Date: Fri, 25 Dec 2009 08:26:19 -0500
From: Dan Langille <dan@langille.org>
To: Chris H <chris#@1command.com>
Cc: freebsd-stable@freebsd.org
Subject: Re: Hacked - FreeBSD 7.1-Release
Message-ID: <4B34BD7B.2050109@langille.org>
In-Reply-To: <ce92ed41260c438977298c2cf9dd1e3f.HRCIM@webmail.1command.com>
References: <bd52e0bd614fbaffcf8c9ff9da35286e@mail.isot.com> <4B20B509.4050501@yahoo.it> <600C0C33850FFE49B76BDD81AED4D25801371D8056@IMCMBX3.MITRE.ORG> <ce92ed41260c438977298c2cf9dd1e3f.HRCIM@webmail.1command.com>
Chris H wrote:
> On Tue, December 22, 2009 8:35 am, Andresen, Jason R. wrote:
>> Squirrel wrote:
>>
>>> Most likely it could be some kind of remote code execution or SQLi executed in
>>> the context of some PHP scripts; you should audit the PHP code of your web
>>> interface and of the websites you host. Also consider the strength of your
>>> passwords: lots of login attempts to ssh/ftp may mean he has tried a
>>> brute force (or a dictionary attack maybe). You should also check webmin logs;
>>> there are a few bruteforcers for webmin out there. (*hint*) Consider the length
>>> of your average password: if it's more than 7-8 characters alphanumeric with
>>> symbols, most likely this isn't the case.
>> While it's true that it's a good idea to check your password strength, pretty
>> much any host connected to the internet is going to be hit daily by bots
>> looking for weak passwords. It's one area where your logs don't help much
>> because there is too much noise.
> That's why there's GREP(1), AWK(1), FIND(1), TAIL(1), and CAT(1).
> Consider the following...
> Adding the following to your /etc/rc.conf:
>
> # SECURITY RELATED
> ####################################
> syslogd_flags="-ss"
> log_in_vain="YES"
> tcp_keepalive="YES"
>
> Now your log file will /really/ sing (log_in_vain="YES").
> Of course, unless you have a great deal of time on your hands, visually parsing
> that "noisy" log will be quite tedious and time consuming. So you have a few
> options...
> If you're running X11, simply run tail in a root window - there are quite a few
> utilities in ports for doing just this - some that'll only write messages you
> want to see.
> You could also create a script out of cron that will only produce messages you
> are interested in, for example:
>
> ~# cat /var/log/messages | grep ssh
>
> will emit any attempt to ssh into your box.
> You can also redirect the messages to a file:
>
> ~# cat /var/log/messages | grep ssh >>~/EVIL_DOERS
>
> You could also add an entry to PERIODIC(8) that will
> provide a daily report on any attempts you are interested in.
>
> HTH
>
> --Chris H

I use security/logcheck:

  Mails anomalies in the system logfiles to the administrator.

  Logcheck helps spot problems, anomalies and security violations in your
  logfiles automatically and will send the summaries to you via e-mail.
  Logcheck is run as a cron job.
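The cron/periodic(8) report Chris H sketches above, written out as a small POSIX sh script. This is an added example, not code from the thread or from FreeBSD; it assumes the standard OpenSSH "Failed password ... from <ip> port <n>" message and the kernel's log_in_vain "Connection attempt to TCP <dst> from <src> flags:..." message, and the log lines it runs on are constructed samples embedded in the script rather than a real /var/log/messages.

```sh
#!/bin/sh
# Added example (not from the original thread): distil sshd authentication
# failures and log_in_vain connection attempts out of a syslog file into a
# per-source-address count, the kind of summary a periodic(8) or cron job
# could mail out daily instead of the raw "noisy" log.

# Constructed sample log lines (RFC 5737 documentation addresses), in the
# layout /var/log/messages would carry with syslogd_flags="-ss" and
# log_in_vain="YES". Only the sshd failures and the kernel's connection
# attempts are of interest; the other lines are there to show they are skipped.
sample_log() {
cat <<'EOF'
Dec 24 03:12:01 box sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Dec 24 03:12:03 box sshd[1234]: Failed password for invalid user oracle from 198.51.100.7 port 51236 ssh2
Dec 24 03:12:09 box sshd[1240]: Failed password for root from 203.0.113.9 port 40122 ssh2
Dec 24 03:13:00 box sshd[1250]: Accepted publickey for dan from 192.0.2.25 port 50000 ssh2
Dec 24 03:14:17 box kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:51300 flags:0x02
Dec 24 03:14:18 box kernel: Connection attempt to TCP 192.0.2.10:3306 from 203.0.113.9:40200 flags:0x02
Dec 24 03:15:00 box cron[1300]: (root) CMD (/usr/libexec/atrun)
EOF
}

# Read syslog lines on stdin; emit "<count> <source-ip>" for sshd password
# failures, busiest source first. Successful logins are not counted.
ssh_failures() {
    grep 'sshd\[[0-9]*\]: Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Read syslog lines on stdin; emit "<count> <source-ip>" for connection
# attempts the kernel logged because nothing was listening (log_in_vain).
in_vain_attempts() {
    grep 'kernel: Connection attempt to TCP' \
      | sed -n 's/.* from \([0-9.]*\):[0-9]* flags.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Daily report over a log file; the two sections are indented so the
# mailed output reads like the other periodic(8) security reports.
report() {
    printf 'SSH authentication failures by source:\n'
    ssh_failures < "$1" | sed 's/^/  /'
    printf '\nConnection attempts to closed ports (log_in_vain) by source:\n'
    in_vain_attempts < "$1" | sed 's/^/  /'
}

# Stand-alone run over the constructed sample; on a real host "$LOG" would
# be /var/log/messages (or whatever syslog.conf routes auth and kernel
# messages to).
LOG="${TMPDIR:-/tmp}/evil_doers_sample.$$"
sample_log > "$LOG"
report "$LOG"
rm -f "$LOG"
```

Pointing `report` at the real log and dropping the script into a periodic(8) directory (for instance /usr/local/etc/periodic/security/ on the reader's own system) gives the daily mail Chris H describes; the per-source counts are what make brute-force noise readable, since one address with hundreds of failures stands out where hundreds of individual lines do not.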