Mystery infestation strikes Linux/Apache Web sites
Posted by: Anonymous
on February 03, 2008 11:21 AM
Yes, it is probably brute force, not a ~real~ compromise; certain netblocks seem to get hit harder. I manage several servers in different locations; one server is pretty quiet, hardly ever gets bothered. But a new server I recently brought online in a different location is getting upwards of 50k-100k ssh attempts per week!!! yow!!! I put a 'scumblocker' program on there; it seems like ssh does not place any limits on failed attempts, so I added a program that monitors the message log and starts blocking the IP after n fails. Yup, lots of brute force going on, but it seems to be pretty stupid stuff, very repetitive. One thing they do is test all the service accounts; don't you dare leave any with default passwords or shell access.
The thing about md5 collisions is that the length is not the same, so if you compare byte count + md5 and for good measure do a crc32 as well, that combo will still detect the change.
However, you might find it simpler to use a Version Control System. Yup, that's what I did, but only for certain directories, and it works great! Give www.bazaar-vcs.org a try; you might find that it does the trick. Even without virus worries, I find it is very useful for tracking changes to /etc and also to websites. Unlike most VCSs, Bazaar does a decent job of dealing with binaries and renames.
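A defender's implementation of the byte count + md5 + crc32 comparison described in the comment above, added here as an example rather than code from the original post: it snapshots a directory tree into a manifest and reports files that were added, removed, or whose triple no longer matches. The file names and contents in demo() are constructed, and path keys assume a POSIX-style tree.

```python
import hashlib
import io
import os
import tempfile
import zlib


def fingerprint_stream(fh):
    """Size, MD5 and CRC32 of an open binary stream, read in 64 KiB chunks."""
    size, md5, crc = 0, hashlib.md5(), 0
    for chunk in iter(lambda: fh.read(65536), b""):
        size += len(chunk)
        md5.update(chunk)
        crc = zlib.crc32(chunk, crc)
    return {"size": size, "md5": md5.hexdigest(), "crc32": "%08x" % (crc & 0xFFFFFFFF)}


def fingerprint_bytes(data):
    return fingerprint_stream(io.BytesIO(data))


def fingerprint(path):
    with open(path, "rb") as fh:
        return fingerprint_stream(fh)


def snapshot(root):
    """Fingerprint every regular file under root (symlinks skipped), keyed by relative path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root).replace(os.sep, "/")] = fingerprint(full)
    return manifest


def compare(baseline, current):
    """Paths added, removed, or whose size/md5/crc32 triple differs from the baseline."""
    both = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": sorted(p for p in both if baseline[p] != current[p])}


def demo():
    """Constructed scenario: baseline a small tree, then a same-length edit, a new file and a deletion."""
    with tempfile.TemporaryDirectory() as root:
        files = {"index.html": b"<html>hello</html>", "etc/motd": b"welcome\n", "js/app.js": b"var x=1;"}
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)
        with open(os.path.join(root, "js/app.js"), "wb") as fh:
            fh.write(b"var x=2;")  # same byte count; size alone would miss this, md5/crc32 do not
        with open(os.path.join(root, "etc/extra.conf"), "wb") as fh:
            fh.write(b"x")  # constructed "new file appeared" case
        os.remove(os.path.join(root, "etc/motd"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest off-box (or in the VCS the comment recommends), since an attacker who can rewrite the web root can rewrite a manifest kept beside it; equal-length MD5 collisions are well documented, so swapping hashlib.md5 for hashlib.sha256 in fingerprint_stream is a worthwhile one-line change.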