
Mystery infestation strikes Linux/Apache Web sites

Posted by: Anonymous [ip:] on February 03, 2008 11:21 AM
Yes, it is probably brute force, not a ~real~ compromise; certain netblocks seem to get hit harder. I manage several servers in different locations; one server is pretty quiet and hardly ever gets bothered. But a new server I recently brought online in a different location is getting upwards of 50k-100k ssh attempts per week!!! yow!!! I put a 'scumblocker' program on there; it seems like ssh does not place any limits on failed attempts, so I added a program that monitors the message log and starts blocking the IP after n fails. Yup, lots of brute force going on. But it seems to be pretty stupid stuff, very repetitive. One thing they do is test all the service accounts, so don't you dare leave any with default passwords or shell access.

As for MD5 -- hey, thanks for the link!! I've been hearing rumors about the compromise, but this is the first time seeing the article. Here is the link again for any who missed it.

The thing about MD5 collisions is that the length is not the same. So if you compare byte count + MD5, and for good measure do a CRC32 as well, that combo will still detect the change.

However, you might find it simpler to use a Version Control System. Yup, that's what I did, but only for certain directories, and it works great! Give it a try; you might find that it does the trick. Even without virus worries, I find it very useful for tracking changes to /etc and also to websites. Unlike most VCSes, Bazaar does a decent job of dealing with binaries and renames.

codeslinger (compsalot)
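The log-watching approach the comment describes, as an added example that is not part of the original post: it parses a few constructed sshd "Failed password" lines (documentation-range IPs), counts failures per source address, lists the addresses that reached the threshold n, and shows the iptables rule a blocker would hand to the firewall for each. The threshold value, the sample lines and the function names are assumptions, not anything from the poster's own program.

```python
import re
from collections import Counter

# Matches the "Failed password" line OpenSSH writes to the system log.
# "invalid user " appears when the account does not exist at all.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
Feb  3 11:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4411 ssh2
Feb  3 11:00:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4412 ssh2
Feb  3 11:00:03 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 4413 ssh2
Feb  3 11:00:04 web1 sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 4414 ssh2
Feb  3 11:00:05 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 4415 ssh2
Feb  3 11:00:06 web1 sshd[2109]: Failed password for alice from 198.51.100.20 port 50001 ssh2
Feb  3 11:00:07 web1 sshd[2111]: Accepted password for alice from 198.51.100.20 port 50002 ssh2
Feb  3 11:00:08 web1 sshd[2113]: Failed password for invalid user postgres from 203.0.113.9 port 4416 ssh2
Feb  3 11:00:09 web1 sshd[2115]: Failed password for invalid user mysql from 203.0.113.9 port 4417 ssh2
"""


def count_failures(lines):
    """Return (failures per IP, usernames tried per IP) from iterable log lines."""
    per_ip = Counter()
    users = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated messages are skipped
        ip = m.group("ip")
        per_ip[ip] += 1
        users.setdefault(ip, set()).add(m.group("user"))
    return per_ip, users


def ips_to_block(lines, threshold=5):
    """Source addresses that reached `threshold` failed logins (threshold is an assumed value)."""
    per_ip, _ = count_failures(lines)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def block_commands(ips):
    """iptables rules a blocker would run for each offending address (one DROP rule per IP)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    offenders = ips_to_block(SAMPLE_LOG.splitlines())
    _, tried = count_failures(SAMPLE_LOG.splitlines())
    for ip in offenders:
        print(ip, "tried accounts:", sorted(tried[ip]))
    print("\n".join(block_commands(offenders)))
```

This counts over the whole input; a production blocker keeps the counts in a sliding time window and expires the rules, but the per-IP counting and the "which accounts were tried" view are the parts worth inspecting when deciding whether a burst is a brute-force sweep or a forgotten password.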

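The byte count + MD5 + CRC32 comparison from the comment, as an added example (not code from the original post): it builds a fingerprint manifest for a directory, then reports which files were modified, added or removed relative to a saved baseline. The demo web root and its contents are constructed, the function names are assumptions, and the digest name is a parameter so a stronger hash such as SHA-256 can be substituted without touching the rest.

```python
import hashlib
import os
import tempfile
import zlib


def fingerprint(data, digest="md5"):
    """(byte count, hex digest, crc32) for one file's contents, as the comment proposes."""
    h = hashlib.new(digest, data).hexdigest()
    return (len(data), h, zlib.crc32(data) & 0xFFFFFFFF)


def build_manifest(root, digest="md5"):
    """Map each regular file under `root` (relative, '/'-separated path) to its fingerprint."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                manifest[rel] = fingerprint(f.read(), digest)
    return manifest


def diff_manifests(baseline, current):
    """Return {'modified': [...], 'added': [...], 'removed': [...]}, each sorted."""
    modified = [p for p in baseline if p in current and baseline[p] != current[p]]
    added = [p for p in current if p not in baseline]
    removed = [p for p in baseline if p not in current]
    return {"modified": sorted(modified), "added": sorted(added), "removed": sorted(removed)}


def demo():
    """Build a constructed web root in a temp dir, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><body>hello</body></html>\n")
        with open(os.path.join(root, "js", "app.js"), "w") as f:
            f.write("console.log('app');\n")
        baseline = build_manifest(root)

        # Tampered page with the SAME byte count: the size check alone would miss it,
        # the digest and crc32 catch it.
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><body>HELLO</body></html>\n")
        # A dropped file and a deleted file, the other two cases a baseline diff reports.
        with open(os.path.join(root, "js", "extra.js"), "w") as f:
            f.write("// newly dropped file\n")
        os.remove(os.path.join(root, "js", "app.js"))

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In use, the baseline manifest is written once from a known-good tree and stored somewhere the web server cannot write to; a cron job rebuilds the current manifest and reports the diff. Keeping the directory under a VCS, as the comment suggests, gives the same change list plus the ability to see and revert the actual content difference.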
