[mythtv-users] ssh attack

Mike stuff at dustsmoke.com
Mon Jan 2 20:44:21 UTC 2006


Darren Hart wrote:

> I'm sure nobody here is dumb enough to do this, but since I was, 
> thought I'd pass the word.
>
> There is an ssh attack going around with a brute force login using 
> 2187 different username/password pairs, one such pair happens to be:
>
> mythtv:mythtv
>
> Like I said, I'm sure no one else but me thought that was a good idea 
> :-)  Once in they must have found some app to exploit and get root, 
> then it starts scanning addresses - to propagate I guess.  There are 
> some indications that cupsys may have been the culprit there.  Anyway, 
> just a heads up, it manifests itself with several sshf processes 
> running (78 in my case) and lots of failed login attempts in 
> /var/log/auth.log*
>
> --Darren


A good thing to do is block out all ssh logins from accounts you don't 
want ssh from. And they don't really do it by exploiting root first. 
There are a few worms out there that find holes in your run of the mill 
php applications like cacti or phpbb. It essentially cats a perl script 
in tmp and then inits it with perl as a process. Then that totally 
oblivious server sits there with a user process that runs out checking 
usernames and passwords on random ip's to see if they get in on anything. 
Then it notifies whoever set themselves up with the ip, username and 
password so they can do 'whatever' on that machine depending on how they 
got it.

Basic rule of thumb with ssh: don't let anything except predefined 
accounts log into ssh (especially root). You log in with your 
predefined account and su to root when you need it. And don't have blank 
or matching username/passwords.

After that, since my usernames and passwords are obscure anyway, I 
simply ignore these attacks. (Not that I leave mythtv open to the 
outside anyway; I use mod_proxy from an external apache system to 
forward requests to and from the myth backend's web interface. I always 
have to get around via that one gateway machine that I have hardened.) 
Then I set up logcheck, logwatch, snmp and snort to review what is 
happening for me. At least make sure you're using logwatch to review logs 
each day. Then you won't have too many surprises. But these attacks with 
mythtv:mythtv have been going on for quite some time now.

-Mike
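Mike's advice comes down to two things: read the sshd failures in auth.log every day, and restrict ssh to named accounts (AllowUsers, PermitRootLogin no) so a guessed mythtv:mythtv pair cannot log in even if the password is weak. The script below is an added example, not code from either poster or from the MythTV project. It parses a handful of constructed auth.log lines (hostname, addresses and process ids are made up; the "Failed password for invalid user X from Y" wording is what OpenSSH of that era logged, and exact phrasing varies by version), counts failures per source address, lists the usernames the scanner tried, flags a success that follows a run of failures from the same address (the "they got in" case), and reports any account that logged in but would not be on your AllowUsers line.

```python
"""Review sshd failures in auth.log the way a daily logwatch pass would,
then check the results against an AllowUsers-style policy.
Added example; not part of the original mailing-list post."""

import re
from collections import Counter, defaultdict

# Constructed sample lines, not a real capture.  Hostname, PIDs and
# addresses are made up; the message wording follows 2006-era OpenSSH.
SAMPLE_AUTH_LOG = """\
Jan  2 20:41:03 mythbox sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jan  2 20:41:05 mythbox sshd[4123]: Failed password for invalid user test from 203.0.113.7 port 41030 ssh2
Jan  2 20:41:07 mythbox sshd[4125]: Failed password for mythtv from 203.0.113.7 port 41041 ssh2
Jan  2 20:41:09 mythbox sshd[4127]: Failed password for root from 203.0.113.7 port 41055 ssh2
Jan  2 20:41:11 mythbox sshd[4129]: Accepted password for mythtv from 203.0.113.7 port 41060 ssh2
Jan  2 20:41:12 mythbox sshd[4129]: pam_unix(sshd:session): session opened for user mythtv by (uid=0)
Jan  2 20:50:30 mythbox sshd[4201]: Failed password for darren from 192.0.2.10 port 50112 ssh2
Jan  2 20:50:40 mythbox sshd[4203]: Accepted publickey for darren from 192.0.2.10 port 50113 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for
# [invalid user] <user>"; any other sshd/pam line is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per sshd login attempt, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ok"] = d.pop("result") == "Accepted"
            events.append(d)
    return events


def failures_by_source(events, threshold):
    """Source addresses with at least `threshold` failed logins."""
    counts = Counter(e["ip"] for e in events if not e["ok"])
    return {ip: n for ip, n in counts.items() if n >= threshold}


def guessed_usernames(events):
    """Usernames seen in failed logins: the scanner's wordlist as seen from here."""
    return Counter(e["user"] for e in events if not e["ok"])


def successes_after_guessing(events, min_failures):
    """(ip, user) pairs where a login succeeded after `min_failures` or more
    earlier failures from the same address.  One typo is normal; a run of
    failures followed by success is a guessed password."""
    failed_so_far = defaultdict(int)
    hits = []
    for e in events:
        if e["ok"]:
            if failed_so_far[e["ip"]] >= min_failures:
                hits.append((e["ip"], e["user"]))
        else:
            failed_so_far[e["ip"]] += 1
    return hits


def logins_outside_policy(events, allowed_users):
    """Accounts that did log in but are not in the set you would put in
    sshd_config's AllowUsers.  root is never in that set (PermitRootLogin no)."""
    allowed = set(allowed_users) - {"root"}
    return sorted({e["user"] for e in events if e["ok"] and e["user"] not in allowed})


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    print("noisy sources:", failures_by_source(ev, 3))
    print("usernames tried:", dict(guessed_usernames(ev)))
    print("success after guessing:", successes_after_guessing(ev, 3))
    print("logins outside AllowUsers:", logins_outside_policy(ev, ["darren"]))
```

On the sample data the 203.0.113.7 run is flagged (four failures, then a password login as mythtv), the single failed attempt by darren followed by a key login is not, and mythtv shows up as an account that logged in but is outside an AllowUsers list of just darren, which is exactly the account to remove from ssh access. To run it against a real box, feed the contents of /var/log/auth.log to parse_auth_log instead of the constructed string.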

