Darren Hart wrote:

I'm sure nobody here is dumb enough to do this, but since I was, thought I'd pass the word.

There is an ssh attack going around with a brute force login using 2187 different username/password pairs, one such pair happens to be:

mythtv:mythtv

Like I said, I'm sure no one else but me thought that was a good idea :-) Once in they must have found some app to exploit and get root, then it starts scanning addresses - to propagate I guess. There are some indications that cupsys may have been the culprit there. Anyway, just a heads up, it manifests itself with several sshf processes running (78 in my case) and lots of failed login attempts in /var/log/auth.log*

--Darren


A good thing to do is block out all ssh logins from accounts you don't want ssh from. And they don't really do it by exploiting root first. There are a few worms out there that find holes in your run of the mill php applications like cacti or phpbb. It essentially cats a perl script in tmp and then inits it with perl as a process. Then that totally oblivious server sits there with a user process that runs out checking usernames and passwords on random IPs to see if they get in on anything. Then it notifies whoever set themselves up with the IP, username and password so they can do 'whatever' on that machine depending on how they got it.

Basic rule of thumb with ssh, don't let anything except predefined accounts log into ssh (especially root). You log in with your predefined account and su to root when you need it. And don't have blank or matching usernames/passwords.

After that, since my usernames and passwords are obscure anyway, I simply ignore these attacks. (Not that I leave mythtv open to the outside anyway; I use mod_proxy from an external apache system to forward requests to and from the myth backend's web interface. I always have to get around via that one gateway machine that I have hardened.) Then I set up logcheck, logwatch, snmp and snort to review what is happening for me. At least make sure you're using logwatch to review logs each day. Then you won't have too many surprises. But these attacks with mythtv:mythtv have been going on for quite some time now.

-Mike
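Mike's advice boils down to reviewing /var/log/auth.log for failed logins each day. As an added example (not code from either poster), here is a small Python script that summarises the "Failed password" lines of an auth.log excerpt by source address, lists the usernames tried from each, and flags an accepted password login from an address that had been guessing. The log lines, hostname, IPs and the threshold are constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of a Debian-style /var/log/auth.log.
# Hostname, addresses and accounts are made up for this example.
SAMPLE_AUTH_LOG = """\
Nov  3 02:14:01 mythbox sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Nov  3 02:14:03 mythbox sshd[4123]: Failed password for invalid user test from 198.51.100.7 port 50130 ssh2
Nov  3 02:14:05 mythbox sshd[4125]: Failed password for mythtv from 198.51.100.7 port 50141 ssh2
Nov  3 02:14:08 mythbox sshd[4127]: Accepted password for mythtv from 198.51.100.7 port 50155 ssh2
Nov  3 02:20:11 mythbox sshd[4201]: Failed password for root from 203.0.113.9 port 41000 ssh2
Nov  3 02:20:12 mythbox sshd[4203]: Failed password for root from 203.0.113.9 port 41001 ssh2
Nov  3 02:30:00 mythbox sshd[4300]: Accepted publickey for darren from 192.0.2.10 port 52000 ssh2
"""

# "invalid user" appears when the account does not exist on the box.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def analyze(log_text, threshold=3):
    """Count failed password logins per source and flag a success after guessing."""
    failures_by_ip = Counter()
    users_by_ip = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures_by_ip[ip] += 1
            users_by_ip[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((user, ip, method))
    # Sources that hit the threshold (an assumed value) are treated as guessers.
    brute_force = {ip for ip, n in failures_by_ip.items() if n >= threshold}
    # A password login accepted from a guessing source is the line worth acting on.
    suspicious = [(u, ip, meth) for (u, ip, meth) in accepted
                  if ip in brute_force and meth == "password"]
    return {
        "failures_by_ip": dict(failures_by_ip),
        "users_by_ip": {ip: sorted(u) for ip, u in users_by_ip.items()},
        "brute_force_sources": sorted(brute_force),
        "suspicious_logins": suspicious,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

Point the script at the real file (`analyze(open("/var/log/auth.log").read())`) to get the same summary for a live box.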
_______________________________________________
mythtv-users mailing list
[email protected]
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users