Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: None <firstname.lastname@example.org, email@example.com, firstname.lastname@example.org>
From: Ignatios Souvatzis <email@example.com>
Date: 01/12/2007 12:56:16
On Fri, Jan 12, 2007 at 11:34:33AM +0000, Chavdar Ivanov wrote:
> On 1/12/07, Water NB <firstname.lastname@example.org> wrote:
> >In the recent days, a cracker always attack my host.
> >The cracker's IP is from Japan, Croatia and some coutries.
> If you ask me, once he is been there, the box is compromised. You have
> to search for rootkits etc. I wouldn't bother, if I were you; I would
> start from scratch.
Good advice, normally.
> >Question 1) Is it a bug of sshd?
> Not likely - but see below.
> >Yesterday, I change the password of cyrus to 16 characters which contain
> >digit, symbol and capital/lowercase letter, So I think it is more
> >But this morning I found the cracker still logined the system after only
> >two tries.
> Key logger? I don't know if such a thing exists for NetBSD, but
> wouldn't be surprised.
Well, once the guy is "in" and has a priviledged account, he can change
the passwd program... and if he only wants to capture cyrus' new password,
he can change cyrus' passwd.
> >Question 2) why /etc/passwd:cyrus has Shell: /bin/sh?
> >I think /sbin/nologin is enough.
> >In fact, when I change it to /sbin/nologin, the cracker stop cracking
> >because he has to logout once he login.
This should be suggested to either the pkg maintainers or to the cyrus
maintainers. Please send a pr about this so that this suggestion isn't
For the record: due to lazyness, I didn't block port 22 when returning
from my last conference, so I have my authlog full of
Jan 11 18:32:42 marie sshd: Invalid user takagi from 18.104.22.168
Jan 11 18:32:42 marie sshd: Failed password for invalid user takagi from 22.214.171.124 port 47462 ssh2
*shrug* such is life - I normally use a different port for ssh to
avoid clogging my authlog with this...
Maybe I should sweep it and notify the admins of those systems.
seal your e-mail: http://www.gnupg.org/