Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Water NB <netbsd78@126.com>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-net
Date: 01/12/2007 15:10:31
On Fri, Jan 12, 2007 at 05:17:13PM +0800, Water NB wrote:
> In recent days, a cracker has been attacking my host.
> The cracker's IPs are from Japan, Croatia and some other countries.
> But I guess it is the same cracker, remote-controlling those hosts.
> Because he always does the same things:
> 1) tries to ssh accounts one by one: root, postfix, ... cyrus.
> 2) at last, logs in successfully via the account cyrus.
> 3) installs a program psyBNC 2.3.1 under /tmp and runs it.
> 4) sometimes he changes the password of cyrus.
> 
> Question 1) Is it a bug of sshd?
> Yesterday, I changed the password of cyrus to 16 characters containing
> digits, symbols and capital/lowercase letters, so I think it is more
> secure.
> But this morning I found the cracker had still logged in to the system after only
> two tries.

Did you check for .rhosts, .shosts or authorized_keys files the
cracker could have set up to get back in without a password?

-- 
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
     NetBSD: 26 years of experience will always make the difference
--
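The check Manuel suggests, as an added example that is not part of this thread: a POSIX shell script that walks a directory of home directories looking for `.rhosts`, `.shosts` and `.ssh/authorized_keys`, and for each file found prints the owner, mode and modification time (to compare against the intrusion timeline) plus the active, non-comment entries (to spot a host or key nobody recognises). Including `.ssh/authorized_keys2` is my assumption, since older sshd versions read it by default; the demo tree it builds under `$TMPDIR` is constructed so the script runs offline.

```shell
#!/bin/sh
# Audit home directories for files that grant logins without a password:
# ~/.rhosts and ~/.shosts (rlogin / ssh host-based trust) and
# ~/.ssh/authorized_keys (public-key login). A cracker who has logged in once
# as a user can drop any of these to get back in later no matter how strong
# the password is made afterwards.

# Trust files to look for, relative to each home directory.
# authorized_keys2 is an assumption: older sshd releases also read it by default.
TRUST_FILES=".rhosts .shosts .ssh/authorized_keys .ssh/authorized_keys2"

# list_trust_files BASE: print the path of every trust file that exists under
# BASE/*/ (BASE is the directory holding the home directories, e.g. /home).
list_trust_files() {
    for home in "$1"/*; do
        [ -d "$home" ] || continue
        for rel in $TRUST_FILES; do
            f="$home/$rel"
            [ -f "$f" ] && printf '%s\n' "$f"
        done
    done
    return 0
}

# count_trust_files BASE: number of trust files found (handy from cron).
count_trust_files() {
    list_trust_files "$1" | wc -l | tr -d ' '
}

# report_trust_files BASE: for each trust file show owner, mode and mtime,
# then its active entries indented, so a surprise host or key stands out.
report_trust_files() {
    list_trust_files "$1" | while read -r f; do
        printf '== %s\n' "$f"
        ls -l "$f"          # owner/mode/mtime; portable across BSD and GNU
        # drop comments and blank lines; grep exits 1 when nothing remains,
        # which is not an error for our purposes
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" | sed 's/^/    /' || true
    done
    return 0
}

# --- constructed demo tree (not a real system) so the script runs offline ---
DEMO="${TMPDIR:-/tmp}/trust-audit-demo.$$"
mkdir -p "$DEMO/cyrus/.ssh" "$DEMO/alice/.ssh" "$DEMO/bob"
# cyrus has a planted .rhosts and an authorized_keys nobody installed on purpose
printf 'attacker-host.example root\n' > "$DEMO/cyrus/.rhosts"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAEXAMPLEKEY unknown@nowhere\n' \
    > "$DEMO/cyrus/.ssh/authorized_keys"
# alice has a legitimate key with a comment line; bob has no trust files at all
printf '# laptop key, added 2006-11\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAEXAMPLEKEY2 alice@laptop\n' \
    > "$DEMO/alice/.ssh/authorized_keys"

report_trust_files "$DEMO"
printf 'trust files found: %s\n' "$(count_trust_files "$DEMO")"
rm -rf "$DEMO"
```

Run it as root against whatever directory holds the home directories; system accounts such as cyrus often live outside /home, so take the home from the password database (`grep '^cyrus:' /etc/passwd`) rather than assuming. Two related places worth the same look are the system-wide trust files /etc/hosts.equiv and /etc/shosts.equiv, and the `AuthorizedKeysFile` setting in sshd_config, which can move the key file somewhere other than ~/.ssh.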