Admins, please secure your servers
Today I pored over some of my auth.log files as usual, and yet again, to my disappointment, there were several hosts that had spent around three to four hours hounding my server with login attempts every five seconds. Having a few hours of time to kill, I decided to investigate one of the machines.
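As an added example (not part of the original post), here is the kind of auth.log triage described above, in Python: it parses sshd "Failed password" lines, groups them by source address, and flags sources that keep a steady, fast cadence of failures. The log lines are constructed for the example, the year is assumed (syslog timestamps carry none), and the thresholds (five attempts, median gap of ten seconds or less) are illustrative choices, not values from the post.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample auth.log lines (not real log data): one host hammering
# sshd every five seconds, one host with a single failure then a valid login,
# and an unrelated cron line that the parser must ignore.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:05 host sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Jan 12 03:14:10 host sshd[2203]: Failed password for invalid user test from 192.0.2.10 port 40115 ssh2
Jan 12 03:14:15 host sshd[2205]: Failed password for root from 192.0.2.10 port 40118 ssh2
Jan 12 03:14:20 host sshd[2207]: Failed password for invalid user oracle from 192.0.2.10 port 40121 ssh2
Jan 12 03:14:25 host sshd[2209]: Failed password for invalid user guest from 192.0.2.10 port 40124 ssh2
Jan 12 03:20:00 host sshd[2300]: Failed password for bob from 198.51.100.7 port 51000 ssh2
Jan 12 03:21:00 host sshd[2310]: Accepted publickey for bob from 198.51.100.7 port 51002 ssh2
Jan 12 03:22:13 host CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches the classic OpenSSH failure line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed(line, year=2006):
    """Return (timestamp, user, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # Syslog timestamps have no year; the year is an assumption the caller can override.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def summarize(log_text, year=2006):
    """Per source IP: attempt count, time span covered, median gap between attempts, users tried."""
    events = {}
    for line in log_text.splitlines():
        parsed = parse_failed(line, year)
        if parsed is None:
            continue
        ts, user, ip = parsed
        events.setdefault(ip, []).append((ts, user))

    summary = {}
    for ip, ev in events.items():
        ev.sort()
        times = [t for t, _ in ev]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[ip] = {
            "attempts": len(ev),
            "duration_s": (times[-1] - times[0]).total_seconds(),
            "median_gap_s": median(gaps) if gaps else None,
            "users": sorted({u for _, u in ev}),
        }
    return summary


def flag_bruteforce(summary, min_attempts=5, max_median_gap_s=10.0):
    """Sources with many failures at a steady, fast cadence look like automated guessing.

    Thresholds are illustrative; tune them to your own traffic.
    """
    return sorted(
        ip
        for ip, s in summary.items()
        if s["attempts"] >= min_attempts
        and s["median_gap_s"] is not None
        and s["median_gap_s"] <= max_median_gap_s
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_AUTH_LOG)
    for ip, info in sorted(stats.items()):
        print(ip, info)
    print("suspects:", flag_bruteforce(stats))
```

Run it against a real file with `summarize(open("/var/log/auth.log").read())`; a legitimate user who fat-fingers a password once or twice never reaches the attempt threshold, while a scanner cycling through usernames every few seconds does.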
I managed to determine large quantities of information. Below is a snippet of the text file I logged my findings in:
Fedora Core (unknown version)
Default Apache 2 installation
 - /var/www/html is directory for www files
 - /cgi-bin/ does exist, but directory indexing is off
Ports 21 (ftp), 22 (ssh), 80 (http), 443 (https) are open.
All this points to the owner having set up a machine, connected it to the Internet, and forgotten about it. One would assume the owner would at least have tried to secure this server with some simple things, but nope. FTP still had its default banner, the Apache test CGI scripts were available, and the machine was not patched. (Apache and ssh were about 6 months behind the latest, most secure versions.)
I assume the reason this machine was attacking servers was that a rogue individual had compromised its security. I of course did not check, but it is perfectly possible that the owner left a default user account with a common password, opening the avenue for a simple brute-force attack. How ironic, considering this is what it is doing itself to other machines.
In conclusion, admins, PLEASE SECURE YOUR MACHINES! If you do not then you will likely have your box compromised, just like this one. And trust me, you do not want to be on as many blacklists as this unfortunate victim.