Тема: Ботнет атакува!!! :) (Прочетена 4189 пъти)

bog_ara · « -: Oct 15, 2009, 15:28 »

Само към мен ли е това специално внимание или ме гони параноя?

gentoo bob # lastb -n 180
root ssh:notty cmr-208-124-171- Thu Oct 15 14:39 - 14:39 (00:00)
root ssh:notty 213.246.205.150 Thu Oct 15 14:38 - 14:38 (00:00)
root ssh:notty 117.121.220.194 Thu Oct 15 14:32 - 14:32 (00:00)
root ssh:notty rrcs-24-227-210- Thu Oct 15 14:24 - 14:24 (00:00)
root ssh:notty laubervilliers-1 Thu Oct 15 14:10 - 14:10 (00:00)
root ssh:notty ip-207-177.sn2.e Thu Oct 15 14:09 - 14:09 (00:00)
root ssh:notty freehost.net.au Thu Oct 15 14:01 - 14:01 (00:00)
root ssh:notty 218.202.4.243 Thu Oct 15 14:00 - 14:00 (00:00)
root ssh:notty churchconcord.or Thu Oct 15 13:57 - 13:57 (00:00)
root ssh:notty 81-65-206-182.re Thu Oct 15 13:54 - 13:54 (00:00)
root ssh:notty dwolp.de Thu Oct 15 13:49 - 13:49 (00:00)
root ssh:notty 58.62.239.150 Thu Oct 15 13:38 - 13:38 (00:00)
root ssh:notty 71.80-203-230.ne Thu Oct 15 13:36 - 13:36 (00:00)
root ssh:notty freehost.net.au Thu Oct 15 13:34 - 13:34 (00:00)
root ssh:notty 81.31.150.68 Thu Oct 15 13:33 - 13:33 (00:00)
root ssh:notty 196.219.80.187 Thu Oct 15 13:24 - 13:24 (00:00)
root ssh:notty host15-67-dynami Thu Oct 15 13:24 - 13:24 (00:00)
root ssh:notty 75.127.64.121 Thu Oct 15 13:22 - 13:22 (00:00)
root ssh:notty churchconcord.or Thu Oct 15 13:20 - 13:20 (00:00)
root ssh:notty 85.105.109.163 Thu Oct 15 13:20 - 13:20 (00:00)
root ssh:notty 81-65-206-182.re Thu Oct 15 13:11 - 13:11 (00:00)
root ssh:notty pomme.sai.msu.ru Thu Oct 15 13:09 - 13:09 (00:00)
root ssh:notty 62.225.63.99 Thu Oct 15 13:08 - 13:08 (00:00)
root ssh:notty v34204.1blu.de Thu Oct 15 13:05 - 13:05 (00:00)
root ssh:notty 85.92.145.186 Thu Oct 15 12:53 - 12:53 (00:00)
root ssh:notty rrcs-24-227-210- Thu Oct 15 12:53 - 12:53 (00:00)
root ssh:notty 117.102.102.165 Thu Oct 15 12:51 - 12:51 (00:00)
root ssh:notty relevantmusic.de Thu Oct 15 12:50 - 12:50 (00:00)
root ssh:notty 82.207.113.255 Thu Oct 15 12:48 - 12:48 (00:00)
root ssh:notty 188-193-191-72-d Thu Oct 15 12:43 - 12:43 (00:00)
root ssh:notty 211-20-225-199.h Thu Oct 15 12:43 - 12:43 (00:00)
root ssh:notty r200-40-80-34.ae Thu Oct 15 12:39 - 12:39 (00:00)
root ssh:notty mail.ingener.com Thu Oct 15 12:39 - 12:39 (00:00)
root ssh:notty laubervilliers-1 Thu Oct 15 12:36 - 12:36 (00:00)
root ssh:notty relevantmusic.de Thu Oct 15 12:33 - 12:33 (00:00)
root ssh:notty h95-155-228-37.d Thu Oct 15 12:32 - 12:32 (00:00)
root ssh:notty dsl212-235-117-2 Thu Oct 15 12:30 - 12:30 (00:00)
root ssh:notty ip4da3f197.direc Thu Oct 15 12:28 - 12:28 (00:00)
root ssh:notty cpe-76-187-240-1 Thu Oct 15 12:26 - 12:26 (00:00)
root ssh:notty erroumedia.stati Thu Oct 15 12:20 - 12:20 (00:00)
root ssh:notty 85.185.74.218 Thu Oct 15 12:17 - 12:17 (00:00)
root ssh:notty mail.tuempresa.u Thu Oct 15 12:15 - 12:15 (00:00)
root ssh:notty 58.181.152.99 Thu Oct 15 12:06 - 12:06 (00:00)
root ssh:notty 41.204.193.148 Thu Oct 15 12:02 - 12:02 (00:00)
root ssh:notty 81-65-206-182.re Thu Oct 15 12:01 - 12:01 (00:00)
root ssh:notty 220.247.163.253 Thu Oct 15 11:59 - 11:59 (00:00)
root ssh:notty 219.64.119.232 Thu Oct 15 11:58 - 11:58 (00:00)
root ssh:notty static0620381511 Thu Oct 15 11:58 - 11:58 (00:00)
root ssh:notty 85.92.218.80 Thu Oct 15 11:57 - 11:57 (00:00)
root ssh:notty 218.30.22.140 Thu Oct 15 11:56 - 11:56 (00:00)
root ssh:notty mail.auto-kanizs Thu Oct 15 11:53 - 11:53 (00:00)
root ssh:notty ip-64-139-28-236 Thu Oct 15 11:51 - 11:51 (00:00)
root ssh:notty 41.204.128.68 Thu Oct 15 11:49 - 11:49 (00:00)
root ssh:notty forumrsvp.com Thu Oct 15 11:47 - 11:47 (00:00)
root ssh:notty 41.204.193.148 Thu Oct 15 11:43 - 11:43 (00:00)
root ssh:notty 83.229.112.28 Thu Oct 15 11:42 - 11:42 (00:00)
root ssh:notty 83.142.148.178 Thu Oct 15 11:38 - 11:38 (00:00)
root ssh:notty static0620381511 Thu Oct 15 11:33 - 11:33 (00:00)
root ssh:notty freehost.net.au Thu Oct 15 11:30 - 11:30 (00:00)
root ssh:notty 183-bi2-2.acn.wa Thu Oct 15 11:22 - 11:22 (00:00)
root ssh:notty matrix.brunomarq Thu Oct 15 11:21 - 11:21 (00:00)
root ssh:notty 188-193-191-72-d Thu Oct 15 11:16 - 11:16 (00:00)
root ssh:notty rrcs-24-123-34-1 Thu Oct 15 11:13 - 11:13 (00:00)
root ssh:notty 66.212.1.34 Thu Oct 15 11:11 - 11:11 (00:00)
root ssh:notty dacit.cs.uni-dor Thu Oct 15 11:10 - 11:10 (00:00)
root ssh:notty 196.203.53.248 Thu Oct 15 11:09 - 11:09 (00:00)
root ssh:notty laubervilliers-1 Thu Oct 15 11:08 - 11:08 (00:00)
root ssh:notty ubuntuhal.stockt Thu Oct 15 11:07 - 11:07 (00:00)
root ssh:notty 59.93.105.38 Thu Oct 15 11:07 - 11:07 (00:00)
root ssh:notty 85.126.166.90 Thu Oct 15 11:03 - 11:03 (00:00)
root ssh:notty 1.pins3.xdsl.nau Thu Oct 15 10:54 - 10:54 (00:00)
root ssh:notty 218.30.22.140 Thu Oct 15 10:52 - 10:52 (00:00)
root ssh:notty 53.red-80-38-27. Thu Oct 15 10:44 - 10:44 (00:00)
root ssh:notty 87.244.222.14 Thu Oct 15 10:42 - 10:42 (00:00)
root ssh:notty ip-64-250-228-66 Thu Oct 15 10:36 - 10:36 (00:00)
root ssh:notty mail.ingener.com Thu Oct 15 10:35 - 10:35 (00:00)
root ssh:notty freehost.net.au Thu Oct 15 10:31 - 10:31 (00:00)
root ssh:notty 220.247.163.253 Thu Oct 15 10:31 - 10:31 (00:00)
root ssh:notty cmr-208-124-171- Thu Oct 15 10:30 - 10:30 (00:00)
root ssh:notty bucho.co.zw Thu Oct 15 10:15 - 10:15 (00:00)
root ssh:notty 83.142.148.10 Thu Oct 15 10:14 - 10:14 (00:00)
root ssh:notty 189.221.152.247 Thu Oct 15 10:12 - 10:12 (00:00)
root ssh:notty 217.194.133.58 Thu Oct 15 10:11 - 10:11 (00:00)
root ssh:notty 83.142.149.130 Thu Oct 15 10:09 - 10:09 (00:00)
root ssh:notty cpe-76-187-240-1 Thu Oct 15 10:02 - 10:02 (00:00)
root ssh:notty 217.73.200.86 Thu Oct 15 09:59 - 09:59 (00:00)
root ssh:notty 196.219.80.187 Thu Oct 15 09:57 - 09:57 (00:00)
root ssh:notty 89.185.231.112 Thu Oct 15 09:48 - 09:48 (00:00)
root ssh:notty 86.35.93.36 Thu Oct 15 09:46 - 09:46 (00:00)
root ssh:notty 121.147.224.92 Thu Oct 15 09:45 - 09:45 (00:00)
root ssh:notty 86.35.93.36 Thu Oct 15 09:41 - 09:41 (00:00)
root ssh:notty rrcs-24-227-210- Thu Oct 15 09:41 - 09:41 (00:00)
root ssh:notty 124.107.32.54 Thu Oct 15 09:40 - 09:40 (00:00)
root ssh:notty static-71-161-16 Thu Oct 15 09:37 - 09:37 (00:00)
root ssh:notty 74-212-228-162.s Thu Oct 15 09:36 - 09:36 (00:00)
root ssh:notty lputeaux-156-16- Thu Oct 15 09:36 - 09:36 (00:00)
root ssh:notty 92.61.193.138 Thu Oct 15 09:32 - 09:32 (00:00)
root ssh:notty static-72-85-249 Thu Oct 15 09:31 - 09:31 (00:00)
root ssh:notty ip-64-250-228-66 Thu Oct 15 09:27 - 09:27 (00:00)
root ssh:notty dialbs-088-079-1 Thu Oct 15 09:26 - 09:26 (00:00)
root ssh:notty 211-20-225-199.h Thu Oct 15 09:25 - 09:25 (00:00)
root ssh:notty a213-22-131-238. Thu Oct 15 09:22 - 09:22 (00:00)
root ssh:notty r200-40-80-34.ae Thu Oct 15 09:15 - 09:15 (00:00)
root ssh:notty rtg.co.zw Thu Oct 15 09:15 - 09:15 (00:00)
root ssh:notty 201.40.123.5 Thu Oct 15 09:12 - 09:12 (00:00)
root ssh:notty 211-20-225-199.h Thu Oct 15 09:11 - 09:11 (00:00)
root ssh:notty sozialraum.bioch Thu Oct 15 09:10 - 09:10 (00:00)
root ssh:notty sozialraum.bioch Thu Oct 15 09:07 - 09:07 (00:00)
root ssh:notty 60.49.234.149 Thu Oct 15 09:05 - 09:05 (00:00)
root ssh:notty 190.25.136.132 Thu Oct 15 09:04 - 09:04 (00:00)
root ssh:notty 81-65-206-182.re Thu Oct 15 09:02 - 09:02 (00:00)
root ssh:notty 173.175.95.219.k Thu Oct 15 09:01 - 09:01 (00:00)
root ssh:notty 190.25.136.132 Thu Oct 15 09:00 - 09:00 (00:00)
root ssh:notty mailgate2.binato Thu Oct 15 08:59 - 08:59 (00:00)
root ssh:notty 219.234.95.164 Thu Oct 15 08:58 - 08:58 (00:00)
root ssh:notty adsl-068-157-239 Thu Oct 15 08:56 - 08:56 (00:00)
root ssh:notty 66.212.1.34 Thu Oct 15 08:55 - 08:55 (00:00)
root ssh:notty imr5.mech.ar.wro Thu Oct 15 08:53 - 08:53 (00:00)
root ssh:notty li24-159.members Thu Oct 15 08:52 - 08:52 (00:00)
root ssh:notty a213-22-131-238. Thu Oct 15 08:48 - 08:48 (00:00)
root ssh:notty 212.175.47.29 Thu Oct 15 08:45 - 08:45 (00:00)
root ssh:notty 200.233.69.10 Thu Oct 15 08:44 - 08:44 (00:00)
root ssh:notty 84.124.52.98.sta Thu Oct 15 08:43 - 08:43 (00:00)
root ssh:notty 201.40.123.5 Thu Oct 15 08:42 - 08:42 (00:00)
root ssh:notty 74.43.232.147 Thu Oct 15 08:41 - 08:41 (00:00)
root ssh:notty 77.215.99.102 Thu Oct 15 08:39 - 08:39 (00:00)
root ssh:notty static-71-166-15 Thu Oct 15 08:35 - 08:35 (00:00)
root ssh:notty hsi-kbw-078-043- Thu Oct 15 08:34 - 08:34 (00:00)
root ssh:notty 69.red-80-33-156 Thu Oct 15 08:33 - 08:33 (00:00)
root ssh:notty 58.62.239.150 Thu Oct 15 08:31 - 08:31 (00:00)
root ssh:notty 58.60.106.2 Thu Oct 15 08:31 - 08:31 (00:00)
root ssh:notty 89.185.231.112 Thu Oct 15 08:27 - 08:27 (00:00)
root ssh:notty sianecki.pl Thu Oct 15 08:25 - 08:25 (00:00)
root ssh:notty rrcs-24-227-212- Thu Oct 15 08:23 - 08:23 (00:00)
root ssh:notty rrcs-24-227-210- Thu Oct 15 08:21 - 08:21 (00:00)
root ssh:notty v1660.ncsrv.de Thu Oct 15 08:20 - 08:20 (00:00)
root ssh:notty 213.144.228.190 Thu Oct 15 08:11 - 08:11 (00:00)
root ssh:notty mail.cafe.tg Thu Oct 15 08:11 - 08:11 (00:00)
root ssh:notty 82.160.33.5 Thu Oct 15 08:09 - 08:09 (00:00)
root ssh:notty copyworld.co.zw Thu Oct 15 08:08 - 08:08 (00:00)
root ssh:notty 202.102.245.109 Thu Oct 15 08:03 - 08:03 (00:00)
root ssh:notty 115.168.35.219 Thu Oct 15 08:00 - 08:00 (00:00)
root ssh:notty 81.210.113.66 Thu Oct 15 07:59 - 07:59 (00:00)
root ssh:notty 200.152.205.99 Thu Oct 15 07:55 - 07:55 (00:00)
root ssh:notty forumrsvp.com Thu Oct 15 07:51 - 07:51 (00:00)
root ssh:notty static0620381511 Thu Oct 15 07:50 - 07:50 (00:00)
root ssh:notty 60.51.198.173 Thu Oct 15 07:48 - 07:48 (00:00)
root ssh:notty lputeaux-156-16- Thu Oct 15 07:46 - 07:46 (00:00)
root ssh:notty 222.61.225.112 Thu Oct 15 07:45 - 07:45 (00:00)
root ssh:notty gabor.bolyh.hu Thu Oct 15 07:43 - 07:43 (00:00)
root ssh:notty static-195.22.76 Thu Oct 15 07:42 - 07:42 (00:00)
root ssh:notty 211-20-225-199.h Thu Oct 15 07:42 - 07:42 (00:00)
root ssh:notty h95-155-228-37.d Thu Oct 15 07:41 - 07:41 (00:00)
root ssh:notty 89-149-240-175.i Thu Oct 15 07:40 - 07:40 (00:00)
root ssh:notty static.184.53.40 Thu Oct 15 07:37 - 07:37 (00:00)
root ssh:notty 218.69.27.138 Thu Oct 15 07:34 - 07:34 (00:00)
root ssh:notty rrcs-24-227-212- Thu Oct 15 07:32 - 07:32 (00:00)
root ssh:notty 200.152.205.99 Thu Oct 15 07:32 - 07:32 (00:00)
root ssh:notty 86.57.250.45 Thu Oct 15 07:30 - 07:30 (00:00)
root ssh:notty 213.255.219.77 Thu Oct 15 07:29 - 07:29 (00:00)
root ssh:notty cpe-66-68-190-16 Thu Oct 15 07:26 - 07:26 (00:00)
root ssh:notty copyworld.co.zw Thu Oct 15 07:24 - 07:24 (00:00)
root ssh:notty 61.183.0.26 Thu Oct 15 07:23 - 07:23 (00:00)
root ssh:notty p54a7099f.dip0.t Thu Oct 15 07:19 - 07:19 (00:00)
root ssh:notty vgtrk-hst2.real. Thu Oct 15 07:18 - 07:18 (00:00)
root ssh:notty rtg.co.zw Thu Oct 15 07:16 - 07:16 (00:00)
root ssh:notty 196.203.53.248 Thu Oct 15 07:14 - 07:14 (00:00)
root ssh:notty 60-250-76-208.hi Thu Oct 15 07:13 - 07:13 (00:00)
root ssh:notty 58.108.186.149 Thu Oct 15 07:13 - 07:13 (00:00)
root ssh:notty 60-250-76-208.hi Thu Oct 15 07:08 - 07:08 (00:00)
root ssh:notty 61.17.230.26 Thu Oct 15 07:06 - 07:06 (00:00)
root ssh:notty s05.hix.nl Thu Oct 15 07:04 - 07:04 (00:00)
root ssh:notty 222.61.225.112 Thu Oct 15 07:03 - 07:03 (00:00)
root ssh:notty 222.177.15.78 Wed Oct 14 18:30 - 18:30 (00:00)
root ssh:notty 125.88.99.18 Wed Oct 14 18:29 - 18:29 (00:00)
root ssh:notty 86.57.250.45 Wed Oct 14 18:28 - 18:28 (00:00)
root ssh:notty 141.2.183.101 Wed Oct 14 18:26 - 18:26 (00:00)
root ssh:notty hsi-kbw-091-089- Wed Oct 14 18:24 - 18:24 (00:00)

btmp begins Thu Oct 1 11:00:18 2009

ntrance · « **Отговор #1 -:** Oct 15, 2009, 15:34 »

root@sysmaster:/home/sysmaster# lastb -n 180
root Tue Oct 13 17:40 - 17:40 (00:00)
root Tue Oct 13 17:40 - 17:40 (00:00)
sysmaste tty7 :0 Mon Oct 12 14:04 - 14:04 (00:00)

btmp begins Mon Oct 12 14:04:00 2009
root@sysmaster:/home/sysmaster#

root@******:~# lastb -n 180

btmp begins Thu Oct 1 06:25:19 2009
root@*****:~#

Mай не те гони да ти кажа :Д

bog_ara · « **Отговор #2 -:** Oct 15, 2009, 15:58 »

Така е вече втори ден. Използвам от около месец denyhosts, в /etc/hosts.deny вече имам около 8000 адреса.

Прави ми впечатление колко много машини се използват за да се бутне рут паролата, която съм забранил по ssh.

Минава ми през главата следния въпрос: Не съм ли вече част от ботнет?

ntrance · « **Отговор #3 -:** Oct 15, 2009, 16:03 »

Смени порта на SSH , Спри роот login , Смени си паролата , дай само на 1 IPadres to allow ssh. Инталирай си portsentry + fail2ban .!!!!

Провери за scp , za rsync за активни съмнителни процеси !!! Провери за клучове да нямат "ssh-keygens" ..!!!
Защото като гледам !!! лога ти

работата ти е много зле незнам дали знаеш !!!

NqqmNet · « **Отговор #4 -:** Oct 15, 2009, 17:37 »

Всъщност и аз имам проблеми..
root ssh:notty 220.225.217.183 Mon Oct 12 19:40 - 19:40 (00:00)
globus ssh:notty 220.225.217.183 Mon Oct 12 19:40 - 19:40 (00:00)
root ssh:notty host61-149-stati Mon Oct 12 18:52 - 18:52 (00:00)
root ssh:notty 203.116.198.165 Mon Oct 12 13:04 - 13:04 (00:00)
root ssh:notty 203.116.198.165 Mon Oct 12 13:04 - 13:04 (00:00)
root ssh:notty 203.116.198.165 Mon Oct 12 13:04 - 13:04 (00:00)
root ssh:notty 203.116.198.165 Mon Oct 12 13:04 - 13:04 (00:00)
root ssh:notty 203.116.198.165 Mon Oct 12 13:04 - 13:04 (00:00)
root ssh:notty 203.116.198.165 Mon Oct 12 13:04 - 13:04 (00:00)
root ssh:notty 203.116.198.165 Mon Oct 12 13:04 - 13:04 (00:00)
root ssh:notty 203.116.198.165 Mon Oct 12 13:04 - 13:04 (00:00)
root ssh:notty 203.116.198.165 Mon Oct 12 13:04 - 13:04 (00:00)
root ssh:notty 203.116.198.165 Mon Oct 12 13:04 - 13:04 (00:00)
root ssh:notty 203.116.198.165 Mon Oct 12 13:04 - 13:04 (00:00)
gopher ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
rpc ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
rpcuser ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
nfsnobod ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
mailnull ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
workshop ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
desktop ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
aptproxy ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
popa3d ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
divine ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
harrypot ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
radiomai ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
snort ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
james ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
dan ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
frank ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
zzz ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
sys ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
proxy ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
eleve ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
list ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
irc ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
jeff ssh:notty 200.20.215.131 Mon Oct 12 10:31 - 10:31 (00:00)
gnats ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
identd ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
telnetd ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
eppc ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
qtss ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
cyrusima ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
mailman ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
appserve ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
clamav ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
amavisd ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
jabber ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
xgridcon ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
agent ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
xgridage ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
appowner ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
windowse ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
tokend ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
security ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
unknown ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
dean ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
smmsp ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
uucp ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
halt ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
shutdown ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
sync ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
lp ssh:notty 200.20.215.131 Mon Oct 12 10:30 - 10:30 (00:00)
daemon ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
bin ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
admins ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
admins ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
users ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
sshd ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
sgi ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
operator ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
rpm ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
amanda ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
party ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
richard ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
robert ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
sara ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
search ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
ssh ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
steven ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
sunny ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
susan ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
webpop ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
ident ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
adm ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
mail ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
pgsql ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
games ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
angel ssh:notty 200.20.215.131 Mon Oct 12 10:29 - 10:29 (00:00)
news ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
john ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
john ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
george ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
richard ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
stephen ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
adam ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
wwwrun ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
www ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
web ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
sales ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
shop ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
info ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
backup ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
root ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
nobody ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
pop ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
httpd ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
http ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
www-data ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
data ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
alan ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
mike ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
brett ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
alex ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
danny ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
root ssh:notty 200.20.215.131 Mon Oct 12 10:28 - 10:28 (00:00)
root ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
root ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
test ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
admin ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
root ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
user ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
username ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
webmaste ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
test ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
test ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
root ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
root ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
admin ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
admin ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
admin ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
admin ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
root ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
root ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
root ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
root ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
root ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
master ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
guest ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
admin ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
root ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
root ssh:notty 200.20.215.131 Mon Oct 12 10:27 - 10:27 (00:00)
test ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
library ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
administ ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
username ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
ftpuser ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
visitor ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
named ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
newslett ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
core ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
tony ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
info ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
mysql ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
pgsql ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
apache ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
web ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
david ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
user ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
linux ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
admin ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
guest ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
root ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
paul ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
postgres ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
postfix ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
postmast ssh:notty 200.20.215.131 Mon Oct 12 10:26 - 10:26 (00:00)
webmaste ssh:notty 200.20.215.131 Mon Oct 12 10:25 - 10:25 (00:00)
test ssh:notty 200.20.215.131 Mon Oct 12 10:25 - 10:25 (00:00)
ftp ssh:notty 200.20.215.131 Mon Oct 12 10:25 - 10:25 (00:00)
michael ssh:notty 200.20.215.131 Mon Oct 12 10:25 - 10:25 (00:00)
oracle ssh:notty 200.20.215.131 Mon Oct 12 10:25 - 10:25 (00:00)
cyrus ssh:notty 200.20.215.131 Mon Oct 12 10:25 - 10:25 (00:00)
virus ssh:notty 200.20.215.131 Mon Oct 12 10:25 - 10:25 (00:00)
spam ssh:notty 200.20.215.131 Mon Oct 12 10:25 - 10:25 (00:00)
webadmin ssh:notty 200.20.215.131 Mon Oct 12 10:25 - 10:25 (00:00)
tomcat ssh:notty 200.20.215.131 Mon Oct 12 10:25 - 10:25 (00:00)
samba ssh:notty 200.20.215.131 Mon Oct 12 10:25 - 10:25 (00:00)
office ssh:notty 200.20.215.131 Mon Oct 12 10:25 - 10:25 (00:00)
alias ssh:notty 200.20.215.131 Mon Oct 12 10:25 - 10:25 (00:00)

Представа си нямам к'во иска въпросният тип

bog_ara · « **Отговор #5 -:** Oct 15, 2009, 20:32 »

Цитат на: ntrance в Oct 15, 2009, 16:03

Смени порта на SSH , Спри роот login , Смени си паролата ....

Направено

След ден, два ще съобщя резултата.

Цитат на: ntrance в Oct 15, 2009, 16:03

... дай само на 1 IPadres to allow ssh.

не мога, защото се свързвам от динамичен адрес. Неудобно ми е.

Цитат на: ntrance в Oct 15, 2009, 16:03

Инталирай си portsentry + fail2ban .!!!!

denyhost не върши ли същата работа?

Цитат на: ntrance в Oct 15, 2009, 16:03

Провери за scp , za rsync за активни съмнителни процеси !!! Провери за клучове да нямат "ssh-keygens" ..!!!

Ще проверя, но не знам как.

Цитат на: ntrance в Oct 15, 2009, 16:03

Защото като гледам !!! лога ти работата ти е много зле незнам дали знаеш !!!

В интерес на истината наистина не знам

. Надявам се не е станало нещо фатално.

ntrance · « **Отговор #6 -:** Oct 15, 2009, 20:44 »

Нe fail2ban и portsentry , долу горе има същатата процедура да спирам и да вкарват ипта-та в /etc/hosts.deny , но с други функции и по по различен начин. Прочети за тях дълго е за обяснение.
Я виж колко юсер може се логват
grep "/bin/bash" /etc/passwd един от начините е това
за ssh-keygen провери в /home/user/.ssh/ /root/.ssh/ и търси *.pub ili
find / -type f -name *.pub -exec ls -la {} \; . Но гледай къде са

За rsync и scp ps -fe |grep scp ps -fe |grep rsync
И гледаш дали има активни процеси

bog_ara · « **Отговор #7 -:** Oct 15, 2009, 21:03 »

За ail2ban и portsentry ще погледна утре на по свежа глава.

Цитат на: ntrance в Oct 15, 2009, 20:44

Я виж колко юсер може се логват
grep "/bin/bash" /etc/passwd един от начините е това
за ssh-keygen провери в /home/user/.ssh/ /root/.ssh/ и търси *.pub ili
find / -type f -name *.pub -exec ls -la {} \; . Но гледай къде са

За rsync и scp ps -fe |grep scp ps -fe |grep rsync
И гледаш дали има активни процеси

gentoo bob # grep "/bin/bash" /etc/passwd
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/bin/bash
bob:x:1000:1000::/home/bob:/bin/bash

gentoo bob # find / -type f -name *.pub -exec ls -la {} \;
-r--r--r-- 1 root root 1750 29 юли 11,00 /usr/lib/perl5/5.8.8/CPAN/PAUSE2003.pub
-rw-r--r-- 1 nx root 601 10 авг 11,51 /etc/nxserver/users.id_dsa.pub
-rw-r--r-- 1 root root 601 25 юли 22,58 /etc/ssh/ssh_host_dsa_key.pub
-rw-r--r-- 1 root root 330 25 юли 22,58 /etc/ssh/ssh_host_key.pub
-rw-r--r-- 1 root root 393 25 юли 22,58 /etc/ssh/ssh_host_rsa_key.pub
-rw-r--r-- 1 root vmware 182 27 мар 2009 /etc/vmware/hostd/key.pub
-rw-r--r-- 1 root root 451 27 мар 2009 /opt/vmware/server/lib/isoimages/tools-key.pub

bob@gentoo ~ $ ps -fe |grep rsync
bob 30711 30574 0 21:02 pts/1 00:00:00 grep --colour=auto rsync
bob@gentoo ~ $ ps -fe |grep scp
bob 30713 30574 0 21:02 pts/1 00:00:00 grep --colour=auto scp

ntrance · « **Отговор #8 -:** Oct 15, 2009, 21:33 »

Не виждам нищо не редно да ти кажа. Споко

bog_ara · « **Отговор #9 -:** Oct 15, 2009, 21:39 »

Благодаря за отделеното време и за съветите. След ден два ще пиша каво е положението с невалидните опити за вход.

ivanatora · « **Отговор #10 -:** Oct 15, 2009, 21:57 »

Смени само адреса. При мен това премахна всички записи в lastb. Сложи си и "PermitRootLogin no" в sshd_config, ако искаш да си по-спокоен.

lod · « **Отговор #11 -:** Oct 15, 2009, 23:25 »

най - първо пусни един rkhunter да ти сканира дялата система за инталирани rootkits, че като гледам е сериозно положението.

gat3way · « **Отговор #12 -:** Oct 16, 2009, 10:54 »

Параноя

Замислете се малко - ако ботнета се опитва да се логне като root, пък root logins са забранени, ще загуби доволно много време, което може да оползотвори, пробвайки върху друга система, където са разрешени. Затова си трайте - правите едно добро дело

ivanatora · « **Отговор #13 -:** Oct 16, 2009, 11:21 »

Да, но понякога се пробват и различни потребителски имена, някои от които съществуват по повечето машини.
Една статистика съм си направил тук: http://ivanatora.info/2008/03/06/lastb-funny-stats/#more-46

ntrance · « **Отговор #14 -:** Oct 16, 2009, 11:51 »

Цитат на: gat3way в Oct 16, 2009, 10:54

Параноя

Замислете се малко - ако ботнета се опитва да се логне като root, пък root logins са забранени, ще загуби доволно много време, което може да оползотвори, пробвайки върху друга система, където са разрешени. Затова си трайте - правите едно добро дело

Да но кога го е забранил! Това са си реални

hydra върши чудесна работа ... И тя не спи ... Пускаш я правиш си един лог с пароли и наспиваш се и сутринта гледаш

. В нета има достатъчно популярни

Автор Тема: Ботнет атакува!!! :) (Прочетена 4189 пъти)

bog_ara

Ботнет атакува!!! :)

ntrance

Re: Ботнет атакува!!! :)

bog_ara

Re: Ботнет атакува!!! :)

ntrance

Re: Ботнет атакува!!! :)

NqqmNet

Re: Ботнет атакува!!! :)

bog_ara

Re: Ботнет атакува!!! :)

ntrance

Re: Ботнет атакува!!! :)

bog_ara

Re: Ботнет атакува!!! :)

ntrance

Re: Ботнет атакува!!! :)

bog_ara

Re: Ботнет атакува!!! :)

ivanatora

Re: Ботнет атакува!!! :)

lod

Re: Ботнет атакува!!! :)

gat3way

Re: Ботнет атакува!!! :)

ivanatora

Re: Ботнет атакува!!! :)

ntrance

Re: Ботнет атакува!!! :)