Date:      Thu, 16 Dec 2004 08:49:57 -0500 (EST)
From:      John Von Essen <john@essenz.com>
To:        Peter Jeremy <PeterJeremy@optushome.com.au>
Cc:        John Von Essen <john@essenz.com>
Subject:   Re: brute3.tar.gz
Message-ID:  <20041216083803.A87235@beck.quonix.net>
In-Reply-To: <20041216091351.GD91817@cirb503493.alcatel.com.au>
References:  <20041215184645.B79679@beck.quonix.net> <20041216091351.GD91817@cirb503493.alcatel.com.au>

Running tcpdump to a file worked out. This morning I was able to find the
source machine by looking at that packet capture file. Someone gained
legitimate access to the box via ssh using the oracle user. My stupid
incompetent DBAs never set the password to something that wouldn't be
obvious, like something other than oracle/oracle. Argh! I hate DBAs - all
they do is mess shit up... and yet they make more money than sysadmins
(at least at this company).

-john

On Thu, 16 Dec 2004, Peter Jeremy wrote:

> On Wed, 2004-Dec-15 18:55:20 -0500, John Von Essen wrote:
> >Whatever this thing is, it's tricky. It only runs a few times a day, so it
> >is tough to find the culprit source with ethereal unless I run ethereal
> >all day in packet capture mode.
>
> Depending on how much disk space you have spare on your firewall and
> how much ssh traffic you get normally, running "tcpdump -w ... port 22"
> for a day or so may be feasible.  You can add the target box's address
> to the filter and you won't get anything except the culprit address.
> (Of course, permanently running tcpdump may or may not be practical for
> other reasons).
>
> --
> Peter Jeremy
>

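The "capture to a file, then look for the culprit" approach from the exchange above, as an added example that is not part of the original thread. The capture step is the tcpdump invocation Peter describes, narrowed to the target as he suggests (interface name, file name and the 10.0.0.5 target are assumptions), for example `tcpdump -ni em0 -w ssh.pcap 'port 22 and host 10.0.0.5'`. The script below then does the "looking at that packet capture file" step offline: it walks a classic libpcap file as written by `tcpdump -w`, keeps only TCP SYNs sent to the target's port 22 (so the server's own SYN/ACK replies and later data packets are not mistaken for sources), and reports each remote address with the times it connected, which is exactly what is needed to spot a login that only happens a few times a day. The sample capture, its addresses and its timestamps are constructed inside the script so it runs without tcpdump or root.

```python
"""Summarize which remote addresses opened SSH sessions to one host, from a
pcap file such as one written by:  tcpdump -ni em0 -w ssh.pcap 'port 22 and host 10.0.0.5'

Added example, not code from the original thread. Interface, addresses and
every packet in the sample capture are constructed for illustration."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic, native byte order
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETH_IP4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _tcp_packet(src_ip, dst_ip, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame. Checksums are left zero; neither this
    parser nor `tcpdump -r` verifies them, so that is fine for a sample."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, _ip(src_ip), _ip(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IP4)
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture (target 10.0.0.5): 192.0.2.10 connects twice, hours
    apart, 198.51.100.7 once; the server's SYN/ACK replies and a plain ACK are
    included because a naive 'any packet on port 22' count would miscount them."""
    target = "10.0.0.5"
    records = [
        (1103155200, _tcp_packet("192.0.2.10", target, 40001, 22, TCP_SYN)),
        (1103155200, _tcp_packet(target, "192.0.2.10", 22, 40001, TCP_SYN | TCP_ACK)),
        (1103176800, _tcp_packet("198.51.100.7", target, 51234, 22, TCP_SYN)),
        (1103176800, _tcp_packet(target, "198.51.100.7", 22, 51234, TCP_SYN | TCP_ACK)),
        (1103198400, _tcp_packet("192.0.2.10", target, 40002, 22, TCP_SYN)),
        (1103198401, _tcp_packet("192.0.2.10", target, 40002, 22, TCP_ACK)),  # mid-session, not a new login
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def ssh_sources(pcap, target_ip, port=22):
    """Return {src_ip: [ts_sec, ...]} for every TCP SYN (without ACK) sent to
    target_ip:port. Non-IPv4/non-TCP records are skipped, a truncated final
    record ends parsing quietly, and both pcap byte orders are accepted."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("example handles Ethernet captures only")
    sources = defaultdict(list)
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < incl_len or len(frame) < 14 + 20 + 20:
            break                       # truncated record, or too short for IPv4+TCP headers
        if struct.unpack("!H", frame[12:14])[0] != ETH_IP4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4        # honour IP options rather than assuming 20 bytes
        if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:]
        _sport, dport = struct.unpack("!HH", tcp[:4])
        flags = tcp[13]
        if dst == target_ip and dport == port and flags & TCP_SYN and not flags & TCP_ACK:
            sources[src].append(ts_sec)
    return dict(sources)


if __name__ == "__main__":
    for src, times in ssh_sources(build_sample_pcap(), "10.0.0.5").items():
        print(f"{src}: {len(times)} SSH connection(s) at {times}")
```

To use it on a real capture, replace `build_sample_pcap()` with `open("ssh.pcap", "rb").read()`. Counting only the client's initial SYN is what makes the result a list of sessions rather than packets; if the capture filter was not narrowed to the target host, the `target_ip` argument does the same job after the fact.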


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041216083803.A87235>