On 1/12/07, Water NB <netbsd78@126.com> wrote:
> In the recent days, a cracker always attack my host.
> The cracker's IP is from Japan, Croatia and some coutries.
> But I guess it is the same cracker and remote-conrolled those hosts.
> Because he always did the same works:
> 1) try to ssh account one by one: root, postfix, ... cyrus.
> 2) at last, login successfully via account cyrus.
> 3) install a program psyBNC 2.3.1 under /tmp and run it.
> 4) sometimes he changes the password of cyrus.
>
> Question 1) Is it a bug of sshd?

Probably not. I'm one of the ones who likes to believe that any bugs
in ssh will be quickly known and public. Maybe that's too optimistic.

> Question 2) why /etc/passwd:cyrus has Shell: /bin/sh?
> I think /sbin/nologin is enough.
> In fact, when I change it to /sbin/nologin, the cracker stop cracking
> because he has to logout once he login.

Seems like a good idea to mee.

I had the ssh phishers too, and this is a good way to keep them away
from you and working on someone else:

1. Change your ssh port to something else
2. Set pf to block with a drop policy, so the scanners and hackers
have to wait if they do try (which means they will likely go play
somewhere else in short order).
3. Figure out a way to log attempts to connect to port 22 and then
block those IPs (it's on my list of things to do, I just haven't
figured out how I'm going to do it yet. I think someone else posted a
link)

I'm surprised that a few people think you should start over. I would
seriously hope that a compromised user account wouldn't immediately
prompt paranoia that the box was rooted. I understand that this is a
thoght process that needs to take place, but I would hope that NetBSD
is more hardy than that.

I always keep my install sets somewhere else so I can do a checksum
against some important programs to see if it's been hacked.

I don't claim to be Mr. Security, so you'll probably want to look for
advice from others who have been around a while.

Andy