[mythtv-users] ssh attack

Chris Ribe chrisribe at gmail.com
Thu Dec 29 20:40:52 EST 2005


You made me panic for a second there, Darren.

My first thought was, "Oh damn, how do I determine if I have been
compromised?"

My second thought was, "Why bother, I've surely been rooted by now."

My third thought was, "Wait a minute, I'm reading this on an unpatched Win2k
machine that has been up for 3 months now.  Oh yeah, my router must be doing
its job."

Thank God for $50 hardware firewalls, because I wouldn't bother owning a
computer if I had to keep iptables and a Windows firewall up to date.

That said, this was probably all an elaborate phishing attack which succeeded
in getting me to admit there is a mythtv/mythtv account on my myth box.


On 12/29/05, Darren Hart <darren at dvhart.com> wrote:
>
> I'm sure nobody here is dumb enough to do this, but since I was, thought I'd
> pass the word.
>
> There is an ssh attack going around with a brute force login using 2187
> different username/password pairs, one such pair happens to be:
>
> mythtv:mythtv
>
> Like I said, I'm sure no one else but me thought that was a good idea :-)  Once
> in they must have found some app to exploit and get root, then it starts
> scanning addresses - to propagate I guess.  There are some indications that
> cupsys may have been the culprit there.  Anyway, just a heads up, it manifests
> itself with several sshf processes running (78 in my case) and lots of failed
> login attempts in /var/log/auth.log*
>
> --Darren
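
The quoted message names failed login attempts in /var/log/auth.log as the visible symptom. The following is an added example, not part of either post, that scans such a log for the case that matters: a password login that succeeds from an address that had just been failing. The log lines, host name and addresses are constructed, and the threshold of 5 is an assumption.

```python
import re
from collections import Counter

# OpenSSH password-auth results as written to /var/log/auth.log.
# Older releases log "illegal user", newer ones "invalid user".
LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyse(lines, threshold=5):
    """Return (failures per source IP, accepted logins preceded by a burst of failures)."""
    failures = Counter()
    suspicious = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            # Success from a source that was just guessing: one pair worked.
            suspicious.append((ip, user, failures[ip]))
    return failures, suspicious

# Constructed sample: a guessing run from one address that ends in a working
# login, plus an ordinary mistyped-then-correct login from another address.
GUESSED = ["admin", "test", "guest", "oracle", "mysql", "ftp"]
SAMPLE = [
    f"Dec 29 03:12:{i:02d} mythbox sshd[{2000 + i}]: Failed password for "
    f"illegal user {u} from 203.0.113.7 port {40000 + i} ssh2"
    for i, u in enumerate(GUESSED)
] + [
    "Dec 29 03:12:07 mythbox sshd[2007]: Failed password for root from 203.0.113.7 port 40007 ssh2",
    "Dec 29 03:12:09 mythbox sshd[2009]: Accepted password for mythtv from 203.0.113.7 port 40009 ssh2",
    "Dec 29 08:30:11 mythbox sshd[2301]: Failed password for chris from 192.0.2.10 port 51514 ssh2",
    "Dec 29 08:30:19 mythbox sshd[2302]: Accepted password for chris from 192.0.2.10 port 51515 ssh2",
]

if __name__ == "__main__":
    fails, hits = analyse(SAMPLE)
    for ip, n in fails.most_common():
        print(f"{n:4d} failed password attempts from {ip}")
    for ip, user, n in hits:
        print(f"CHECK: '{user}' logged in from {ip} after {n} failures")
```

On a real host, pass it the lines of /var/log/auth.log and its rotated copies, oldest first, since the per-address count depends on order.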