[mythtv-users] ssh attack
Mike
stuff at dustsmoke.com
Mon Jan 2 20:44:21 UTC 2006
Darren Hart wrote:
> I'm sure nobody here is dumb enough to do this, but since I was,
> thought I'd pass the word.
>
> There is an ssh attack going around with a brute force login using
> 2187 different username/password pairs, one such pair happens to be:
>
> mythtv:mythtv
>
> Like I said, I'm sure no one else but me thought that was a good idea
> :-) Once in they must have found some app to exploit and get root,
> then it starts scanning addresses - to propagate I guess. There are
> some indications that cupsys may have been the culprit there. Anyway,
> just a heads up, it manifests itself with several sshf processes
> running (78 in my case) and lots of failed login attempts in
> /var/log/auth.log*
>
> --Darren
A good thing to do is block out all ssh logins from accounts you don't
want ssh from. And they don't really do it by exploiting root first.
There are a few worms out there that find holes in your run of the mill
php applications like cacti or phpbb. It essentially cats a perl script
in tmp and then inits it with perl as a process. Then that totally
oblivious server sits there with a user process that runs out checking
usernames and passwords on random IPs to see if they get in on anything.
Then it notifies whoever set themselves up with the IP, username and
password so they can do 'whatever' on that machine depending on how they
got it.
Basic rule of thumb with ssh, don't let anything except predefined
accounts log into ssh (especially root). You log in with your
predefined account and su to root when you need it. And don't have blank
or matching username/passwords.
After that, since my usernames and passwords are obscure anyways, I
simply ignore these attacks. (Not that I leave mythtv open to the
outside anyways; I use mod_proxy from an external apache system to
forward requests to and from the myth backend's web interface. I always
have to get around via that one gateway machine that I have hardened.)
Then I set up logcheck, logwatch, snmp and snort to review what is
happening for me. At least make sure you're using logwatch to review logs
each day. Then you won't have too many surprises. But these attacks with
mythtv:mythtv have been going on for quite some time now.
-Mike
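As an added example, not from the thread, here is a small Python script that does the kind of auth.log review Mike describes: it counts failed sshd password attempts per source address and per username over a few constructed log lines, and flags any accepted login that came from an address that had been guessing, or that used a password on a default application account such as mythtv. The hostname, pids and addresses in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample in the format sshd writes to /var/log/auth.log.
# Hostname, pids and addresses are invented for this example.
SAMPLE_AUTH_LOG = """\
Jan  2 20:40:01 mythbox sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jan  2 20:40:03 mythbox sshd[4123]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2
Jan  2 20:40:05 mythbox sshd[4125]: Failed password for mythtv from 198.51.100.7 port 40141 ssh2
Jan  2 20:40:06 mythbox sshd[4127]: Failed password for mythtv from 198.51.100.7 port 40150 ssh2
Jan  2 20:40:09 mythbox sshd[4129]: Accepted password for mythtv from 198.51.100.7 port 40163 ssh2
Jan  2 20:41:30 mythbox sshd[4140]: Failed password for root from 203.0.113.9 port 51010 ssh2
Jan  2 20:42:00 mythbox sshd[4151]: Accepted publickey for darren from 192.0.2.10 port 50234 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

# Accounts that an install typically creates and that a guessing
# dictionary is likely to contain; "mythtv" is the one from the thread.
DEFAULT_ACCOUNTS = {"mythtv", "root", "admin", "test"}


def summarize_auth_log(text, threshold=3):
    """Return failure counts and the accepted logins worth a second look."""
    failures_by_ip = Counter()
    failures_by_user = Counter()
    accepted = []  # (user, ip, auth method)
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            failures_by_ip[ip] += 1
            failures_by_user[user] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group(2), m.group(3), m.group(1)))
    # An address with `threshold` or more failures is treated as guessing.
    guessing_ips = {ip for ip, n in failures_by_ip.items() if n >= threshold}
    # Flag a success from a guessing address, or a password login on a default account.
    suspicious = [(u, ip, method) for u, ip, method in accepted
                  if ip in guessing_ips or (u in DEFAULT_ACCOUNTS and method == "password")]
    return {"failures_by_ip": dict(failures_by_ip),
            "failures_by_user": dict(failures_by_user),
            "guessing_ips": guessing_ips,
            "suspicious_logins": suspicious}


if __name__ == "__main__":
    for key, value in summarize_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

On a real system, feed it the contents of /var/log/auth.log* instead of the sample; a key-based login from a clean address, like the darren line above, is not flagged.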