It was bound to happen - suspected hack

Brian Kelsay Brian.Kelsay at kcc.usda.gov
Thu Oct 21 10:58:22 CDT 2004


Block the IPs of the attackers specifically in your iptables rules. Make sure the users that they attempted to log on w/ are disabled, password changed or non-real users. Change root password. It looks like you are already working to allow only your IP to ssh, that's good. Check the other boxes and see if they have been compromised. You should also contact the ISP they are coming from and inform them of the break-in if they did in fact get into your server.

This is where a separate logging firewall w/ snort would help you. You could see how many and what kind of attack attempts were made before they got in.

Brian Kelsay
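
The triage steps in the message above, as an added example that is not part of the original post: it pulls failed sshd password attempts out of an auth log, prints (without running) one iptables DROP rule per source, and lists which targeted names are real local accounts. The function names, the threshold argument and the sample log lines are assumptions made for illustration; the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example. Sample log lines are constructed, not taken from the thread.
sample_log() {
cat <<'EOF'
Oct 21 03:12:01 host sshd[2211]: Failed password for illegal user test from 203.0.113.7 port 40112 ssh2
Oct 21 03:12:04 host sshd[2213]: Failed password for invalid user guest from 203.0.113.7 port 40115 ssh2
Oct 21 03:12:09 host sshd[2215]: Failed password for root from 203.0.113.7 port 40120 ssh2
Oct 21 03:40:55 host sshd[2301]: Failed password for root from 198.51.100.23 port 51544 ssh2
Oct 21 09:02:13 host sshd[2570]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
EOF
}

# Print "count ip" for every source of failed sshd password attempts.
failed_ips() {
  awk '/sshd\[[0-9]+\]: Failed password for / {
         # Use the last "from": the user name before it is remote-supplied.
         for (i = NF - 1; i >= 1; i--) if ($i == "from") break
         ip = $(i + 1)
         # Only a plain dotted quad may reach the generated command line.
         if (i >= 1 && ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[ip]++
       }
       END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Print the distinct account names the failed attempts targeted.
attempted_users() {
  awk '/sshd\[[0-9]+\]: Failed password for / {
         for (i = 1; i < NF; i++) if ($i == "for") break
         u = $(i + 1)
         # Older OpenSSH logs "illegal user", newer "invalid user".
         if ((u == "invalid" || u == "illegal") && $(i + 2) == "user") u = $(i + 3)
         print u
       }' | sort -u
}

# Emit (not run) one DROP rule per source with at least $1 failures (default 1).
block_rules() {
  failed_ips | awk -v min="${1:-1}" '$1 >= min { print "iptables -I INPUT -s " $2 " -j DROP" }'
}

# Targeted names that exist locally and need a lockout or password change.
real_targets() {
  attempted_users | while read -r u; do
    if id "$u" >/dev/null 2>&1; then echo "$u"; fi
  done
}

sample_log | block_rules 2   # review the printed rules before applying them
```

On a live system, feed the functions the real sshd log instead of `sample_log`; its path varies by distribution.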



