionary attack but unfortunately our
root is enabled through ssh and the root password was not strong
enough. We got a report that there were 3GB of unexpected traffic during
that day through ssh.

Goodness...

Now we are going to reset the root password but for some other reasons
we don't want to disable root login through ssh.

What you should do is unplug the compromised box from the net, backup your data, wipe out the rest and reinstall Linux. With regard to "for some other reasons we don't want to disable root login....", imho, that is bad thinking. At least disable password login and use private/public RSA/DSA key authentication.


So I would like to do a dictionary attack on our machine first to make
sure our password is strong enough. Is there any well-known hacking
software that I can download and try to see if our system is secure?
Thanks a lot.

Bad thinking...
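As an added example (not part of the original thread), the script below checks the sshd settings the reply asks for (password logins off, root restricted to key authentication) and scans an auth log for the pattern the poster describes: many failed password attempts from one address followed by an accepted root login. The function names are hypothetical, the config files and log lines are constructed, and the assumed defaults for absent keywords are the permissive ones of older OpenSSH releases.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the two things the reply
# recommends (turn off password logins, keep root on keys only) and scan the
# auth log for the dictionary-attack pattern the poster describes. Function
# names are hypothetical; the config files and log lines below are constructed.

# Effective value (lowercased) of one sshd_config keyword. sshd applies the
# first occurrence of a keyword, so the first match wins; $3 is the value to
# assume when the keyword is absent.
sshd_setting() {
    v=$(awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Print OK/WEAK for one keyword: $1 config, $2 keyword, $3 assumed default,
# $4 space-separated list of acceptable values. Returns 1 when weak.
check_setting() {
    v=$(sshd_setting "$1" "$2" "$3")
    for want in $4; do
        if [ "$v" = "$want" ]; then printf 'OK    %s %s\n' "$2" "$v"; return 0; fi
    done
    printf 'WEAK  %s %s (want one of: %s)\n' "$2" "$v" "$4"
    return 1
}

# Audit one sshd_config. Assumed defaults are the permissive ones of older
# OpenSSH releases, so an absent keyword counts as weak. The reply's "at least"
# alternative to PermitRootLogin no is key-only root (without-password on old
# sshd, prohibit-password on current ones). ChallengeResponseAuthentication is
# checked because with PAM it still lets password guessing through even when
# PasswordAuthentication is "no".
audit_sshd_config() {
    weak=0
    check_setting "$1" PermitRootLogin yes "without-password prohibit-password no" || weak=1
    check_setting "$1" PasswordAuthentication yes "no" || weak=1
    check_setting "$1" ChallengeResponseAuthentication yes "no" || weak=1
    check_setting "$1" PubkeyAuthentication yes "yes" || weak=1
    return $weak
}

# Count "Failed password" lines per source address and flag any source that
# afterwards got an accepted root password login: one guess finally worked.
# $1 auth log, $2 minimum failure count to report.
ssh_guess_report() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        /sshd\[[0-9]+\]: Accepted password for root from/ {
            for (i = 1; i <= NF; i++) if ($i == "from") root_in[$(i + 1)] = 1
        }
        END {
            for (ip in fails) {
                if (fails[ip] >= thr) {
                    tag = (ip in root_in) ? " then root login ACCEPTED" : ""
                    printf "%s %d failures%s\n", ip, fails[ip], tag
                }
            }
        }' "$1"
}

# ---- constructed sample inputs ----
work=$(mktemp -d)
weak_cfg=$work/sshd_config.weak         # the state the poster describes
hardened_cfg=$work/sshd_config.hardened # what the reply asks for
auth_log=$work/auth.log

cat > "$weak_cfg" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$hardened_cfg" <<'EOF'
Port 22
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF

# Addresses come from the documentation ranges; times and PIDs are made up.
cat > "$auth_log" <<'EOF'
Jan 12 03:14:07 lab sshd[2211]: Failed password for root from 192.0.2.10 port 4412 ssh2
Jan 12 03:14:09 lab sshd[2213]: Failed password for invalid user admin from 192.0.2.10 port 4413 ssh2
Jan 12 03:14:12 lab sshd[2215]: Failed password for root from 192.0.2.10 port 4415 ssh2
Jan 12 03:15:00 lab sshd[2220]: Accepted password for root from 192.0.2.10 port 4420 ssh2
Jan 12 04:00:01 lab sshd[2300]: Failed password for alice from 198.51.100.7 port 5000 ssh2
Jan 12 04:00:30 lab sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 5001 ssh2
EOF

echo "== weak config =="; audit_sshd_config "$weak_cfg" || echo "-> needs fixing"
echo "== hardened config =="; audit_sshd_config "$hardened_cfg" && echo "-> ok"
echo "== sources with 3 or more failed passwords =="; ssh_guess_report "$auth_log" 3
```

Run it as-is to see the three reports; point `audit_sshd_config` at a real `/etc/ssh/sshd_config` and `ssh_guess_report` at the real auth log (`/var/log/secure` on Red Hat systems) to check a box of your own. The audit only reads the first occurrence of each keyword, which is how sshd resolves duplicates, so a permissive line placed above a hardened one is reported as weak, as it should be.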


